Ensure user_id is not null for in-memory userinfo storage (#925)

esune · web-flow · commit d3bee1ca75e1 · 2025-12-01T15:14:51.000+01:00
* Fix userinfo flow for in-memory storage

Signed-off-by: Emiliano Suñé &lt;emiliano.sune@gmail.com&gt;

* Use in-memory storage for single pod mode

Signed-off-by: Emiliano Suñé &lt;emiliano.sune@gmail.com&gt;

* Bump project version

Signed-off-by: Emiliano Suñé &lt;emiliano.sune@gmail.com&gt;

* Update tests

Signed-off-by: Emiliano Suñé &lt;emiliano.sune@gmail.com&gt;

* Fix linting errors

Signed-off-by: Emiliano Suñé &lt;emiliano.sune@gmail.com&gt;

---------

Signed-off-by: Emiliano Suñé &lt;emiliano.sune@gmail.com&gt;
diff --git a/docker/manage b/docker/manage
@@ -518,6 +518,7 @@ single-pod)
 
   configureEnvironment $@
   export CONTROLLER_REPLICAS=1
+  export USE_REDIS_ADAPTER=false
   echo "Running single pod setup..."
   docker-compose up -d ${DEFAULT_CONTAINERS} ${ACAPY_CONTAINERS} ${PROD_CONTAINERS}
   docker-compose logs -f
diff --git a/oidc-controller/api/core/models.py b/oidc-controller/api/core/models.py
@@ -143,20 +143,33 @@ def get_claims_for(self, user_id, requested_claims, userinfo=None):
         Return stored claims for the given user_id.
         PyOP calls this method when generating ID tokens.
 
+        For StatelessWrapper (in-memory): PyOP passes user_id=None and
+        userinfo contains the claims from the authorization code.
+
+        For RedisWrapper (multi-pod): PyOP passes user_id and userinfo=None,
+        and we look up claims from Redis storage.
+
         Args:
-            user_id: The user identifier to look up
+            user_id: The user identifier to look up (None for StatelessWrapper)
             requested_claims: Claims requested by the client (ignored)
-            userinfo: Additional userinfo (ignored)
+            userinfo: Claims dict from authz code (for StatelessWrapper only)
 
         Returns:
             Dictionary of claims for this user, including custom claims
             from VC presentation
         """
         try:
+            # StatelessWrapper case: claims are passed in userinfo parameter
             if user_id is None:
-                raise ValueError("user_id cannot be None when retrieving claims")
+                claims = userinfo or {}
+                logger.debug(
+                    "VCUserinfo.get_claims_for called with user_id=None (StatelessWrapper mode)",
+                    storage_type="stateless",
+                    claims_keys=list(claims.keys()),
+                )
+                return claims
 
-            # RedisWrapper doesn't support .get(), use [] with KeyError
+            # RedisWrapper case: look up claims from storage
             try:
                 claims = self._claims_storage[user_id]
             except KeyError:
@@ -171,8 +184,6 @@ def get_claims_for(self, user_id, requested_claims, userinfo=None):
             logger.debug(f"  Returning claims keys: {list(claims.keys())}")
 
             return claims
-        except ValueError:
-            raise
         except Exception as e:
             logger.error(f"VCUserinfo.get_claims_for ERROR: {e}")
             raise
diff --git a/oidc-controller/api/core/tests/test_models.py b/oidc-controller/api/core/tests/test_models.py
@@ -152,11 +152,23 @@ def test_set_claims_for_user_with_none_user_id_raises_error(self, dict_storage):
         with pytest.raises(ValueError, match="user_id cannot be None"):
             userinfo.set_claims_for_user(None, {"claim": "value"})
 
