pdk_jwt_lib/model/

claims.rs

// Copyright (c) 2026, Salesforce, Inc.,
// All rights reserved.
// For full license text, see the LICENSE.txt file

//! JWT claims and data structures
//!
//! This module provides data structures for representing JWT claims and headers.
//! It includes support for standard JWT claims, custom claims and claim validation.

use crate::error::jwt_error::JWTError;
use crate::parser::jwt_claims_parser::JWTClaimsParser;
use chrono::{DateTime, Duration, TimeZone, Utc};
use jwt_compact::{Claims, Token};
use jwt_simple::prelude::{Audiences, UnixTimeStamp};
use pdk_core::logger::debug;
use serde::{Deserialize, Serialize};
use serde_json::Value;
use std::collections::HashMap;

/// JWT available claims.
pub mod claim_names {
    /// Audience claim.
    pub const AUD_CLAIM: &str = "aud";
    /// Subject claim.
    pub const SUBJECT_CLAIM: &str = "sub";
    /// Issuer claim.
    pub const ISSUER_CLAIM: &str = "iss";
    /// JWT ID claim.
    pub const JTI_CLAIM: &str = "jti";
    /// Nonce claim.
    pub const NONCE_CLAIM: &str = "nonce";
    /// Expiration claim.
    pub const EXPIRATION_CLAIM: &str = "exp";
    /// Not before claim.
    pub const NOT_BEFORE_CLAIM: &str = "nbf";
    /// Issued at claim.
    pub const ISSUED_AT_CLAIM: &str = "iat";
}

use claim_names::*;
use pdk_script::IntoValue;

/// Claim Structures to hold custom claims.
#[derive(Clone, Debug, PartialEq, Eq, Serialize, Deserialize)]
pub struct CustomClaims {
    /// Inner custom claims.
    #[serde(flatten)]
    pub inner: HashMap<String, serde_json::Value>,
}

/// The JWT decoded content. It consists of 2 key-value maps: one for
/// the JWT header and another one for the JWT body.
#[derive(Clone, Debug, PartialEq, Eq, Serialize)]
pub struct JWTClaims {
    #[serde(flatten)]
    pub(crate) claims: HashMap<String, serde_json::Value>,
    #[serde(flatten)]
    pub(crate) headers: HashMap<String, serde_json::Value>,
}

impl JWTClaims {
    /// Create a new [`JWTClaims`] with the given expiration,
    /// not before, issued at, claims and headers.
    pub fn new(
        expiration: Option<DateTime<Utc>>,
        not_before: Option<DateTime<Utc>>,
        issued_at: Option<DateTime<Utc>>,
        claims: HashMap<String, Value>,
        headers: HashMap<String, Value>,
    ) -> Result<Self, JWTError> {
        let mut claims = claims;

        extract_datetime_value(EXPIRATION_CLAIM, &expiration, &mut claims);
        extract_datetime_value(NOT_BEFORE_CLAIM, &not_before, &mut claims);
        extract_datetime_value(ISSUED_AT_CLAIM, &issued_at, &mut claims);

        Ok(JWTClaims { claims, headers })
    }

    /// Get the audience claim.
    pub fn audience(&self) -> Option<Result<Vec<String>, JWTError>> {
        self.claims.get(AUD_CLAIM).map(parse_audiences_to_list)
    }

    /// Get the not before claim.
    pub fn not_before(&self) -> Option<DateTime<Utc>> {
        self.get_claim(NOT_BEFORE_CLAIM)
    }

    /// Get the expiration claim.
    pub fn expiration(&self) -> Option<DateTime<Utc>> {
        self.get_claim(EXPIRATION_CLAIM)
    }

    /// Get the issued at claim.
    pub fn issued_at(&self) -> Option<DateTime<Utc>> {
        self.get_claim(ISSUED_AT_CLAIM)
    }

    /// Get the issuer claim.
    pub fn issuer(&self) -> Option<String> {
        self.get_claim(ISSUER_CLAIM)
    }

    /// Get the JWT ID claim.
    pub fn jti(&self) -> Option<String> {
        self.get_claim(JTI_CLAIM)
    }

