Allow extra claims to be added to the idtoken by Rebecka Gulliksson.

2014-12-15 16:20:44 +01:00 · 2014-12-15 16:20:44 +01:00 · 59cb4481e5
parent ec3af7261d
commit 59cb4481e5
3 changed files with 29 additions and 5 deletions
--- a/src/oic/oic/init.py
+++ b/src/oic/oic/init.py
@ -1311,7 +1311,7 @@ class Server(oauth2.Server):

    def make_id_token(self, session, loa="2", issuer="",
                      alg="RS256", code=None, access_token=None,
-                      user_info=None, auth_time=0, exp=None):
+                      user_info=None, auth_time=0, exp=None, extra_claims=None):
        """

        :param session: Session information
@ -1366,6 +1366,8 @@ class Server(oauth2.Server):

        halg = "HS%s" % alg[-3:]

+        if extra_claims is not None:
+            _args.update(extra_claims)
        if code:
            _args["c_hash"] = jws.left_hash(code, halg)
        if access_token:
--- a/src/oic/oic/provider.py
+++ b/src/oic/oic/provider.py
@ -262,7 +262,8 @@ class Provider(AProvider):
                    self.capabilities[val] = [_enc_enc]

    def id_token_as_signed_jwt(self, session, loa="2", alg="", code=None,
-                               access_token=None, user_info=None, auth_time=0):
+                               access_token=None, user_info=None, auth_time=0,
+                               exp=None, extra_claims=None):

        if alg == "":
            alg = self.jwx_def["sign_alg"]["id_token"]
@ -273,7 +274,8 @@ class Provider(AProvider):
            alg = "none"

        _idt = self.server.make_id_token(session, loa, self.baseurl, alg, code,
-                                         access_token, user_info, auth_time)
+                                         access_token, user_info, auth_time,
+                                         exp, extra_claims)

        logger.debug("id_token: %s" % _idt.to_dict())
        # My signing key if its RS*, can use client secret if HS*
--- a/tests/test_oic_provider.py
+++ b/tests/test_oic_provider.py
@ -233,14 +233,14 @@ def test_server_authorization_endpoint_id_token():
           "prompt": ["none"]}

    req = AuthorizationRequest(**bib)
-    AREQ = AuthorizationRequest(response_type="code",
+    areq = AuthorizationRequest(response_type="code",
                                client_id="client_1",
                                redirect_uri="http://example.com/authz",
                                scope=["openid"], state="state000")

    sdb = provider.sdb
    ae = AuthnEvent("userX")
-    sid = sdb.create_authz_session(ae, AREQ)
+    sid = sdb.create_authz_session(ae, areq)
    sdb.do_sub(sid)
    _info = sdb[sid]
    # All this is jut removed when the id_token is constructed
@ -528,6 +528,26 @@ def test_idtoken():
    assert len(id_token.split(".")) == 3


+def test_idtoken_with_extra_claims():
+    server = provider_init
+    areq = AuthorizationRequest(response_type="code", client_id=CLIENT_ID,
+                                redirect_uri="http://example.com/authz",
+                                scope=["openid"], state="state000")
+    aevent = AuthnEvent("sub")
+    sid = server.sdb.create_authz_session(aevent, areq)
+    server.sdb.do_sub(sid)
+    session = server.sdb[sid]
+
+    claims = {'k1': 'v1', 'k2': 32}
+
+    id_token = server.id_token_as_signed_jwt(session, extra_claims=claims)
+    parsed = IdToken().from_jwt(id_token, keyjar=server.keyjar)
+
+    print id_token
+    for key, value in claims.iteritems():
+        assert parsed[key] == value
+
+
 def test_userinfo_endpoint():
    server = provider_init