Made token and token_refresh endpoint return requested claims.

2017-12-14 18:03:15 +01:00 · 2017-12-14 18:03:15 +01:00 · 8c736b8b08
parent 65c6cc6fec
commit 8c736b8b08
6 changed files with 23 additions and 10 deletions
--- a/oidc_provider/lib/claims.py
+++ b/oidc_provider/lib/claims.py
@ -16,12 +16,11 @@ STANDARD_CLAIMS = {

 class ScopeClaims(object):

-    def __init__(self, token):
-        self.user = token.user
+    def __init__(self, user, scope):
+        self.user = user
        claims = copy.deepcopy(STANDARD_CLAIMS)
        self.userinfo = settings.get('OIDC_USERINFO', import_str=True)(claims, self.user)
-        self.scopes = token.scope
-        self.client = token.client
+        self.scopes = scope

    def create_response_dic(self):
        """
--- a/oidc_provider/lib/utils/token.py
+++ b/oidc_provider/lib/utils/token.py
@ -10,6 +10,7 @@ from jwkest.jws import JWS
 from jwkest.jwt import JWT

 from oidc_provider.lib.utils.common import get_issuer
+from oidc_provider.lib.claims import StandardScopeClaims
 from oidc_provider.models import (
    Code,
    RSAKey,
@ -52,8 +53,13 @@ def create_id_token(user, aud, nonce='', at_hash='', request=None, scope=None):
    if at_hash:
        dic['at_hash'] = at_hash

-    if ('email' in scope) and getattr(user, 'email', None):
-        dic['email'] = user.email
+    if settings.get('OIDC_EXTRA_SCOPE_CLAIMS'):
+        custom_claims = settings.get('OIDC_EXTRA_SCOPE_CLAIMS', import_str=True)(user, scope)
+        claims = custom_claims.create_response_dic()
+    else:
+        claims = StandardScopeClaims(user=user, scope=scope).create_response_dic()
+
+    dic.update(claims)  # modifies dic, adding all requested claims

    processing_hook = settings.get('OIDC_IDTOKEN_PROCESSING_HOOK')

--- a/oidc_provider/tests/app/utils.py
+++ b/oidc_provider/tests/app/utils.py
@ -96,6 +96,7 @@ def userinfo(claims, user):
    claims['family_name'] = 'Doe'
    claims['name'] = '{0} {1}'.format(claims['given_name'], claims['family_name'])
    claims['email'] = user.email
+    claims['email_verified'] = True
    claims['address']['country'] = 'Argentina'
    return claims

--- a/oidc_provider/tests/test_claims.py
+++ b/oidc_provider/tests/test_claims.py
@ -15,7 +15,7 @@ class ClaimsTestCase(TestCase):
        self.scopes = ['openid', 'address', 'email', 'phone', 'profile']
        self.client = create_fake_client('code')
        self.token = create_fake_token(self.user, self.scopes, self.client)
-        self.scopeClaims = ScopeClaims(self.token)
+        self.scopeClaims = ScopeClaims(self.token.user, self.token.scope)

    def test_empty_standard_claims(self):
        for v in [v for k, v in STANDARD_CLAIMS.items() if k != 'address']:
--- a/oidc_provider/tests/test_token_endpoint.py
+++ b/oidc_provider/tests/test_token_endpoint.py
@ -300,13 +300,14 @@ class TokenTestCase(TestCase):
    def test_scope_is_ignored_for_auth_code(self):
        """
        Scope is ignored for token respones to auth code grant type.
+        This comes down to that the scopes requested in authorize are returned.
        """
        SIGKEYS = self._get_keys()
-        for code_scope in [['openid'], ['openid', 'email']]:
+        for code_scope in [['openid'], ['openid', 'email'], ['openid', 'profile']]:
            code = self._create_code(code_scope)

            post_data = self._auth_code_post_data(
-                code=code.code, scope=['openid', 'profile'])
+                code=code.code, scope=code_scope)

            response = self._post_request(post_data)
            response_dic = json.loads(response.content.decode('utf-8'))
@ -317,9 +318,15 @@ class TokenTestCase(TestCase):

            if 'email' in code_scope:
                self.assertIn('email', id_token)
+                self.assertIn('email_verified', id_token)
            else:
                self.assertNotIn('email', id_token)

+            if 'profile' in code_scope:
+                self.assertIn('given_name', id_token)
+            else:
+                self.assertNotIn('given_name', id_token)
+
    def test_refresh_token(self):
        """
        A request to the Token Endpoint can also use a Refresh Token
--- a/oidc_provider/views.py
+++ b/oidc_provider/views.py
@ -234,7 +234,7 @@ def userinfo(request, *args, **kwargs):
        'sub': token.id_token.get('sub'),
    }

-    standard_claims = StandardScopeClaims(token)
+    standard_claims = StandardScopeClaims(user=token.user, scope=token.scope)
    dic.update(standard_claims.create_response_dic())

    if settings.get('OIDC_EXTRA_SCOPE_CLAIMS'):