    /// Get the nonce claim.
    pub fn nonce(&self) -> Option<String> {
        self.get_claim(NONCE_CLAIM)
    }

    /// Get the subject claim.
    pub fn subject(&self) -> Option<String> {
        self.get_claim(SUBJECT_CLAIM)
    }

    /// Check if a specific claim exists.
    pub fn has_claim(&self, name: &str) -> bool {
        self.claims.contains_key(name)
    }

    /// Get a specific claim by name with type conversion.
    pub fn get_claim<T>(&self, name: &str) -> Option<T>
    where
        T: ValueRetrieval,
    {
        let value = self.claims.get(name);

        match value {
            Some(val) => T::retrieve(val.clone()),
            None => None,
        }
    }

    /// Check if a specific header exists.
    pub fn has_header(&self, name: &str) -> bool {
        self.headers.contains_key(name)
    }

    /// Get a specific header by name as string.
    pub fn get_header(&self, name: &str) -> Option<String> {
        let value = self.headers.get(name);

        match value {
            Some(val) => val.as_str().map(|str| str.into()),
            None => None,
        }
    }

    /// Serialize the claims to a [`Value`].
    pub fn to_serde(&self) -> Result<Value, JWTError> {
        serde_json::to_value(self)
            .map_err(|e| JWTError::TokenParseFailed(format!("Error serializing claims: {e}")))
    }

    /// Get all JWT claims as PDK script value.
    pub fn get_claims(&self) -> pdk_script::Value {
        self.claims.clone().into_value()
    }

    /// Get all JWT headers as PDK script value.
    pub fn get_headers(&self) -> pdk_script::Value {
        self.headers.clone().into_value()
    }
}

fn parse_audiences_to_list(aud: &Value) -> Result<Vec<String>, JWTError> {
    let correct_type = if aud.is_string() || aud.is_array() {
        Ok(aud)
    } else {
        Err(JWTError::ClaimAudValidationFailed)
    }?;

    if correct_type.is_string() {
        let aud_str = correct_type
            .as_str()
            .ok_or(JWTError::ClaimAudValidationFailed)?;
        Ok(vec![String::from(aud_str)])
    } else {
        let aud_array = correct_type
            .as_array()
            .ok_or(JWTError::ClaimAudValidationFailed)?;

        Ok(aud_array
            .iter()
            .filter_map(|v| v.as_str().map(String::from))
            .collect::<Vec<String>>())
    }
}

/// Trait to convert untrusted JWT compact claims to [`JWTClaims`].
pub trait TryFromUntrustedJWTCompactClaims {
    fn try_from_untrusted_jwt_compact_claims(
        claims: Claims<CustomClaims>,
        token: String,
    ) -> Result<JWTClaims, JWTError>;
}

impl TryFromUntrustedJWTCompactClaims for JWTClaims {
    fn try_from_untrusted_jwt_compact_claims(
        claims: Claims<CustomClaims>,
        token: String,
    ) -> Result<JWTClaims, JWTError> {
        let headers: HashMap<String, Value> = JWTClaimsParser::parse_headers(token)?;

        JWTClaims::new(
            claims.expiration,
            claims.not_before,
            claims.issued_at,
            claims.custom.inner,
            headers,
        )
    }
}

/// Trait to convert trusted JWT compact claims to [`JWTClaims`].
pub trait TryFromTrustedJWTCompactClaims {
    fn try_from_trusted_jwt_compact_claims(
        claims: Token<CustomClaims>,
        token: String,
    ) -> Result<JWTClaims, JWTError>;
}

impl TryFromTrustedJWTCompactClaims for JWTClaims {
    fn try_from_trusted_jwt_compact_claims(
        trusted_token: Token<CustomClaims>,
        token_str: String,
    ) -> Result<Self, JWTError> {
        let claims = trusted_token.claims().to_owned();

