Open matteo-s opened 9 months ago
yes
at time of the development of this toolchain the cie specifications was in progress, and the feature you have described is something that was defined later on
I'll keep this for the next milestones, thx
Thanks for the response. Until then I've got around with a quick&dirty implementation which maybe can help others
for scope in (
token.session.authz_request.get(
"scope", ""
).split()
):
if scope == 'profile':
jwt['name'] = token.session.user.attributes['username']
jwt['given_name'] = token.session.user.attributes['given_name']
jwt['family_name'] = token.session.user.attributes['family_name']
jwt['birthdate'] = token.session.user.attributes['birthdate']
jwt['https://attributes.eid.gov.it/fiscal_number'] = token.session.user.attributes['https://attributes.eid.gov.it/fiscal_number']
if scope == 'email':
jwt['email'] = token.session.user.attributes['email']
jwt['email_verified'] = token.session.user.attributes['email_verified']
please do that in a PR and I'll review, approve and we'll have a new release together
in a settings.py like this https://github.com/italia/spid-cie-oidc-django/blob/main/spid_cie_oidc/provider/settings.py
create a mapping of the scopes2claims
OIDC_SCOPES_CLAIMS_MAP = {
"profile": ["username", "given_name", "family_name", "birthdate", "https://attributes.eid.gov.it/fiscal_number"],
"email": ["email", "email_verified"]
}
then in the code do something like this
for scope in token.session.authz_request.get("scope", "").split():
_user_attrs = token.session.user.attributes
for i in OIDC_SCOPES_CLAIMS_MAP.get(scope, []):
jwt[i] = _user_attrs.get(settings.OIDCFED_PROVIDER_ATTRIBUTES_MAP[i][0])
try to use the local app settings defaults (overloadable also in the settings project) to reduce the constants in the code
It looks like the userInfo response supports only claims explicitly requested. When the authorization request contains
scope=openid profile
and noclaims
both idToken and userInfo should report the "standard" profile, as per specFrom https://docs.italia.it/italia/spid/spid-cie-oidc-docs/it/versione-corrente/authorization_endpoint.html#parametri-scope-e-claims
It looks like the code simply picks explicitly requested claims from attributes with matching names https://github.com/italia/spid-cie-oidc-django/blob/2b0c2eff271ef290f90f62ba8b7a3d508b887543/spid_cie_oidc/provider/views/userinfo_endpoint.py#L78
Maybe related #271