From 8c736b8b08a097d7974906473a11978911750061 Mon Sep 17 00:00:00 2001
From: dhrp
Date: Thu, 14 Dec 2017 18:03:15 +0100
Subject: [PATCH] Made token and token_refresh endpoint return requested claims.

---
 oidc_provider/lib/claims.py | 7 +++----
 oidc_provider/lib/utils/token.py | 10 ++++++++--
 oidc_provider/tests/app/utils.py | 1 +
 oidc_provider/tests/test_claims.py | 2 +-
 oidc_provider/tests/test_token_endpoint.py | 11 +++++++++--
 oidc_provider/views.py | 2 +-
 6 files changed, 23 insertions(+), 10 deletions(-)

diff --git a/oidc_provider/lib/claims.py b/oidc_provider/lib/claims.py
index d4af2ad..d5a0947 100644
--- a/oidc_provider/lib/claims.py
+++ b/oidc_provider/lib/claims.py
@@ -16,12 +16,11 @@ STANDARD_CLAIMS = {
 class ScopeClaims(object):
- def __init__(self, token):
- self.user = token.user
+ def __init__(self, user, scope):
+ self.user = user
 claims = copy.deepcopy(STANDARD_CLAIMS)
 self.userinfo = settings.get('OIDC_USERINFO', import_str=True)(claims, self.user)
- self.scopes = token.scope
- self.client = token.client
+ self.scopes = scope
 def create_response_dic(self):
 """
diff --git a/oidc_provider/lib/utils/token.py b/oidc_provider/lib/utils/token.py
index 80868db..8700a4f 100644
--- a/oidc_provider/lib/utils/token.py
+++ b/oidc_provider/lib/utils/token.py
@@ -10,6 +10,7 @@ from jwkest.jws import JWS
 from jwkest.jwt import JWT
 from oidc_provider.lib.utils.common import get_issuer
+from oidc_provider.lib.claims import StandardScopeClaims
 from oidc_provider.models import (
 Code,
 RSAKey,
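Review bot: `ScopeClaims.__init__` drops `self.client` without a replacement, so any project class configured via OIDC_EXTRA_SCOPE_CLAIMS that consulted `self.client` (for per-client claim policy, say) will now raise AttributeError on its first request, and subclasses that override `__init__(self, token)` break at the call sites changed elsewhere in this patch. If the break is intended it belongs in the release notes; otherwise an optional `client=None` parameter would keep such subclasses working. The new constructor also has no docstring; I would add `"""Prepare claims for `user`, limited to the scope names in `scope` (for example token.scope)."""` under the `def` line. The ScopeClaims class body continues past the hunk.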
@@ -52,8 +53,13 @@ def create_id_token(user, aud, nonce='', at_hash='', request=None, scope=None):
 if at_hash:
 dic['at_hash'] = at_hash
- if ('email' in scope) and getattr(user, 'email', None):
- dic['email'] = user.email
+ if settings.get('OIDC_EXTRA_SCOPE_CLAIMS'):
+ custom_claims = settings.get('OIDC_EXTRA_SCOPE_CLAIMS', import_str=True)(user, scope)
+ claims = custom_claims.create_response_dic()
+ else:
+ claims = StandardScopeClaims(user=user, scope=scope).create_response_dic()
+
+ dic.update(claims) # modifies dic, adding all requested claims
 processing_hook = settings.get('OIDC_IDTOKEN_PROCESSING_HOOK')
diff --git a/oidc_provider/tests/app/utils.py b/oidc_provider/tests/app/utils.py
index 4f824ec..98b4d6b 100644
--- a/oidc_provider/tests/app/utils.py
+++ b/oidc_provider/tests/app/utils.py
@@ -96,6 +96,7 @@ def userinfo(claims, user):
 claims['family_name'] = 'Doe'
 claims['name'] = '{0} {1}'.format(claims['given_name'], claims['family_name'])
 claims['email'] = user.email
+ claims['email_verified'] = True
 claims['address']['country'] = 'Argentina'
 return claims
diff --git a/oidc_provider/tests/test_claims.py b/oidc_provider/tests/test_claims.py
index c1ac794..f209990 100644
--- a/oidc_provider/tests/test_claims.py
+++ b/oidc_provider/tests/test_claims.py
@@ -15,7 +15,7 @@ class ClaimsTestCase(TestCase):
 self.scopes = ['openid', 'address', 'email', 'phone', 'profile']
 self.client = create_fake_client('code')
 self.token = create_fake_token(self.user, self.scopes, self.client)
- self.scopeClaims = ScopeClaims(self.token)
+ self.scopeClaims = ScopeClaims(self.token.user, self.token.scope)
 def test_empty_standard_claims(self):
 for v in [v for k, v in STANDARD_CLAIMS.items() if k != 'address']:
diff --git a/oidc_provider/tests/test_token_endpoint.py b/oidc_provider/tests/test_token_endpoint.py
index 49b7598..a151e1a 100644
--- a/oidc_provider/tests/test_token_endpoint.py
+++ b/oidc_provider/tests/test_token_endpoint.py
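Review bot: When OIDC_EXTRA_SCOPE_CLAIMS is configured, the new `if`/`else` puts only the custom claims into the ID token and skips StandardScopeClaims entirely, whereas the userinfo view (views.py hunk below) adds the standard claims first and the extra ones on top, so the two endpoints will disagree on email/profile claims for such deployments. The following `dic.update(claims)` also lets either claims provider overwrite claims already placed in `dic` (at_hash is visible; sub/iss/aud/exp presumably sit above the hunk), so a misbehaving OIDC_USERINFO or extra-claims hook could change the token's subject. I would compute the standard claims unconditionally, merge the extra ones on top, and copy only keys that are not already present in `dic`. `scope` defaults to None in the signature; if create_response_dic iterates it, callers that omit it fail as the old `'email' in scope` did, so `scope or []` is worth considering. create_id_token begins and ends outside the hunk.
```python
    # … unchanged: at_hash handling …
    claims = StandardScopeClaims(user=user, scope=scope).create_response_dic()
    if settings.get('OIDC_EXTRA_SCOPE_CLAIMS'):
        extra_claims = settings.get('OIDC_EXTRA_SCOPE_CLAIMS', import_str=True)(user, scope)
        claims.update(extra_claims.create_response_dic())

    # Never let a claims provider clobber the reserved claims already in dic.
    dic.update({k: v for k, v in claims.items() if k not in dic})

    # … unchanged: processing hook …
```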
@@ -300,13 +300,14 @@ class TokenTestCase(TestCase):
 def test_scope_is_ignored_for_auth_code(self):
 """
 Scope is ignored for token respones to auth code grant type.
+ This comes down to that the scopes requested in authorize are returned.
 """
 SIGKEYS = self._get_keys()
- for code_scope in [['openid'], ['openid', 'email']]:
+ for code_scope in [['openid'], ['openid', 'email'], ['openid', 'profile']]:
 code = self._create_code(code_scope)
 post_data = self._auth_code_post_data(
- code=code.code, scope=['openid', 'profile'])
+ code=code.code, scope=code_scope)
 response = self._post_request(post_data)
 response_dic = json.loads(response.content.decode('utf-8'))
@@ -317,9 +318,15 @@ class TokenTestCase(TestCase):
 if 'email' in code_scope:
 self.assertIn('email', id_token)
+ self.assertIn('email_verified', id_token)
 else:
 self.assertNotIn('email', id_token)
+ if 'profile' in code_scope:
+ self.assertIn('given_name', id_token)
+ else:
+ self.assertNotIn('given_name', id_token)
+
 def test_refresh_token(self):
 """
 A request to the Token Endpoint can also use a Refresh Token
diff --git a/oidc_provider/views.py b/oidc_provider/views.py
index 72d941e..eea9729 100644
--- a/oidc_provider/views.py
+++ b/oidc_provider/views.py
@@ -234,7 +234,7 @@ def userinfo(request, *args, **kwargs):
 'sub': token.id_token.get('sub'),
 }
- standard_claims = StandardScopeClaims(token)
+ standard_claims = StandardScopeClaims(user=token.user, scope=token.scope)
 dic.update(standard_claims.create_response_dic())
 if settings.get('OIDC_EXTRA_SCOPE_CLAIMS'):
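Review bot: With `scope=code_scope` passed to `_auth_code_post_data`, the request scope always equals the code's scope, so `test_scope_is_ignored_for_auth_code` no longer demonstrates what its name and docstring claim — the assertions on `email` and `given_name` would pass equally if the token endpoint honoured the request scope instead of ignoring it. Keep the request scope different from the code's, for example `code=code.code, scope=['openid'])`, so that email/profile claims in the ID token can only have come from the authorization code. The added docstring sentence `This comes down to that the scopes requested in authorize are returned.` reads awkwardly; `In other words, the ID token carries the claims for the scopes granted at authorization time.` says the same. The second hunk of this file has the same weakness, since its assertions depend on the request data built in the first.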