idp_oidc: add support for multivalued attribute claims (#86663)

This commit is contained in:
Paul Marillonnet 2024-02-07 09:48:05 +01:00
parent d50622cb81
commit 47d9680ecf
2 changed files with 26 additions and 3 deletions


@ -87,8 +87,12 @@ def get_attributes(instance, ctx):
serialize = av.attribute.get_kind().get('attributes_ng_serialize', lambda a, b: b)
value = av.to_python()
serialized = serialize(ctx, value)
ctx['django_user_' + str(av.attribute.name)] = serialized
ctx['django_user_' + str(av.attribute.name) + ':verified'] = av.verified
if not av.attribute.multiple:
ctx['django_user_' + str(av.attribute.name)] = serialized
ctx['django_user_' + str(av.attribute.name) + ':verified'] = av.verified
else:
ctx.setdefault('django_user_' + str(av.attribute.name), [])
ctx['django_user_' + str(av.attribute.name)].append(serialized)
ctx['django_user_groups'] = [group for group in user.groups.all()]
ctx['django_user_group_names'] = [str(group) for group in user.groups.all()]
if user.username:
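Review bot: The new `else` branch sets only `django_user_<name>` and never writes the `django_user_<name>:verified` key that the single-valued branch still writes, so a claim mapped to `django_user_<name>:verified` for a multiple attribute silently resolves to nothing; if the verified flag is meaningful per value, collect it alongside the values, e.g. `ctx.setdefault(key + ':verified', []).append(av.verified)`. The prefix `'django_user_' + str(av.attribute.name)` is rebuilt four times in this hunk; binding it once before the `if`, `key = 'django_user_' + str(av.attribute.name)`, would make both branches read more easily. The order of the appended values presumably follows the iteration order over `av`, which begins outside this hunk; worth confirming that order is deterministic, since the test in this commit asserts an exact list. get_attributes and the loop over `av` start outside the hunk.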


@ -1267,16 +1267,31 @@ def test_claim_default_value(oidc_settings, normal_oidc_client, simple_user, app
oidc_settings.A2_IDP_OIDC_SCOPES = ['openid', 'profile', 'email', 'phone']
Attribute.objects.create(
name='phone',
label='phone',
label='Phone',
kind='phone_number',
asked_on_registration=False,
required=False,
user_visible=False,
user_editable=False,
)
Attribute.objects.create(
name='neighborhoods',
label='Neighborhoods',
kind='string',
asked_on_registration=False,
required=False,
user_visible=True,
user_editable=True,
multiple=True, # test str multi-valued attributes' serialization into claims
)
simple_user.attributes.neighborhoods = ['foo', 'bar', 'baz']
simple_user.save()
OIDCClaim.objects.create(
client=normal_oidc_client, name='phone', value='django_user_phone', scopes='phone'
)
OIDCClaim.objects.create(
client=normal_oidc_client, name='neighborhoods', value='django_user_neighborhoods', scopes='profile'
)
normal_oidc_client.authorization_flow = normal_oidc_client.FLOW_AUTHORIZATION_CODE
normal_oidc_client.authorization_mode = normal_oidc_client.AUTHORIZATION_MODE_NONE
normal_oidc_client.save()
@ -1336,6 +1351,7 @@ def test_claim_default_value(oidc_settings, normal_oidc_client, simple_user, app
assert claims['family_name'] == simple_user.last_name
assert claims['email'] == simple_user.email
assert claims['phone'] == simple_user.phone
assert claims['neighborhoods'] == ['foo', 'bar', 'baz']
assert claims['email_verified'] is False
assert user_info['sub'] == make_sub(oidc_client, simple_user)
@ -1344,6 +1360,7 @@ def test_claim_default_value(oidc_settings, normal_oidc_client, simple_user, app
assert user_info['family_name'] == simple_user.last_name
assert user_info['email'] == simple_user.email
assert user_info['phone'] == simple_user.phone
assert user_info['neighborhoods'] == ['foo', 'bar', 'baz']
assert user_info['email_verified'] is False
params['scope'] = 'openid email'
@ -1354,6 +1371,7 @@ def test_claim_default_value(oidc_settings, normal_oidc_client, simple_user, app
assert claims['email'] == simple_user.email
assert claims['email_verified'] is False
assert 'phone' not in claims
assert 'neighborhoods' not in claims
assert 'preferred_username' not in claims
assert 'given_name' not in claims
assert 'family_name' not in claims
@ -1362,6 +1380,7 @@ def test_claim_default_value(oidc_settings, normal_oidc_client, simple_user, app
assert user_info['email'] == simple_user.email
assert user_info['email_verified'] is False
assert 'phone' not in user_info
assert 'neighborhoods' not in user_info
assert 'preferred_username' not in user_info
assert 'given_name' not in user_info
assert 'family_name' not in user_info
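Review bot: The new `neighborhoods` assertions in the first hunk pin an exact three-element list but never cover the single-value case, so a regression where a multiple attribute holding one value is serialized as a bare string instead of a one-element list would go unnoticed; a second multiple attribute set to one value, asserted as `== ['only']`, would close that gap. The trailing comment on the `multiple=True` line would be clearer as `# multi-valued attribute: values must serialize into a list claim`. The exact-order assertion presumably depends on the storage order of the attribute values; if that order is not guaranteed, compare `sorted(claims['neighborhoods'])` instead. test_claim_default_value starts and ends outside these hunks.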