From 8c736b8b08a097d7974906473a11978911750061 Mon Sep 17 00:00:00 2001 From: dhrp Date: Thu, 14 Dec 2017 18:03:15 +0100 Subject: [PATCH 1/2] Made token and token_refresh endpoint return requested claims. --- oidc_provider/lib/claims.py | 7 +++---- oidc_provider/lib/utils/token.py | 10 ++++++++-- oidc_provider/tests/app/utils.py | 1 + oidc_provider/tests/test_claims.py | 2 +- oidc_provider/tests/test_token_endpoint.py | 11 +++++++++-- oidc_provider/views.py | 2 +- 6 files changed, 23 insertions(+), 10 deletions(-) diff --git a/oidc_provider/lib/claims.py b/oidc_provider/lib/claims.py index d4af2ad..d5a0947 100644 --- a/oidc_provider/lib/claims.py +++ b/oidc_provider/lib/claims.py @@ -16,12 +16,11 @@ STANDARD_CLAIMS = { class ScopeClaims(object): - def __init__(self, token): - self.user = token.user + def __init__(self, user, scope): + self.user = user claims = copy.deepcopy(STANDARD_CLAIMS) self.userinfo = settings.get('OIDC_USERINFO', import_str=True)(claims, self.user) - self.scopes = token.scope - self.client = token.client + self.scopes = scope def create_response_dic(self): """ diff --git a/oidc_provider/lib/utils/token.py b/oidc_provider/lib/utils/token.py index 80868db..8700a4f 100644 --- a/oidc_provider/lib/utils/token.py +++ b/oidc_provider/lib/utils/token.py @@ -10,6 +10,7 @@ from jwkest.jws import JWS from jwkest.jwt import JWT from oidc_provider.lib.utils.common import get_issuer +from oidc_provider.lib.claims import StandardScopeClaims from oidc_provider.models import ( Code, RSAKey, @@ -52,8 +53,13 @@ def create_id_token(user, aud, nonce='', at_hash='', request=None, scope=None): if at_hash: dic['at_hash'] = at_hash - if ('email' in scope) and getattr(user, 'email', None): - dic['email'] = user.email + if settings.get('OIDC_EXTRA_SCOPE_CLAIMS'): + custom_claims = settings.get('OIDC_EXTRA_SCOPE_CLAIMS', import_str=True)(user, scope) + claims = custom_claims.create_response_dic() + else: + claims = StandardScopeClaims(user=user, scope=scope).create_response_dic() + + dic.update(claims) # modifies dic, adding all requested claims processing_hook = settings.get('OIDC_IDTOKEN_PROCESSING_HOOK') diff --git a/oidc_provider/tests/app/utils.py b/oidc_provider/tests/app/utils.py index 4f824ec..98b4d6b 100644 --- a/oidc_provider/tests/app/utils.py +++ b/oidc_provider/tests/app/utils.py @@ -96,6 +96,7 @@ def userinfo(claims, user): claims['family_name'] = 'Doe' claims['name'] = '{0} {1}'.format(claims['given_name'], claims['family_name']) claims['email'] = user.email + claims['email_verified'] = True claims['address']['country'] = 'Argentina' return claims diff --git a/oidc_provider/tests/test_claims.py b/oidc_provider/tests/test_claims.py index c1ac794..f209990 100644 --- a/oidc_provider/tests/test_claims.py +++ b/oidc_provider/tests/test_claims.py @@ -15,7 +15,7 @@ class ClaimsTestCase(TestCase): self.scopes = ['openid', 'address', 'email', 'phone', 'profile'] self.client = create_fake_client('code') self.token = create_fake_token(self.user, self.scopes, self.client) - self.scopeClaims = ScopeClaims(self.token) + self.scopeClaims = ScopeClaims(self.token.user, self.token.scope) def test_empty_standard_claims(self): for v in [v for k, v in STANDARD_CLAIMS.items() if k != 'address']: diff --git a/oidc_provider/tests/test_token_endpoint.py b/oidc_provider/tests/test_token_endpoint.py index 49b7598..a151e1a 100644 --- a/oidc_provider/tests/test_token_endpoint.py +++ b/oidc_provider/tests/test_token_endpoint.py @@ -300,13 +300,14 @@ class TokenTestCase(TestCase): def test_scope_is_ignored_for_auth_code(self): """ Scope is ignored for token respones to auth code grant type. + This comes down to that the scopes requested in authorize are returned. """ SIGKEYS = self._get_keys() - for code_scope in [['openid'], ['openid', 'email']]: + for code_scope in [['openid'], ['openid', 'email'], ['openid', 'profile']]: code = self._create_code(code_scope) post_data = self._auth_code_post_data( - code=code.code, scope=['openid', 'profile']) + code=code.code, scope=code_scope) response = self._post_request(post_data) response_dic = json.loads(response.content.decode('utf-8')) @@ -317,9 +318,15 @@ class TokenTestCase(TestCase): if 'email' in code_scope: self.assertIn('email', id_token) + self.assertIn('email_verified', id_token) else: self.assertNotIn('email', id_token) + if 