Merge branch 'master' into css_do_over_2

Author: zarya

README.md

@@ -166,12 +166,16 @@ Enjoy!
 The BornHack website can act as an OIDC IDP. You are welcome to use it for your projects.
 
 
-### OIDC User Claims
+### OIDC Scopes and User Claims
+The website has a view to inspect which OIDC user claims are returned when using the various claim scopes. It can be accessed at https://bornhack.dk/profile/oidc/
+
+
+### OIDC User Claims Source Code
 
 The supported standard and custom OIDC user claims can be seen in `bornhack/oauth_validators.py` https://github.com/bornhack/bornhack-website/blob/master/src/bornhack/oauth_validators.py
 
 
-### OIDC Scopes
+### OIDC Scopes Source Code
 
 Supported oauth2 scopes are divided into standard OIDC claim scopes, custom OIDC claim scopes, and API scopes. The current list of supported scopes can be seen in the `OAUTH2_PROVIDER["SCOPES"]` dict in `bornhack/settings.py` https://github.com/bornhack/bornhack-website/blob/master/src/bornhack/settings.py
 

src/bornhack/oauth_validators.py

@@ -8,26 +8,22 @@ class BornhackOAuth2Validator(OAuth2Validator):
 
     # supported user claims and the scopes they require
     # https://django-oauth-toolkit.readthedocs.io/en/latest/oidc.html#using-oidc-scopes-to-determine-which-claims-are-returned
-    oidc_claim_scope = OAuth2Validator.oidc_claim_scope
-    oidc_claim_scope.update(
-        {
-            # the OIDC standard user claims we support, and the OIDC standard scopes they require
-            "address": "address",
-            "email": "email",
-            "email_verified": "email",
-            "phone_number": "phone",
-            "phone_number_verified": "phone",
-            "preferred_username": "profile",
-            "updated_at": "profile",
-            # the custom user claims we support, and the (mostly custom) scopes they require
-            "bornhack:v2:description": "profile",
-            "bornhack:v2:groups": "groups:read",
-            "bornhack:v2:location": "location:read",
-            "bornhack:v2:permissions": "permissions:read",
-            "bornhack:v2:public_credit_name": "profile",
-            "bornhack:v2:teams": "teams:read",
-        },
-    )
+    oidc_claim_scope = {
+        # the OIDC standard user claims we support, and the OIDC standard scopes they require
+        "email": "email",
+        "email_verified": "email",
+        "phone_number": "phone",
+        "preferred_username": "profile",
+        "updated_at": "profile",
+        # the custom user claims available under standard OIDC scopes
+        "bornhack:v2:description": "profile",
+        "bornhack:v2:public_credit_name": "profile",
+        # the custom user claims we support under custom OIDC scopes
+        "bornhack:v2:groups": "groups:read",
+        "bornhack:v2:location": "location:read",
+        "bornhack:v2:permissions": "permissions:read",
+        "bornhack:v2:teams": "teams:read",
+    }
 
     def get_claim_dict(self, request) -> dict[str, str]:
         """Return username (usually a uuid) instead of user pk in the 'sub' claim."""

src/profiles/forms.py

@@ -0,0 +1,12 @@
+from django import forms
+from bornhack.oauth_validators import BornhackOAuth2Validator
+
+def get_scopes() -> list[str]:
+    validator = BornhackOAuth2Validator()
+    return ((claim, claim) for claim in sorted(set(validator.oidc_claim_scope.values())))
+
+class OIDCForm(forms.Form):
+    scopes = forms.MultipleChoiceField(
+        choices=get_scopes,
+        help_text="Select the scopes to simulate",
+    )

