Merge pull request #138 from nsklikas/feature-allowed-scope

peppelinux · web-flow · commit 635dd24fa037 · 2021-10-07T21:24:22.000+02:00
Use filter_scopes in check_unknown_scopes_policy
diff --git a/src/oidcop/oauth2/authorization.py b/src/oidcop/oauth2/authorization.py
@@ -250,14 +250,16 @@ def check_unknown_scopes_policy(request_info, client_id, endpoint_context):
     if not endpoint_context.conf["capabilities"].get("deny_unknown_scopes"):
         return
 
-    allowed_scopes = endpoint_context.scopes_handler.get_allowed_scopes(client_id=client_id)
-
+    scope = request_info["scope"]
+    filtered_scopes = set(
+        endpoint_context.scopes_handler.filter_scopes(scope, client_id=client_id)
+    )
+    scopes = set(scope)
     # this prevents that authz would be released for unavailable scopes
-    for scope in request_info["scope"]:
-        if scope not in allowed_scopes:
-            _msg = "{} requested an unauthorized scope ({})"
-            logger.warning(_msg.format(client_id, scope))
-            raise UnAuthorizedClientScope()
+    if scopes != filtered_scopes:
+        diff = " ".join(scopes - filtered_scopes)
+        logger.warning(f"{client_id} requested unauthorized scopes: {diff}")
+        raise UnAuthorizedClientScope()
 
 
 class Authorization(Endpoint):
diff --git a/src/oidcop/scopes.py b/src/oidcop/scopes.py
@@ -31,12 +31,12 @@ def convert_scopes2claims(scopes, allowed_claims=None, scope2claim_map=None):
     res = {}
     if allowed_claims is None:
         for scope in scopes:
-            claims = {name: None for name in scope2claim_map[scope]}
+            claims = {name: None for name in scope2claim_map.get(scope, [])}
             res.update(claims)
     else:
         for scope in scopes:
             try:
-                claims = {name: None for name in scope2claim_map[scope] if name in allowed_claims}
+                claims = {name: None for name in scope2claim_map.get(scope, []) if name in allowed_claims}
                 res.update(claims)
             except KeyError:
                 continue
diff --git a/tests/test_26_oidc_userinfo_endpoint.py b/tests/test_26_oidc_userinfo_endpoint.py
@@ -360,9 +360,10 @@ def test_scopes_to_claims_per_client(self):
                 "eduperson_scoped_affiliation",
             ],
         }
+        self.endpoint_context.cdb["client_1"]["allowed_scopes"] = list(self.endpoint_context.cdb["client_1"]["scopes_to_claims"].keys()) + ["aba"]
 
         _auth_req = AUTH_REQ.copy()
-        _auth_req["scope"] = ["openid", "research_and_scholarship_2"]
+        _auth_req["scope"] = ["openid", "research_and_scholarship_2", "aba"]
 
         session_id = self._create_session(_auth_req)
         grant = self.session_manager[session_id]
