From b0d8f620fd3f7a2a9b04fb3976963d57b13ab634 Mon Sep 17 00:00:00 2001
From: Benjamin Dauvergne
Date: Thu, 22 Nov 2018 12:37:29 +0100
Subject: [PATCH 2/2] idp_oidc: export claim even if source attribute is absent (fixes #27540)
---
 src/authentic2_idp_oidc/utils.py | 13 ++++++++++---
 tests/test_idp_oidc.py | 2 +-
 2 files changed, 11 insertions(+), 4 deletions(-)
diff --git a/src/authentic2_idp_oidc/utils.py b/src/authentic2_idp_oidc/utils.py
index aa246a07..31df48ce 100644
--- a/src/authentic2_idp_oidc/utils.py
+++ b/src/authentic2_idp_oidc/utils.py
@@ -174,15 +174,22 @@ def create_user_info(request, client, user, scope_set, id_token=False):
 'service': client,
 '__wanted_attributes': client.get_wanted_attributes(),
 })
- for claim in client.oidcclaim_set.filter(name__isnull=False):
+ claims = client.oidcclaim_set.filter(name__isnull=False)
+ for claim in claims:
 if not set(claim.get_scopes()).intersection(scope_set):
 continue
- if not claim.value in attributes:
+ if claim.value not in attributes:
 continue
- user_info[claim.name] = normalize_claim_values(attributes[claim.value])
+ attribute_value = attributes[claim.value]
+ if attribute_value is None:
+ continue
+ user_info[claim.name] = normalize_claim_values(attribute_value)
 # check if attribute is verified
 if claim.value + ':verified' in attributes:
 user_info[claim.value + '_verified'] = True
+ for claim in claims:
+ if claim.name not in user_info:
+ user_info[claim.name] = None
 hooks.call_hooks('idp_oidc_modify_user_info', client, user, scope_set, user_info)
 return user_info
diff --git a/tests/test_idp_oidc.py b/tests/test_idp_oidc.py
index a27f4986..102f7257 100644
--- a/tests/test_idp_oidc.py
+++ b/tests/test_idp_oidc.py
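Review bot: The second `for claim in claims:` loop in `create_user_info` backfills `None` for every claim configured on the client without repeating the `set(claim.get_scopes()).intersection(scope_set)` check from the first loop. Claims whose scopes were not granted therefore still appear as keys (with a null value) in the user info, so the scope filter no longer decides which claim names a relying party sees. Guarding the backfill with the same test keeps that boundary, e.g. `if set(claim.get_scopes()).intersection(scope_set): user_info.setdefault(claim.name, None)`. The updated test only covers an in-scope claim (`preferred_username`); an assertion that a claim outside the requested scopes stays absent from `response.json` would pin this. The function body begins above the hunk, so how `attributes` and `scope_set` are built is not visible here.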
@@ -285,7 +285,7 @@ def test_authorization_code_sso(login_first, oidc_settings, oidc_client, simple_
 simple_user.username = None
 simple_user.save()
 response = app.get(user_info_url, headers=bearer_authentication_headers(access_token))
- assert 'preferred_username' not in response.json
+ assert response.json['preferred_username'] is None
 # Now logout
 if oidc_client.post_logout_redirect_uris:
--
2.18.0