Scope field in getting user info process.

[tahaatrian30]

I use two functions that customize the claims and userinfo which is mentioned in https://django-oauth-toolkit.readthedocs.io/en/latest/oidc.html#customizing-the-oidc-responses.
But I just add claims that the client needs in request[scopes]. when the client calls userinfo the bellow function will be executed.(this lib uses oauthlib/openid/core/endpoints/userinfo.py)

 @catch_errors_and_unavailability
 def create_userinfo_response(self, uri, http_method='GET', body=None, headers=None):
 """Validate BearerToken and return userinfo from RequestValidator
 
 The UserInfo Endpoint MUST return a
 content-type header to indicate which format is being returned. The
 content-type of the HTTP response MUST be application/json if the
 response body is a text JSON object; the response body SHOULD be encoded
 using UTF-8.
 """
 request = Request(uri, http_method, body, headers)
 request.scopes = ["openid"]
 self.validate_userinfo_request(request)
 
 claims = self.request_validator.get_userinfo_claims(request)
 if claims is None:
 log.error('Userinfo MUST have claims for %r.', request)
 raise errors.ServerError(status_code=500)
 
 if isinstance(claims, dict):
 resp_headers ={
 'Content-Type': 'application/json'
 }
 if "sub" not in claims:
 log.error('Userinfo MUST have "sub" for %r.', request)
 raise errors.ServerError(status_code=500)
 body = json.dumps(claims)
 elif isinstance(claims, str):
 resp_headers ={
 'Content-Type': 'application/jwt'
 }
 body = claims
 else:
 log.error('Userinfo return unknown response for %r.', request)
 raise errors.ServerError(status_code=500)
 log.debug('Userinfo access valid for %r.', request)
 return resp_headers, body, 200

In this function first, the request object will be created and then scopes field will be added to the request with just openid value. After that, the get_userinfo_claims will be called. in this process, my customized functions will be called and because of the incomplete scope in request, the needed claims will not return.(note: the needed scopes are in request[access_token][scope] after executing line self.validate_userinfo_request(request) )
Can somebody help me how can I fix this?

[n2ygk]

Just a quick response without reading the code: scopes and claims are not the same thing, however scopes can be used to request that certain claims will be provided. For example, scope openid plus email will return an email address claim.
This might be helpful: https://columbia-it-django-jsonapi-training.readthedocs.io/en/latest/using_dot/

[tahaatrian30]

As mentioned in the link, this is like a bug. I think it can be fixed with the request[access_token][scope] to be added to request[scopes].

[n2ygk]

Take a look at #1108. This might fix the problem.

[dopry]

@tahaatrian30 do you need to send the appropriate scopes with your auth request? If you were able to resolve this, please add a comment explaining how. If not, reopen with more detail about the scopes you're sending with the requestion what you're doing, the response you expect to get and what you're actually getting.