Merge branch 'fix-feature-extra-scopes'

Author: c00kiemon5ter

setup.py

@@ -15,7 +15,7 @@
     packages=find_packages('src/'),
     package_dir={'': 'src'},
     install_requires=[
-        "pyop >= 2.1.0",
+        "pyop >= 3.0.1",
         "pysaml2",
         "pycryptodomex",
         "requests",

src/satosa/frontends/openid_connect.py

@@ -50,6 +50,7 @@ def _create_provider(self, endpoint_baseurl):
         response_types_supported = self.config["provider"].get("response_types_supported", ["id_token"])
         subject_types_supported = self.config["provider"].get("subject_types_supported", ["pairwise"])
         scopes_supported = self.config["provider"].get("scopes_supported", ["openid"])
+        extra_scopes = self.config["provider"].get("extra_scopes")
         capabilities = {
             "issuer": self.base_url,
             "authorization_endpoint": "{}/{}".format(endpoint_baseurl, AuthorizationEndpoint.url),
@@ -85,7 +86,14 @@ def _create_provider(self, endpoint_baseurl):
         else:
             cdb = {}
         self.user_db = MongoWrapper(db_uri, "satosa", "authz_codes") if db_uri else {}
-        self.provider = Provider(self.signing_key, capabilities, authz_state, cdb, Userinfo(self.user_db))
+        self.provider = Provider(
+            self.signing_key,
+            capabilities,
+            authz_state,
+            cdb,
+            Userinfo(self.user_db),
+            extra_scopes=extra_scopes,
+        )
 
     def _init_authorization_state(self):
         sub_hash_salt = self.config.get("sub_hash_salt", rndstr(16))
@@ -125,7 +133,6 @@ def handle_authn_response(self, context, internal_resp, extra_id_token_claims=No
             auth_req,
             internal_resp.subject_id,
             extra_id_token_claims=extra_id_token_claims,
-            extra_scopes=self.config.get("extra_scopes"),
         )
 
         del context.state[self.name]
@@ -360,7 +367,6 @@ def userinfo_endpoint(self, context):
             response = self.provider.handle_userinfo_request(
                 request=urlencode(context.request),
                 http_headers=headers,
-                extra_scopes=self.config.get("extra_scopes"),
             )
             return Response(response.to_json(), content="application/json")
         except (BearerTokenError, InvalidAccessToken) as e:

tests/satosa/frontends/test_openid_connect.py

@@ -186,19 +186,21 @@ def test_provider_configuration_endpoint(self, context, frontend):
             "claims_parameter_supported": True,
             "request_parameter_supported": False,
             "request_uri_parameter_supported": False,
-            "scopes_supported": ["openid", "email"],
             "claims_supported": ["email"],
             "grant_types_supported": ["authorization_code", "implicit"],
             "issuer": BASE_URL,
-            "require_request_uri_registration": True,
+            "require_request_uri_registration": False,
             "token_endpoint_auth_methods_supported": ["client_secret_basic"],
             "version": "3.0"
         }
 
         http_response = frontend.provider_config(context)
         provider_config = ProviderConfigurationResponse().deserialize(http_response.message, "json")
 
-        assert provider_config.to_dict() == expected_capabilities
+        provider_config_dict = provider_config.to_dict()
+        scopes_supported = provider_config_dict.pop("scopes_supported")
+        assert all(scope in scopes_supported for scope in ["openid", "email"])
+        assert provider_config_dict == expected_capabilities
 
     def test_jwks(self, context, frontend):
         http_response = frontend.jwks(context)