From 092cc37320a996aabf865412d5fe6d812c66c2c7 Mon Sep 17 00:00:00 2001
From: quark <your_email_adress@example.com>
Date: Tue, 17 Jun 2025 00:26:13 +0200
Subject: [PATCH] OIDC 0 Quark 1

---
 apps/permission/scopes.py  | 29 ++++++++++++++++++++---------
 apps/permission/signals.py |  1 +
 apps/permission/views.py   |  2 +-
 3 files changed, 22 insertions(+), 10 deletions(-)

diff --git a/apps/permission/scopes.py b/apps/permission/scopes.py
index 29b04217..7d2619c1 100644
--- a/apps/permission/scopes.py
+++ b/apps/permission/scopes.py
@@ -18,22 +18,27 @@ class PermissionScopes(BaseScopes):
     """
 
     def get_all_scopes(self):
-        return {f"{p.id}_{club.id}": f"{p.description} (club {club.name})"
-                for p in Permission.objects.all() for club in Club.objects.all()}
+        scopes = {f"{p.id}_{club.id}": f"{p.description} (club {club.name})"
+            for p in Permission.objects.all() for club in Club.objects.all()}
+        scopes['openid'] = "OpenID Connect"
+        return scopes
 
     def get_available_scopes(self, application=None, request=None, *args, **kwargs):
         if not application:
             return []
-        return [f"{p.id}_{p.membership.club.id}"
-                for t in Permission.PERMISSION_TYPES
-                for p in PermissionBackend.get_raw_permissions(get_current_request(), t[0])]
+        scopes = [f"{p.id}_{p.membership.club.id}"
+            for t in Permission.PERMISSION_TYPES
+            for p in PermissionBackend.get_raw_permissions(get_current_request(), t[0])]
+        scopes.append('openid')
+        return scopes
 
     def get_default_scopes(self, application=None, request=None, *args, **kwargs):
         if not application:
             return []
-        return [f"{p.id}_{p.membership.club.id}"
-                for p in PermissionBackend.get_raw_permissions(get_current_request(), 'view')]
-
+        scopes = [f"{p.id}_{p.membership.club.id}"
+            for p in PermissionBackend.get_raw_permissions(get_current_request(), 'view')]
+        scopes.append('openid')
+        return scopes
 
 class PermissionOAuth2Validator(OAuth2Validator):
     oidc_claim_scope = OAuth2Validator.oidc_claim_scope
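Review bot: `get_default_scopes` now appends `'openid'` for every application, and `get_available_scopes` offers it for every application, so a client that requests no scopes is granted `openid` even when the application cannot issue an ID token (in django-oauth-toolkit that presumably requires the application's `algorithm` to be set — verify against the version in use). Consider gating the append in both methods, e.g. `if getattr(application, "algorithm", None): scopes.append('openid')`, and applying the same condition where `validate_scopes` accepts `'openid'` in the later hunk of this file. Note also that `openid` is the only key in `get_all_scopes` that does not follow the `<permission id>_<club id>` shape, which is what forced the sort in `apps/permission/views.py` to be disabled; any other consumer that splits a scope on `_` needs the same care. Finally, removing the blank line before `class PermissionOAuth2Validator` leaves a single blank line between the last method and the class, where PEP 8 expects two.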
@@ -49,6 +54,10 @@ class PermissionOAuth2Validator(OAuth2Validator):
             "email": request.user.email,
         }
 
+    def get_discovery_claims(self, request):
+        claims = super().get_discovery_claims(self)
+        return claims + ["name", "normalized_name", "email"]
+
     def validate_scopes(self, client_id, scopes, client, request, *args, **kwargs):
         """
         User can request as many scope as he wants, including invalid scopes,
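Review bot: `get_discovery_claims` passes the validator itself to the parent instead of the incoming request (`super().get_discovery_claims(self)`), so the base implementation receives `self` where it expects `request`; this should read `claims = super().get_discovery_claims(request)`. The method also has no docstring; a one-liner such as `"""Claims advertised in the OIDC discovery document, extended with the custom ones this validator emits."""` would match the style of the neighbouring methods. The `validate_scopes` method whose docstring begins at the end of this hunk continues outside it.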
@@ -65,7 +74,9 @@ class PermissionOAuth2Validator(OAuth2Validator):
                 scope = f"{p.id}_{p.membership.club.id}"
                 if scope in scopes:
                     valid_scopes.add(scope)
+        
+        if 'openid' in scopes:
+            valid_scopes.add('openid')
 
         request.scopes = valid_scopes
-
         return valid_scopes
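Review bot: The blank line added just before `if 'openid' in scopes:` is not empty but eight spaces (`+        `), which flake8 reports as W293 and most editors strip on save; make it a truly empty line. The loop this check follows and the `validate_scopes` signature start outside the hunk.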
diff --git a/apps/permission/signals.py b/apps/permission/signals.py
index b2394c6f..5ea04113 100644
--- a/apps/permission/signals.py
+++ b/apps/permission/signals.py
@@ -19,6 +19,7 @@ EXCLUDED = [
     'oauth2_provider.accesstoken',
     'oauth2_provider.grant',
     'oauth2_provider.refreshtoken',
+    'oauth2_provider.idtoken',
     'sessions.session',
 ]
 
diff --git a/apps/permission/views.py b/apps/permission/views.py
index e7de920e..39e1f98c 100644
--- a/apps/permission/views.py
+++ b/apps/permission/views.py
@@ -171,7 +171,7 @@ class ScopesView(LoginRequiredMixin, TemplateView):
             available_scopes = scopes.get_available_scopes(app)
             context["scopes"][app] = OrderedDict()
             items = [(k, v) for (k, v) in all_scopes.items() if k in available_scopes]
-            items.sort(key=lambda x: (int(x[0].split("_")[1]), int(x[0].split("_")[0])))
+            # items.sort(key=lambda x: (int(x[0].split("_")[1]), int(x[0].split("_")[0])))
             for k, v in items:
                 context["scopes"][app][k] = v