OpenID: Transform get_additional_claims into two forms

Natureshadow · Natureshadow · commit 57535b42cda3 · 2022-01-04T23:52:11.000+01:00
See documentation change for rationale.
diff --git a/docs/oidc.rst b/docs/oidc.rst
@@ -245,23 +245,41 @@ required claims, eg ``iss``, ``aud``, ``exp``, ``iat``, ``auth_time`` etc),
 and the ``sub`` claim will use the primary key of the user as the value.
 You'll probably want to customize this and add additional claims or change
 what is sent for the ``sub`` claim. To do so, you will need to add a method to
-our custom validator. It should return a dictionary mapping a claim name to
-either the claim data, or a callable that will be called with the request to
-produce the claim data.
-Standard claim ``sub`` is included by default, for remove it override ``get_claim_list``::
+our custom validator. It takes one of two forms:
+
+The first form gets passed a request object, and should return a dictionary
+mapping a claim name to claim data::
     class CustomOAuth2Validator(OAuth2Validator):
         def get_additional_claims(self, request):
+            claims = {}
+            claims["email"] = request.user.get_user_email()
+            claims["username"] = request.user.get_full_name()
+
+            return claims
+
+The second form gets no request object, and should return a dictionary
+mapping a claim name to a callable, accepting a request and producing
+the claim data::
+    class CustomOAuth2Validator(OAuth2Validator):
+        def get_additional_claims(self):
             def get_user_email(request):
                 return request.user.get_user_email()
 
             claims = {}
-            # Element name, callback to obtain data
             claims["email"] = get_user_email
-            # Element name, plain data returned
-            claims["username"] = request.user.get_full_name()
+            claims["username"] = lambda r: r.user.get_full_name()
 
             return claims
 
+Standard claim ``sub`` is included by default, for remove it override ``get_claim_list``.
+
+In order to help lcients discover claims early, they can be advertised in the discovery
+info, under the ``claims_supported`` key. In order for the discovery info view to automatically
+add all claims your validator returns, you need to use the second form (producing callables),
+because the discovery info views are requested with an unauthenticated request, so directly
+producing claim data would fail. If you use the first form, producing claim data directly,
+your claims will not be added to discovery info.
+
 .. note::
     This ``request`` object is not a ``django.http.Request`` object, but an
     ``oauthlib.common.Request`` object. This has a number of attributes that
diff --git a/oauth2_provider/oauth2_validators.py b/oauth2_provider/oauth2_validators.py
@@ -1,6 +1,7 @@
 import base64
 import binascii
 import http.client
+import inspect
 import json
 import logging
 import uuid
@@ -737,21 +738,34 @@ def _save_id_token(self, jti, request, expires, *args, **kwargs):
         )
         return id_token
 
+    @classmethod
+    def _get_additional_claims_is_request_agnostic(cls):
+        return len(inspect.signature(cls.get_additional_claims).parameters) == 1
+
     def get_jwt_bearer_token(self, token, token_handler, request):
         return self.get_id_token(token, token_handler, request)
 
     def get_claim_dict(self, request):
-        def get_sub_code(inner_request):
-            return str(inner_request.user.id)
-
-        claims = {"sub": get_sub_code}
+        if self._get_additional_claims_is_request_agnostic():
+            claims = {"sub": lambda r: str(r.user.id)}
+        else:
+            claims = {"sub": str(request.user.id)}
 
         # https://openid.net/specs/openid-connect-core-1_0.html#StandardClaims
-        add = self.get_additional_claims(request)
+        if self._get_additional_claims_is_request_agnostic():
+            add = self.get_additional_claims()
+        else:
+            add = self.get_additional_claims(request)
         claims.update(add)
 
         return claims
 
+    def get_discovery_claims(self, request):
+        claims = ["sub"]
+        if self._get_additional_claims_is_request_agnostic():
+            claims += list(self.get_claim_dict(request).keys())
+        return claims
+
     def get_oidc_claims(self, token, token_handler, request):
         data = self.get_claim_dict(request)
         claims = {}
diff --git a/oauth2_provider/views/oidc.py b/oauth2_provider/views/oidc.py
@@ -48,7 +48,9 @@ def get(self, request, *args, **kwargs):
 
         validator_class = oauth2_settings.OAUTH2_VALIDATOR_CLASS
         validator = validator_class()
-        oidc_claims = list(validator.get_claim_dict(request).keys())
+        oidc_claims = validator.get_discovery_claims(request)
+        if "sub" not in oidc_claims:
+            oidc_claims.append("sub")
 
         data = {
             "issuer": issuer_url,
diff --git a/tests/test_oidc_views.py b/tests/test_oidc_views.py
@@ -155,7 +155,7 @@ def claim_user_email(request):
 @pytest.mark.django_db
 def test_userinfo_endpoint_custom_claims_callable(oidc_tokens, client, oauth2_settings):
     class CustomValidator(OAuth2Validator):
-        def get_additional_claims(self, request):
+        def get_additional_claims(self):
             return {
                 "username": claim_user_email,
                 "email": claim_user_email,
