Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Cie UserInfoResponse does not respect scopes #293

Open
matteo-s opened this issue Dec 15, 2023 · 3 comments
Open

Cie UserInfoResponse does not respect scopes #293

matteo-s opened this issue Dec 15, 2023 · 3 comments
Labels
enhancement New feature or request

Comments

@matteo-s
Copy link

It looks like the userInfo response supports only claims explicitly requested. When the authorization request contains scope=openid profile and no claims both idToken and userInfo should report the "standard" profile, as per spec

From https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/authorization_endpoint.html#parametri-scope-e-claims

Gli attributi dell'utente POSSONO essere richiesti dal RP nell'Authorization Request usando i parametri scope o claims.
---
Gli attributi richiesti tramite il parametro scope sono disponibili sia nell'ID Token e sia nella risposta allo userinfo endpoint.

It looks like the code simply picks explicitly requested claims from attributes with matching names

spid-cie-oidc-django/spid_cie_oidc/provider/views/userinfo_endpoint.py

Line 78 in 2b0c2ef

for claim in (

Maybe related #271
@peppelinux
Copy link
Member

yes

at time of the development of this toolchain the cie specifications was in progress, and the feature you have described is something that was defined later on

I'll keep this for the next milestones, thx

@peppelinux peppelinux added the enhancement New feature or request label Dec 15, 2023
@matteo-s
Copy link
Author

Thanks for the response. Until then I've got around with a quick&dirty implementation which maybe can help others

        for scope in (
            token.session.authz_request.get(
                "scope", ""
            ).split()
        ):
            if scope == 'profile':
                jwt['name'] = token.session.user.attributes['username']
                jwt['given_name'] = token.session.user.attributes['given_name']
                jwt['family_name'] = token.session.user.attributes['family_name']
                jwt['birthdate'] = token.session.user.attributes['birthdate']
                jwt['https://attributes.eid.gov.it/fiscal_number'] = token.session.user.attributes['https://attributes.eid.gov.it/fiscal_number']

            if scope == 'email':
                jwt['email'] = token.session.user.attributes['email']
                jwt['email_verified'] = token.session.user.attributes['email_verified']

@peppelinux
Copy link
Member

peppelinux commented Dec 15, 2023
edited
Loading

please do that in a PR and I'll review, approve and we'll have a new release together

in a settings.py like this https://github.com/italia/spid-cie-oidc-django/blob/main/spid_cie_oidc/provider/settings.py

create a mapping of the scopes2claims

OIDC_SCOPES_CLAIMS_MAP = {
     "profile": ["username", "given_name", "family_name", "birthdate", "https://attributes.eid.gov.it/fiscal_number"],
     "email": ["email", "email_verified"]
}

then in the code do something like this

        for scope in token.session.authz_request.get("scope", "").split():
            _user_attrs = token.session.user.attributes
            for i in OIDC_SCOPES_CLAIMS_MAP.get(scope, []):
                jwt[i] = _user_attrs.get(settings.OIDCFED_PROVIDER_ATTRIBUTES_MAP[i][0])

try to use the local app settings defaults (overloadable also in the settings project) to reduce the constants in the code

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
enhancement New feature or request
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@peppelinux @matteo-s