Add option to disable claims per client

nsklikas · nsklikas · commit ffd419c34f16 · 2020-03-24T12:28:57.000+02:00
diff --git a/src/oidcendpoint/id_token.py b/src/oidcendpoint/id_token.py
@@ -112,6 +112,7 @@ class IDToken(object):
     def __init__(self, endpoint_context, **kwargs):
         self.endpoint_context = endpoint_context
         self.kwargs = kwargs
+        self.enable_claims_per_client = kwargs.get('enable_claims_per_client')
         self.scope_to_claims = None
         self.provider_info = construct_endpoint_info(
             self.default_capabilities, **kwargs
@@ -250,10 +251,9 @@ def make(self, req, sess_info, authn_req=None, user_claims=False, **kwargs):
 
         _cinfo = _context.cdb[_client_id]
 
-        idtoken_claims = dict(
-            self.kwargs.get("default_claims", {}),
-            **_cinfo.get("id_token_claims", {})
-        )
+        idtoken_claims = dict(self.kwargs.get("default_claims", {}))
+        if self.enable_claims_per_client:
+            idtoken_claims.update(_cinfo.get("id_token_claims", {}))
         lifetime = self.kwargs.get("lifetime")
 
         userinfo = userinfo_in_id_token_claims(
diff --git a/tests/test_03_id_token.py b/tests/test_03_id_token.py
@@ -311,6 +311,7 @@ def test_client_claims(self):
                 "uid": "diana"
             },
         }
+        self.endpoint_context.idtoken.enable_claims_per_client = True
         self.endpoint_context.cdb["client_1"]['id_token_claims'] = {
             "address": None
         }
@@ -341,6 +342,7 @@ def test_client_claims_with_default(self):
         self.endpoint_context.idtoken.kwargs['default_claims'] = {
             "nickname": {"essential": True}
         }
+        self.endpoint_context.idtoken.enable_claims_per_client = True
         req = {"client_id": "client_1"}
         _token = self.endpoint_context.idtoken.make(req, session_info)
         assert _token
@@ -351,3 +353,27 @@ def test_client_claims_with_default(self):
         res = _jwt.unpack(_token)
         assert "address" in res
         assert "nickname" in res
+
+    def test_client_claims_disabled(self):
+        session_info = {
+            "authn_req": AREQN,
+            "sub": "sub",
+            "authn_event": {
+                "authn_info": "loa2",
+                "authn_time": time.time(),
+                "uid": "diana"
+            },
+        }
+        self.endpoint_context.cdb["client_1"]['id_token_claims'] = {
+            "address": None
+        }
+        req = {"client_id": "client_1"}
+        _token = self.endpoint_context.idtoken.make(req, session_info)
+        assert _token
+        client_keyjar = KeyJar()
+        _jwks = self.endpoint_context.keyjar.export_jwks()
+        client_keyjar.import_jwks(_jwks, self.endpoint_context.issuer)
+        _jwt = JWT(key_jar=client_keyjar, iss="client_1")
+        res = _jwt.unpack(_token)
+        assert "address" not in res
+        assert "nickname" not in res