        JWTClaims::try_from_untrusted_jwt_compact_claims(claims, token_str)
    }
}

/// Trait to convert trusted JWT simple claims to [`JWTClaims`].
pub trait TryFromTrustedJWTSimpleClaims {
    fn try_from_trusted_jwt_simple_claims(
        claims: jwt_simple::claims::JWTClaims<CustomClaims>,
        token: String,
    ) -> Result<JWTClaims, JWTError>;
}

impl TryFromTrustedJWTSimpleClaims for JWTClaims {
    fn try_from_trusted_jwt_simple_claims(
        claims: jwt_simple::claims::JWTClaims<CustomClaims>,
        token: String,
    ) -> Result<Self, JWTError> {
        let expiration = utc_from_duration(&claims.expires_at);
        let not_before = utc_from_duration(&claims.invalid_before);
        let issued_at = utc_from_duration(&claims.issued_at);
        let mut custom_claims = claims.custom.inner;

        extract_value(ISSUER_CLAIM, &claims.issuer, &mut custom_claims);
        extract_value(SUBJECT_CLAIM, &claims.subject, &mut custom_claims);
        extract_value(JTI_CLAIM, &claims.jwt_id, &mut custom_claims);
        extract_value(NONCE_CLAIM, &claims.nonce, &mut custom_claims);
        parse_custom_claim_audiences_to_list(claims.audiences, &mut custom_claims);

        let headers: HashMap<String, Value> = JWTClaimsParser::parse_headers(token)?;

        JWTClaims::new(expiration, not_before, issued_at, custom_claims, headers)
    }
}

fn parse_custom_claim_audiences_to_list(
    aud: Option<Audiences>,
    custom_claims: &mut HashMap<String, Value>,
) {
    if let Some(audiences) = aud {
        match audiences {
            Audiences::AsSet(set) => {
                if let Ok(value_set) = serde_json::to_value(set) {
                    custom_claims.insert(AUD_CLAIM.to_string(), value_set);
                }
            }
            Audiences::AsString(str) => {
                custom_claims.insert(AUD_CLAIM.to_string(), Value::String(str));
            }
        }
    }
}

/// Trait to be implemented for any sized data type for which a JWT claim wants to casted when
/// retrieved by the [`JWTClaims::get_claim`] method.
pub trait ValueRetrieval {
    fn retrieve(claim_value: serde_json::Value) -> Option<Self>
    where
        Self: Sized;
}

impl ValueRetrieval for Value {
    fn retrieve(claim_value: serde_json::Value) -> Option<Self> {
        Some(claim_value)
    }
}

impl ValueRetrieval for String {
    fn retrieve(claim_value: serde_json::Value) -> Option<Self> {
        Some(claim_value.as_str().unwrap().into())
    }
}

impl ValueRetrieval for f64 {
    fn retrieve(claim_value: serde_json::Value) -> Option<Self> {
        claim_value.as_f64()
    }
}

impl ValueRetrieval for Vec<String> {
    fn retrieve(claim_value: serde_json::Value) -> Option<Self> {
        claim_value.as_array().map(|val| {
            val.iter()
                .map(|item| item.as_str().unwrap().into())
                .collect()
        })
    }
}

impl ValueRetrieval for DateTime<Utc> {
    fn retrieve(claim_value: serde_json::Value) -> Option<Self> {
        claim_value.as_i64().map(|val| Utc.timestamp_nanos(val))
    }
}

/* Helper functions */

fn extract_datetime_value(
    key: &str,
    datetime: &Option<DateTime<Utc>>,
    custom_claims: &mut HashMap<String, Value>,
) {
    if datetime.is_some() {
        custom_claims.insert(
            key.to_string(),
            // This is the most precise representation as a value. But still, it can represent all dates between
            // 1677-09-21T00:12:44.0 and 2262-04-11T23:47:16.854775804, which should be more than enough for claims.
            Value::from(datetime.unwrap().timestamp_nanos_opt().unwrap()),
        );
    }
}

fn extract_value(
    key: &str,
    claim_value: &Option<String>,
    custom_claims: &mut HashMap<String, Value>,
) {
    if let Some(claim) = claim_value {
        let value = Value::String(claim.to_string());
        custom_claims.insert(key.to_string(), value);
    }
}

fn utc_from_duration(duration: &Option<UnixTimeStamp>) -> Option<DateTime<Utc>> {
    let start_utc_date = match Utc.with_ymd_and_hms(1970, 1, 1, 0, 0, 0).single() {
        None => {
            // This should not happened
            debug!("Using default start_utc_date");
            DateTime::default()
        }
        Some(date) => date,
    };

    duration
        .as_ref()
        .and_then(|timestamp| Duration::try_milliseconds(timestamp.as_millis() as i64))
        .map(|some_duration| start_utc_date + some_duration)
}

