stop using the oidc standard claim address for profile location, use bornhack:v2:location custom claim instead, require location:read scope to get the claim

tykling · tykling · commit b5cb8332af47 · 2025-04-27T21:58:59.000+02:00
diff --git a/src/bornhack/oauth_validators.py b/src/bornhack/oauth_validators.py
@@ -21,6 +21,7 @@ class BornhackOAuth2Validator(OAuth2Validator):
             # the custom user claims we support, and the (mostly custom) scopes they require
             "bornhack:v2:description": "profile",
             "bornhack:v2:groups": "groups:read",
+            "bornhack:v2:location": "location:read",
             "bornhack:v2:permissions": "permissions:read",
             "bornhack:v2:public_credit_name": "profile",
             "bornhack:v2:teams": "teams:read",
@@ -78,7 +79,7 @@ def get_additional_claims(self, request) -> dict[str, str | list[dict[str, str]]
 
         # include location?
         if request.user.profile.location:
-            claims["address"] = {"formatted": request.user.profile.location}
+            claims["bornhack:v2:location"] = request.user.profile.location
 
         # include phonenumber?
         if request.user.profile.phonenumber:
@@ -97,7 +98,6 @@ def get_discovery_claims(self, request) -> list[str]:
         """
         return [
             # OIDC standard claims
-            "address",
             "email",
             "email_verified",
             "nickname",
@@ -108,6 +108,7 @@ def get_discovery_claims(self, request) -> list[str]:
             # custom user claims
             "bornhack:v2:description",
             "bornhack:v2:groups",
+            "bornhack:v2:location",
             "bornhack:v2:permissions",
             "bornhack:v2:public_credit_name",
             "bornhack:v2:teams",
diff --git a/src/bornhack/settings.py b/src/bornhack/settings.py
@@ -221,17 +221,22 @@
     "SCOPES": {
         # required
         "openid": "OpenID Connect scope",
+
         # deprecated api scope, remove after 2025 camp
         "profile:read": "Allow the remote site to read your bornhack.dk username (uuid), user id, profile public credit name, profile description, and a list of team memberships using the profile API endpoint (scope profile:read). NOTE: This scope is being deprecated soon! Ask the BornHack website team for more info.",
+
         # standard OIDC claim scopes
         "profile": "Allow the remote site to read your profile public_credit_name, description, and update time (scope: profile)",
         "email": "Allow the remote site to read your email address (scope: email)",
         "address": "Allow the remote site to read your profile location (scope: address)",
         "phone": "Allow the remote site to read your profile phonenumber (scope: phone)",
+
         # custom bornhack user claim scopes
         "groups:read": "Allow the remote site to read a list of your group memberships (scope: groups:read).",
+        "location:read": "Allow the remote site to read your profile location (scope: loocation:read)",
         "permissions:read": "Allow the remote site to read a list of your assigned permissions (scope: permissions:read).",
-        "teams:read": "Allow the remote site to read a list of your team memberships and team lead status (scope: teams)",
+        "teams:read": "Allow the remote site to read a list of your team memberships and team lead status (scope: teams:read)",
+
         # api scopes
         "phonebook:admin": "Allow the remote site to read the camp phonebook, including service numbers and unlisted numbers. Also allow the remote site to use to the POC API. This scope is only relevant for POC team leads (scope: phonebook:admin).",
         "phonebook:read": "Allow the remote site to read the camp phonebook (scope: phonebook:read).",
