From 7a82c352fd790d66c932e2f8dae842e232dc10ae Mon Sep 17 00:00:00 2001
From: juanifioren
Date: Thu, 7 May 2015 16:12:45 -0300
Subject: [PATCH] Add scope validation in userinfo endpoint.

---
 oidc_provider/lib/endpoints/userinfo.py | 8 +++-----
 1 file changed, 3 insertions(+), 5 deletions(-)

diff --git a/oidc_provider/lib/endpoints/userinfo.py b/oidc_provider/lib/endpoints/userinfo.py
index 61e10e5..3be9d6d 100644
--- a/oidc_provider/lib/endpoints/userinfo.py
+++ b/oidc_provider/lib/endpoints/userinfo.py
@@ -13,13 +13,11 @@ from oidc_provider import settings
 class UserInfoEndpoint(object):
 
     def __init__(self, request):
-
         self.request = request
         self.params = Params()
         self._extract_params()
 
     def _extract_params(self):
-
         # TODO: Maybe add other ways of passing access token
         # http://tools.ietf.org/html/rfc6750#section-2
         self.params.access_token = self._get_access_token()
@@ -41,13 +39,15 @@ class UserInfoEndpoint(object):
         return access_token
 
     def validate_params(self):
-
         try:
             self.token = Token.objects.get(access_token=self.params.access_token)
 
             if self.token.has_expired():
                 raise UserInfoError('invalid_token')
 
+            if not ('openid' in self.token.scope):
+                raise UserInfoError('insufficient_scope')
+
         except Token.DoesNotExist:
             raise UserInfoError('invalid_token')
 
@@ -75,7 +75,6 @@ class UserInfoEndpoint(object):
 
     @classmethod
     def response(cls, dic):
-
         response = JsonResponse(dic, status=200)
         response['Cache-Control'] = 'no-store'
         response['Pragma'] = 'no-cache'
@@ -84,7 +83,6 @@ class UserInfoEndpoint(object):
 
     @classmethod
     def error_response(cls, code, description, status):
-
         response = HttpResponse(status=status)
         response['WWW-Authenticate'] = 'error="{0}", error_description="{1}"'.format(code, description)
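Review bot: The new check in validate_params, `if not ('openid' in self.token.scope):`, is a substring test if `scope` is stored as a space-separated string rather than a list, so a value such as `openidfoo` would satisfy it; the membership should be against the individual scope values, e.g. `if 'openid' not in self.token.scope.split():` when it is a string, or simply `if 'openid' not in self.token.scope:` when it is already a list (the field's type is not visible in this hunk). Either way the `not (... in ...)` form reads better as `'openid' not in self.token.scope`. The `insufficient_scope` error is raised inside a `try` that only catches `Token.DoesNotExist`, so it propagates as intended, but RFC 6750 pairs that error code with a 403 status and a `scope` attribute in the `WWW-Authenticate` challenge, and the caller that maps the code to a status lies outside this hunk and is worth confirming. validate_params may continue past the end of the hunk.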