Pass token and request to OIDC_ID_TOKEN_PROCESSING_HOOK

The ID token processing hook might need the token or request too, so make them available.
2018-05-24 00:24:52 +03:00 · 2018-05-24 00:24:52 +03:00 · b0a82aa4ab
commit b0a82aa4ab
parent 93420461b4
4 changed files with 51 additions and 12 deletions
--- a/oidc_provider/lib/utils/common.py
+++ b/oidc_provider/lib/utils/common.py
@ -107,9 +107,10 @@ def default_after_end_session_hook(
    return None


-def default_idtoken_processing_hook(id_token, user, scope=None):
+def default_idtoken_processing_hook(
+        id_token, user, scope, token, request, **kwargs):
    """
-    Hook to perform some additional actions ti `id_token` dictionary just before serialization.
+    Hook for modifying `id_token` just before serialization.

    :param id_token: dictionary contains values that going to be serialized into `id_token`
    :type id_token: dict
@ -120,8 +121,14 @@ def default_idtoken_processing_hook(id_token, user, scope=None):
    :param scope: scope for the token
    :type scope: list[str]|None

+    :param token: the Token object created for the authentication request
+    :type token: oidc_provider.models.Token
+
+    :param request: the request initiating this ID token processing
+    :type request: django.http.HttpRequest
+
    :return: custom modified dictionary of values for `id_token`
-    :rtype dict
+    :rtype: dict
    """
    return id_token

--- a/oidc_provider/lib/utils/token.py
+++ b/oidc_provider/lib/utils/token.py
@ -64,7 +64,7 @@ def create_id_token(token, user, aud, nonce='', at_hash='', request=None, scope=

    dic = run_processing_hook(
        dic, 'OIDC_IDTOKEN_PROCESSING_HOOK',
-        user=user, scope=scope)
+        user=user, scope=scope, token=token, request=request)

    return dic

--- a/oidc_provider/tests/app/utils.py
+++ b/oidc_provider/tests/app/utils.py
@ -113,7 +113,7 @@ def fake_sub_generator(user):
    return user.email


-def fake_idtoken_processing_hook(id_token, user, scope=None):
+def fake_idtoken_processing_hook(id_token, user, **kwargs):
    """
    Fake function for inserting some keys into token. Testing OIDC_IDTOKEN_PROCESSING_HOOK.
    """
@ -122,7 +122,7 @@ def fake_idtoken_processing_hook(id_token, user, scope=None):
    return id_token


-def fake_idtoken_processing_hook2(id_token, user, scope=None):
+def fake_idtoken_processing_hook2(id_token, user, **kwargs):
    """
    Fake function for inserting some keys into token.
    Testing OIDC_IDTOKEN_PROCESSING_HOOK - tuple or list as param
@ -132,7 +132,7 @@ def fake_idtoken_processing_hook2(id_token, user, scope=None):
    return id_token


-def fake_idtoken_processing_hook3(id_token, user, scope=None):
+def fake_idtoken_processing_hook3(id_token, user, scope=None, **kwargs):
    """
    Fake function for checking scope is passed to processing hook.
    """
@ -140,6 +140,17 @@ def fake_idtoken_processing_hook3(id_token, user, scope=None):
    return id_token


+def fake_idtoken_processing_hook4(id_token, user, **kwargs):
+    """
+    Fake function for checking kwargs passed to processing hook.
+    """
+    id_token['kwargs_passed_to_processing_hook'] = {
+        key: repr(value)
+        for (key, value) in kwargs.items()
+    }
+    return id_token
+
+
 def fake_introspection_processing_hook(response_dict, client, id_token):
    response_dict['test_introspection_processing_hook'] = FAKE_RANDOM_STRING
    return response_dict
--- a/oidc_provider/tests/cases/test_token_endpoint.py
+++ b/oidc_provider/tests/cases/test_token_endpoint.py
@ -735,7 +735,31 @@ class TokenTestCase(TestCase):
        """
        Test scope parameter is passed to OIDC_IDTOKEN_PROCESSING_HOOK.
        """
-        code = self._create_code(['openid', 'email', 'profile', 'dummy'])
+        id_token = self._request_id_token_with_scope(
+            ['openid', 'email', 'profile', 'dummy'])
+        self.assertEqual(
+            id_token.get('scope_passed_to_processing_hook'),
+            ['openid', 'email', 'profile', 'dummy'])
+
+    @override_settings(
+        OIDC_IDTOKEN_PROCESSING_HOOK=(
+                'oidc_provider.tests.app.utils.fake_idtoken_processing_hook4'))
+    def test_additional_idtoken_processing_hook_kwargs(self):
+        """
+        Test correct kwargs are passed to OIDC_IDTOKEN_PROCESSING_HOOK.
+        """
+        id_token = self._request_id_token_with_scope(['openid', 'profile'])
+        kwargs_passed = id_token.get('kwargs_passed_to_processing_hook')
+        assert kwargs_passed
+        self.assertEqual(kwargs_passed.get('scope'),
+                         repr([u'openid', u'profile']))
+        self.assertEqual(kwargs_passed.get('token'),
+                         '<Token: Some Client - johndoe@example.com>')
+        self.assertEqual(kwargs_passed.get('request'),
+                         "<WSGIRequest: POST '/openid/token'>")
+
+    def _request_id_token_with_scope(self, scope):
+        code = self._create_code(scope)

        post_data = self._auth_code_post_data(code=code.code)

@ -743,10 +767,7 @@ class TokenTestCase(TestCase):

        response_dic = json.loads(response.content.decode('utf-8'))
        id_token = JWT().unpack(response_dic['id_token'].encode('utf-8')).payload()
-
-        self.assertEqual(
-            id_token.get('scope_passed_to_processing_hook'),
-            ['openid', 'email', 'profile', 'dummy'])
+        return id_token

    def test_pkce_parameters(self):
        """