2016-09-19 21:05:29 +00:00
.. _scopesclaims:
2016-02-11 20:24:34 +00:00
2016-09-19 21:05:29 +00:00
Scopes and Claims
#################
2016-02-11 20:24:34 +00:00
This subset of OpenID Connect defines a set of standard Claims. They are returned in the UserInfo Response.
2016-09-19 20:38:17 +00:00
The package comes with a setting called `` OIDC_USERINFO `` , basically it refers to a function that will be called with `` claims `` (dict) and `` user `` (user instance). It returns the `` claims `` dict with all the claims populated.
2016-02-11 20:24:34 +00:00
2016-09-19 20:38:17 +00:00
List of all the `` claims `` keys grouped by scopes:
2016-02-11 20:24:34 +00:00
+--------------------+----------------+-----------------------+------------------------+
| profile | email | phone | address |
+====================+================+=======================+========================+
2016-07-07 15:50:27 +00:00
| name | email | phone_number | formatted |
2016-02-11 20:24:34 +00:00
+--------------------+----------------+-----------------------+------------------------+
2016-07-07 15:50:27 +00:00
| given_name | email_verified | phone_number_verified | street_address |
2016-02-11 20:24:34 +00:00
+--------------------+----------------+-----------------------+------------------------+
2016-07-07 15:50:27 +00:00
| family_name | | | locality |
2016-02-11 20:24:34 +00:00
+--------------------+----------------+-----------------------+------------------------+
2016-07-07 15:50:27 +00:00
| middle_name | | | region |
2016-02-11 20:24:34 +00:00
+--------------------+----------------+-----------------------+------------------------+
2016-07-07 15:50:27 +00:00
| nickname | | | postal_code |
2016-02-11 20:24:34 +00:00
+--------------------+----------------+-----------------------+------------------------+
2016-07-07 15:50:27 +00:00
| preferred_username | | | country |
2016-02-11 20:24:34 +00:00
+--------------------+----------------+-----------------------+------------------------+
| profile | | | |
+--------------------+----------------+-----------------------+------------------------+
| picture | | | |
+--------------------+----------------+-----------------------+------------------------+
| website | | | |
+--------------------+----------------+-----------------------+------------------------+
| gender | | | |
+--------------------+----------------+-----------------------+------------------------+
| birthdate | | | |
+--------------------+----------------+-----------------------+------------------------+
| zoneinfo | | | |
+--------------------+----------------+-----------------------+------------------------+
| locale | | | |
+--------------------+----------------+-----------------------+------------------------+
| updated_at | | | |
+--------------------+----------------+-----------------------+------------------------+
2016-09-19 21:05:29 +00:00
How to populate standard claims
===============================
2016-09-19 20:38:17 +00:00
2016-07-07 15:50:27 +00:00
Somewhere in your Django `` settings.py `` ::
2016-02-11 20:24:34 +00:00
2016-07-07 15:50:27 +00:00
OIDC_USERINFO = 'myproject.oidc_provider_settings.userinfo'
2016-02-11 20:24:34 +00:00
2016-09-19 20:38:17 +00:00
Then inside your `` oidc_provider_settings.py `` file create the function for the `` OIDC_USERINFO `` setting::
2016-02-11 20:24:34 +00:00
2016-07-07 15:50:27 +00:00
def userinfo(claims, user):
2016-09-19 20:38:17 +00:00
# Populate claims dict.
2016-07-07 15:50:27 +00:00
claims['name'] = '{0} {1}'.format(user.first_name, user.last_name)
claims['given_name'] = user.first_name
claims['family_name'] = user.last_name
claims['email'] = user.email
claims['address']['street_address'] = '...'
2016-02-11 20:24:34 +00:00
2016-07-07 15:50:27 +00:00
return claims
2016-02-11 20:24:34 +00:00
2016-09-19 20:38:17 +00:00
Now test an Authorization Request using these scopes `` openid profile email `` and see how user attributes are returned.
2016-07-07 15:50:27 +00:00
.. note ::
Please **DO NOT** add extra keys or delete the existing ones in the `` claims `` dict. If you want to add extra claims to some scopes you can use the `` OIDC_EXTRA_SCOPE_CLAIMS `` setting.
2016-09-19 21:05:29 +00:00
How to add custom scopes and claims
===================================
The `` OIDC_EXTRA_SCOPE_CLAIMS `` setting is used to add extra scopes specific for your app. Is just a class that inherit from `` oidc_provider.lib.claims.ScopeClaims `` . You can create or modify scopes by adding this methods into it:
* `` info_scopename `` class property for setting the verbose name and description.
* `` scope_scopename `` method for returning some information related.
Let's say that you want add your custom `` foo `` scope for your OAuth2/OpenID provider. So when a client (RP) makes an Authorization Request containing `` foo `` in the list of scopes, it will be listed in the consent page (`` templates/oidc_provider/authorize.html `` ) and then some specific claims like `` bar `` will be returned from the `` /userinfo `` response.
Somewhere in your Django `` settings.py `` ::
OIDC_USERINFO = 'yourproject.oidc_provider_settings.CustomScopeClaims'
Inside your oidc_provider_settings.py file add the following class::
from django.utils.translation import ugettext as _
from oidc_provider.lib.claims import ScopeClaims
class CustomScopeClaims(ScopeClaims):
info_foo = (
_(u'Foo'),
_(u'Some description for the scope.'),
)
def scope_foo(self):
# self.user - Django user instance.
# self.userinfo - Dict returned by OIDC_USERINFO function.
# self.scopes - List of scopes requested.
dic = {
'bar': 'Something dynamic here',
}
return dic
# If you want to change the description of the profile scope, you can redefine it.
info_profile = (
_(u'Profile'),
_(u'Another description.'),
)
.. note ::
If a field is empty or `` None `` inside the dictionary your return on `` scope_scopename `` method, it will be cleaned from the response.