feat: allow clientAssertionPayload to overwrite default payload

This allows a developer to get around various IdP quirks when using _jwt authentication methods.
panva · Sep 6, 2019 · 28c8964 · 28c8964
1 parent 82855a5
commit 28c8964
Showing 1 changed file with 2 additions and 2 deletions.
diff --git a/lib/helpers/client.js b/lib/helpers/client.js
@@ -67,13 +67,13 @@ async function authFor(endpoint, { clientAssertionPayload } = {}) {
     case 'client_secret_jwt': {
       const timestamp = now();
       const assertion = await clientAssertion.call(this, endpoint, {
-        ...clientAssertionPayload,
         iat: timestamp,
         exp: timestamp + 60,
         jti: random(),
         iss: this.client_id,
         sub: this.client_id,
-        aud: this.issuer[`${endpoint}_endpoint`], // TODO: pass the issuer instead
+        aud: this.issuer[`${endpoint}_endpoint`], // TODO: in v4.x pass the issuer instead (for now clientAssertionPayload can be used for that)
+        ...clientAssertionPayload,
       });
 
       return {