-    def test_get_claims_for_with_none_user_id_raises_error(self, dict_storage):
-        """Test that get_claims_for raises ValueError for None user_id."""
+    def test_get_claims_for_with_none_user_id_stateless_mode(self, dict_storage):
+        """Test that get_claims_for handles None user_id for StatelessWrapper."""
         userinfo = VCUserinfo({}, claims_storage=dict_storage)
-        with pytest.raises(ValueError, match="user_id cannot be None"):
-            userinfo.get_claims_for(None, {}, None)
+        # StatelessWrapper mode: user_id=None, claims passed in userinfo param
+        userinfo_claims = {
+            "pres_req_conf_id": "test_config",
+            "vc_presented_attributes": '{"email": "test@example.com"}',
+        }
+        result = userinfo.get_claims_for(None, {}, userinfo=userinfo_claims)
+        assert result == userinfo_claims
+        assert result["pres_req_conf_id"] == "test_config"
+
+    def test_get_claims_for_stateless_mode_with_empty_userinfo(self, dict_storage):
+        """Test StatelessWrapper mode returns empty dict when userinfo is None."""
+        userinfo = VCUserinfo({}, claims_storage=dict_storage)
+        result = userinfo.get_claims_for(None, {}, userinfo=None)
+        assert result == {}
 
     def test_getitem_with_none_user_id_raises_error(self, dict_storage):
         """Test that __getitem__ raises ValueError for None user_id."""
@@ -282,3 +294,42 @@ def test_get_claims_for_storage_exception_handling(self):
 
         with pytest.raises(RuntimeError, match="Storage read failed"):
             userinfo.get_claims_for("user_id", {}, None)
+
+    def test_stateless_mode_with_custom_vc_claims(self, dict_storage):
+        """Test StatelessWrapper mode properly returns all VC claims."""
+        userinfo = VCUserinfo({}, claims_storage=dict_storage)
+        vc_claims = {
+            "pres_req_conf_id": "showcase-person",
+            "vc_presented_attributes": '{"given_names": "John", "family_name": "Doe"}',
+            "acr": "vc_authn",
+            "nonce": "test_nonce_123",
+        }
+
+        # Simulate StatelessWrapper calling get_claims_for
+        result = userinfo.get_claims_for(None, {}, userinfo=vc_claims)
+
+        assert result == vc_claims
+        assert result["pres_req_conf_id"] == "showcase-person"
+        assert "vc_presented_attributes" in result
+        assert result["acr"] == "vc_authn"
+        assert result["nonce"] == "test_nonce_123"
+
+    def test_redis_mode_vs_stateless_mode(self, dict_storage):
+        """Test that Redis mode and StatelessWrapper mode work correctly."""
+        userinfo = VCUserinfo({}, claims_storage=dict_storage)
+
+        # Redis mode: store claims with user_id
+        redis_claims = {"redis_claim": "redis_value"}
+        userinfo.set_claims_for_user("redis_user_id", redis_claims)
+
+        # Redis mode: retrieve with user_id, userinfo=None
+        result_redis = userinfo.get_claims_for("redis_user_id", {}, None)
+        assert result_redis == redis_claims
+
+        # StatelessWrapper mode: retrieve with user_id=None, claims in userinfo
+        stateless_claims = {"stateless_claim": "stateless_value"}
+        result_stateless = userinfo.get_claims_for(None, {}, userinfo=stateless_claims)
+        assert result_stateless == stateless_claims
+
+        # Verify they're independent
+        assert result_redis != result_stateless
diff --git a/oidc-controller/api/routers/oidc.py b/oidc-controller/api/routers/oidc.py
@@ -408,6 +408,13 @@ async def post_token(request: Request, db: Database = Depends(get_db)):
             # Update our local reference to the new user_id
             user_id = presentation_sub
 
+            # CRITICAL: For StatelessWrapper (in-memory storage), claims are
+            # stored INSIDE the authorization code in authz_info["user_info"].
+            # We must update this with the actual claims before repacking,
+            # otherwise PyOP will retrieve empty claims when generating the ID token.
+            # For RedisWrapper, this field is not used (claims are in Redis).
+            authz_info["user_info"] = claims
+
             # Create subject identifier mapping: subject -> user_id
             # This is needed because PyOP will look up the user_id for this
             # subject. Store the public subject identifier with Redis-aware
@@ -432,6 +439,7 @@ async def post_token(request: Request, db: Database = Depends(get_db)):
                 original_user_id=auth_session.pyop_user_id,
                 new_user_id=presentation_sub,
                 updated_auth_session=True,
+                updated_user_info_in_code=True,
             )
 
