oidc: use bornhack:v2:public_credit_name claim instead of the standard nickname claim (#1838)

zarya · tykling · pre-commit-ci[bot] · web-flow · commit 5e28118f8c3c · 2025-04-27T20:52:26.000+02:00
* set username same as sub, set nickname and prefered_username to public_credit_name but only show if there is a approved public name * Only set nickname / prefered_username if the public name is available * stop using nickname claim, start using custom bornhack:v2:public_credit_name claim instead * update scope description a bit * [pre-commit.ci] auto fixes from pre-commit.com hooks for more information, see https://pre-commit.ci --------- Co-authored-by: Thomas Steen Rasmussen <tykling@bornhack.org> Co-authored-by: pre-commit-ci[bot] <66853113+pre-commit-ci[bot]@users.noreply.github.com>
diff --git a/src/bornhack/oauth_validators.py b/src/bornhack/oauth_validators.py
@@ -11,18 +11,18 @@ class BornhackOAuth2Validator(OAuth2Validator):
     oidc_claim_scope = OAuth2Validator.oidc_claim_scope
     oidc_claim_scope.update(
         {
-            # the OIDC standard user claims we support, and the OIDC stanard scopes they require
+            # the OIDC standard user claims we support, and the OIDC standard scopes they require
             "address": "address",
             "email": "email",
             "email_verified": "email",
-            "nickname": "profile",
             "phone_number": "phone",
             "phone_number_verified": "phone",
             "updated_at": "profile",
-            # the custom user claims we support, and the (mostly cusom) scopes they require
+            # the custom user claims we support, and the (mostly custom) scopes they require
             "bornhack:v2:description": "profile",
             "bornhack:v2:groups": "groups:read",
             "bornhack:v2:permissions": "permissions:read",
+            "bornhack:v2:public_credit_name": "profile",
             "bornhack:v2:teams": "teams:read",
         },
     )
@@ -50,7 +50,6 @@ def get_additional_claims(self, request) -> dict[str, str | list[dict[str, str]]
                 # standard OIDC claims
                 "email": request.user.email,
                 "email_verified": True,
-                "nickname": request.user.profile.get_public_credit_name,
                 "updated_at": int(request.user.profile.updated.timestamp()),
                 # bornhack custom claims
                 "bornhack:v2:teams": [
@@ -68,13 +67,25 @@ def get_additional_claims(self, request) -> dict[str, str | list[dict[str, str]]
             },
         )
 
+        # include bornhack:v2:public_credit_name?
+        if (
+            request.user.profile.public_credit_name_approved
+            and request.user.profile.public_credit_name
+        ):
+            claims["bornhack:v2:public_credit_name"] = (
+                request.user.profile.public_credit_name
+            )
+
+        # include location?
         if request.user.profile.location:
             claims["address"] = {"formatted": request.user.profile.location}
 
+        # include phonenumber?
         if request.user.profile.phonenumber:
             claims["phone_number"] = request.user.profile.phonenumber
             claims["phone_number_verified"] = True
 
+        # include profile description?
         if request.user.profile.description:
             claims["bornhack:v2:description"] = request.user.profile.description
         return claims
@@ -98,5 +109,6 @@ def get_discovery_claims(self, request) -> list[str]:
             "bornhack:v2:description",
             "bornhack:v2:groups",
             "bornhack:v2:permissions",
+            "bornhack:v2:public_credit_name",
             "bornhack:v2:teams",
         ]
diff --git a/src/bornhack/settings.py b/src/bornhack/settings.py
@@ -233,7 +233,7 @@
         "permissions:read": "Allow the remote site to read a list of your assigned permissions (scope: permissions:read).",
         "teams:read": "Allow the remote site to read a list of your team memberships and team lead status (scope: teams)",
         # api scopes
-        "phonebook:admin": "Allow the remote site to read the camp phonebook including service numbers and unlisted numbers. Also allows access to the POC API. Only relevant for POC team leads (scope: phonebook:admin).",
+        "phonebook:admin": "Allow the remote site to read the camp phonebook, including service numbers and unlisted numbers. Also allow the remote site to use to the POC API. This scope is only relevant for POC team leads (scope: phonebook:admin).",
         "phonebook:read": "Allow the remote site to read the camp phonebook (scope: phonebook:read).",
     },
     "PKCE_REQUIRED": True,