#[cfg(test)]
mod tests {
    use crate::api::JWTClaimsParser;
    use pdk_script::IntoValue;
    use serde_json::json;

    fn valid_token() -> String {
        "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJodHRwczovL3JlZGFjdGVkLmFuei5jb20iLCJhdWQiOiJyZWRhY3RlZC5hbnouY29tL2VtYWlsQWRkcmVzcy1yZWRhY3RlZEBhbnouY29tIiwic3ViIjoicmVkYWN0ZWQuYW56LmNvbS9lbWFpbEFkZHJlc3MtcmVkYWN0ZWRAYW56LmNvbSIsImV4cCI6MTY5Mzk4ODY1Ni41OTcsInNjb3BlcyI6WyJyZWRhY3RlZDEiLCJyZWRhY3RlZCJdLCJhbXIiOlsicmVkYWN0ZWQiXSwiYWNyIjoicmVkYWN0ZWQifQ.EswBSyD9976PVC6o4tWwsT5rGTf2RJcvL7hdpcTwXUo"
            .to_string()
    }

    fn no_exp_token() -> String {
        "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJodHRwczovL3JlZGFjdGVkLmFuei5jb20iLCJhdWQiOiJyZWRhY3RlZC5hbnouY29tL2VtYWlsQWRkcmVzcy1yZWRhY3RlZEBhbnouY29tIiwic3ViIjoicmVkYWN0ZWQuYW56LmNvbS9lbWFpbEFkZHJlc3MtcmVkYWN0ZWRAYW56LmNvbSIsInNjb3BlcyI6WyJyZWRhY3RlZDEiLCJyZWRhY3RlZCJdLCJhbXIiOlsicmVkYWN0ZWQiXSwiYWNyIjoicmVkYWN0ZWQifQ.vxNPrXPIG8VuGb9Bf2MjLFXPRX9EmN97WZtM-jzQniE"
            .to_string()
    }

    mod tests_accessors {
        use crate::{error::jwt_error::JWTError, model::claims::JWTClaims};
        use chrono::{DateTime, Utc};
        use serde_json::Value;
        use std::collections::HashMap;

        impl JWTClaims {
            /// Create a new empty [`JWTClaims`].
            pub fn empty() -> Result<Self, JWTError> {
                JWTClaims::new(None, None, None, HashMap::default(), HashMap::default())
            }

            /// Create a new [`JWTClaims`] with only expiration claim.
            pub fn just_expiration(expiration: DateTime<Utc>) -> Result<Self, JWTError> {
                JWTClaims::new(
                    Some(expiration),
                    None,
                    None,
                    HashMap::default(),
                    HashMap::default(),
                )
            }

            /// Create a new [`JWTClaims`] with only not before claim.
            pub fn just_not_before(not_before: DateTime<Utc>) -> Result<Self, JWTError> {
                JWTClaims::new(
                    None,
                    Some(not_before),
                    None,
                    HashMap::default(),
                    HashMap::default(),
                )
            }

            /// Create a new [`JWTClaims`] with only custom claims.
            pub fn from_custom_claims(
                custom_claims: HashMap<String, Value>,
            ) -> Result<Self, JWTError> {
                JWTClaims::new(None, None, None, custom_claims, HashMap::default())
            }

            /// Get the number of custom claims.
            pub fn custom_claims_count(&self) -> usize {
                self.claims.len()
            }
        }
    }

