Made token and token_refresh endpoint return requested claims.
This commit is contained in:
dhrp
parent
65c6cc6fec
commit
8c736b8b08
|
|
@ -16,12 +16,11 @@ STANDARD_CLAIMS = {
|
||||||
|
|
||||||
class ScopeClaims(object):
|
class ScopeClaims(object):
|
||||||
|
|
||||||
def __init__(self, token):
|
def __init__(self, user, scope):
|
||||||
self.user = token.user
|
self.user = user
|
||||||
claims = copy.deepcopy(STANDARD_CLAIMS)
|
claims = copy.deepcopy(STANDARD_CLAIMS)
|
||||||
self.userinfo = settings.get('OIDC_USERINFO', import_str=True)(claims, self.user)
|
self.userinfo = settings.get('OIDC_USERINFO', import_str=True)(claims, self.user)
|
||||||
self.scopes = token.scope
|
self.scopes = scope
|
||||||
self.client = token.client
|
|
||||||
|
|
||||||
def create_response_dic(self):
|
def create_response_dic(self):
|
||||||
"""
|
"""
|
||||||
|
|
|
||||||
|
|
@ -10,6 +10,7 @@ from jwkest.jws import JWS
|
||||||
from jwkest.jwt import JWT
|
from jwkest.jwt import JWT
|
||||||
|
|
||||||
from oidc_provider.lib.utils.common import get_issuer
|
from oidc_provider.lib.utils.common import get_issuer
|
||||||
|
from oidc_provider.lib.claims import StandardScopeClaims
|
||||||
from oidc_provider.models import (
|
from oidc_provider.models import (
|
||||||
Code,
|
Code,
|
||||||
RSAKey,
|
RSAKey,
|
||||||
|
|
@ -52,8 +53,13 @@ def create_id_token(user, aud, nonce='', at_hash='', request=None, scope=None):
|
||||||
if at_hash:
|
if at_hash:
|
||||||
dic['at_hash'] = at_hash
|
dic['at_hash'] = at_hash
|
||||||
|
|
||||||
if ('email' in scope) and getattr(user, 'email', None):
|
if settings.get('OIDC_EXTRA_SCOPE_CLAIMS'):
|
||||||
dic['email'] = user.email
|
custom_claims = settings.get('OIDC_EXTRA_SCOPE_CLAIMS', import_str=True)(user, scope)
|
||||||
|
claims = custom_claims.create_response_dic()
|
||||||
|
else:
|
||||||
|
claims = StandardScopeClaims(user=user, scope=scope).create_response_dic()
|
||||||
|
|
||||||
|
dic.update(claims) # modifies dic, adding all requested claims
|
||||||
|
|
||||||
processing_hook = settings.get('OIDC_IDTOKEN_PROCESSING_HOOK')
|
processing_hook = settings.get('OIDC_IDTOKEN_PROCESSING_HOOK')
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -96,6 +96,7 @@ def userinfo(claims, user):
|
||||||
claims['family_name'] = 'Doe'
|
claims['family_name'] = 'Doe'
|
||||||
claims['name'] = '{0} {1}'.format(claims['given_name'], claims['family_name'])
|
claims['name'] = '{0} {1}'.format(claims['given_name'], claims['family_name'])
|
||||||
claims['email'] = user.email
|
claims['email'] = user.email
|
||||||
|
claims['email_verified'] = True
|
||||||
claims['address']['country'] = 'Argentina'
|
claims['address']['country'] = 'Argentina'
|
||||||
return claims
|
return claims
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -15,7 +15,7 @@ class ClaimsTestCase(TestCase):
|
||||||
self.scopes = ['openid', 'address', 'email', 'phone', 'profile']
|
self.scopes = ['openid', 'address', 'email', 'phone', 'profile']
|
||||||
self.client = create_fake_client('code')
|
self.client = create_fake_client('code')
|
||||||
self.token = create_fake_token(self.user, self.scopes, self.client)
|
self.token = create_fake_token(self.user, self.scopes, self.client)
|
||||||
self.scopeClaims = ScopeClaims(self.token)
|
self.scopeClaims = ScopeClaims(self.token.user, self.token.scope)
|
||||||
|
|
||||||
def test_empty_standard_claims(self):
|
def test_empty_standard_claims(self):
|
||||||
for v in [v for k, v in STANDARD_CLAIMS.items() if k != 'address']:
|
for v in [v for k, v in STANDARD_CLAIMS.items() if k != 'address']:
|
||||||
|
|
|
||||||
|
|
@ -300,13 +300,14 @@ class TokenTestCase(TestCase):
|
||||||
def test_scope_is_ignored_for_auth_code(self):
|
def test_scope_is_ignored_for_auth_code(self):
|
||||||
"""
|
"""
|
||||||
Scope is ignored for token respones to auth code grant type.
|
Scope is ignored for token respones to auth code grant type.
|
||||||
|
This comes down to that the scopes requested in authorize are returned.
|
||||||
"""
|
"""
|
||||||
SIGKEYS = self._get_keys()
|
SIGKEYS = self._get_keys()
|
||||||
for code_scope in [['openid'], ['openid', 'email']]:
|
for code_scope in [['openid'], ['openid', 'email'], ['openid', 'profile']]:
|
||||||
code = self._create_code(code_scope)
|
code = self._create_code(code_scope)
|
||||||
|
|
||||||
post_data = self._auth_code_post_data(
|
post_data = self._auth_code_post_data(
|
||||||
code=code.code, scope=['openid', 'profile'])
|
code=code.code, scope=code_scope)
|
||||||
|
|
||||||
response = self._post_request(post_data)
|
response = self._post_request(post_data)
|
||||||
response_dic = json.loads(response.content.decode('utf-8'))
|
response_dic = json.loads(response.content.decode('utf-8'))
|
||||||
|
|
@ -317,9 +318,15 @@ class TokenTestCase(TestCase):
|
||||||
|
|
||||||
if 'email' in code_scope:
|
if 'email' in code_scope:
|
||||||
self.assertIn('email', id_token)
|
self.assertIn('email', id_token)
|
||||||
|
self.assertIn('email_verified', id_token)
|
||||||
else:
|
else:
|
||||||
self.assertNotIn('email', id_token)
|
self.assertNotIn('email', id_token)
|
||||||
|
|
||||||
|
if 'profile' in code_scope:
|
||||||
|
self.assertIn('given_name', id_token)
|
||||||
|
else:
|
||||||
|
self.assertNotIn('given_name', id_token)
|
||||||
|
|
||||||
def test_refresh_token(self):
|
def test_refresh_token(self):
|
||||||
"""
|
"""
|
||||||
A request to the Token Endpoint can also use a Refresh Token
|
A request to the Token Endpoint can also use a Refresh Token
|
||||||
|
|
|
||||||
|
|
@ -234,7 +234,7 @@ def userinfo(request, *args, **kwargs):
|
||||||
'sub': token.id_token.get('sub'),
|
'sub': token.id_token.get('sub'),
|
||||||
}
|
}
|
||||||
|
|
||||||
standard_claims = StandardScopeClaims(token)
|
standard_claims = StandardScopeClaims(user=token.user, scope=token.scope)
|
||||||
dic.update(standard_claims.create_response_dic())
|
dic.update(standard_claims.create_response_dic())
|
||||||
|
|
||||||
if settings.get('OIDC_EXTRA_SCOPE_CLAIMS'):
|
if settings.get('OIDC_EXTRA_SCOPE_CLAIMS'):
|
||||||
|
|
|
||||||
Loading…
Reference in a new issue