'profile' in code_scope: + self.assertIn('given_name', id_token) + else: + self.assertNotIn('given_name', id_token) + def test_refresh_token(self): """ A request to the Token Endpoint can also use a Refresh Token diff --git a/oidc_provider/views.py b/oidc_provider/views.py index 72d941e..eea9729 100644 --- a/oidc_provider/views.py +++ b/oidc_provider/views.py @@ -234,7 +234,7 @@ def userinfo(request, *args, **kwargs): 'sub': token.id_token.get('sub'), } - standard_claims = StandardScopeClaims(token) + standard_claims = StandardScopeClaims(user=token.user, scope=token.scope) dic.update(standard_claims.create_response_dic()) if settings.get('OIDC_EXTRA_SCOPE_CLAIMS'): From 900cc9e5dfd8e759a9aa895c96826b4656a0ced5 Mon Sep 17 00:00:00 2001 From: dhrp Date: Fri, 15 Dec 2017 09:29:49 +0100 Subject: [PATCH 2/2] Now passing along the token to create_id_token function. --- oidc_provider/lib/claims.py | 7 ++++--- oidc_provider/lib/endpoints/authorize.py | 1 + oidc_provider/lib/endpoints/token.py | 3 +++ oidc_provider/lib/utils/token.py | 6 +++--- oidc_provider/tests/test_claims.py | 2 +- oidc_provider/tests/test_end_session_endpoint.py | 7 +++++-- oidc_provider/tests/test_userinfo_endpoint.py | 12 +++++++----- oidc_provider/tests/test_utils.py | 8 +++++--- oidc_provider/views.py | 2 +- 9 files changed, 30 insertions(+), 18 deletions(-) diff --git a/oidc_provider/lib/claims.py b/oidc_provider/lib/claims.py index d5a0947..d4af2ad 100644 --- a/oidc_provider/lib/claims.py +++ b/oidc_provider/lib/claims.py @@ -16,11 +16,12 @@ STANDARD_CLAIMS = { class ScopeClaims(object): - def __init__(self, user, scope): - self.user = user + def __init__(self, token): + self.user = token.user claims = copy.deepcopy(STANDARD_CLAIMS) self.userinfo = settings.get('OIDC_USERINFO', import_str=True)(claims, self.user) - self.scopes = scope + self.scopes = token.scope + self.client = token.client def create_response_dic(self): """ diff --git a/oidc_provider/lib/endpoints/authorize.py b/oidc_provider/lib/endpoints/authorize.py index 3313bd6..3c8e908 100644 --- a/oidc_provider/lib/endpoints/authorize.py +++ b/oidc_provider/lib/endpoints/authorize.py @@ -155,6 +155,7 @@ class AuthorizeEndpoint(object): kwargs = { 'user': self.request.user, 'aud': self.client.client_id, + 'token': token, 'nonce': self.params['nonce'], 'request': self.request, 'scope': self.params['scope'], diff --git a/oidc_provider/lib/endpoints/token.py b/oidc_provider/lib/endpoints/token.py index 5a6b0af..7962bd6 100644 --- a/oidc_provider/lib/endpoints/token.py +++ b/oidc_provider/lib/endpoints/token.py @@ -164,6 +164,7 @@ class TokenEndpoint(object): id_token_dic = create_id_token( user=self.user, aud=self.client.client_id, + token=token, nonce='self.code.nonce', at_hash=token.at_hash, request=self.request, @@ -193,6 +194,7 @@ class TokenEndpoint(object): id_token_dic = create_id_token( user=self.code.user, aud=self.client.client_id, + token=token, nonce=self.code.nonce, at_hash=token.at_hash, request=self.request, @@ -237,6 +239,7 @@ class TokenEndpoint(object): id_token_dic = create_id_token( user=self.token.user, aud=self.client.client_id, + token=token, nonce=None, at_hash=token.at_hash, request=self.request, diff --git a/oidc_provider/lib/utils/token.py b/oidc_provider/lib/utils/token.py index 8700a4f..600f2c2 100644 --- a/oidc_provider/lib/utils/token.py +++ b/oidc_provider/lib/utils/token.py @@ -19,7 +19,7 @@ from oidc_provider.models import ( from oidc_provider import settings -def create_id_token(user, aud, nonce='', at_hash='', request=None, scope=None): +def create_id_token(user, aud, token, nonce='', at_hash='', request=None, scope=None): """ Creates the id_token dictionary. See: http://openid.net/specs/openid-connect-core-1_0.html#IDToken @@ -54,10 +54,10 @@ def create_id_token(user, aud, nonce='', at_hash='', request=None, scope=None): dic['at_hash'] = at_hash if settings.get('OIDC_EXTRA_SCOPE_CLAIMS'): - custom_claims = settings.get('OIDC_EXTRA_SCOPE_CLAIMS', import_str=True)(user, scope) + custom_claims = settings.get('OIDC_EXTRA_SCOPE_CLAIMS', import_str=True)(token) claims = custom_claims.create_response_dic() else: - claims = StandardScopeClaims(user=user, scope=scope).create_response_dic() + claims = StandardScopeClaims(token).create_response_dic() dic.update(claims) # modifies