0001-idp_oidc-fill-id_token-also-with-user-s-info-fixes-1.patch
src/authentic2_idp_oidc/utils.py | ||
94 | 94 |
sub = sector_identifier + str(user.uuid) + settings.SECRET_KEY |
95 | 95 |
sub = base64.b64encode(hashlib.sha256(sub).digest()) |
96 | 96 |
return sub |
97 | ||
98 | ||
99 |
def create_user_info(client, user, scope_set, id_token=False): |
|
100 |
'''Create user info dictionnary''' |
|
101 |
user_info = { |
|
102 |
'sub': make_sub(client, user) |
|
103 |
} |
|
104 |
if 'profile' in scope_set: |
|
105 |
user_info['family_name'] = user.last_name |
|
106 |
user_info['given_name'] = user.first_name |
|
107 |
if user.username: |
|
108 |
user_info['preferred_username'] = user.username.split('@', 1)[0] |
|
109 |
if 'email' in scope_set: |
|
110 |
user_info['email'] = user.email |
|
111 |
user_info['email_verified'] = True |
|
112 |
return user_info |
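Review bot: The new `id_token` parameter of `create_user_info` is never read inside the visible body — every claim is emitted identically for a UserInfo response and for an ID token, so the `id_token=True` callers in views.py get no different behavior. Either document it as reserved (`id_token: currently unused, reserved for ID-token-specific claims`) or drop it until it is used. `email_verified` is set to True whenever the `email` scope is granted without the code consulting any verification state on the user, and relying parties commonly use this claim to decide whether to trust the address for account linking; if the user model exposes a verification flag it should feed this claim, otherwise a comment stating that every address is treated as verified would make the assumption explicit. The docstring also misspells the word: `'''Create user info dictionary'''`. Note that `preferred_username` is the part of `user.username` before the first `@`, so the new test assertion `claims['preferred_username'] == simple_user.username` only agrees when the fixture username contains no `@`.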
src/authentic2_idp_oidc/views.py | ||
246 | 246 |
acr = 0 |
247 | 247 |
if nonce and last_auth.get('nonce') == nonce: |
248 | 248 |
acr = 1 |
249 |
id_token = { |
|
249 |
id_token = utils.create_user_info(client, request.user, scopes, id_token=True) |
|
250 |
id_token.update({ |
|
250 | 251 |
'iss': request.build_absolute_uri('/'), |
251 | 252 |
'sub': utils.make_sub(client, request.user), |
252 | 253 |
'aud': client.client_id, |
... | ... | |
255 | 256 |
'iat': timestamp_from_datetime(start), |
256 | 257 |
'auth_time': last_auth['when'], |
257 | 258 |
'acr': acr, |
258 |
} |
|
259 |
})
|
|
259 | 260 |
if nonce: |
260 | 261 |
id_token['nonce'] = nonce |
261 | 262 |
params = { |
... | ... | |
349 | 350 |
if (oidc_code.nonce and last_authentication_event(oidc_code.session).get('nonce') == |
350 | 351 |
oidc_code.nonce): |
351 | 352 |
acr = 1 |
352 |
id_token = { |
|
353 |
# prefill id_token with user info |
|
354 |
id_token = utils.create_user_info(client, oidc_code.user, oidc_code.scope_set(), id_token=True) |
|
355 |
id_token.update({ |
|
353 | 356 |
'iss': request.build_absolute_uri('/'), |
354 | 357 |
'sub': utils.make_sub(client, oidc_code.user), |
355 | 358 |
'aud': client.client_id, |
... | ... | |
358 | 361 |
'iat': timestamp_from_datetime(start), |
359 | 362 |
'auth_time': timestamp_from_datetime(oidc_code.auth_time), |
360 | 363 |
'acr': acr, |
361 |
} |
|
364 |
})
|
|
362 | 365 |
if oidc_code.nonce: |
363 | 366 |
id_token['nonce'] = oidc_code.nonce |
364 | 367 |
response = HttpResponse(json.dumps({ |
... | ... | |
393 | 396 |
access_token = authenticate_access_token(request) |
394 | 397 |
if access_token is None: |
395 | 398 |
return HttpResponse('unauthenticated', status=401) |
396 |
scope_set = access_token.scope_set() |
|
397 |
user = access_token.user |
|
398 |
user_info = { |
|
399 |
'sub': utils.make_sub(access_token.client, access_token.user) |
|
400 |
} |
|
401 |
if 'profile' in scope_set: |
|
402 |
user_info['family_name'] = user.last_name |
|
403 |
user_info['given_name'] = user.first_name |
|
404 |
if user.username: |
|
405 |
user_info['preferred_username'] = user.username.split('@', 1)[0] |
|
406 |
if 'email' in scope_set: |
|
407 |
user_info['email'] = user.email |
|
408 |
user_info['email_verified'] = True |
|
399 |
user_info = utils.create_user_info(access_token.client, access_token.user, |
|
400 |
access_token.scope_set()) |
|
409 | 401 |
return HttpResponse(json.dumps(user_info), content_type='application/json') |
410 | 402 | |
411 | 403 |
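Review bot: `'sub'` is still written explicitly in the `id_token.update({...})` dicts at new lines 252 and 357 even though `create_user_info` already populates it through the same `make_sub` call, so the pairwise subject is hashed twice per token and the two sources could drift if one of them changes; drop the `'sub': utils.make_sub(client, ...)` entry from both update dicts so the helper is the single source. The authorize hunk at new line 249 lacks the `# prefill id_token with user info` comment that the token-endpoint hunk carries at 353; add the same comment there for consistency. In the authorize hunk `scopes` originates outside the hunk, so it is worth confirming it holds the scopes actually granted to the client rather than the raw requested ones, since the profile and email claims now land in the ID token based on it. Both enclosing view functions start and end outside the hunks.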
tests/test_idp_oidc.py | ||
199 | 199 |
assert claims['acr'] == 0 |
200 | 200 |
else: |
201 | 201 |
assert claims['acr'] == 1 |
202 |
assert claims['sub'] == make_sub(oidc_client, simple_user) |
|
203 |
assert claims['preferred_username'] == simple_user.username |
|
204 |
assert claims['given_name'] == simple_user.first_name |
|
205 |
assert claims['family_name'] == simple_user.last_name |
|
206 |
assert claims['email'] == simple_user.email |
|
207 |
assert claims['email_verified'] is True |
|
202 | 208 | |
203 | 209 |
user_info_url = make_url('oidc-user-info') |
204 | 210 |
response = app.get(user_info_url, headers=bearer_authentication_headers(access_token)) |
205 |
- |