idp oidc: skip unset attributes in user-info (#23643)

2018-05-07 19:36:35 +02:00 · 2018-05-07 19:36:35 +02:00 · 465df3f788
parent 74c29b60a9
commit 465df3f788
2 changed files with 8 additions and 0 deletions
--- a/src/authentic2_idp_oidc/utils.py
+++ b/src/authentic2_idp_oidc/utils.py
@ -172,6 +172,8 @@ def create_user_info(client, user, scope_set, id_token=False):
    for claim in client.oidcclaim_set.filter(name__isnull=False):
        if not set(claim.get_scopes()).intersection(scope_set):
            continue
+        if not claim.value in attributes:
+            continue
        user_info[claim.name] = normalize_claim_values(attributes[claim.value])
        # check if attribute is verified
        if claim.value + ':verified' in attributes:
--- a/tests/test_idp_oidc.py
+++ b/tests/test_idp_oidc.py
@ -253,6 +253,12 @@ def test_authorization_code_sso(login_first, oidc_settings, oidc_client, simple_
    assert response.json['ou'] == simple_user.ou.name
    assert response.json['roles'][0] == 'Whatever'

+    # check against a user without username
+    simple_user.username = None
+    simple_user.save()
+    response = app.get(user_info_url, headers=bearer_authentication_headers(access_token))
+    assert 'preferred_username' not in response.json
+
    # Now logout
    if oidc_client.post_logout_redirect_uris:
        params = {