-
Notifications
You must be signed in to change notification settings - Fork 9
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
✨(backend) add option to configure list of required OIDC claims
We want to be able to refuse connection for users who have missing claims from a list of required keys.
- Loading branch information
1 parent
02a4740
commit dca001e
Showing
4 changed files
with
100 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -365,3 +365,87 @@ def get_userinfo_mocked(*args): | |
klass.get_or_create_user(access_token="test-token", id_token=None, payload=None) | ||
|
||
assert models.User.objects.count() == 1 | ||
|
||
|
||
# Required claims | ||
|
||
|
||
@override_settings( | ||
OIDC_OP_USER_ENDPOINT="http://oidc.endpoint.test/userinfo", | ||
USER_OIDC_REQUIRED_CLAIMS=["email", "sub", "address"], | ||
) | ||
@responses.activate | ||
def test_authentication_get_userinfo_required_claims_missing(): | ||
"""Ensure SuspiciousOperation is raised if required claims are missing.""" | ||
|
||
responses.add( | ||
responses.GET, | ||
re.compile(r".*/userinfo"), | ||
json={ | ||
"last_name": "Doe", | ||
"email": "[email protected]", | ||
}, | ||
status=200, | ||
) | ||
|
||
oidc_backend = OIDCAuthenticationBackend() | ||
|
||
with pytest.raises( | ||
SuspiciousOperation, match="Missing required claims in user info: sub, address" | ||
): | ||
oidc_backend.get_userinfo("fake_access_token", None, None) | ||
|
||
|
||
@override_settings( | ||
OIDC_OP_USER_ENDPOINT="http://oidc.endpoint.test/userinfo", | ||
USER_OIDC_REQUIRED_CLAIMS=["email", "Sub"], | ||
) | ||
@responses.activate | ||
def test_authentication_get_userinfo_required_claims_case_sensitivity(): | ||
"""Ensure the system respects case sensitivity for required claims.""" | ||
|
||
responses.add( | ||
responses.GET, | ||
re.compile(r".*/userinfo"), | ||
json={ | ||
"sub": "123", | ||
"last_name": "Doe", | ||
"email": "[email protected]", | ||
}, | ||
status=200, | ||
) | ||
|
||
oidc_backend = OIDCAuthenticationBackend() | ||
|
||
with pytest.raises( | ||
SuspiciousOperation, match="Missing required claims in user info: Sub" | ||
): | ||
oidc_backend.get_userinfo("fake_access_token", None, None) | ||
|
||
|
||
@override_settings( | ||
OIDC_OP_USER_ENDPOINT="http://oidc.endpoint.test/userinfo", | ||
USER_OIDC_REQUIRED_CLAIMS=["email", "sub"], | ||
) | ||
@responses.activate | ||
def test_authentication_get_userinfo_required_claims_success(): | ||
"""Ensure user is authenticated when required claims are present.""" | ||
|
||
responses.add( | ||
responses.GET, | ||
re.compile(r".*/userinfo"), | ||
json={ | ||
"sub": "123", | ||
"last_name": "Doe", | ||
"email": "[email protected]", | ||
}, | ||
status=200, | ||
) | ||
|
||
oidc_backend = OIDCAuthenticationBackend() | ||
result = oidc_backend.get_userinfo("fake_access_token", None, None) | ||
|
||
assert result["sub"] == "123" | ||
assert result.get("first_name") is None | ||
assert result["last_name"] == "Doe" | ||
assert result["email"] == "[email protected]" |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters