Clarify that request.claims is the *requested* claims.

n2ygk · n2ygk · commit 302c6864023a · 2022-01-30T13:06:31.000-05:00
diff --git a/docs/oidc.rst b/docs/oidc.rst
@@ -143,7 +143,7 @@ scopes in your ``settings.py``::
         # ... any other settings you want
     }
 
-.. info::
+.. note::
     If you want to enable ``RS256`` at a later date, you can do so - just add
     the private key as described above.
 
@@ -267,8 +267,10 @@ The second form gets no request object, and should return a dictionary
 mapping a claim name to a callable, accepting a request and producing
 the claim data::
     class CustomOAuth2Validator(OAuth2Validator):
-	# Set `oidc_claim_scope = None` to ignore scopes that limit which claims to return,
-	# otherwise the OIDC standard scopes are used.
+	# Extend the standard scopes to add a new "permissions" scope
+	# which returns a "permissions" claim:
+	oidc_claim_scope = OAuth2Validator.oidc_claim_scope
+	oidc_claim_scope.update({"permissions": "permissions"})
 
 	def get_additional_claims(self):
 	    return {
@@ -277,6 +279,7 @@ the claim data::
 		"name": lambda request: ' '.join([request.user.first_name, request.user.last_name]),
 		"preferred_username": lambda request: request.user.username,
 		"email": lambda request: request.user.email,
+		"permissions": lambda request: list(request.user.get_group_permissions()),
 	    }
 
 
@@ -313,30 +316,21 @@ The following example adds instructions to return the ``foo`` claim when the ``b
 
 Set ``oidc_claim_scope = None`` to return all claims irrespective of the granted scopes.
 
-You have to make sure you've added addtional claims via ``get_aditional_claims``
+You have to make sure you've added addtional claims via ``get_additional_claims``
 and defined the ``OAUTH2_PROVIDER["SCOPES"]`` in your settings in order for this functionality to work.
 
-
-Using the OIDC "claims" request parameter to determine which claims are returned
---------------------------------------------------------------------------------
-
-Besides using standard OIDC scopes, you can use OIDC's
-`5.5 Requesting Claims using the "claims" Request Parameter`_ feature.
-
-TODO - confirm that this works and document so and whether it interferes with the scope stuff.
-
-
 .. note::
     This ``request`` object is not a ``django.http.Request`` object, but an
     ``oauthlib.common.Request`` object. This has a number of attributes that
     you can use to decide what claims to put in to the ID token:
 
     * ``request.scopes`` - the list of granted scopes.
-    * ``request.claims`` - a dictionary of the claims.
-    * ``request.user`` - the django user object.
+    * ``request.claims`` - the requested claims per OIDC's `5.5 Requesting Claims using the "claims" Request Parameter`_
+    * ``request.user`` - the `Django User`_ object.
 
 .. _5.4 Requesting Claims using Scope Values: https://openid.net/specs/openid-connect-core-1_0.html#ScopeClaims
 .. _5.5 Requesting Claims using the "claims" Request Parameter: https://openid.net/specs/openid-connect-core-1_0.html#ClaimsParameter
+.. _Django User: https://docs.djangoproject.com/en/stable/ref/contrib/auth/#user-model
 
 What claims you decide to put in to the token is up to you to determine based
 upon what the scopes and / or claims means to your provider.
