We use this guide to create a custom grant type for our CIBA use case, but we found a potential problem in enriching the token context.
```java
// Build the token context for the custom grant and hand it to the configured generator
OAuth2TokenContext tokenContext = DefaultOAuth2TokenContext.builder()
        .registeredClient(registeredClient)
        .principal(principal)
        .authorizationServerContext(AuthorizationServerContextHolder.getContext())
        .tokenType(OAuth2TokenType.ACCESS_TOKEN)
        .authorizationGrantType(token.getGrantType())
        .authorizationGrant(token)
        .put("custom-claim", "custom-claim") // expected to end up as a claim in the token
        .build();
OAuth2Token generatedAccessToken = this.tokenGenerator.generate(tokenContext);
```
As you can see in the snippet above, we are creating a token context from DefaultOAuth2TokenContext and we use put() to add a custom claim, which we assumed the token would be enriched with, but unfortunately it is not. We looked at the code of JwtGenerator and OAuth2AccessTokenGenerator, where the DefaultOAuth2TokenContext's put() method is not respected.
We of course know that custom claims can be added with this guide, but instead of dealing with it as a bean we thought of adding it in one place. Can this be addressed in your coming releases, or please correct us if we are using the put() method wrongly?
Comment From: jgrandja
@kpur-sbab
> we use the put() to add a custom claim which we assumed that the token will be enriched
OAuth2TokenContext is not intended to hold individual claims. If you need to customize the claims then you should use an OAuth2TokenCustomizer or a custom OAuth2TokenGenerator.
I'll go ahead and close this.
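The pattern jgrandja points to, as an added example that is not part of the issue or of Spring Authorization Server itself: the custom grant's provider keeps using `put()` to stash data in the context, and an `OAuth2TokenCustomizer<JwtEncodingContext>` bean reads it back and turns it into claims, restricted to access tokens of that one grant. The grant-type URI, the context key name and the 1.x package for `OAuth2TokenType` are assumptions.

```java
import java.util.Map;
import java.util.Set;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.oauth2.core.AuthorizationGrantType;
import org.springframework.security.oauth2.server.authorization.OAuth2TokenType;
import org.springframework.security.oauth2.server.authorization.token.JwtEncodingContext;
import org.springframework.security.oauth2.server.authorization.token.OAuth2TokenCustomizer;

@Configuration
public class CibaTokenClaimsConfig {

    // Assumed grant type URI for the custom CIBA grant (not taken from the issue).
    static final AuthorizationGrantType CIBA =
            new AuthorizationGrantType("urn:openid:params:grant-type:ciba");

    // Assumed key under which the grant's AuthenticationProvider stores extra claims:
    //   DefaultOAuth2TokenContext.builder()...put(CUSTOM_CLAIMS_KEY, Map.of("custom-claim", "value"))
    static final String CUSTOM_CLAIMS_KEY = "ciba.custom-claims";

    // Standard/registered claims that grant-supplied data must never overwrite.
    private static final Set<String> RESERVED =
            Set.of("iss", "sub", "aud", "exp", "nbf", "iat", "jti", "scope", "client_id");

    @Bean
    public OAuth2TokenCustomizer<JwtEncodingContext> cibaClaimsCustomizer() {
        return context -> {
            // Only touch access tokens issued through the custom grant; leave id_token,
            // refresh tokens and other grants' tokens untouched.
            if (!OAuth2TokenType.ACCESS_TOKEN.equals(context.getTokenType())
                    || !CIBA.equals(context.getAuthorizationGrantType())) {
                return;
            }
            // put() attributes are not copied into claims by JwtGenerator; this customizer
            // is the place where they are read back from the context.
            Map<String, Object> extra = context.get(CUSTOM_CLAIMS_KEY);
            if (extra == null) {
                return;
            }
            extra.forEach((name, value) -> {
                if (!RESERVED.contains(name)) {
                    context.getClaims().claim(name, value);
                }
            });
        };
    }
}
```

Because `JwtGenerator` invokes the customizer for every JWT it produces, the grant-type and token-type checks are what keep the CIBA-specific claims out of id_tokens and out of tokens from the standard grants.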