dic, adding all requested claims diff --git a/oidc_provider/tests/test_claims.py b/oidc_provider/tests/test_claims.py index f209990..c1ac794 100644 --- a/oidc_provider/tests/test_claims.py +++ b/oidc_provider/tests/test_claims.py @@ -15,7 +15,7 @@ class ClaimsTestCase(TestCase): self.scopes = ['openid', 'address', 'email', 'phone', 'profile'] self.client = create_fake_client('code') self.token = create_fake_token(self.user, self.scopes, self.client) - self.scopeClaims = ScopeClaims(self.token.user, self.token.scope) + self.scopeClaims = ScopeClaims(self.token) def test_empty_standard_claims(self): for v in [v for k, v in STANDARD_CLAIMS.items() if k != 'address']: diff --git a/oidc_provider/tests/test_end_session_endpoint.py b/oidc_provider/tests/test_end_session_endpoint.py index 636af8b..586a00c 100644 --- a/oidc_provider/tests/test_end_session_endpoint.py +++ b/oidc_provider/tests/test_end_session_endpoint.py @@ -3,6 +3,7 @@ from django.core.urlresolvers import reverse from django.test import TestCase from oidc_provider.lib.utils.token import ( + create_token, create_id_token, encode_id_token, ) @@ -41,8 +42,9 @@ class EndSessionTestCase(TestCase): response, settings.get('OIDC_LOGIN_URL'), fetch_redirect_response=False) + token = create_token(self.user, self.oidc_client, []) id_token_dic = create_id_token( - user=self.user, aud=self.oidc_client.client_id) + user=self.user, aud=self.oidc_client.client_id, token=token) id_token = encode_id_token(id_token_dic, self.oidc_client) query_params['id_token_hint'] = id_token @@ -56,8 +58,9 @@ class EndSessionTestCase(TestCase): query_params = { 'post_logout_redirect_uri': self.LOGOUT_URL, } + token = create_token(self.user, self.oidc_client, []) id_token_dic = create_id_token( - user=self.user, aud=self.oidc_client.client_id) + user=self.user, aud=self.oidc_client.client_id, token=token) id_token_dic['aud'] = [id_token_dic['aud']] id_token = encode_id_token(id_token_dic, self.oidc_client) query_params['id_token_hint'] = id_token diff --git a/oidc_provider/tests/test_userinfo_endpoint.py b/oidc_provider/tests/test_userinfo_endpoint.py index 8ac52c7..62ead94 100644 --- a/oidc_provider/tests/test_userinfo_endpoint.py +++ b/oidc_provider/tests/test_userinfo_endpoint.py @@ -38,18 +38,20 @@ class UserInfoTestCase(TestCase): extra_scope = [] scope = ['openid', 'email'] + extra_scope + token = create_token( + user=self.user, + client=self.client, + scope=scope) + id_token_dic = create_id_token( user=self.user, aud=self.client.client_id, + token=token, nonce=FAKE_NONCE, scope=scope, ) - token = create_token( - user=self.user, - client=self.client, - id_token_dic=id_token_dic, - scope=scope) + token.id_token=id_token_dic token.save() return token diff --git a/oidc_provider/tests/test_utils.py b/oidc_provider/tests/test_utils.py index b09ff46..dd65cd6 100644 --- a/oidc_provider/tests/test_utils.py +++ b/oidc_provider/tests/test_utils.py @@ -8,8 +8,8 @@ from django.utils import timezone from mock import mock from oidc_provider.lib.utils.common import get_issuer, get_browser_state_or_default -from oidc_provider.lib.utils.token import create_id_token -from oidc_provider.tests.app.utils import create_fake_user +from oidc_provider.lib.utils.token import create_token, create_id_token +from oidc_provider.tests.app.utils import create_fake_user, create_fake_client class Request(object): @@ -67,7 +67,9 @@ class TokenTest(TestCase): start_time = int(time.time()) login_timestamp = start_time - 1234 self.user.last_login = timestamp_to_datetime(login_timestamp) - id_token_data = create_id_token(self.user, aud='test-aud') + client = create_fake_client("code") + token = create_token(self.user, client, []) + id_token_data = create_id_token(self.user, aud='test-aud', token=token) iat = id_token_data['iat'] self.assertEqual(type(iat), int) self.assertGreaterEqual(iat, start_time) diff --git a/oidc_provider/views.py b/oidc_provider/views.py index eea9729..72d941e 100644 --- a/oidc_provider/views.py +++ b/oidc_provider/views.py @@ -234,7 +234,7 @@ def userinfo(request, *args, **kwargs): 'sub': token.id_token.get('sub'), } - standard_claims = StandardScopeClaims(user=token.user, scope=token.scope) + standard_claims = StandardScopeClaims(token) dic.update(standard_claims.create_response_dic()) if settings.get('OIDC_EXTRA_SCOPE_CLAIMS'):