implicit flow #137

apps/permission/scopes.py

@@ -72,6 +72,11 @@ class PermissionOAuth2Validator(OAuth2Validator):
             "email": request.user.email,
         }
 
+    def get_userinfo_claims(self, request):
+        claims = super().get_userinfo_claims(request)
+        claims['is_active'] = request.user.is_active
+        return claims
+
     def get_discovery_claims(self, request):
         claims = super().get_discovery_claims(self)
         return claims + ["name", "normalized_name", "email"]
@@ -162,6 +167,12 @@ class PermissionOAuth2Validator(OAuth2Validator):
         request.scopes = valid_scopes
         return valid_scopes
 
+    def validate_implicit_scopes(self, client_id, scopes, client, request, *args, **kwargs):
+        """
+        Implicit flow it's just degraded Authorization flow
+        """
+        return self.validate_code_scopes(client_id, scopes, client, request, args, kwargs)
+
     def validate_scopes(self, client_id, scopes, client, request, *args, **kwargs):
         """
         User can request as many scope as he wants, including invalid scopes,
@@ -179,6 +190,9 @@ class PermissionOAuth2Validator(OAuth2Validator):
         if hasattr(request, '_params') and request._params['response_type'] == 'code':
             return self.validate_code_scopes(client_id, scopes, client, request, args, kwargs)
 
+        if hasattr(request, '_params') and request._params['response_type'] == 'token':
+            return self.validate_implicit_scopes(client_id, scopes, client, request, args, kwargs)
+
         for t in Permission.PERMISSION_TYPES:
             for p in PermissionBackend.get_raw_permissions(get_current_request(), t[0]):
                 scope = f"{p.id}_{p.membership.club.id}"