Support for claims_supported in provider config and make it matter.

Author: rohe

src/oidcendpoint/common/authorization.py

@@ -30,6 +30,10 @@
 </html>"""
 
 DEFAULT_SCOPES = list(SCOPE2CLAIMS.keys())
+_CLAIMS = set()
+for scope, claims in SCOPE2CLAIMS.items():
+    _CLAIMS.update(set(claims))
+DEFAULT_CLAIMS = list(_CLAIMS)
 
 
 def inputs(form_args):

src/oidcendpoint/oidc/add_on/custom_scopes.py

@@ -24,4 +24,9 @@ def add_custom_scopes(endpoint, **kwargs):
     if authz_enp:
         _supported = set(authz_enp.default_capabilities['scopes_supported'])
         _supported.update(set(kwargs.keys()))
-        authz_enp.default_capabilities['scopes_supported'] = list(_supported)
+        authz_enp.default_capabilities['scopes_supported'] = list(_supported)
+
+        _claims = set(authz_enp.default_capabilities['claims_supported'])
+        for vals in kwargs.values():
+            _claims.update(set(vals))
+        authz_enp.default_capabilities['claims_supported'] = list(_claims)

src/oidcendpoint/oidc/authorization.py

@@ -20,6 +20,7 @@
 from oidcendpoint import sanitize
 from oidcendpoint.authn_event import create_authn_event
 from oidcendpoint.common.authorization import AllowedAlgorithms
+from oidcendpoint.common.authorization import DEFAULT_CLAIMS
 from oidcendpoint.common.authorization import DEFAULT_SCOPES
 from oidcendpoint.common.authorization import FORM_POST
 from oidcendpoint.common.authorization import authn_args_gather
@@ -198,6 +199,8 @@ class Authorization(Endpoint):
         "request_object_encryption_enc_values_supported": None,
         "grant_types_supported": ["authorization_code", "implicit"],
         "scopes_supported": DEFAULT_SCOPES,
+        "claims_supported": DEFAULT_CLAIMS,
+        "claim_types_supported": ["normal", "aggregated", "distributed"]
     }
 
     def __init__(self, endpoint_context, **kwargs):

src/oidcendpoint/userinfo.py

@@ -9,18 +9,18 @@
 logger = logging.getLogger(__name__)
 
 
-def id_token_claims(session):
+def id_token_claims(session, provider_info):
     """
     Pick the IdToken claims from the request
 
     :param session: Session information
     :return: The IdToken claims
     """
-    itc = update_claims(session, "id_token", {})
+    itc = update_claims(session, "id_token", provider_info=provider_info, old_claims={})
     return itc
 
 
-def update_claims(session, about, old_claims=None):
+def update_claims(session, about, provider_info, old_claims=None):
     """
 
     :param session:
@@ -45,6 +45,11 @@ def update_claims(session, about, old_claims=None):
             pass
         else:
             if _claims:
+                # Deal only with supported claims
+                _unsup = [c for c in _claims.keys() if c not in provider_info["claims_supported"]]
+                for _c in _unsup:
+                    del _claims[_c]
+
                 # update with old claims, do not overwrite
                 for key, val in old_claims.items():
                     if key not in _claims:
@@ -130,7 +135,9 @@ def collect_user_info(
         if perm_set:
             uic = {key: uic[key] for key in uic if key in perm_set}
 
-        uic = update_claims(session, "userinfo", uic)
+        uic = update_claims(session, "userinfo",
+                            provider_info=endpoint_context.provider_info,
+                            old_claims=uic)
 
         if uic:
             userinfo_claims = Claims(**uic)
@@ -176,7 +183,7 @@ def userinfo_in_id_token_claims(endpoint_context, session, def_itc=None):
     else:
         itc = {}
 
-    itc.update(id_token_claims(session))
+    itc.update(id_token_claims(session, provider_info=endpoint_context.provider_info))
 
     if not itc:
         return None

tests/test_07_userinfo.py

@@ -2,6 +2,9 @@
 import os
 
 import pytest
+from oidcmsg.message import Message
+from oidcmsg.oidc import OpenIDRequest
+from oidcmsg.oidc import OpenIDSchema
 
 from oidcendpoint.authn_event import create_authn_event
 from oidcendpoint.endpoint_context import EndpointContext
@@ -16,9 +19,6 @@
 from oidcendpoint.userinfo import claims_match
 from oidcendpoint.userinfo import collect_user_info
 from oidcendpoint.userinfo import update_claims
-from oidcmsg.message import Message
-from oidcmsg.oidc import OpenIDRequest
-from oidcmsg.oidc import OpenIDSchema
 
