OIDC 0 Quark 1

apps/permission/scopes.py

@@ -18,22 +18,27 @@ class PermissionScopes(BaseScopes):
     """
 
     def get_all_scopes(self):
-        return {f"{p.id}_{club.id}": f"{p.description} (club {club.name})"
-                for p in Permission.objects.all() for club in Club.objects.all()}
+        scopes = {f"{p.id}_{club.id}": f"{p.description} (club {club.name})"
+            for p in Permission.objects.all() for club in Club.objects.all()}
+        scopes['openid'] = "OpenID Connect"
+        return scopes
 
     def get_available_scopes(self, application=None, request=None, *args, **kwargs):
         if not application:
             return []
-        return [f"{p.id}_{p.membership.club.id}"
-                for t in Permission.PERMISSION_TYPES
-                for p in PermissionBackend.get_raw_permissions(get_current_request(), t[0])]
+        scopes = [f"{p.id}_{p.membership.club.id}"
+            for t in Permission.PERMISSION_TYPES
+            for p in PermissionBackend.get_raw_permissions(get_current_request(), t[0])]
+        scopes.append('openid')
+        return scopes
 
     def get_default_scopes(self, application=None, request=None, *args, **kwargs):
         if not application:
             return []
-        return [f"{p.id}_{p.membership.club.id}"
-                for p in PermissionBackend.get_raw_permissions(get_current_request(), 'view')]
-
+        scopes = [f"{p.id}_{p.membership.club.id}"
+            for p in PermissionBackend.get_raw_permissions(get_current_request(), 'view')]
+        scopes.append('openid')
+        return scopes
 
 class PermissionOAuth2Validator(OAuth2Validator):
     oidc_claim_scope = OAuth2Validator.oidc_claim_scope
@@ -49,6 +54,10 @@ class PermissionOAuth2Validator(OAuth2Validator):
             "email": request.user.email,
         }
 
+    def get_discovery_claims(self, request):
+        claims = super().get_discovery_claims(self)
+        return claims + ["name", "normalized_name", "email"]
+
     def validate_scopes(self, client_id, scopes, client, request, *args, **kwargs):
         """
         User can request as many scope as he wants, including invalid scopes,
@@ -65,7 +74,9 @@ class PermissionOAuth2Validator(OAuth2Validator):
                 scope = f"{p.id}_{p.membership.club.id}"
                 if scope in scopes:
                     valid_scopes.add(scope)
+        
+        if 'openid' in scopes:
+            valid_scopes.add('openid')
 
         request.scopes = valid_scopes
-
         return valid_scopes

apps/permission/signals.py

@@ -19,6 +19,7 @@ EXCLUDED = [
     'oauth2_provider.accesstoken',
     'oauth2_provider.grant',
     'oauth2_provider.refreshtoken',
+    'oauth2_provider.idtoken',
     'sessions.session',
 ]
 

apps/permission/views.py

@@ -171,7 +171,7 @@ class ScopesView(LoginRequiredMixin, TemplateView):
             available_scopes = scopes.get_available_scopes(app)
             context["scopes"][app] = OrderedDict()
             items = [(k, v) for (k, v) in all_scopes.items() if k in available_scopes]
-            items.sort(key=lambda x: (int(x[0].split("_")[1]), int(x[0].split("_")[0])))
+            # items.sort(key=lambda x: (int(x[0].split("_")[1]), int(x[0].split("_")[0])))
             for k, v in items:
                 context["scopes"][app][k] = v