First attempt at supporting custom scopes.

Author: rohe

src/oidcendpoint/__init__.py

@@ -6,7 +6,7 @@
 except ImportError:
     import random as rnd
 
-__version__ = "0.10.0"
+__version__ = "0.10.1"
 
 
 DEF_SIGN_ALG = {

src/oidcendpoint/endpoint_context.py

@@ -11,7 +11,6 @@
 from jinja2 import Environment
 from jinja2 import FileSystemLoader
 from oidcmsg.oidc import IdToken
-from oidcmsg.oidc import SCOPE2CLAIMS
 
 from oidcendpoint import authz
 from oidcendpoint import rndstr
@@ -23,6 +22,7 @@
 from oidcendpoint.sso_db import SSODb
 from oidcendpoint.template_handler import Jinja2TemplateHandler
 from oidcendpoint.user_authn.authn_context import populate_authn_broker
+from oidcendpoint.user_info import SCOPE2CLAIMS
 from oidcendpoint.util import build_endpoints
 from oidcendpoint.util import importer
 
@@ -167,6 +167,7 @@ def __init__(
         self.args = {}
 
         self._sub_func = None
+        self.scope2claims = SCOPE2CLAIMS
 
         if cookie_name:
             self.cookie_name = cookie_name
@@ -180,12 +181,12 @@ def __init__(
             }
 
         for param in [
-                "verify_ssl",
-                "issuer",
-                "sso_ttl",
-                "symkey",
-                "client_authn",
-                "id_token_schema",
+            "verify_ssl",
+            "issuer",
+            "sso_ttl",
+            "symkey",
+            "client_authn",
+            "id_token_schema",
         ]:
             try:
                 setattr(self, param, conf[param])
@@ -223,7 +224,7 @@ def __init__(
             self.keyjar = init_key_jar(**args)
 
         for item in ['cookie_dealer', "sub_func", "authz", "authentication",
-                     "id_token"]:
+                     "id_token", "scope2claims"]:
             _func = getattr(self, "do_{}".format(item), None)
             if _func:
                 _func(self.conf)
@@ -393,11 +394,11 @@ def package_capabilities(self):
         _provider_info["version"] = "3.0"
 
         _claims = []
-        for _cl in SCOPE2CLAIMS.values():
+        for _cl in self.scope2claims.values():
             _claims.extend(_cl)
         _provider_info["claims_supported"] = list(set(_claims))
 
-        _scopes = list(SCOPE2CLAIMS.keys())
+        _scopes = list(self.scope2claims.keys())
         _provider_info["scopes_supported"] = _scopes
 
         # Sort order RS, ES, HS, PS

src/oidcendpoint/id_token.py

@@ -8,7 +8,6 @@
 
 logger = logging.getLogger(__name__)
 
-
 DEF_SIGN_ALG = {
     "id_token": "RS256",
     "userinfo": "RS256",
@@ -20,7 +19,7 @@
 
 
 def get_sign_and_encrypt_algorithms(
-    endpoint_context, client_info, payload_type, sign=False, encrypt=False
+        endpoint_context, client_info, payload_type, sign=False, encrypt=False
 ):
     args = {"sign": sign, "encrypt": encrypt}
     if sign:
@@ -76,18 +75,19 @@ class IDToken(object):
     def __init__(self, endpoint_context, **kwargs):
         self.endpoint_context = endpoint_context
         self.kwargs = kwargs
+        self.scope_to_claims = None
 
     def payload(
-        self,
-        session,
-        acr="",
-        alg="RS256",
-        code=None,
-        access_token=None,
-        user_info=None,
-        auth_time=0,
-        lifetime=None,
-        extra_claims=None,
+            self,
+            session,
+            acr="",
+            alg="RS256",
+            code=None,
+            access_token=None,
+            user_info=None,
+            auth_time=0,
+            lifetime=None,
+            extra_claims=None,
     ):
         """
 
@@ -148,16 +148,16 @@ def payload(
         return {"payload": _args, "lifetime": lifetime}
 
     def sign_encrypt(
-        self,
-        session_info,
-        client_id,
-        code=None,
-        access_token=None,
-        user_info=None,
-        sign=True,
-        encrypt=False,
-        lifetime=None,
-        extra_claims=None,
+            self,
+            session_info,
+            client_id,
+            code=None,
+            access_token=None,
+            user_info=None,
+            sign=True,
+            encrypt=False,
+            lifetime=None,
+            extra_claims=None,
     ):
         """
         Signed and or encrypt a IDToken
@@ -222,7 +222,8 @@ def make(self, req, sess_info, authn_req=None, user_claims=False, **kwargs):
         )
 
         if user_claims:
-            info = collect_user_info(_context, sess_info)
+            info = collect_user_info(_context, sess_info,
+                                     scope_to_claims=self.scope_to_claims)
             if userinfo is None:
                 userinfo = info
             else:

src/oidcendpoint/jwt_token.py

@@ -1,29 +1,28 @@
 from typing import Any
 from typing import Dict
-from typing import List
 from typing import Optional
 
 from cryptojwt import JWT
-from oidcmsg.oidc import scope2claims
 
 from oidcendpoint.exception import ToOld
 from oidcendpoint.token_handler import Token
 from oidcendpoint.token_handler import is_expired
+from oidcendpoint.user_info import scope2claims
 
 
 class JWTToken(Token):
     def __init__(
-        self,
-        typ,
-        black_list=None,
-        keyjar=None,
-        issuer=None,
-        aud=None,
-        alg="ES256",
-        lifetime=300,
-        ec=None,
-        token_type="Bearer",
-        **kwargs
+            self,
+            typ,
+            black_list=None,
+            keyjar=None,
+            issuer=None,
+            aud=None,
+            alg="ES256",
+            lifetime=300,
+            ec=None,
+            token_type="Bearer",
+            **kwargs
     ):
         Token.__init__(self, typ, black_list, **kwargs)
         self.token_type = token_type
@@ -35,6 +34,10 @@ def __init__(
 