    #[test]
    fn basic_methods() {
        let claims = JWTClaimsParser::parse(no_exp_token()).unwrap();

        assert!(claims.has_header("alg"));
        assert!(!claims.has_claim("alg"));
        assert!(claims.has_claim("iss"));
        assert!(!claims.has_header("iss"));

        assert_eq!(
            claims.get_headers(),
            json!({
              "alg": "HS256",
              "typ": "JWT"
            })
            .into_value()
        );

        assert_eq!(
            claims.get_claims(),
            json!(
                {
                  "iss": "https://redacted.anz.com",
                  "aud": "redacted.anz.com/emailAddress-redacted@anz.com",
                  "sub": "redacted.anz.com/emailAddress-redacted@anz.com",
                  "scopes": [
                    "redacted1",
                    "redacted"
                  ],
                  "amr": [
                    "redacted"
                  ],
                  "acr": "redacted"
                }
            )
            .into_value()
        );
    }

    mod audience_claim_extraction {
        use crate::model::claims::{claim_names::AUD_CLAIM, JWTClaims};
        use serde_json::Value::*;
        use serde_json::{Map, Number, Value};
        use std::collections::HashMap;
        use std::string::String;

        #[test]
        fn succeeds_on_string_type() {
            let token_claims = JWTClaims::from_custom_claims(HashMap::from([(
                AUD_CLAIM.to_string(),
                String(String::from("an_audience")),
            )]))
            .unwrap();

            assert!(token_claims.audience().is_some());
            assert!(token_claims.audience().unwrap().is_ok());
            assert_eq!(
                token_claims.audience().unwrap().unwrap(),
                vec![String::from("an_audience")]
            );
        }

        #[test]
        fn succeeds_on_list_type() {
            let token_claims = JWTClaims::from_custom_claims(HashMap::from([(
                AUD_CLAIM.to_string(),
                Array(vec![
                    String(String::from("an_audience1")),
                    String(String::from("an_audience2")),
                ]),
            )]))
            .unwrap();

            assert!(token_claims.audience().is_some());
            assert!(token_claims.audience().unwrap().is_ok());
            assert_eq!(
                token_claims.audience().unwrap().unwrap(),
                vec![String::from("an_audience1"), String::from("an_audience2")]
            );
        }

        #[test]
        fn fails_on_bool_type() {
            let token_claims =
                JWTClaims::from_custom_claims(HashMap::from([(AUD_CLAIM.to_string(), Bool(true))]))
                    .unwrap();

            assert!(token_claims.audience().is_some());
            assert!(token_claims.audience().unwrap().is_err());
        }

        #[test]
        fn fails_on_number_type() {
            let token_claims = JWTClaims::from_custom_claims(HashMap::from([(
                AUD_CLAIM.to_string(),
                Number(Number::from(1u64)),
            )]))
            .unwrap();

            assert!(token_claims.audience().is_some());
            assert!(token_claims.audience().unwrap().is_err());
        }

        #[test]
        fn fails_on_null_type() {
            let token_claims =
                JWTClaims::from_custom_claims(HashMap::from([(AUD_CLAIM.to_string(), Null)]))
                    .unwrap();

            assert!(token_claims.audience().is_some());
            assert!(token_claims.audience().unwrap().is_err());
        }

        #[test]
        fn fails_on_object_type() {
            let token_claims = JWTClaims::from_custom_claims(HashMap::from([(
                AUD_CLAIM.to_string(),
                Object(Map::<String, Value>::new()),
            )]))
            .unwrap();

            assert!(token_claims.audience().is_some());
            assert!(token_claims.audience().unwrap().is_err());
        }
    }

    mod jwt_simple_custom_claims_parsing {
        use super::super::*;

        #[test]
        fn parse_claims_and_exp() {
            let claims: jwt_simple::claims::JWTClaims<CustomClaims> = serde_json::from_str(r#"{"exp":1617757825, "jti": "key1", "sub": "anSubject", "iss": "anIss", "nonce": "anNonce"}"#).unwrap();

            let expiration = Duration::try_seconds(1617757825).unwrap();

            let jwt_claims: JWTClaims =
                JWTClaims::try_from_trusted_jwt_simple_claims(claims, super::valid_token())
                    .unwrap();

            // Retrieve them as custom claims
            assert_eq!(
                jwt_claims
                    .get_claim::<DateTime<Utc>>("exp")
                    .unwrap()
                    .timestamp_millis(),
                expiration.num_milliseconds()
            );
            assert_eq!(jwt_claims.get_claim::<String>("jti").unwrap(), "key1");
            assert_eq!(jwt_claims.get_claim::<String>("sub").unwrap(), "anSubject");
            assert_eq!(jwt_claims.get_claim::<String>("iss").unwrap(), "anIss");
            assert_eq!(jwt_claims.get_claim::<String>("nonce").unwrap(), "anNonce");
            assert!(jwt_claims.audience().is_none());

