From 79e66c1c14e50f16e44c2e75fe121741a7387eb0 Mon Sep 17 00:00:00 2001
From: strehle
Date: Wed, 22 Jan 2025 15:29:01 +0100
Subject: [PATCH] feature: support federated jwt client configuration
---
 lib/uaa/scim.rb | 8 +++++++-
 spec/scim_spec.rb | 12 ++++++++++++
 2 files changed, 19 insertions(+), 1 deletion(-)
diff --git a/lib/uaa/scim.rb b/lib/uaa/scim.rb
index 05180f0..b425535 100644
--- a/lib/uaa/scim.rb
+++ b/lib/uaa/scim.rb
@@ -380,13 +380,19 @@ def change_secret(client_id, new_secret, old_secret = nil)
 # @param [String] jwks the JSON Web Key Set
 # @param [String] kid If changeMode is DELETE provide the id of key
 # @param [String] changeMode Change mode, possible is ADD, UPDATE, DELETE
+ # @param [String] iss Issuer in case of federation JWT trust
+ # @param [String] sub Subject in case of federation JWT trust
+ # @param [String] aud Audience in case of federation JWT trust
 # @return [Hash] success message from server
- def change_clientjwt(client_id, jwks_uri = nil, jwks = nil, kid = nil, changeMode = nil)
+ def change_clientjwt(client_id, jwks_uri = nil, jwks = nil, kid = nil, changeMode = nil, iss = nil, sub = nil, aud = nil)
 req = {"client_id" => client_id }
 req["jwks_uri"] = jwks_uri if jwks_uri
 req["jwks"] = jwks if jwks
 req["kid"] = kid if kid
 req["changeMode"] = changeMode if changeMode
+ req["iss"] = iss if iss
+ req["sub"] = sub if sub
+ req["aud"] = aud if aud
 json_parse_reply(@key_style, *json_put(@target, "#{type_info(:client, :path)}/#{Addressable::URI.encode(client_id)}/clientjwt", req, headers))
 end
 
diff --git a/spec/scim_spec.rb b/spec/scim_spec.rb
index 26b1e26..b967846 100644
--- a/spec/scim_spec.rb
+++ b/spec/scim_spec.rb
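Review bot: The three new trust parameters `iss`, `sub` and `aud` land as the 6th to 8th optional positionals of `change_clientjwt`, all Strings, so a caller that wants only federated trust has to write `change_clientjwt(id, nil, nil, nil, 'ADD', issuer, subject, audience)`, and a swapped `sub`/`aud` goes to the server without any local error. Since these values presumably decide which externally issued JWTs are accepted as this client's credential, an ordering slip is a trust-configuration mistake rather than a cosmetic one; accepting the new values as keyword arguments (`iss: nil, sub: nil, aud: nil`) would keep the existing five positionals compatible and make every call self-describing. The new `@param` lines could also say what the values are matched against, e.g. `# @param [String] iss Issuer (iss claim) the federated client JWT must carry` and likewise for `sub` and `aud`, instead of the generic "in case of federation JWT trust".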
@@ -184,6 +184,18 @@ def check_headers(headers, content, accept, zone)
 result['id'].should == 'id12345'
 end
 
+ it "add federated client's jwt trust using issuer, subject and audience" do
+ subject.set_request_handler do |url, method, body, headers|
+ url.should == "#{@target}/oauth/clients/id12345/clientjwt"
+ method.should == :put
+ check_headers(headers, :json, :json, nil)
+ body.should include('"iss":"issuer"', '"sub":"subject"', '"aud":"audience"')
+ [200, '{"id":"id12345"}', {'content-type' => 'application/json'}]
+ end
+ result = subject.change_clientjwt('id12345', jwks_uri=nil, jwks=nil, kid=nil, changemod='ADD', iss='issuer', sub='subject', aud='audience')
+ result['id'].should == 'id12345'
+ end
+
 it 'unlocks a user' do
 subject.set_request_handler do |url, method, body, headers|
 url.should == "#{@target}/Users/id12345/status"
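Review bot: In the new example, `jwks_uri=nil, jwks=nil, kid=nil, changemod='ADD', iss='issuer', ...` inside the `change_clientjwt` call are Ruby local-variable assignments, not keyword arguments: the values are still passed positionally, which is why the misspelled `changemod` does not fail, and the names would not protect the test if the parameter order ever changed. Plain positionals read honestly, `result = subject.change_clientjwt('id12345', nil, nil, nil, 'ADD', 'issuer', 'subject', 'audience')`, and the `body.should include(...)` assertion could additionally check `'"changeMode":"ADD"'` so the example pins the whole trust payload it claims to exercise. The example group enclosing this `it` block starts before and ends after the hunk.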