entrouvert
/
authentic
16
0
Fork 0
Code Issues Pull Requests 32 Releases Activity

idp_oidc: render templated claims in user-info-creation utilities (#37884)

This commit is contained in:
Paul Marillonnet 2020-02-17 17:14:34 +01:00
parent 6803bcd2f0
commit afa8e45afd
2 changed files with 81 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
src/authentic2_idp_oidc/utils.py
View File

@ -30,6 +30,7 @@ from django.utils.six.moves.urllib import parse as urlparse
from authentic2 import hooks, crypto
from authentic2.attributes_ng.engine import get_attributes
from authentic2.utils.template import Template
from . import app_settings
@ -197,9 +198,13 @@ def create_user_info(request, client, user, scope_set, id_token=False):
if not set(claim.get_scopes()).intersection(scope_set):
continue
claims_to_show.add(claim)
if claim.value not in attributes:
continue
attribute_value = attributes[claim.value]
if claim.value and ('{{' in claim.value or '{%' in claim.value):
template = Template(claim.value)
attribute_value = template.render(context=attributes)
else:
if claim.value not in attributes:
continue
attribute_value = attributes[claim.value]
if attribute_value is None:
continue
user_info[claim.name] = normalize_claim_values(attribute_value)

73
tests/test_idp_oidc.py
View File

@ -1116,6 +1116,79 @@ def test_claim_default_value(oidc_settings, normal_oidc_client, simple_user, app
assert 'family_name' not in user_info
def test_claim_templated(oidc_settings, normal_oidc_client, simple_user, app):
oidc_settings.A2_IDP_OIDC_SCOPES = ['openid', 'profile', 'email']
OIDCClaim.objects.filter(
client=normal_oidc_client, name='given_name').delete()
OIDCClaim.objects.filter(
client=normal_oidc_client, name='family_name').delete()
claim1 = OIDCClaim.objects.create(
client=normal_oidc_client,
name='given_name',
value='{{ django_user_first_name|add:"ounet" }}',
scopes='profile')
claim2 = OIDCClaim.objects.create(
client=normal_oidc_client,
name='family_name',
value='{{ "Von der "|add:django_user_last_name }}',
scopes='profile')
normal_oidc_client.authorization_flow = normal_oidc_client.FLOW_AUTHORIZATION_CODE
normal_oidc_client.authorization_mode = normal_oidc_client.AUTHORIZATION_MODE_NONE
normal_oidc_client.save()
utils.login(app, simple_user)
oidc_client = normal_oidc_client
redirect_uri = oidc_client.redirect_uris.split()[0]
params = {
'client_id': oidc_client.client_id,
'scope': 'openid email profile',
'redirect_uri': redirect_uri,
'state': 'xxx',
'nonce': 'yyy',
'response_type': 'code',
}
def sso():
authorize_url = make_url('oidc-authorize', params=params)
response = app.get(authorize_url)
location = urlparse.urlparse(response['Location'])
query = urlparse.parse_qs(location.query)
code = query['code'][0]
token_url = make_url('oidc-token')
response = app.post(token_url, params={
'grant_type': 'authorization_code',
'code': code,
'redirect_uri': oidc_client.redirect_uris.split()[0],
}, headers=client_authentication_headers(oidc_client))
access_token = response.json['access_token']
id_token = response.json['id_token']
k = base64.b64encode(oidc_client.client_secret.encode('utf-8'))
key = JWK(kty='oct', k=force_text(k))
jwt = JWT(jwt=id_token, key=key)
claims = json.loads(jwt.claims)
user_info_url = make_url('oidc-user-info')
response = app.get(user_info_url, headers=bearer_authentication_headers(access_token))
return claims, response.json
claims, user_info = sso()
assert claims['given_name'].endswith('ounet')
assert claims['given_name'].startswith(simple_user.first_name)
assert claims['family_name'].startswith('Von der')
assert claims['family_name'].endswith(simple_user.last_name)
assert user_info['given_name'].endswith('ounet')
assert user_info['given_name'].startswith(simple_user.first_name)
assert user_info['family_name'].startswith('Von der')
assert user_info['family_name'].endswith(simple_user.last_name)
def test_client_is_valid_redirect_uri():
client = OIDCClient(redirect_uris='''http://example.com
http://example2.com/