Update tests to check with and without oidc_claim_scope.

Author: n2ygk

tests/conftest.py

@@ -158,3 +158,43 @@ def oidc_tokens(oauth2_settings, application, test_user, client):
         id_token=token_data["id_token"],
         oauth2_settings=oauth2_settings,
     )
+
+
+@pytest.fixture
+def oidc_email_scope_tokens(oauth2_settings, application, test_user, client):
+    oauth2_settings.update(presets.OIDC_SETTINGS_EMAIL_SCOPE)
+    client.force_login(test_user)
+    auth_rsp = client.post(
+        reverse("oauth2_provider:authorize"),
+        data={
+            "client_id": application.client_id,
+            "state": "random_state_string",
+            "scope": "openid email",
+            "redirect_uri": "http://example.org",
+            "response_type": "code",
+            "allow": True,
+        },
+    )
+    assert auth_rsp.status_code == 302
+    code = parse_qs(urlparse(auth_rsp["Location"]).query)["code"]
+    client.logout()
+    token_rsp = client.post(
+        reverse("oauth2_provider:token"),
+        data={
+            "grant_type": "authorization_code",
+            "code": code,
+            "redirect_uri": "http://example.org",
+            "client_id": application.client_id,
+            "client_secret": CLEARTEXT_SECRET,
+            "scope": "openid email",
+        },
+    )
+    assert token_rsp.status_code == 200
+    token_data = token_rsp.json()
+    return SimpleNamespace(
+        user=test_user,
+        application=application,
+        access_token=token_data["access_token"],
+        id_token=token_data["id_token"],
+        oauth2_settings=oauth2_settings,
+    )

tests/presets.py

@@ -22,6 +22,8 @@
 }
 OIDC_SETTINGS_RO = deepcopy(OIDC_SETTINGS_RW)
 OIDC_SETTINGS_RO["DEFAULT_SCOPES"] = ["read"]
+OIDC_SETTINGS_EMAIL_SCOPE = deepcopy(OIDC_SETTINGS_RW)
+OIDC_SETTINGS_EMAIL_SCOPE["SCOPES"].update({"email": "return email address"})
 OIDC_SETTINGS_HS256_ONLY = deepcopy(OIDC_SETTINGS_RW)
 del OIDC_SETTINGS_HS256_ONLY["OIDC_RSA_PRIVATE_KEY"]
 REST_FRAMEWORK_SCOPES = {

tests/test_oidc_views.py

@@ -160,6 +160,8 @@ def claim_user_email(request):
 @pytest.mark.django_db
 def test_userinfo_endpoint_custom_claims_callable(oidc_tokens, client, oauth2_settings):
     class CustomValidator(OAuth2Validator):
+        oidc_claim_scope = None
+
         def get_additional_claims(self):
             return {
                 "username": claim_user_email,
@@ -183,9 +185,38 @@ def get_additional_claims(self):
     assert data["email"] == EXAMPLE_EMAIL
 
 
+@pytest.mark.django_db
+def test_userinfo_endpoint_custom_claims_email_scope_callable(
+    oidc_email_scope_tokens, client, oauth2_settings
+):
+    class CustomValidator(OAuth2Validator):
+        def get_additional_claims(self):
+            return {
+                "username": claim_user_email,
+                "email": claim_user_email,
+            }
+
+    oidc_email_scope_tokens.oauth2_settings.OAUTH2_VALIDATOR_CLASS = CustomValidator
+    auth_header = "Bearer %s" % oidc_email_scope_tokens.access_token
+    rsp = client.get(
+        reverse("oauth2_provider:user-info"),
+        HTTP_AUTHORIZATION=auth_header,
+    )
+    data = rsp.json()
+    assert "sub" in data
+    assert data["sub"] == str(oidc_email_scope_tokens.user.pk)
+
+    assert "username" not in data
+
+    assert "email" in data
+    assert data["email"] == EXAMPLE_EMAIL
+
+
 @pytest.mark.django_db
 def test_userinfo_endpoint_custom_claims_plain(oidc_tokens, client, oauth2_settings):
     class CustomValidator(OAuth2Validator):
+        oidc_claim_scope = None
+
         def get_additional_claims(self, request):
             return {
                 "username": EXAMPLE_EMAIL,
@@ -207,3 +238,28 @@ def get_additional_claims(self, request):
 
     assert "email" in data
     assert data["email"] == EXAMPLE_EMAIL
+
+
+@pytest.mark.django_db
+def test_userinfo_endpoint_custom_claims_email_scopeplain(oidc_email_scope_tokens, client, oauth2_settings):
+    class CustomValidator(OAuth2Validator):
+        def get_additional_claims(self, request):
+            return {
+                "username": EXAMPLE_EMAIL,
+                "email": EXAMPLE_EMAIL,
+            }
+
+    oidc_email_scope_tokens.oauth2_settings.OAUTH2_VALIDATOR_CLASS = CustomValidator
+    auth_header = "Bearer %s" % oidc_email_scope_tokens.access_token
+    rsp = client.get(
+        reverse("oauth2_provider:user-info"),
+        HTTP_AUTHORIZATION=auth_header,
+    )
+    data = rsp.json()
+    assert "sub" in data
+    assert data["sub"] == str(oidc_email_scope_tokens.user.pk)
+
+    assert "username" not in data
+
+    assert "email" in data
+    assert data["email"] == EXAMPLE_EMAIL