idp_oidc: render templated claims in user-info-creation utilities (#37884)
parent
6803bcd2f0
commit
afa8e45afd
@ -30,6 +30,7 @@ from django.utils.six.moves.urllib import parse as urlparse
|
|||
|
||||
from authentic2 import hooks, crypto
|
||||
from authentic2.attributes_ng.engine import get_attributes
|
||||
from authentic2.utils.template import Template
|
||||
|
||||
from . import app_settings
|
||||
|
||||
|
@ -197,9 +198,13 @@ def create_user_info(request, client, user, scope_set, id_token=False):
|
|||
if not set(claim.get_scopes()).intersection(scope_set):
|
||||
continue
|
||||
claims_to_show.add(claim)
|
||||
if claim.value not in attributes:
|
||||
continue
|
||||
attribute_value = attributes[claim.value]
|
||||
if claim.value and ('{{' in claim.value or '{%' in claim.value):
|
||||
template = Template(claim.value)
|
||||
attribute_value = template.render(context=attributes)
|
||||
else:
|
||||
if claim.value not in attributes:
|
||||
continue
|
||||
attribute_value = attributes[claim.value]
|
||||
if attribute_value is None:
|
||||
continue
|
||||
user_info[claim.name] = normalize_claim_values(attribute_value)
|
||||
|
|
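Review bot: The templated branch at `attribute_value = template.render(context=attributes)` can never skip a claim, because render returns a string even when every attribute it references is absent, so an empty-string claim is emitted where the non-templated branch would `continue`; adding `if not attribute_value: continue` right after the render (or documenting that templated claims are always emitted) would keep the two branches consistent. A multi-valued attribute referenced from a template is also flattened to its Python list repr instead of reaching normalize_claim_values as a list, which the old lookup path preserved. Whether the rendered value is HTML-autoescaped depends on authentic2.utils.template.Template, which is not visible here; if it wraps a Django template with default autoescaping, a name such as O'Brien would reach the relying party as `O&#39;Brien`, so this deserves a test or an explicit comment on the import. A syntax error in an admin-configured claim template would presumably surface at user-info time rather than at configuration time, so it may be worth noting where such errors are caught. create_user_info begins before this hunk.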
|
@ -1116,6 +1116,79 @@ def test_claim_default_value(oidc_settings, normal_oidc_client, simple_user, app
|
|||
assert 'family_name' not in user_info
|
||||
|
||||
|
||||
def test_claim_templated(oidc_settings, normal_oidc_client, simple_user, app):
|
||||
oidc_settings.A2_IDP_OIDC_SCOPES = ['openid', 'profile', 'email']
|
||||
OIDCClaim.objects.filter(
|
||||
client=normal_oidc_client, name='given_name').delete()
|
||||
OIDCClaim.objects.filter(
|
||||
client=normal_oidc_client, name='family_name').delete()
|
||||
claim1 = OIDCClaim.objects.create(
|
||||
client=normal_oidc_client,
|
||||
name='given_name',
|
||||
value='{{ django_user_first_name|add:"ounet" }}',
|
||||
scopes='profile')
|
||||
claim2 = OIDCClaim.objects.create(
|
||||
client=normal_oidc_client,
|
||||
name='family_name',
|
||||
value='{{ "Von der "|add:django_user_last_name }}',
|
||||
scopes='profile')
|
||||
normal_oidc_client.authorization_flow = normal_oidc_client.FLOW_AUTHORIZATION_CODE
|
||||
normal_oidc_client.authorization_mode = normal_oidc_client.AUTHORIZATION_MODE_NONE
|
||||
normal_oidc_client.save()
|
||||
|
||||
utils.login(app, simple_user)
|
||||
|
||||
oidc_client = normal_oidc_client
|
||||
redirect_uri = oidc_client.redirect_uris.split()[0]
|
||||
|
||||
params = {
|
||||
'client_id': oidc_client.client_id,
|
||||
'scope': 'openid email profile',
|
||||
'redirect_uri': redirect_uri,
|
||||
'state': 'xxx',
|
||||
'nonce': 'yyy',
|
||||
'response_type': 'code',
|
||||
}
|
||||
|
||||
def sso():
|
||||
authorize_url = make_url('oidc-authorize', params=params)
|
||||
|
||||
response = app.get(authorize_url)
|
||||
location = urlparse.urlparse(response['Location'])
|
||||
query = urlparse.parse_qs(location.query)
|
||||
code = query['code'][0]
|
||||
|
||||
token_url = make_url('oidc-token')
|
||||
response = app.post(token_url, params={
|
||||
'grant_type': 'authorization_code',
|
||||
'code': code,
|
||||
'redirect_uri': oidc_client.redirect_uris.split()[0],
|
||||
}, headers=client_authentication_headers(oidc_client))
|
||||
access_token = response.json['access_token']
|
||||
id_token = response.json['id_token']
|
||||
|
||||
k = base64.b64encode(oidc_client.client_secret.encode('utf-8'))
|
||||
key = JWK(kty='oct', k=force_text(k))
|
||||
jwt = JWT(jwt=id_token, key=key)
|
||||
claims = json.loads(jwt.claims)
|
||||
|
||||
user_info_url = make_url('oidc-user-info')
|
||||
response = app.get(user_info_url, headers=bearer_authentication_headers(access_token))
|
||||
return claims, response.json
|
||||
|
||||
claims, user_info = sso()
|
||||
|
||||
assert claims['given_name'].endswith('ounet')
|
||||
assert claims['given_name'].startswith(simple_user.first_name)
|
||||
assert claims['family_name'].startswith('Von der')
|
||||
assert claims['family_name'].endswith(simple_user.last_name)
|
||||
|
||||
assert user_info['given_name'].endswith('ounet')
|
||||
assert user_info['given_name'].startswith(simple_user.first_name)
|
||||
assert user_info['family_name'].startswith('Von der')
|
||||
assert user_info['family_name'].endswith(simple_user.last_name)
|
||||
|
||||
|
||||
def test_client_is_valid_redirect_uri():
|
||||
client = OIDCClient(redirect_uris='''http://example.com
|
||||
http://example2.com/
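Review bot: The assertions in test_claim_templated only check prefixes and suffixes, so a rendering that escapes or alters characters in the middle of the value would still pass; `assert claims['given_name'] == simple_user.first_name + 'ounet'` and the equivalent exact comparison for family_name (and for user_info) pin the behaviour the commit title describes. The fixture names carry no characters that template autoescaping would rewrite, so a second case with an apostrophe or an ampersand in simple_user.last_name would show whether escaped text leaks into the claims. Covering a template that references a missing attribute would also fix the expected behaviour (claim omitted versus empty string) for the new branch in create_user_info.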
|
||||
|
|