Refactored.

Author: rohe

src/oidcop/oidc/userinfo.py

@@ -141,11 +141,8 @@ def process_request(self, request=None, **kwargs):
                 user_id=_session_info["user_id"], claims_restriction=_claims
             )
             info["sub"] = _grant.sub
-            if _claims:
-                _acr_request = _claims.get("acr")
-                if _acr_request:
-                    if claims_match(_grant.authentication_event["authn_info"], _acr_request):
-                        info["acr"] = _grant.authentication_event["authn_info"]
+            if _grant.add_acr_value("userinfo"):
+                info["acr"] = _grant.authentication_event["authn_info"]
         else:
             info = {
                 "error": "invalid_request",

src/oidcop/session/grant.py

@@ -181,6 +181,14 @@ def find_scope(self, based_on):
 
         return self.scope
 
+    def add_acr_value(self, claims_release_point):
+        _release = self.claims.get(claims_release_point)
+        if _release:
+            _acr_request = _release.get("acr")
+            _used_acr = self.authentication_event.get("authn_info")
+            return claims_match(_used_acr, _acr_request)
+        return False
+
     def payload_arguments(
             self,
             session_id: str,
@@ -223,11 +231,8 @@ def payload_arguments(
         payload.update(user_info)
 
         # Should I add the acr value
-        _release = self.claims.get(claims_release_point)
-        if _release:
-            _acr_request = _release.get("acr")
-            if claims_match(self.authentication_event["authn_info"], _acr_request):
-                payload["acr"] = self.authentication_event["authn_info"]
+        if self.add_acr_value(claims_release_point):
+            payload["acr"] = self.authentication_event["authn_info"]
 
         return payload
 

tests/test_26_oidc_userinfo_endpoint.py

@@ -382,10 +382,11 @@ def test_invalid_token(self):
         assert args["error_description"] == "Invalid Token"
 
     def test_userinfo_claims(self):
+        _acr = "https://refeds.org/profile/mfa"
         _auth_req = AUTH_REQ.copy()
-        _auth_req["claims"] = {"userinfo": {"acr": {"value": "https://refeds.org/profile/mfa"}}}
+        _auth_req["claims"] = {"userinfo": {"acr": {"value": _acr}}}
 
-        session_id = self._create_session(_auth_req, authn_info="https://refeds.org/profile/mfa")
+        session_id = self._create_session(_auth_req, authn_info=_acr)
         grant = self.session_manager[session_id]
         code = self._mint_code(grant, session_id)
         access_token = self._mint_token("access_token", grant, session_id, code)
@@ -396,4 +397,24 @@ def test_userinfo_claims(self):
         args = self.endpoint.process_request(_req)
         assert args
         res = self.endpoint.do_response(request=_req, **args)
-        assert res
+        _response = json.loads(res["response"])
+        assert _response["acr"] == _acr
+
+    def test_userinfo_claims_acr_none(self):
+        _acr = "https://refeds.org/profile/mfa"
+        _auth_req = AUTH_REQ.copy()
+        _auth_req["claims"] = '{"userinfo": {"acr": null}}'
+
+        session_id = self._create_session(_auth_req, authn_info=_acr)
+        grant = self.session_manager[session_id]
+        code = self._mint_code(grant, session_id)
+        access_token = self._mint_token("access_token", grant, session_id, code)
+
+        http_info = {"headers": {"authorization": "Bearer {}".format(access_token.value)}}
+        _req = self.endpoint.parse_request({}, http_info=http_info)
+
+        args = self.endpoint.process_request(_req)
+        assert args
+        res = self.endpoint.do_response(request=_req, **args)
+        _response = json.loads(res["response"])
+        assert _response["acr"] == _acr