oidc authorization is using access token instead of id_token

Author: evgenyfadeev

askbot/deps/django_authopenid/protocols/__init__.py

@@ -13,6 +13,7 @@ def get_protocol(provider_name):
                             client_secret=params['oidc_client_secret'],
                             provider_url=params['oidc_provider_url'],
                             authorization_function=params['oidc_authorization_function'],
+                            custom_scopes=params['oidc_custom_scopes'],
                             trust_email=params['trust_email'])
 
     raise NotImplementedError(f'Not implemented for  protocol {protocol_type}')

askbot/deps/django_authopenid/protocols/oidc/protocol.py

@@ -24,13 +24,15 @@ def __init__(self, # pylint: disable=too-many-arguments
                  provider_url=None,
                  trust_email=False,
                  authorization_function=None,
+                 custom_scopes=None,
                  audience=None):
         self.protocol_type = 'oidc'
         self.audience = audience
         self.client_id = client_id
         self.client_secret = client_secret
         self.provider_url = provider_url
         self.authorization_function = authorization_function
+        self.custom_scopes = custom_scopes
         self.trust_email = trust_email
         discovery = self.load_discovery_data()
         self.authenticate_url = discovery['authorization_endpoint']
@@ -48,12 +50,23 @@ def load_discovery_data(self):
         return discovery_data
 
 
+    def get_scopes(self):
+        """Merges the default scopes with the custom scopes"""
+        scopes = ['openid', 'email', 'profile']
+        if self.custom_scopes:
+            for scope in self.custom_scopes:
+                if scope not in scopes:
+                    scopes.append(scope)
+
+        return ' '.join(scopes)
+
+
     def get_authentication_url(self, redirect_url, csrf_token=None):
         """Returns url at which OpenId-Connect service starts the user authentication"""
         query_params = {
             'client_id': self.client_id,
             'redirect_uri': redirect_url,
-            'scope': 'openid email profile',
+            'scope': self.get_scopes(),
             'nonce': csrf_token,
             'response_type': 'code',
             'response_mode': 'query',

askbot/deps/django_authopenid/protocols/oidc/views.py

@@ -42,15 +42,15 @@ def complete_oidc_signin(request): #pylint: disable=too-many-return-statements
 
     id_token = token_info["id_token"]
 
-    #access_token = token_info["access_token"]
     #if not oidc.is_access_token_valid(access_token):
     #    return HttpResponseBadRequest("Access token is invalid")
 
     auth_csrf_token = request.session.pop('auth_csrf_token')
     if not oidc.is_id_token_valid(id_token, auth_csrf_token):
         return HttpResponseBadRequest("ID token is invalid")
 
-    if not oidc.is_user_authorized(id_token):
+    access_token = token_info["access_token"]
+    if not oidc.is_user_authorized(access_token):
         return HttpResponseBadRequest("You do not have access to this resource")
 
     user_id = oidc.get_user_id(id_token)

askbot/deps/django_authopenid/util.py

@@ -337,6 +337,11 @@ def read_params(self):
             else:
                 self.oidc_authorization_function = lambda parsed_token: True
 
+            if hasattr(self.mode, 'OIDC_CUSTOM_SCOPES'):
+                self.oidc_custom_scopes = self.mod.OIDC_CUSTOM_SCOPES
+            else:
+                self.oidc_custom_scopes = []
+
         if self.login_type.startswith('openid'):
             self.openid_endpoint = self.get_required_attr('OPENID_ENDPOINT', 'custom OpenID login')
             if self.login_type == 'openid-username':
@@ -361,7 +366,8 @@ def as_dict(self):
             'check_password', 'auth_endpoint', 'token_endpoint',
             'resource_endpoint', 'response_parser', 'token_transport',
             'trust_email', 'oidc_provider_url', 'oidc_client_id',
-            'oidc_client_secret', 'oidc_audience', 'oidc_authorization_function'
+            'oidc_client_secret', 'oidc_audience', 'oidc_authorization_function',
+            'oidc_custom_scopes'
         )
         #some parameters in the class have different names from those
         #in the dictionary