From ed9788dfa85d49434a5dc6e1a5058b18913536f7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fr=C3=A9d=C3=A9ric=20P=C3=A9ters?=
Date: Mon, 7 May 2018 19:36:35 +0200
Subject: [PATCH] idp oidc: skip unset attributes in user-info (#23643)

---
 src/authentic2_idp_oidc/utils.py | 2 ++
 tests/test_idp_oidc.py | 6 ++++++
 2 files changed, 8 insertions(+)

diff --git a/src/authentic2_idp_oidc/utils.py b/src/authentic2_idp_oidc/utils.py
index 12999905..bae504d8 100644
--- a/src/authentic2_idp_oidc/utils.py
+++ b/src/authentic2_idp_oidc/utils.py
@@ -172,6 +172,8 @@ def create_user_info(client, user, scope_set, id_token=False):
     for claim in client.oidcclaim_set.filter(name__isnull=False):
         if not set(claim.get_scopes()).intersection(scope_set):
             continue
+        if not claim.value in attributes:
+            continue
         user_info[claim.name] = normalize_claim_values(attributes[claim.value])
         # check if attribute is verified
         if claim.value + ':verified' in attributes:
diff --git a/tests/test_idp_oidc.py b/tests/test_idp_oidc.py
index e9462b5e..26ae9054 100644
--- a/tests/test_idp_oidc.py
+++ b/tests/test_idp_oidc.py
@@ -253,6 +253,12 @@ def test_authorization_code_sso(login_first, oidc_settings, oidc_client, simple_
     assert response.json['ou'] == simple_user.ou.name
     assert response.json['roles'][0] == 'Whatever'
 
+    # check against a user without username
+    simple_user.username = None
+    simple_user.save()
+    response = app.get(user_info_url, headers=bearer_authentication_headers(access_token))
+    assert 'preferred_username' not in response.json
+
     # Now logout
     if oidc_client.post_logout_redirect_uris:
         params = {
-- 
2.17.0
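Review bot: The added guard `if not claim.value in attributes:` uses the non-idiomatic negation form (PEP 8 E713); write it as `if claim.value not in attributes:` so it reads as the membership test it is. The guard only covers a missing key: if the attributes mapping can carry a present key with a `None` value for an unset attribute, that claim would still reach `normalize_claim_values(None)` and be emitted, so it is worth a comment stating which case is expected, e.g. `# skip claims whose source attribute is not set for this user, so an optional attribute never raises KeyError (#23643)`. The enclosing `create_user_info` starts before and continues past this hunk, so how `attributes` is built is not visible here.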
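Review bot: The new assertion only checks that `preferred_username` is absent; it does not confirm that the `continue` skipped just that one claim rather than cutting short the remaining claims. Adding `assert response.json['ou'] == simple_user.ou.name` after the `'preferred_username' not in response.json` check would pin that the other claims are still returned for a user with an unset attribute. `test_authorization_code_sso` starts before and continues past this hunk.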