 CLAIMS = {
     "userinfo": {
@@ -35,6 +35,15 @@
     },
 }
 
+CLAIMS_2 = {
+    "userinfo": {
+        "eduperson_scoped_affiliation": {"essential": True},
+        "nickname": None,
+        "email": {"essential": True},
+        "email_verified": {"essential": True},
+    }
+}
+
 OIDR = OpenIDRequest(
     response_type="code",
     client_id="client1",
@@ -138,16 +147,25 @@ def test_custom_scopes():
         "eduperson_scoped_affiliation",
     }
 
+PROVIDER_INFO = {
+    "claims_supported": ["auth_time", "acr", "given_name",
+                         "nickname",
+                         "email",
+                         "email_verified",
+                         "picture",
+                         "http://example.info/claims/groups",
+                         ]
+}
 
 def test_update_claims_authn_req_id_token():
     _session_info = {"authn_req": OIDR}
-    claims = update_claims(_session_info, "id_token")
+    claims = update_claims(_session_info, "id_token", PROVIDER_INFO)
     assert set(claims.keys()) == {"auth_time", "acr"}
 
 
 def test_update_claims_authn_req_userinfo():
     _session_info = {"authn_req": OIDR}
-    claims = update_claims(_session_info, "userinfo")
+    claims = update_claims(_session_info, "userinfo", PROVIDER_INFO)
     assert set(claims.keys()) == {
         "given_name",
         "nickname",
@@ -160,13 +178,13 @@ def test_update_claims_authn_req_userinfo():
 
 def test_update_claims_authzreq_id_token():
     _session_info = {"authn_req": OIDR}
-    claims = update_claims(_session_info, "id_token")
+    claims = update_claims(_session_info, "id_token", PROVIDER_INFO)
     assert set(claims.keys()) == {"auth_time", "acr"}
 
 
 def test_update_claims_authzreq_userinfo():
     _session_info = {"authn_req": OIDR}
-    claims = update_claims(_session_info, "userinfo")
+    claims = update_claims(_session_info, "userinfo", PROVIDER_INFO)
     assert set(claims.keys()) == {
         "given_name",
         "nickname",
@@ -262,7 +280,10 @@ def create_endpoint_context(self):
         )
 
     def test_collect_user_info(self):
-        _session_info = {"authn_req": OIDR}
+        _req = OIDR.copy()
+        _req["claims"] = CLAIMS_2
+
+        _session_info = {"authn_req": _req}
         session = _session_info.copy()
         session["sub"] = "doe"
         session["uid"] = "diana"
@@ -271,7 +292,6 @@ def test_collect_user_info(self):
         res = collect_user_info(self.endpoint_context, session)
 
         assert res == {
-            "given_name": "Diana",
             "nickname": "Dina",
             "sub": "doe",
             "email": "diana@example.org",
@@ -324,3 +344,133 @@ def test_collect_user_info_scope_not_supported(self):
         }
 
