Merge pull request #11 from its-dirg/issue-6

Fix #6: Handle pre-existing subject identifier in the userinfo db.

Author: RebeckaG

src/pyop/provider.py

@@ -133,8 +133,14 @@ def authorize(self, authentication_request,  # type: oic.oic.message.Authorizati
         Creates an Authentication Response for the specified authentication request and local identifier of the
         authenticated user.
         """
-        sub = self._create_subject_identifier(user_id, authentication_request['client_id'],
-                                              authentication_request['redirect_uri'])
+        custom_sub = self.userinfo[user_id].get('sub')
+        if custom_sub:
+            self.authz_state.subject_identifiers[user_id] = {'public': custom_sub}
+            sub = custom_sub
+        else:
+            sub = self._create_subject_identifier(user_id, authentication_request['client_id'],
+                                                  authentication_request['redirect_uri'])
+
         self._check_subject_identifier_matches_requested(authentication_request, sub)
         response = AuthorizationResponse()
 
@@ -425,7 +431,8 @@ def handle_userinfo_request(self, request=None, http_headers=None):
         requested_claims.update(self._get_requested_claims_in(authentication_request, 'userinfo'))
         user_claims = self.userinfo.get_claims_for(user_id, requested_claims)
 
-        response = OpenIDSchema(sub=introspection['sub'], **user_claims)
+        user_claims.setdefault('sub', introspection['sub'])
+        response = OpenIDSchema(**user_claims)
         logger.debug('userinfo=%s from requested_claims=%s userinfo=%s',
                      response, requested_claims, user_claims)
         return response

tests/pyop/test_provider.py

@@ -184,6 +184,15 @@ def test_authorize(self):
         assert resp['code'] in self.provider.authz_state.authorization_codes
         assert resp['state'] == self.authn_request_args['state']
 
+    def test_authorize_with_custom_sub(self, monkeypatch):
+        sub = 'test_sub1'
+        monkeypatch.setitem(self.provider.userinfo._db[TEST_USER_ID], 'sub', sub)
+        auth_req = AuthorizationRequest().from_dict(self.authn_request_args)
+        resp = self.provider.authorize(auth_req, TEST_USER_ID)
+        assert resp['code'] in self.provider.authz_state.authorization_codes
+        assert resp['state'] == self.authn_request_args['state']
+        assert self.provider.authz_state.authorization_codes[resp['code']]['sub'] == sub
+
     @patch('time.time', MOCK_TIME)
     @pytest.mark.parametrize('extra_claims', [
         {'foo': 'bar'},
@@ -427,6 +436,15 @@ def test_handle_userinfo(self):
         assert response.to_dict() == self.provider.userinfo[TEST_USER_ID]
         assert self.provider.authz_state.get_user_id_for_subject_identifier(response_sub) == TEST_USER_ID
 
+    def test_handle_userinfo_with_custom_sub(self, monkeypatch):
+        sub = 'test_sub1'
+        monkeypatch.setitem(self.provider.userinfo._db[TEST_USER_ID], 'sub', sub)
+        claims_request = ClaimsRequest(userinfo=Claims(email=None))
+        access_token = self.create_access_token({'scope': 'openid profile', 'claims': claims_request})
+        response = self.provider.handle_userinfo_request(urlencode({'access_token': access_token}))
+
+        assert response['sub'] == sub
+
     def test_handle_userinfo_rejects_request_missing_access_token(self):
         with pytest.raises(BearerTokenError) as exc:
             self.provider.handle_userinfo_request()