add oidc->userclaim testing view in profile

Author: tykling

src/bornhack/oauth_validators.py

@@ -8,26 +8,22 @@ class BornhackOAuth2Validator(OAuth2Validator):
 
     # supported user claims and the scopes they require
     # https://django-oauth-toolkit.readthedocs.io/en/latest/oidc.html#using-oidc-scopes-to-determine-which-claims-are-returned
-    oidc_claim_scope = OAuth2Validator.oidc_claim_scope
-    oidc_claim_scope.update(
-        {
-            # the OIDC standard user claims we support, and the OIDC standard scopes they require
-            "address": "address",
-            "email": "email",
-            "email_verified": "email",
-            "phone_number": "phone",
-            "phone_number_verified": "phone",
-            "preferred_username": "profile",
-            "updated_at": "profile",
-            # the custom user claims we support, and the (mostly custom) scopes they require
-            "bornhack:v2:description": "profile",
-            "bornhack:v2:groups": "groups:read",
-            "bornhack:v2:location": "location:read",
-            "bornhack:v2:permissions": "permissions:read",
-            "bornhack:v2:public_credit_name": "profile",
-            "bornhack:v2:teams": "teams:read",
-        },
-    )
+    oidc_claim_scope = {
+        # the OIDC standard user claims we support, and the OIDC standard scopes they require
+        "email": "email",
+        "email_verified": "email",
+        "phone_number": "phone",
+        "preferred_username": "profile",
+        "updated_at": "profile",
+        # the custom user claims available under standard OIDC scopes
+        "bornhack:v2:description": "profile",
+        "bornhack:v2:public_credit_name": "profile",
+        # the custom user claims we support under custom OIDC scopes
+        "bornhack:v2:groups": "groups:read",
+        "bornhack:v2:location": "location:read",
+        "bornhack:v2:permissions": "permissions:read",
+        "bornhack:v2:teams": "teams:read",
+    }
 
     def get_claim_dict(self, request) -> dict[str, str]:
         """Return username (usually a uuid) instead of user pk in the 'sub' claim."""

src/profiles/forms.py

@@ -0,0 +1,12 @@
+from django import forms
+from bornhack.oauth_validators import BornhackOAuth2Validator
+
+def get_scopes() -> list[str]:
+    validator = BornhackOAuth2Validator()
+    return ((claim, claim) for claim in sorted(set(validator.oidc_claim_scope.values())))
+
+class OIDCForm(forms.Form):
+    scopes = forms.MultipleChoiceField(
+        choices=get_scopes,
+        help_text="Select the scopes to simulate",
+    )

src/profiles/templates/oidc.html

@@ -0,0 +1,64 @@
+{% extends 'profile_base.html' %}
+{% load django_bootstrap5 %}
+
+{% block title %}
+  OIDC Claims | {{ block.super }}
+{% endblock %}
+
+{% block profile_content %}
+  <div class="card">
+    <div class="card-header">
+      <h4>OIDC Claims</h4>
+    </div>
+    <div class="card-body">
+        <p class="lead">When using BornHack as an IDP (logging into other sites using your BornHack account) you can control which user claims are returned by asking for one or more of the following claim scopes:</p>
+      <p><ul>
+        {% for scope in all_scopes %}
+        <li><code>{{ scope }}</code></li>
+        {% endfor %}
+      </ul></p>
+      <p>Note: In addition to this list the default <code>openid</code> scope is available (it is part of the standard) and must always be included when asking for a jwt.</p>
+      <p class="lead">This form allows you to see which OIDC user claims are returned for your user with any combination of scopes.</p>
+      <form method="GET">
+      {% bootstrap_form form %}
+      <button class="btn btn-primary" type="submit">Submit</button>
+      </form>
+      <hr>
+      {% if not active_scopes %}
+      <p class="lead">Select scopes in the form to see user claims</p>
+      {% else %}
+      <p class="lead">The following user claims will be returned in a jwt with these scopes:</p>
+      <p>
+      <ul>
+      {% for scope in active_scopes %}
+      <li><code>{{ scope }}</code></li>
+      {% endfor %}
+      </ul>
+      </p>
+      <table class="table table-striped">
+        <tr>
+          <th>Claim Name</th>
+          <th>Required Scope</th>
+          <th>Claim Value (JSON)</th>
+        </tr>
+        <tr>
+          <td><code>sub</code></td>
+          <td><code>openid</code></td>
+          <td>{{ request.user.username }}</td>
+        </tr>
+        {% for claim, value in claims.items %}
+        {% for claimname, scope in scopes.items %}
+        {% if claimname == claim %}
+          <tr>
+            <td><code>{{ claim }}</code></td>
+            <td><code>{{ scope }}</code></td>
+            <td>{{ value }}</td>
+          </tr>
+        {% endif %}
+        {% endfor %}
+        {% endfor %}
+      </table>
+      {% endif %}
+    </div>
+  </div>
+{% endblock profile_content %}

