idp_oidc: discard ambiguous profile validation context variable (#70553)

This variable did not help determining whether the profiles weren't
    shown because (a) the user does not own any or (b) the oidc client
    deactivates this feature.

src/authentic2_idp_oidc/templates/authentic2_idp_oidc/authorization.html

@@ -26,7 +26,7 @@
         {% endfor %}
       </ul>
     {% endif %}
-    {% if needs_profile_validation %}
+    {% if client.activate_user_profiles and user_has_selectable_profiles %}
       <div id="profile-validation">
         <p>{% trans "You may authenticate as owner of the following juridical entity management profile, which may change the aforementioned information." %}</p>
         <div class="profile" id="profile-validation-none">

src/authentic2_idp_oidc/views.py

@@ -366,7 +366,7 @@ def authorize_for_client(request, client, redirect_uri):
 
     iat = now()  # iat = issued at
 
-    needs_profile_validation = False
+    user_has_selectable_profiles = False
     needs_scope_validation = False
     profile = None
     if client.authorization_mode != client.AUTHORIZATION_MODE_NONE or 'consent' in prompt:
@@ -395,13 +395,13 @@ def authorize_for_client(request, client, redirect_uri):
             # load first authorized profile
             if not authorized_profile and authorization.profile:
                 authorized_profile = authorization.profile
-        if request.user.profiles.count() and not authorized_profile and client.activate_user_profiles:
-            needs_profile_validation = True
+        if request.user.profiles.count() and not authorized_profile:
+            user_has_selectable_profiles = True
         else:
             profile = authorized_profile
         if (authorized_scopes & scopes) < scopes:
             needs_scope_validation = True
-        if needs_scope_validation or needs_profile_validation:
+        if needs_scope_validation or (user_has_selectable_profiles and client.activate_user_profiles):
             if 'none' in prompt:
                 raise ConsentRequired(_('Consent is required but prompt parameter is "none"'))
             if request.method == 'POST':
@@ -446,7 +446,7 @@ def authorize_for_client(request, client, redirect_uri):
                     request,
                     'authentic2_idp_oidc/authorization.html',
                     {
-                        'needs_profile_validation': needs_profile_validation,
+                        'user_has_selectable_profiles': user_has_selectable_profiles,
                         'needs_scope_validation': needs_scope_validation,
                         'client': client,
                         'scopes': scopes - {'openid'},

tests/idp_oidc/test_user_profiles.py

@@ -143,6 +143,29 @@ def test_login_profiles_absent(app, oidc_client, simple_user, profile_settings):
     assert not 'profile-validation-' in response.text
 
 
+def test_login_profiles_deactivated(app, oidc_client, profile_user, profile_settings):
+    redirect_uri = oidc_client.redirect_uris.split()[0]
+    oidc_client.activate_user_profiles = False
+    oidc_client.save()
+    params = {
+        'client_id': oidc_client.client_id,
+        'scope': 'openid profile email',
+        'redirect_uri': redirect_uri,
+        'state': 'xxx',
+        'nonce': 'yyy',
+        'login_hint': 'backoffice john@example.com',
+        'response_type': 'code',
+    }
+    assert profile_user.profiles.count() == 2
+
+    authorize_url = make_url('oidc-authorize', params=params)
+    utils.login(app, profile_user)
+    response = app.get(authorize_url)
+    assert 'a2-oidc-authorization-form' in response.text
+    # not interface changes for users without a profile
+    assert not 'profile-validation-' in response.text
+
+
 def test_login_profile_selection(app, oidc_client, profile_user, profile_settings):
     oidc_client.idtoken_algo = oidc_client.ALGO_HMAC
     oidc_client.activate_user_profiles = True