         # Store claims in VCUserinfo so PyOP can retrieve them when
diff --git a/oidc-controller/api/routers/tests/test_oidc_token.py b/oidc-controller/api/routers/tests/test_oidc_token.py
@@ -225,6 +225,14 @@ async def test_claims_stored_with_presentation_sub_as_user_id(
                         # Critical: no duplicate sub
                         assert "sub" not in stored_claims
 
+                        # Verify authz_info["user_info"] was updated for StatelessWrapper
+                        authz_codes = (
+                            mock_provider.provider.authz_state.authorization_codes
+                        )
+                        pack_call_args = authz_codes.pack.call_args[0][0]
+                        assert "user_info" in pack_call_args
+                        assert pack_call_args["user_info"] == stored_claims
+
     @pytest.mark.asyncio
     async def test_sub_not_included_in_userinfo_claims(
         self, mock_db, mock_auth_session, mock_ver_config, mock_provider
@@ -490,3 +498,181 @@ async def test_claims_storage_exception_raises_http_exception(
                         assert exc_info.value.status_code == 500
                         assert "Failed to store claims" in exc_info.value.detail
                         assert "Redis connection failed" in exc_info.value.detail
+
+
+class TestPostTokenStatelessWrapper:
+    """Test StatelessWrapper-specific behavior in post_token endpoint."""
+
+    @pytest.mark.asyncio
+    async def test_authz_info_user_info_updated_before_pack(
+        self, mock_db, mock_auth_session, mock_ver_config, mock_provider
+    ):
+        """Test that authz_info['user_info'] is updated with claims before packing."""
+        from api.authSessions.crud import AuthSessionCRUD
+        from api.routers.oidc import post_token
+        from api.verificationConfigs.crud import VerificationConfigCRUD
+
+        with patch.object(
+            AuthSessionCRUD,
+            "get_by_pyop_auth_code",
+            return_value=mock_auth_session,
+        ):
+            with patch.object(
+                VerificationConfigCRUD, "get", return_value=mock_ver_config
+            ):
+                with patch.object(
+                    AuthSessionCRUD,
+                    "update_pyop_user_id",
+                    new_callable=AsyncMock,
+                ):
+                    with patch("jwt.decode") as mock_decode:
+                        mock_decode.return_value = {"sub": "John@showcase-person"}
+
+                        mock_request = MagicMock()
+                        mock_form = MagicMock()
+                        mock_form._dict = {
+                            "code": "test-auth-code",
+                            "grant_type": "authorization_code",
+                        }
+                        mock_request.form = MagicMock(
+                            return_value=MagicMock(
+                                __aenter__=AsyncMock(return_value=mock_form),
+                                __aexit__=AsyncMock(return_value=None),
+                            )
+                        )
+                        mock_request.headers = {}
+
+                        await post_token(mock_request, mock_db)
+
+                        # Verify authz_info was packed with user_info field
+                        authz_codes = (
+                            mock_provider.provider.authz_state.authorization_codes
+                        )
+                        authz_codes.pack.assert_called_once()
+
+                        packed_authz_info = authz_codes.pack.call_args[0][0]
+
+                        # Critical: user_info field must be present and contain claims
+                        assert "user_info" in packed_authz_info
+                        user_info = packed_authz_info["user_info"]
+
+                        # Verify user_info contains the presentation claims
+                        assert "pres_req_conf_id" in user_info
+                        assert user_info["pres_req_conf_id"] == "showcase-person"
+                        assert "vc_presented_attributes" in user_info
+                        assert "acr" in user_info
+
+                        # Verify sub is NOT in user_info (it goes in authz_info["sub"])
+                        assert "sub" not in user_info
+
+    @pytest.mark.asyncio
+    async def test_authz_info_sub_updated_with_presentation_sub(
+        self, mock_db, mock_auth_session, mock_ver_config, mock_provider
+    ):
+        """Test that authz_info['sub'] is updated with presentation subject."""
+        from api.authSessions.crud import AuthSessionCRUD
+        from api.routers.oidc import post_token
+        from api.verificationConfigs.crud import VerificationConfigCRUD
+
+        with patch.object(
+            AuthSessionCRUD,
+            "get_by_pyop_auth_code",
