Fix token exchange claims on userinfo endpoint

Author: ctriant

src/oidcop/oidc/userinfo.py

@@ -141,11 +141,13 @@ def process_request(self, request=None, **kwargs):
             # if "offline_access" in session["authn_req"]["scope"]:
             #     pass
 
+        _cntxt = self.server_get("endpoint_context")
         if allowed:
-            _claims = _grant.claims.get("userinfo")
-            info = self.server_get("endpoint_context").claims_interface.get_user_claims(
-                user_id=_session_info["user_id"], claims_restriction=_claims
+            _claims_restriction = _cntxt.claims_interface.get_claims(
+                _session_info["session_id"], scopes=token.scope, claims_release_point="userinfo"
             )
+            info = _cntxt.claims_interface.get_user_claims(_session_info["user_id"],
+                                                           claims_restriction=_claims_restriction)
             info["sub"] = _grant.sub
             if _grant.add_acr_value("userinfo"):
                 info["acr"] = _grant.authentication_event["authn_info"]

tests/test_26_oidc_userinfo_endpoint.py

@@ -322,6 +322,7 @@ def test_scopes_to_claims(self):
 
         session_id = self._create_session(_auth_req)
         grant = self.session_manager[session_id]
+        grant.scope = _auth_req["scope"]
         access_token = self._mint_token("access_token", grant, session_id)
 
         self.endpoint.kwargs["add_claims_by_scope"] = True
@@ -366,6 +367,7 @@ def test_scopes_to_claims_per_client(self):
 
         session_id = self._create_session(_auth_req)
         grant = self.session_manager[session_id]
+        grant.scope = _auth_req["scope"]
         access_token = self._mint_token("access_token", grant, session_id)
 
         self.endpoint.kwargs["add_claims_by_scope"] = True