            // Retrieve them as standard claims
            assert_eq!(
                jwt_claims.expiration().unwrap().timestamp_millis(),
                expiration.num_milliseconds()
            );
            assert_eq!(jwt_claims.jti().unwrap(), "key1");
            assert_eq!(jwt_claims.subject().unwrap(), "anSubject");
            assert_eq!(jwt_claims.issuer().unwrap(), "anIss");
            assert_eq!(jwt_claims.nonce().unwrap(), "anNonce");
        }

        #[test]
        fn parse_custom_and_audiences_with_vec_claims() {
            let claims: jwt_simple::claims::JWTClaims<CustomClaims> = serde_json::from_str(r#"{"exp":1617757827, "otherClaim": "anCustomclaim", "aud": ["audience1", "audience2"]}"#).unwrap();

            let jwt_claims =
                JWTClaims::try_from_trusted_jwt_simple_claims(claims, super::valid_token())
                    .unwrap();

            assert_eq!(
                jwt_claims.get_claim::<String>("otherClaim").unwrap(),
                "anCustomclaim"
            );

            assert!(jwt_claims.audience().is_some());

            let audiences = jwt_claims.audience().unwrap();
            assert!(audiences.is_ok());

            let audiences_vec = audiences.unwrap();

            assert_eq!(audiences_vec.len(), 2);
            assert!(audiences_vec.contains(&String::from("audience1")));
            assert!(audiences_vec.contains(&String::from("audience2")));
        }

        #[test]
        fn parse_audiences_with_string_claims() {
            let claims: jwt_simple::claims::JWTClaims<CustomClaims> =
                serde_json::from_str(r#"{"exp":1617757827, "aud": "audience1"}"#).unwrap();

            let jwt_claims =
                JWTClaims::try_from_trusted_jwt_simple_claims(claims, super::valid_token())
                    .unwrap();

            assert!(jwt_claims.audience().is_some());

            let audiences = jwt_claims.audience().unwrap();
            assert!(audiences.is_ok());

            let audiences_vec = audiences.unwrap();

            assert_eq!(audiences_vec.len(), 1);
            assert!(audiences_vec.contains(&String::from("audience1")));
        }

        #[test]
        fn parse_other_claims() {
            let claims: jwt_simple::claims::JWTClaims<CustomClaims> =
                serde_json::from_str(r#"{"exp":1617757827, "iat":1617757827, "nbf": 1617757827}"#)
                    .unwrap();

            let duration = Duration::try_seconds(1617757827).unwrap();

            let jwt_claims =
                JWTClaims::try_from_trusted_jwt_simple_claims(claims, super::valid_token())
                    .unwrap();

            // Retrieve them as custom claims
            assert_eq!(
                jwt_claims
                    .get_claim::<DateTime<Utc>>("nbf")
                    .unwrap()
                    .timestamp_millis(),
                duration.num_milliseconds()
            );
            assert_eq!(
                jwt_claims
                    .get_claim::<DateTime<Utc>>("iat")
                    .unwrap()
                    .timestamp_millis(),
                duration.num_milliseconds()
            );
            assert_eq!(
                jwt_claims
                    .get_claim::<DateTime<Utc>>("exp")
                    .unwrap()
                    .timestamp_millis(),
                duration.num_milliseconds()
            );

            // Retrieve them as standard claims
            assert_eq!(
                jwt_claims.not_before().unwrap().timestamp_millis(),
                duration.num_milliseconds()
            );
            assert_eq!(
                jwt_claims.issued_at().unwrap().timestamp_millis(),
                duration.num_milliseconds()
            );
            assert_eq!(
                jwt_claims.expiration().unwrap().timestamp_millis(),
                duration.num_milliseconds()
            );

            // Retrieve headers extracted from token string

            assert_eq!(jwt_claims.get_header("alg").unwrap(), "HS256",);

            assert_eq!(jwt_claims.get_header("typ").unwrap(), "JWT",);
        }
    }
}