
0001-idp_oidc-fill-id_token-also-with-user-s-info-fixes-1.patch

Benjamin Dauvergne, 13 juin 2017 13:41



Subject: [PATCH] idp_oidc: fill id_token also with user's info (fixes #16854)

 src/authentic2_idp_oidc/utils.py | 16 ++++++++++++++++
 src/authentic2_idp_oidc/views.py | 26 +++++++++-----------------
 tests/test_idp_oidc.py           |  6 ++++++
 3 files changed, 31 insertions(+), 17 deletions(-)
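--- a/src/authentic2_idp_oidc/utils.py
+++ b/src/authentic2_idp_oidc/utils.py
@@ -94,3 +94,19 @@
     sub = sector_identifier + str(user.uuid) + settings.SECRET_KEY
     sub = base64.b64encode(hashlib.sha256(sub).digest())
     return sub
+
+
+def create_user_info(client, user, scope_set, id_token=False):
+    '''Create user info dictionnary'''
+    user_info = {
+        'sub': make_sub(client, user)
+    }
+    if 'profile' in scope_set:
+        user_info['family_name'] = user.last_name
+        user_info['given_name'] = user.first_name
+        if user.username:
+            user_info['preferred_username'] = user.username.split('@', 1)[0]
+    if 'email' in scope_set:
+        user_info['email'] = user.email
+        user_info['email_verified'] = True
+    return user_info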
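--- a/src/authentic2_idp_oidc/views.py
+++ b/src/authentic2_idp_oidc/views.py
@@ -246,7 +246,8 @@
         acr = 0
         if nonce and last_auth.get('nonce') == nonce:
             acr = 1
-        id_token = {
+        id_token = utils.create_user_info(client, request.user, scopes, id_token=True)
+        id_token.update({
             'iss': request.build_absolute_uri('/'),
             'sub': utils.make_sub(client, request.user),
             'aud': client.client_id,
@@ -255,7 +256,7 @@
             'iat': timestamp_from_datetime(start),
             'auth_time': last_auth['when'],
             'acr': acr,
-        }
+        })
         if nonce:
             id_token['nonce'] = nonce
         params = {
@@ -349,7 +350,9 @@
     if (oidc_code.nonce and last_authentication_event(oidc_code.session).get('nonce') ==
             oidc_code.nonce):
         acr = 1
-    id_token = {
+    # prefill id_token with user info
+    id_token = utils.create_user_info(client, oidc_code.user, oidc_code.scope_set(), id_token=True)
+    id_token.update({
         'iss': request.build_absolute_uri('/'),
         'sub': utils.make_sub(client, oidc_code.user),
         'aud': client.client_id,
@@ -358,7 +361,7 @@
         'iat': timestamp_from_datetime(start),
         'auth_time': timestamp_from_datetime(oidc_code.auth_time),
         'acr': acr,
-    }
+    })
     if oidc_code.nonce:
         id_token['nonce'] = oidc_code.nonce
     response = HttpResponse(json.dumps({
@@ -393,19 +396,8 @@
     access_token = authenticate_access_token(request)
     if access_token is None:
         return HttpResponse('unauthenticated', status=401)
-    scope_set = access_token.scope_set()
-    user = access_token.user
-    user_info = {
-        'sub': utils.make_sub(access_token.client, access_token.user)
-    }
-    if 'profile' in scope_set:
-        user_info['family_name'] = user.last_name
-        user_info['given_name'] = user.first_name
-        if user.username:
-            user_info['preferred_username'] = user.username.split('@', 1)[0]
-    if 'email' in scope_set:
-        user_info['email'] = user.email
-        user_info['email_verified'] = True
+    user_info = utils.create_user_info(access_token.client, access_token.user,
+                                       access_token.scope_set())
     return HttpResponse(json.dumps(user_info), content_type='application/json')
 
 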
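Review bot: Both `id_token.update({...})` blocks (new lines 250 and 355) still set `'sub': utils.make_sub(client, ...)` although `create_user_info` has just computed the same value, so the hash is derived twice per token and the two sources can drift if one is changed later; drop the `'sub'` entry from the two `.update()` dicts. The profile and email claims are now embedded in every id_token; the first hunk appears to build the token inside the authorization view (`request.user`, `last_auth`, the `params` dict that follows — the enclosing function starts and ends outside the hunk), and if that response is returned through the browser the signed-but-unencrypted token now carries the user's email and names wherever that redirect is logged or stored, which a comment such as `# profile/email claims are embedded in the id_token (fixes #16854); the token is signed, not encrypted` would make explicit. `id_token=True` is passed in both calls but the helper in utils.py ignores it, so the flag is a no-op here.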
tests/test_idp_oidc.py
199 199
        assert claims['acr'] == 0
200 200
    else:
201 201
        assert claims['acr'] == 1
202
    assert claims['sub'] == make_sub(oidc_client, simple_user)
203
    assert claims['preferred_username'] == simple_user.username
204
    assert claims['given_name'] == simple_user.first_name
205
    assert claims['family_name'] == simple_user.last_name
206
    assert claims['email'] == simple_user.email
207
    assert claims['email_verified'] is True
202 208

  
203 209
    user_info_url = make_url('oidc-user-info')
204 210
    response = app.get(user_info_url, headers=bearer_authentication_headers(access_token))
205
-