/**
  * {@inheritdoc}
  */
 public function handle(AccessTokenInterface $access_token)
 {
     $this->checkScope($access_token->getScope());
     $this->checkHasRedirectUri($access_token);
     $client = $this->getClient($access_token);
     $user = $this->getUserAccount($access_token);
     $endpoint_claims = $this->getEndpointClaims($access_token);
     $claims = $this->getUserinfo()->getUserinfo($client, $user, $access_token->getMetadata('redirect_uri'), $access_token->hasMetadata('claims_locales') ? $access_token->getMetadata('claims_locales') : null, $endpoint_claims, $access_token->getScope());
     if (true === $this->isSignedResponsesSupportEnabled()) {
         $claims = array_merge($claims, ['jti' => Base64Url::encode(random_bytes(25)), 'iss' => $this->getIssuer(), 'aud' => [$this->getIssuer(), $client->getPublicId()], 'iat' => time(), 'nbf' => time(), 'exp' => $access_token->getExpiresAt()]);
         return $this->signAndEncrypt($claims, $client);
     }
     return $claims;
 }
 /**
  * @param \OAuth2\Token\AccessTokenInterface  $access_token
  * @param \OAuth2\Client\ClientInterface|null $resource_server
  *
  * @return array
  */
 protected function preparePayload(AccessTokenInterface $access_token, ClientInterface $resource_server = null)
 {
     $aud = [$this->getIssuer()];
     if (null !== $resource_server) {
         $access_token[] = $resource_server->getPublicId();
     }
     $payload = ['jti' => Base64Url::encode(random_bytes(25)), 'iss' => $this->getIssuer(), 'aud' => $aud, 'iat' => time(), 'nbf' => time(), 'exp' => $access_token->getExpiresAt(), 'sub' => $access_token->getClientPublicId(), 'token_type' => $access_token->getTokenTypeParameter('token_type'), 'scp' => $access_token->getScope(), 'resource_owner' => $access_token->getResourceOwnerPublicId(), 'user_account' => $access_token->getUserAccountPublicId()];
     $payload['metadatas'] = $access_token->getMetadatas();
     if (0 !== ($expires_at = $access_token->getExpiresAt())) {
         $payload['exp'] = $expires_at;
     }
     if (!empty($access_token->getParameters())) {
         $parameters = $access_token->getParameters();
         //This part should be updated to support 'cnf' (confirmation) claim (see POP).
         $payload['other'] = $parameters;
     }
     if (null !== $access_token->getRefreshToken()) {
         $payload['refresh_token'] = $access_token->getRefreshToken();
     }
     return $payload;
 }