OpenID: Fix get_additional_claims API

* always propagate request
* have get_additional_claims return a dict again
* allow get_additional_claims to return plain data instead of callables

Author: Natureshadow

CHANGELOG.md

@@ -20,6 +20,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 * #651 Batch expired token deletions in `cleartokens` management command
 * Added pt-BR translations.
 * #1070 Add a Celery task for clearing expired tokens, e.g. to be scheduled as a [periodic task](https://docs.celeryproject.org/en/stable/userguide/periodic-tasks.html)
+* #1069 OIDC: Re-introduce [additional claims](https://django-oauth-toolkit.readthedocs.io/en/latest/oidc.html#adding-claims-to-the-id-token) beyond `sub` to the id_token.
 
 ### Fixed
 * #1012 Return status for introspecting a nonexistent token from 401 to the correct value of 200 per [RFC 7662](https://datatracker.ietf.org/doc/html/rfc7662#section-2.2).

docs/oidc.rst

@@ -245,17 +245,22 @@ required claims, eg ``iss``, ``aud``, ``exp``, ``iat``, ``auth_time`` etc),
 and the ``sub`` claim will use the primary key of the user as the value.
 You'll probably want to customize this and add additional claims or change
 what is sent for the ``sub`` claim. To do so, you will need to add a method to
-our custom validator.
+our custom validator. It should return a dictionary mapping a claim name to
+either the claim data, or a callable that will be called with the request to
+produce the claim data.
 Standard claim ``sub`` is included by default, to remove it override ``get_claim_list``::
     class CustomOAuth2Validator(OAuth2Validator):
-        def get_additional_claims(self):
+        def get_additional_claims(self, request):
             def get_user_email(request):
-                return request.user.get_full_name()
+                return request.user.get_user_email()
 
+            claims = {}
             # Element name, callback to obtain data
-            claims_list = [ ("email", get_sub_cod),
-                        ("username", get_user_email) ]
-            return claims_list
+            claims["email"] = get_user_email
+            # Element name, plain data returned
+            claims["username"] = request.user.get_full_name()
+
+            return claims
 
 .. note::
     This ``request`` object is not a ``django.http.Request`` object, but an

oauth2_provider/oauth2_validators.py

@@ -728,24 +728,24 @@ def _save_id_token(self, jti, request, expires, *args, **kwargs):
     def get_jwt_bearer_token(self, token, token_handler, request):
         return self.get_id_token(token, token_handler, request)
 
-    def get_claim_list(self):
-        def get_sub_code(request):
-            return str(request.user.id)
+    def get_claim_dict(self, request):
+        def get_sub_code(inner_request):
+            return str(inner_request.user.id)
 
-        list = [ ("sub", get_sub_code) ]
+        claims = {"sub": get_sub_code}
 
         # https://openid.net/specs/openid-connect-core-1_0.html#StandardClaims
-        add = self.get_additional_claims()
-        list.extend(add)
+        add = self.get_additional_claims(request)
+        claims.update(add)
 
-        return list
+        return claims
 
     def get_oidc_claims(self, token, token_handler, request):
-        data = self.get_claim_list()
+        data = self.get_claim_dict(request)
         claims = {}
 
-        for k, call in data:
-            claims[k] = call(request)
+        for k, v in data.items():
+            claims[k] = v(request) if callable(v) else v
         return claims
 
     def get_id_token_dictionary(self, token, token_handler, request):
@@ -898,5 +898,5 @@ def get_userinfo_claims(self, request):
         """
         return self.get_oidc_claims(None, None, request)
 
-    def get_additional_claims(self):
-        return []
+    def get_additional_claims(self, request):
+        return {}

oauth2_provider/views/oidc.py

@@ -48,9 +48,7 @@ def get(self, request, *args, **kwargs):
 
         validator_class = oauth2_settings.OAUTH2_VALIDATOR_CLASS
         validator = validator_class()
-        oidc_claims = []
-        for el, _ in validator.get_claim_list():
-            oidc_claims.append(el)
+        oidc_claims = list(validator.get_claim_dict(request).keys())
 
         data = {
             "issuer": issuer_url,

tests/test_oidc_views.py

@@ -156,13 +156,39 @@ def claim_user_email(request):
 
 
 @pytest.mark.django_db
-def test_userinfo_endpoint_custom_claims(oidc_tokens, client, oauth2_settings):
+def test_userinfo_endpoint_custom_claims_callable(oidc_tokens, client, oauth2_settings):
     class CustomValidator(OAuth2Validator):
-        def get_additional_claims(self):
-            return [
-                ("username", claim_user_email),
-                ("email", claim_user_email),
-            ]
+        def get_additional_claims(self, request):
+            return {
+                "username": claim_user_email,
+                "email": claim_user_email,
+            }
+
+    oidc_tokens.oauth2_settings.OAUTH2_VALIDATOR_CLASS = CustomValidator
+    auth_header = "Bearer %s" % oidc_tokens.access_token
+    rsp = client.get(
+        reverse("oauth2_provider:user-info"),
+        HTTP_AUTHORIZATION=auth_header,
+    )
+    data = rsp.json()
+    assert "sub" in data
+    assert data["sub"] == str(oidc_tokens.user.pk)
+
+    assert "username" in data
+    assert data["username"] == EXAMPLE_EMAIL
+
+    assert "email" in data
+    assert data["email"] == EXAMPLE_EMAIL
+
+
+@pytest.mark.django_db
+def test_userinfo_endpoint_custom_claims_plain(oidc_tokens, client, oauth2_settings):
+    class CustomValidator(OAuth2Validator):
+        def get_additional_claims(self, request):
+            return {
+                "username": EXAMPLE_EMAIL,
+                "email": EXAMPLE_EMAIL,
+            }
 
     oidc_tokens.oauth2_settings.OAUTH2_VALIDATOR_CLASS = CustomValidator
     auth_header = "Bearer %s" % oidc_tokens.access_token