idp_oidc: export claim even if source attribute is absent (fixes #27540)

src/authentic2_idp_oidc/utils.py

@@ -174,15 +174,22 @@ def create_user_info(request, client, user, scope_set, id_token=False):
         'service': client,
         '__wanted_attributes': client.get_wanted_attributes(),
     })
-    for claim in client.oidcclaim_set.filter(name__isnull=False):
+    claims = client.oidcclaim_set.filter(name__isnull=False)
+    for claim in claims:
         if not set(claim.get_scopes()).intersection(scope_set):
             continue
-        if not claim.value in attributes:
+        if claim.value not in attributes:
             continue
-        user_info[claim.name] = normalize_claim_values(attributes[claim.value])
+        attribute_value = attributes[claim.value]
+        if attribute_value is None:
+            continue
+        user_info[claim.name] = normalize_claim_values(attribute_value)
         # check if attribute is verified
         if claim.value + ':verified' in attributes:
             user_info[claim.name + '_verified'] = True
+    for claim in claims:
+        if claim.name not in user_info:
+            user_info[claim.name] = None
     hooks.call_hooks('idp_oidc_modify_user_info', client, user, scope_set, user_info)
     return user_info
 

tests/test_idp_oidc.py

@@ -285,7 +285,7 @@ def test_authorization_code_sso(login_first, oidc_settings, oidc_client, simple_
     simple_user.username = None
     simple_user.save()
     response = app.get(user_info_url, headers=bearer_authentication_headers(access_token))
-    assert 'preferred_username' not in response.json
+    assert response.json['preferred_username'] is None
 
     # Now logout
     if oidc_client.post_logout_redirect_uris: