0001-auth_oidc-check-required-claims-only-from-the-idtoke.patch
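--- a/src/authentic2_auth_oidc/backends.py
+++ b/src/authentic2_auth_oidc/backends.py
@@ -207,20 +207,22 @@
 if claim_mapping.required:
 if '{{' in claim or '{%' in claim:
 logger.warning('claim \'%r\' is templated, it cannot be set as required')
-elif claim_mapping.idtoken_claim and claim not in id_token:
-logger.warning(
-'auth_oidc: cannot create user missing required claim %r in id_token (%r)',
-claim,
-id_token,
-)
-return None
-elif not user_info or claim not in user_info:
-logger.warning(
-'auth_oidc: cannot create user missing required claim %r in user_info (%r)',
-claim,
-user_info,
-)
-return None
+elif claim_mapping.idtoken_claim:
+if claim not in id_token:
+logger.warning(
+'auth_oidc: cannot create user missing required claim %r in id_token (%r)',
+claim,
+id_token,
+)
+return None
+else: # claim from the user_info endpoint
+if not user_info or claim not in user_info:
+logger.warning(
+'auth_oidc: cannot create user missing required claim %r in user_info (%r)',
+claim,
+user_info,
+)
+return None
 
 # find en email in mappings
 email = None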
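Review bot: The new checks `if claim not in id_token:` and `if not user_info or claim not in user_info:` test key presence only, so a provider that sends a required claim with a null or empty value satisfies the requirement; if "required" is meant to guarantee a usable value (the block goes on to look for an email among the mappings), the condition should be `if id_token.get(claim) in (None, ''):` with the matching `(user_info or {}).get(claim)` form for the user_info branch, and otherwise a comment stating that presence alone is sufficient would save the next reader the question. The two added warn-and-return branches differ only in the source dict and its name; selecting `source, source_name = (id_token, 'id_token') if claim_mapping.idtoken_claim else (user_info, 'user_info')` first would leave a single check and a single log call. On the unchanged context line just above, `logger.warning('claim \'%r\' is templated, it cannot be set as required')` has a `%r` placeholder but no argument, so the record cannot be formatted and the warning is diverted to the handler's error path instead of being emitted; that branch also falls through without returning None, so a templated required claim is effectively not enforced, which is worth a follow-up outside this commit. The enclosing function starts and ends outside the hunk.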
tests/test_auth_oidc.py | ||
1269 | 1269 |
assert second_authenticator.claim_mappings.get().pk == second_provider_claim_mapping.pk |
1270 | 1270 |
assert second_authenticator.accounts.count() == 1 |
1271 | 1271 |
assert second_authenticator.accounts.get().pk == second_provider_account.pk |
1272 | ||
1273 | ||
1274 |
def test_only_idtoken_claims(app, caplog, code, oidc_provider, oidc_provider_jwkset): |
|
1275 |
oidc_provider.claim_mappings.update(idtoken_claim=True) |
|
1276 |
response = app.get('/').maybe_follow() |
|
1277 |
assert oidc_provider.name in response.text |
|
1278 |
response = response.click(oidc_provider.name) |
|
1279 |
location = urllib.parse.urlparse(response.location) |
|
1280 |
query = QueryDict(location.query) |
|
1281 |
state = query['state'] |
|
1282 |
nonce = query['nonce'] |
|
1283 | ||
1284 |
# sub=john.doe |
|
1285 |
extra_id_token = { |
|
1286 |
'given_name': 'John', |
|
1287 |
'family_name': 'Doe', |
|
1288 |
'email': 'john.doe@example.com', |
|
1289 |
} |
|
1290 |
with utils.check_log(caplog, 'missing required claim'): |
|
1291 |
with oidc_provider_mock( |
|
1292 |
oidc_provider, |
|
1293 |
oidc_provider_jwkset, |
|
1294 |
code, |
|
1295 |
nonce=nonce, |
|
1296 |
): |
|
1297 |
response = app.get(login_callback_url(oidc_provider), params={'code': code, 'state': state}) |
|
1298 |
assert User.objects.count() == 0 |
|
1299 | ||
1300 |
with utils.check_log(caplog, 'auth_oidc: created user'): |
|
1301 |
with oidc_provider_mock( |
|
1302 |
oidc_provider, |
|
1303 |
oidc_provider_jwkset, |
|
1304 |
code, |
|
1305 |
nonce=nonce, |
|
1306 |
extra_id_token=extra_id_token, |
|
1307 |
): |
|
1308 |
response = app.get(login_callback_url(oidc_provider), params={'code': code, 'state': state}) |
|
1309 |
assert User.objects.count() == 1 |
|
1272 |
- |
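Review bot: The second block of `test_only_idtoken_claims` supplies `extra_id_token` but says nothing about the user_info response, so whether it exercises the fix — a required claim present in the id_token but absent from user_info — depends on what `oidc_provider_mock` returns as user_info, which is outside this hunk; if that mock's user_info also carries given_name, family_name and email, the pre-change fall-through check would pass this test too, and a user_info lacking those claims should be used to pin the new behaviour. The first block only shows that all-missing claims are rejected, which both versions of the code already did. `response` is assigned on both callback lines but never read afterwards; calling `app.get(login_callback_url(oidc_provider), params={'code': code, 'state': state})` without the binding avoids the unused variable. The trailing removed line is rendered only as `-`, so its content could not be reviewed.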