Merge branch 'main' into 'wei'

# Conflicts:
#   locale/fr/LC_MESSAGES/django.po

apps/permission/scopes.py

@@ -1,8 +1,10 @@
 # Copyright (C) 2018-2025 by BDE ENS Paris-Saclay
 # SPDX-License-Identifier: GPL-3.0-or-later
+
 from oauth2_provider.oauth2_validators import OAuth2Validator
 from oauth2_provider.scopes import BaseScopes
 from member.models import Club
+from note.models import Alias
 from note_kfet.middlewares import get_current_request
 
 from .backends import PermissionBackend
@@ -16,26 +18,58 @@ class PermissionScopes(BaseScopes):
     and can be useful to make queries through the API with limited privileges.
     """
 
-    def get_all_scopes(self):
-        return {f"{p.id}_{club.id}": f"{p.description} (club {club.name})"
-                for p in Permission.objects.all() for club in Club.objects.all()}
+    def get_all_scopes(self, **kwargs):
+        scopes = {}
+        if 'scopes' in kwargs:
+            for scope in kwargs['scopes']:
+                if scope == 'openid':
+                    scopes['openid'] = "OpenID Connect"
+                else:
+                    p = Permission.objects.get(id=scope.split('_')[0])
+                    club = Club.objects.get(id=scope.split('_')[1])
+                    scopes[scope] = f"{p.description} (club {club.name})"
+            return scopes
+
+        scopes = {f"{p.id}_{club.id}": f"{p.description} (club {club.name})"
+                  for p in Permission.objects.all() for club in Club.objects.all()}
+        scopes['openid'] = "OpenID Connect"
+        return scopes
 
     def get_available_scopes(self, application=None, request=None, *args, **kwargs):
         if not application:
             return []
-        return [f"{p.id}_{p.membership.club.id}"
-                for t in Permission.PERMISSION_TYPES
-                for p in PermissionBackend.get_raw_permissions(get_current_request(), t[0])]
+        scopes = [f"{p.id}_{p.membership.club.id}"
+                  for t in Permission.PERMISSION_TYPES
+                  for p in PermissionBackend.get_raw_permissions(get_current_request(), t[0])]
+        scopes.append('openid')
+        return scopes
 
     def get_default_scopes(self, application=None, request=None, *args, **kwargs):
         if not application:
             return []
-        return [f"{p.id}_{p.membership.club.id}"
-                for p in PermissionBackend.get_raw_permissions(get_current_request(), 'view')]
+        scopes = [f"{p.id}_{p.membership.club.id}"
+                  for p in PermissionBackend.get_raw_permissions(get_current_request(), 'view')]
+        scopes.append('openid')
+        return scopes
 
 
 class PermissionOAuth2Validator(OAuth2Validator):
-    oidc_claim_scope = None  # fix breaking change of django-oauth-toolkit 2.0.0
+    oidc_claim_scope = OAuth2Validator.oidc_claim_scope
+    oidc_claim_scope.update({"name": 'openid',
+                             "normalized_name": 'openid',
+                             "email": 'openid',
+                             })
+
+    def get_additional_claims(self, request):
+        return {
+            "name": request.user.username,
+            "normalized_name": Alias.normalize(request.user.username),
+            "email": request.user.email,
+        }
+
+    def get_discovery_claims(self, request):
+        claims = super().get_discovery_claims(self)
+        return claims + ["name", "normalized_name", "email"]
 
     def validate_scopes(self, client_id, scopes, client, request, *args, **kwargs):
         """
@@ -54,6 +88,8 @@ class PermissionOAuth2Validator(OAuth2Validator):
                 if scope in scopes:
                     valid_scopes.add(scope)
 
-        request.scopes = valid_scopes
+        if 'openid' in scopes:
+            valid_scopes.add('openid')
 
+        request.scopes = valid_scopes
         return valid_scopes

apps/permission/signals.py

@@ -13,12 +13,14 @@ EXCLUDED = [
     'cas_server.serviceticket',
     'cas_server.user',
     'cas_server.userattributes',
+    'constance.constance',
     'contenttypes.contenttype',
     'logs.changelog',
     'migrations.migration',
     'oauth2_provider.accesstoken',
     'oauth2_provider.grant',
     'oauth2_provider.refreshtoken',
+    'oauth2_provider.idtoken',
     'sessions.session',
 ]
 

apps/permission/views.py

@@ -164,14 +164,24 @@ class ScopesView(LoginRequiredMixin, TemplateView):
         from oauth2_provider.models import Application
         from .scopes import PermissionScopes
 
-        scopes = PermissionScopes()
+        oidc = False
         context["scopes"] = {}
-        all_scopes = scopes.get_all_scopes()
         for app in Application.objects.filter(user=self.request.user).all():
-            available_scopes = scopes.get_available_scopes(app)
+            available_scopes = PermissionScopes().get_available_scopes(app)
             context["scopes"][app] = OrderedDict()
-            items = [(k, v) for (k, v) in all_scopes.items() if k in available_scopes]
+            all_scopes = PermissionScopes().get_all_scopes(scopes=available_scopes)
+            scopes = {}
+            for scope in available_scopes:
+                scopes[scope] = all_scopes[scope]
+            # remove OIDC scope for sort
+            if 'openid' in scopes:
+                del scopes['openid']
+                oidc = True
+            items = [(k, v) for (k, v) in scopes.items()]
             items.sort(key=lambda x: (int(x[0].split("_")[1]), int(x[0].split("_")[0])))
+            # add oidc if necessary
+            if oidc:
+                items.append(('openid', PermissionScopes().get_all_scopes(scopes=['openid'])['openid']))
             for k, v in items:
                 context["scopes"][app][k] = v