Merge pull request #202 from c00kiemon5ter/feature-pyop-multiple-scopes

Support multiple scopes

Author: c00kiemon5ter

example/plugins/frontends/openid_connect_frontend.yaml.example

@@ -9,3 +9,7 @@ config:
     response_types_supported: ["code", "id_token token"]
     subject_types_supported: ["pairwise"]
     scopes_supported: ["openid", "email"]
+    extra_scopes:
+      foo_scope:
+	  - bar_claim
+	  - baz_claim

setup.py

@@ -15,7 +15,7 @@
     packages=find_packages('src/'),
     package_dir={'': 'src'},
     install_requires=[
-        "pyop",
+        "pyop >= 2.1.0",
         "pysaml2",
         "pycryptodomex",
         "requests",

src/satosa/frontends/openid_connect.py

@@ -121,7 +121,12 @@ def handle_authn_response(self, context, internal_resp, extra_id_token_claims=No
 
         attributes = self.converter.from_internal("openid", internal_resp.attributes)
         self.user_db[internal_resp.subject_id] = {k: v[0] for k, v in attributes.items()}
-        auth_resp = self.provider.authorize(auth_req, internal_resp.subject_id, extra_id_token_claims)
+        auth_resp = self.provider.authorize(
+            auth_req,
+            internal_resp.subject_id,
+            extra_id_token_claims=extra_id_token_claims,
+            extra_scopes=self.config.get("extra_scopes"),
+        )
 
         del context.state[self.name]
         http_response = auth_resp.request(auth_req["redirect_uri"], should_fragment_encode(auth_req))
@@ -352,7 +357,11 @@ def userinfo_endpoint(self, context):
         headers = {"Authorization": context.request_authorization}
 
         try:
-            response = self.provider.handle_userinfo_request(urlencode(context.request), headers)
+            response = self.provider.handle_userinfo_request(
+                request=urlencode(context.request),
+                http_headers=headers,
+                extra_scopes=self.config.get("extra_scopes"),
+            )
             return Response(response.to_json(), content="application/json")
         except (BearerTokenError, InvalidAccessToken) as e:
             error_resp = UserInfoErrorResponse(error='invalid_token', error_description=str(e))

tests/satosa/backends/test_openid_connect.py

@@ -192,7 +192,11 @@ def test_entire_flow(self, context, backend_config, internal_attributes, userinf
         auth_params = dict(parse_qsl(urlparse(auth_response.message).query))
 
         access_token = 12345
-        context.request = {"state": auth_params["state"], "access_token": access_token}
+        context.request = {
+            "state": auth_params["state"],
+            "access_token": access_token,
+            "token_type": "Bearer",
+        }
         self.oidc_backend.response_endpoint(context)
         assert self.oidc_backend.name not in context.state
         args = self.oidc_backend.auth_callback_func.call_args[0]