+            return_value=mock_auth_session,
+        ):
+            with patch.object(
+                VerificationConfigCRUD, "get", return_value=mock_ver_config
+            ):
+                with patch.object(
+                    AuthSessionCRUD,
+                    "update_pyop_user_id",
+                    new_callable=AsyncMock,
+                ):
+                    with patch("jwt.decode") as mock_decode:
+                        mock_decode.return_value = {"sub": "John@showcase-person"}
+
+                        mock_request = MagicMock()
+                        mock_form = MagicMock()
+                        mock_form._dict = {
+                            "code": "test-auth-code",
+                            "grant_type": "authorization_code",
+                        }
+                        mock_request.form = MagicMock(
+                            return_value=MagicMock(
+                                __aenter__=AsyncMock(return_value=mock_form),
+                                __aexit__=AsyncMock(return_value=None),
+                            )
+                        )
+                        mock_request.headers = {}
+
+                        await post_token(mock_request, mock_db)
+
+                        # Verify authz_info["sub"] was updated before packing
+                        authz_codes = (
+                            mock_provider.provider.authz_state.authorization_codes
+                        )
+                        packed_authz_info = authz_codes.pack.call_args[0][0]
+
+                        assert packed_authz_info["sub"] == "John@showcase-person"
+
+    @pytest.mark.asyncio
+    async def test_user_info_contains_all_presentation_attributes(
+        self, mock_db, mock_auth_session, mock_ver_config, mock_provider
+    ):
+        """Test that user_info in authz_info contains all presentation attributes."""
+        from api.authSessions.crud import AuthSessionCRUD
+        from api.routers.oidc import post_token
+        from api.verificationConfigs.crud import VerificationConfigCRUD
+
+        with patch.object(
+            AuthSessionCRUD,
+            "get_by_pyop_auth_code",
+            return_value=mock_auth_session,
+        ):
+            with patch.object(
+                VerificationConfigCRUD, "get", return_value=mock_ver_config
+            ):
+                with patch.object(
+                    AuthSessionCRUD,
+                    "update_pyop_user_id",
+                    new_callable=AsyncMock,
+                ):
+                    with patch("jwt.decode") as mock_decode:
+                        mock_decode.return_value = {"sub": "John@showcase-person"}
+
+                        mock_request = MagicMock()
+                        mock_form = MagicMock()
+                        mock_form._dict = {
+                            "code": "test-auth-code",
+                            "grant_type": "authorization_code",
+                        }
+                        mock_request.form = MagicMock(
+                            return_value=MagicMock(
+                                __aenter__=AsyncMock(return_value=mock_form),
+                                __aexit__=AsyncMock(return_value=None),
+                            )
+                        )
+                        mock_request.headers = {}
+
+                        await post_token(mock_request, mock_db)
+
+                        # Get the user_info that was packed into authz_info
+                        authz_codes = (
+                            mock_provider.provider.authz_state.authorization_codes
+                        )
+                        packed_authz_info = authz_codes.pack.call_args[0][0]
+                        user_info = packed_authz_info["user_info"]
+
+                        # Verify all expected attributes are present
+                        expected_keys = [
+                            "pres_req_conf_id",
+                            "vc_presented_attributes",
+                            "acr",
+                        ]
+                        for key in expected_keys:
+                            assert key in user_info, f"Missing expected key: {key}"
+
+                        # Verify values
+                        assert user_info["pres_req_conf_id"] == "showcase-person"
+                        assert user_info["acr"] == "vc_authn"
+                        assert "given_names" in user_info["vc_presented_attributes"]
+                        assert "family_name" in user_info["vc_presented_attributes"]
diff --git a/pyproject.toml b/pyproject.toml
@@ -1,6 +1,6 @@
 [project]
 name = "acapy-vc-authn-oidc"
-version = "2.3.3"
+version = "2.3.4"
 description = "Verifiable Credential Identity Provider for OpenID Connect."
 authors = [ { name = "OpenWallet Foundation" } ]
 license = "Apache-2.0"