src/profiles/templates/profile_base.html

@@ -91,6 +91,13 @@ <h2>Your BornHack Account</h2>
           </a>
         </li>
 
+        {% url 'profiles:oidc' as profile_oidc_url %}
+        <li class="nav-item">
+          <a class="nav-link{% if request.path == profile_oidc_url %} active{% endif %}" href="{{ profile_oidc_url }}">
+              OIDC Scope<i class="fas fa-arrow-right"></i>Claim
+          </a>
+        </li>
+
         <hr />
         <p class="text-break">You are logged in as username <b>{{ request.user.username }}</b> with email <b>{{ request.user.email }}</b></p>
 

src/profiles/urls.py

@@ -4,11 +4,13 @@
 from .views import ProfileDetail
 from .views import ProfileUpdate
 from .views import ProfilePermissionList
+from .views import ProfileOIDCView
 
 app_name = "profiles"
 urlpatterns = [
     path("", ProfileDetail.as_view(), name="detail"),
     path("edit/", ProfileUpdate.as_view(), name="update"),
     path("api/", ProfileApiView.as_view(), name="api"),
     path("permissions/", ProfilePermissionList.as_view(), name="permissions_list"),
+    path("oidc/", ProfileOIDCView.as_view(), name="oidc"),
 ]

src/profiles/views.py

@@ -5,12 +5,15 @@
 from django.urls import reverse_lazy
 from django.views.generic import DetailView
 from django.views.generic import ListView
+from django.views.generic import FormView
 from django.views.generic import UpdateView
 from jsonview.views import JsonView
 from oauth2_provider.views.generic import ScopedProtectedResourceView
 from leaflet.forms.widgets import LeafletWidget
 
 from .models import Profile
+from .forms import OIDCForm
+from bornhack.oauth_validators import BornhackOAuth2Validator
 
 
 class ProfileDetail(LoginRequiredMixin, DetailView):
@@ -103,3 +106,32 @@ def get_queryset(self, *args, **kwargs):
             )
         )
         return perms
+
+
+class ProfileOIDCView(LoginRequiredMixin, FormView):
+    template_name = "oidc.html"
+    form_class = OIDCForm
+
+    def setup(self, *args, **kwargs):
+        super().setup(*args, **kwargs)
+        validator = BornhackOAuth2Validator()
+        self.scopes = validator.oidc_claim_scope
+        self.claims = validator.get_additional_claims(request=self.request)
+
+    def get_form(self, form_class=None):
+        if form_class is None:
+            form_class = self.get_form_class()
+            self.initial['scopes'] = self.request.GET.getlist(key="scopes")
+        return form_class(**self.get_form_kwargs())
+
+    def get_context_data(self, **kwargs):
+        context = super().get_context_data(**kwargs)
+        context["claims"] = {}
+        for claim, value in self.claims.items():
+            scope = self.scopes[claim]
+            if scope in self.request.GET.getlist(key="scopes"):
+                context["claims"][claim] = value
+        context["scopes"] = self.scopes
+        context["active_scopes"] = ["openid"] + sorted(list(set(self.request.GET.getlist(key="scopes"))))
+        context["all_scopes"] = sorted(list(set(self.scopes.values())))
+        return context