OpenID: Add get_discovery_claims

This splits get_additional_claims into two forms. See documentation change for rationale.

Author: Natureshadow

docs/oidc.rst

@@ -245,23 +245,46 @@ required claims, eg ``iss``, ``aud``, ``exp``, ``iat``, ``auth_time`` etc),
 and the ``sub`` claim will use the primary key of the user as the value.
 You'll probably want to customize this and add additional claims or change
 what is sent for the ``sub`` claim. To do so, you will need to add a method to
-our custom validator. It should return a dictionary mapping a claim name to
-either the claim data, or a callable that will be called with the request to
-produce the claim data.
-Standard claim ``sub`` is included by default, for remove it override ``get_claim_list``::
+our custom validator. It takes one of two forms:
+
+The first form gets passed a request object, and should return a dictionary
+mapping a claim name to claim data::
  class CustomOAuth2Validator(OAuth2Validator):
  def get_additional_claims(self, request):
+ claims ={}
+ claims["email"] = request.user.get_user_email()
+ claims["username"] = request.user.get_full_name()
+
+ return claims
+
+The second form gets no request object, and should return a dictionary
+mapping a claim name to a callable, accepting a request and producing
+the claim data::
+ class CustomOAuth2Validator(OAuth2Validator):
+ def get_additional_claims(self):
  def get_user_email(request):
  return request.user.get_user_email()
 
  claims ={}
- # Element name, callback to obtain data
  claims["email"] = get_user_email
- # Element name, plain data returned
- claims["username"] = request.user.get_full_name()
+ claims["username"] = lambda r: r.user.get_full_name()
 
  return claims
 
+Standard claim ``sub`` is included by default, for remove it override ``get_claim_dict``.
+
+In some cases, it might be desirable to not list all claims in discovery info. To customize
+which claims are advertised, you can override the ``get_discovery_claims`` method to return
+a list of claim names to advertise. If your ``get_additional_claims`` uses the first form
+and you still want to advertise claims, you can also override ``get_discovery_claims``.
+
+In order to help lcients discover claims early, they can be advertised in the discovery
+info, under the ``claims_supported`` key. In order for the discovery info view to automatically
+add all claims your validator returns, you need to use the second form (producing callables),
+because the discovery info views are requested with an unauthenticated request, so directly
+producing claim data would fail. If you use the first form, producing claim data directly,
+your claims will not be added to discovery info.
+
 .. note::
  This ``request`` object is not a ``django.http.Request`` object, but an
  ``oauthlib.common.Request`` object. This has a number of attributes that

oauth2_provider/oauth2_validators.py

@@ -1,6 +1,7 @@
 importbase64
 importbinascii
 importhttp.client
+importinspect
 importjson
 importlogging
 importuuid
@@ -737,21 +738,34 @@ def _save_id_token(self, jti, request, expires, *args, **kwargs):
  )
 returnid_token
 
+@classmethod
+def_get_additional_claims_is_request_agnostic(cls):
+returnlen(inspect.signature(cls.get_additional_claims).parameters) ==1
+
 defget_jwt_bearer_token(self, token, token_handler, request):
 returnself.get_id_token(token, token_handler, request)
 
 defget_claim_dict(self, request):
-defget_sub_code(inner_request):
-returnstr(inner_request.user.id)
-
-claims={"sub": get_sub_code}
+ifself._get_additional_claims_is_request_agnostic():
+claims={"sub": lambdar: str(r.user.id)}
+else:
+claims={"sub": str(request.user.id)}
 
 # https://openid.net/specs/openid-connect-core-1_0.html#StandardClaims
-add=self.get_additional_claims(request)
+ifself._get_additional_claims_is_request_agnostic():
+add=self.get_additional_claims()
+else:
+add=self.get_additional_claims(request)
 claims.update(add)
 
 returnclaims
 
+defget_discovery_claims(self, request):
+claims= ["sub"]
+ifself._get_additional_claims_is_request_agnostic():
+claims+=list(self.get_claim_dict(request).keys())
+returnclaims
+
 defget_oidc_claims(self, token, token_handler, request):
 data=self.get_claim_dict(request)
 claims={}

oauth2_provider/views/oidc.py

@@ -48,7 +48,9 @@ def get(self, request, *args, **kwargs):
 
 validator_class=oauth2_settings.OAUTH2_VALIDATOR_CLASS
 validator=validator_class()
-oidc_claims=list(validator.get_claim_dict(request).keys())
+oidc_claims=validator.get_discovery_claims(request)
+if"sub"notinoidc_claims:
+oidc_claims.append("sub")
 
 data={
 "issuer": issuer_url,

tests/test_oidc_views.py

@@ -158,7 +158,7 @@ def claim_user_email(request):
 @pytest.mark.django_db
 deftest_userinfo_endpoint_custom_claims_callable(oidc_tokens, client, oauth2_settings):
 classCustomValidator(OAuth2Validator):
-defget_additional_claims(self, request):
+defget_additional_claims(self):
 return{
 "username": claim_user_email,
 "email": claim_user_email,