 
+class TestCollectUserInfoCustomScopes:
+    @pytest.fixture(autouse=True)
+    def create_endpoint_context(self):
+        self.endpoint_context = EndpointContext(
+            {
+                "userinfo": {"class": UserInfo, "kwargs": {"db": USERINFO_DB}},
+                "password": "we didn't start the fire",
+                "issuer": "https://example.com/op",
+                "token_expires_in": 900,
+                "grant_expires_in": 600,
+                "refresh_token_expires_in": 86400,
+                "endpoint": {
+                    "provider_config": {
+                        "path": "{}/.well-known/openid-configuration",
+                        "class": ProviderConfiguration,
+                        "kwargs": {},
+                    },
+                    "registration": {
+                        "path": "{}/registration",
+                        "class": Registration,
+                        "kwargs": {},
+                    },
+                    "authorization": {
+                        "path": "{}/authorization",
+                        "class": Authorization,
+                        "kwargs": {
+                            "response_types_supported": [
+                                " ".join(x) for x in RESPONSE_TYPES_SUPPORTED
+                            ],
+                            "response_modes_supported": ["query", "fragment", "form_post"],
+                            "claims_parameter_supported": True,
+                            "request_parameter_supported": True,
+                            "request_uri_parameter_supported": True,
+                        },
+                    },
+                },
+                "add_on": {
+                    "custom_scopes": {
+                        "function": "oidcendpoint.oidc.add_on.custom_scopes.add_custom_scopes",
+                        "kwargs": {
+                            "research_and_scholarship": [
+                                "name",
+                                "given_name",
+                                "family_name",
+                                "email",
+                                "email_verified",
+                                "sub",
+                                "iss",
+                                "eduperson_scoped_affiliation",
+                            ]
+                        },
+                    }
+                },
+                "jwks": {
+                    "public_path": "jwks.json",
+                    "key_defs": KEYDEFS,
+                    "uri_path": "static/jwks.json",
+                },
+                "authentication": {
+                    "anon": {
+                        "acr": INTERNETPROTOCOLPASSWORD,
+                        "class": "oidcendpoint.user_authn.user.NoAuthn",
+                        "kwargs": {"user": "diana"},
+                    }
+                },
+                "template_dir": "template",
+            }
+        )
+
+    def test_collect_user_info(self):
+        _session_info = {"authn_req": OIDR}
+        session = _session_info.copy()
+        session["sub"] = "doe"
+        session["uid"] = "diana"
+        session["authn_event"] = create_authn_event("diana", "salt")
+
+        res = collect_user_info(self.endpoint_context, session)
+
+        assert res == {
+            'email': 'diana@example.org',
+            'email_verified': False,
+            'nickname': 'Dina',
+            'given_name': 'Diana',
+            'sub': 'doe'
+        }
+
+    def test_collect_user_info_2(self):
+        _req = OIDR.copy()
+        _req["scope"] = "openid email"
+        del _req["claims"]
+
+        _session_info = {"authn_req": _req}
+        session = _session_info.copy()
+        session["sub"] = "doe"
+        session["uid"] = "diana"
+        session["authn_event"] = create_authn_event("diana", "salt")
+
+        self.endpoint_context.provider_info["claims_supported"].remove("email")
+        self.endpoint_context.provider_info["claims_supported"].remove("email_verified")
+
+        res = collect_user_info(self.endpoint_context, session)
+
+        assert res == {
+            "sub": "doe",
+            "email": "diana@example.org",
+            "email_verified": False,
+        }
+
+    def test_collect_user_info_scope_not_supported(self):
+        _req = OIDR.copy()
+        _req["scope"] = "openid email address"
+        del _req["claims"]
+
+        _session_info = {"authn_req": _req}
+        session = _session_info.copy()
+        session["sub"] = "doe"
+        session["uid"] = "diana"
+        session["authn_event"] = create_authn_event("diana", "salt")
+
+        # Scope address not supported
+        self.endpoint_context.provider_info["scopes_supported"] = [
+            "openid", "email", "offline_access"
+        ]
+        res = collect_user_info(self.endpoint_context, session)
+
+        assert res == {
+            "sub": "doe",
+            "email": "diana@example.org",
+            "email_verified": False,
+        }

tests/test_22_oidc_provider_config_endpoint.py

@@ -1,6 +1,7 @@
 import json
 
 import pytest
+
 from oidcendpoint.endpoint_context import EndpointContext
 from oidcendpoint.oidc.provider_config import ProviderConfiguration
 from oidcendpoint.oidc.token import AccessToken
@@ -77,4 +78,10 @@ def test_do_response(self):
         assert _msg
         assert _msg["token_endpoint"] == "https://example.com/token"
         assert _msg["jwks_uri"] == "https://example.com/static/jwks.json"
+        assert set(_msg["claims_supported"]) == {
+            'gender', 'zoneinfo', 'website', 'phone_number_verified', 'middle_name', 'family_name',
+            'nickname', 'email', 'preferred_username', 'profile', 'name', 'phone_number',
+            'given_name', 'email_verified', 'sub', 'locale', 'picture', 'address', 'updated_at',
+            'birthdate'
+        }
         assert ("Content-type", "application/json") in msg["http_headers"]

tests/test_26_oidc_userinfo_endpoint.py

@@ -3,6 +3,9 @@
 
 import pytest
 from cryptojwt.jwt import utc_time_sans_frac
+from oidcmsg.oidc import AccessTokenRequest
+from oidcmsg.oidc import AuthorizationRequest
+
 from oidcendpoint import user_info
 from oidcendpoint.endpoint_context import EndpointContext
 from oidcendpoint.id_token import IDToken
@@ -14,8 +17,6 @@
 from oidcendpoint.session import setup_session
 from oidcendpoint.user_authn.authn_context import INTERNETPROTOCOLPASSWORD
 from oidcendpoint.user_info import UserInfo
-from oidcmsg.oidc import AccessTokenRequest
-from oidcmsg.oidc import AuthorizationRequest
 
 KEYDEFS = [
     {"type": "RSA", "key": "", "use": ["sig"]},
@@ -168,6 +169,11 @@ def create_endpoint(self):
 
     def test_init(self):
         assert self.endpoint
+        assert set(self.endpoint.endpoint_context.provider_info["claims_supported"]) == {
+            'iss', 'picture', 'birthdate', 'middle_name', 'zoneinfo', 'locale', 'address', 'gender',
+            'email', 'nickname', 'phone_number_verified', 'sub', 'phone_number', 'name',
+            'family_name', 'preferred_username', 'email_verified', 'updated_at', 'website',
+            'given_name', 'eduperson_scoped_affiliation', 'profile'}
 
     def test_parse(self):
         session_id = setup_session(