Skip to content
This repository was archived by the owner on Jun 23, 2023. It is now read-only.

Use filter_scopes in check_unknown_scopes_policy #138

Merged
merged 3 commits into from
Oct 7, 2021
Merged

Use filter_scopes in check_unknown_scopes_policy #138

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
cdfa5e5
Use filter_scopes in check_unknown_scopes_policy
nsklikas Oct 6, 2021
82cb13a
Fix log
nsklikas Oct 6, 2021
49c6cec
Don't require a scope to be defined
nsklikas Sep 22, 2021
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
16 changes: 9 additions & 7 deletions src/oidcop/oauth2/authorization.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -250,14 +250,16 @@ def check_unknown_scopes_policy(request_info, client_id, endpoint_context):
if not endpoint_context.conf["capabilities"].get("deny_unknown_scopes"):
return

allowed_scopes = endpoint_context.scopes_handler.get_allowed_scopes(client_id=client_id)

scope = request_info["scope"]
filtered_scopes = set(
endpoint_context.scopes_handler.filter_scopes(scope, client_id=client_id)
)
scopes = set(scope)
# this prevents that authz would be released for unavailable scopes
for scope in request_info["scope"]:
if scope not in allowed_scopes:
_msg = "{} requested an unauthorized scope ({})"
logger.warning(_msg.format(client_id, scope))
raise UnAuthorizedClientScope()
if scopes != filtered_scopes:
diff = " ".join(scopes - filtered_scopes)
logger.warning(f"{client_id} requested unauthorized scopes: {diff}")
raise UnAuthorizedClientScope()


class Authorization(Endpoint):
Expand Down
4 changes: 2 additions & 2 deletions src/oidcop/scopes.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -31,12 +31,12 @@ def convert_scopes2claims(scopes, allowed_claims=None, scope2claim_map=None):
res = {}
if allowed_claims is None:
for scope in scopes:
claims = {name: None for name in scope2claim_map[scope]}
claims = {name: None for name in scope2claim_map.get(scope, [])}
res.update(claims)
else:
for scope in scopes:
try:
claims = {name: None for name in scope2claim_map[scope] if name in allowed_claims}
claims = {name: None for name in scope2claim_map.get(scope, []) if name in allowed_claims}
res.update(claims)
except KeyError:
continue
Expand Down
3 changes: 2 additions & 1 deletion tests/test_26_oidc_userinfo_endpoint.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -360,9 +360,10 @@ def test_scopes_to_claims_per_client(self):
"eduperson_scoped_affiliation",
],
}
self.endpoint_context.cdb["client_1"]["allowed_scopes"] = list(self.endpoint_context.cdb["client_1"]["scopes_to_claims"].keys()) + ["aba"]

_auth_req = AUTH_REQ.copy()
_auth_req["scope"] = ["openid", "research_and_scholarship_2"]
_auth_req["scope"] = ["openid", "research_and_scholarship_2", "aba"]

session_id = self._create_session(_auth_req)
grant = self.session_manager[session_id]
Expand Down