src/profiles/templates/oidc.html

@@ -0,0 +1,64 @@
+{% extends 'profile_base.html' %}
+{% load django_bootstrap5 %}
+
+{% block title %}
+  OIDC Claims | {{ block.super }}
+{% endblock %}
+
+{% block profile_content %}
+  <div class="card">
+    <div class="card-header">
+      <h4>OIDC Claims</h4>
+    </div>
+    <div class="card-body">
+        <p class="lead">When using BornHack as an IDP (logging into other sites using your BornHack account) you can control which user claims are returned by asking for one or more of the following claim scopes:</p>
+      <p><ul>
+        {% for scope in all_scopes %}
+        <li><code>{{ scope }}</code></li>
+        {% endfor %}
+      </ul></p>
+      <p>Note: In addition to this list the default <code>openid</code> scope is available (it is part of the standard) and must always be included when asking for a jwt.</p>
+      <p class="lead">This form allows you to see which OIDC user claims are returned for your user with any combination of scopes.</p>
+      <form method="GET">
+      {% bootstrap_form form %}
+      <button class="btn btn-primary" type="submit">Submit</button>
+      </form>
+      <hr>
+      {% if not active_scopes %}
+      <p class="lead">Select scopes in the form to see user claims</p>
+      {% else %}
+      <p class="lead">The following user claims will be returned in a jwt with these scopes:</p>
+      <p>
+      <ul>
+      {% for scope in active_scopes %}
+      <li><code>{{ scope }}</code></li>
+      {% endfor %}
+      </ul>
+      </p>
+      <table class="table table-striped">
+        <tr>
+          <th>Claim Name</th>
+          <th>Required Scope</th>
+          <th>Claim Value (JSON)</th>
+        </tr>
+        <tr>
+          <td><code>sub</code></td>
+          <td><code>openid</code></td>
+          <td>{{ request.user.username }}</td>
+        </tr>
+        {% for claim, value in claims.items %}
+        {% for claimname, scope in scopes.items %}
+        {% if claimname == claim %}
+          <tr>
+            <td><code>{{ claim }}</code></td>
+            <td><code>{{ scope }}</code></td>
+            <td>{{ value }}</td>
+          </tr>
+        {% endif %}
+        {% endfor %}
+        {% endfor %}
+      </table>
+      {% endif %}
+    </div>
+  </div>
+{% endblock profile_content %}

src/profiles/templates/profile_base.html

@@ -91,6 +91,13 @@ <h2>Your BornHack Account</h2>
           </a>
         </li>
 
+        {% url 'profiles:oidc' as profile_oidc_url %}
+        <li class="nav-item">
+          <a class="nav-link{% if request.path == profile_oidc_url %} active{% endif %}" href="{{ profile_oidc_url }}">
+              OIDC Scope<i class="fas fa-arrow-right"></i>Claim
+          </a>
+        </li>
+
         <hr />
         <p class="text-break">You are logged in as username <b>{{ request.user.username }}</b> with email <b>{{ request.user.email }}</b></p>
 

src/profiles/urls.py

@@ -5,6 +5,7 @@
 from .views import ProfileUpdate
 from .views import ProfilePermissionList
 from .views import ProfileSessionThemeSwitchView
+from .views import ProfileOIDCView
 
 app_name = "profiles"
 urlpatterns = [
@@ -13,4 +14,5 @@
     path("edit/", ProfileUpdate.as_view(), name="update"),
     path("api/", ProfileApiView.as_view(), name="api"),
     path("permissions/", ProfilePermissionList.as_view(), name="permissions_list"),
+    path("oidc/", ProfileOIDCView.as_view(), name="oidc"),
 ]

src/profiles/views.py

@@ -7,13 +7,16 @@
 from django.shortcuts import redirect
 from django.views.generic import DetailView
 from django.views.generic import ListView
+from django.views.generic import FormView
 from django.views.generic import UpdateView
 from django.views import View
 from jsonview.views import JsonView
 from oauth2_provider.views.generic import ScopedProtectedResourceView
 from leaflet.forms.widgets import LeafletWidget
 
 from .models import Profile
+from .forms import OIDCForm
+from bornhack.oauth_validators import BornhackOAuth2Validator
 
 
 class ProfileDetail(LoginRequiredMixin, DetailView):
@@ -126,3 +129,32 @@ def get(self, request, *args, **kwargs):
             return redirect(next_url)
         else:
             return HttpResponseForbidden()
+
+          
+class ProfileOIDCView(LoginRequiredMixin, FormView):
+    template_name = "oidc.html"
+    form_class = OIDCForm
+
+    def setup(self, *args, **kwargs):
+        super().setup(*args, **kwargs)
+        validator = BornhackOAuth2Validator()
+        self.scopes = validator.oidc_claim_scope
+        self.claims = validator.get_additional_claims(request=self.request)
+
+    def get_form(self, form_class=None):
+        if form_class is None:
+            form_class = self.get_form_class()
+            self.initial['scopes'] = self.request.GET.getlist(key="scopes")
+        return form_class(**self.get_form_kwargs())
+
+    def get_context_data(self, **kwargs):
+        context = super().get_context_data(**kwargs)
+        context["claims"] = {}
+        for claim, value in self.claims.items():
+            scope = self.scopes[claim]
+            if scope in self.request.GET.getlist(key="scopes"):
+                context["claims"][claim] = value
+        context["scopes"] = self.scopes
+        context["active_scopes"] = ["openid"] + sorted(list(set(self.request.GET.getlist(key="scopes"))))
+        context["all_scopes"] = sorted(list(set(self.scopes.values())))
+        return context