         self.def_aud = aud or []
         self.alg = alg
+        if 'scope_claims_map' in kwargs:
+            self.scope_claims_map = kwargs['scope_claims_map']
+        else:
+            self.scope_claims_map = None
 
     def add_claims(self, payload, uinfo, claims):
         for attr in claims:
@@ -46,13 +49,13 @@ def add_claims(self, payload, uinfo, claims):
                 pass
 
     def __call__(
-        self,
-        sid: str,
-        uinfo: Dict,
-        sinfo: Dict,
-        *args,
-        aud: Optional[Any],
-        **kwargs
+            self,
+            sid: str,
+            uinfo: Dict,
+            sinfo: Dict,
+            *args,
+            aud: Optional[Any],
+            **kwargs
     ):
         """
         Return a token.
@@ -69,7 +72,9 @@ def __call__(
             self.add_claims(payload, uinfo, self.args["add_claims"])
         if "add_claims_by_scope":
             self.add_claims(
-                payload, uinfo, scope2claims(sinfo["authn_req"]["scope"]).keys()
+                payload, uinfo,
+                scope2claims(sinfo["authn_req"]["scope"],
+                             map=self.scope_claims_map).keys()
             )
 
         payload.update(kwargs)

src/oidcendpoint/oidc/userinfo.py

@@ -2,8 +2,8 @@
 import logging
 
 from cryptojwt.exception import MissingValue
-from oidcmsg import oidc
 from cryptojwt.jwt import JWT
+from oidcmsg import oidc
 from oidcmsg.message import Message
 from oidcmsg.oauth2 import ResponseMessage
 from oidcmsg.time_util import time_sans_frac
@@ -24,6 +24,10 @@ class UserInfo(Endpoint):
     endpoint_name = "userinfo_endpoint"
     name = "userinfo"
 
+    def __init__(self, endpoint_context, **kwargs):
+        Endpoint.__init__(self, endpoint_context, **kwargs)
+        self.scope_to_claims = None
+
     def get_client_id_from_token(self, endpoint_context, token, request=None):
         sinfo = self.endpoint_context.sdb[token]
         return sinfo["authn_req"]["client_id"]
@@ -104,7 +108,8 @@ def process_request(self, request=None, **kwargs):
 
         if allowed:
             # Scope can translate to userinfo_claims
-            info = collect_user_info(self.endpoint_context, session)
+            info = collect_user_info(self.endpoint_context, session,
+                                     scope_to_claims=self.scope_to_claims)
         else:
             info = {
                 "error": "invalid_request",

src/oidcendpoint/user_info/__init__.py

@@ -77,3 +77,30 @@ def search(self, **kwargs):
                 return uid
 
         raise KeyError("No matching user")
+
+
+SCOPE2CLAIMS = {
+    "openid": ["sub"],
+    "profile": ["name", "given_name", "family_name", "middle_name",
+                "nickname", "profile", "picture", "website", "gender",
+                "birthdate", "zoneinfo", "locale", "updated_at",
+                "preferred_username"],
+    "email": ["email", "email_verified"],
+    "address": ["address"],
+    "phone": ["phone_number", "phone_number_verified"],
+    "offline_access": []
+    }
+
+
+def scope2claims(scopes, map=None):
+    if map is None:
+        map = SCOPE2CLAIMS
+
+    res = {}
+    for scope in scopes:
+        try:
+            claims = dict([(name, None) for name in map[scope]])
+            res.update(claims)
+        except KeyError:
+            continue
+    return res

src/oidcendpoint/userinfo.py

@@ -2,9 +2,9 @@
 
 from oidcservice import sanitize
 from oidcmsg.oidc import Claims
-from oidcmsg.oidc import scope2claims
 
 from oidcendpoint.exception import FailedAuthentication
+from oidcendpoint.user_info import scope2claims
 
 logger = logging.getLogger(__name__)
 
@@ -102,7 +102,8 @@ def by_schema(cls, **kwa):
     return dict([(key, val) for key, val in kwa.items() if key in cls.c_param])
 
 
-def collect_user_info(endpoint_context, session, userinfo_claims=None):
+def collect_user_info(endpoint_context, session, userinfo_claims=None,
+                      scope_to_claims=None):
     """
     Collect information about a user.
     This can happen in two cases, either when constructing an IdToken or
@@ -115,7 +116,7 @@ def collect_user_info(endpoint_context, session, userinfo_claims=None):
     authn_req = session["authn_req"]
 
     if userinfo_claims is None:
-        uic = scope2claims(authn_req["scope"])
+        uic = scope2claims(authn_req["scope"], map=scope_to_claims)
 
         # Get only keys allowed by user and update the dict if such info
         # is stored in session
@@ -155,7 +156,8 @@ def collect_user_info(endpoint_context, session, userinfo_claims=None):
     return info
 
 
-def userinfo_in_id_token_claims(endpoint_context, session, def_itc=None):
+def userinfo_in_id_token_claims(endpoint_context, session, def_itc=None,
+                                scope_to_claims=None):
     """
     Collect user info claims that are to be placed in the id token.
 
@@ -177,6 +179,7 @@ def userinfo_in_id_token_claims(endpoint_context, session, def_itc=None):
     _claims = by_schema(endpoint_context.id_token_schema, **itc)
 
     if _claims:
-        return collect_user_info(endpoint_context, session, _claims)
+        return collect_user_info(endpoint_context, session, _claims,
+                                 scope_to_claims=scope_to_claims)
     else:
         return None