add claim

2025-12-08 11:48:55 -03:00
parent 0f48db75c0
commit 807df116cf
4 changed files with 41 additions and 41 deletions
--- a/id.saladeaula.digital/app/oauth2.py
+++ b/id.saladeaula.digital/app/oauth2.py
@@ -1,9 +1,12 @@
+from functools import reduce
+
 from authlib.common.security import generate_token
 from authlib.common.urls import add_params_to_uri
 from authlib.jose import JsonWebKey
 from authlib.oauth2 import OAuth2Request, rfc7009, rfc9207
 from authlib.oauth2.rfc6749 import ClientMixin, TokenMixin, grants
 from authlib.oauth2.rfc6749.hooks import hooked
+from authlib.oauth2.rfc6749.util import scope_to_list
 from authlib.oauth2.rfc6750 import BearerTokenGenerator
 from authlib.oauth2.rfc7636 import CodeChallenge
 from authlib.oauth2.rfc9068 import JWTBearerTokenGenerator as JWTBearerTokenGenerator_
@@ -46,6 +49,15 @@ GRANT_TYPES_EXPIRES_IN = {
 }


+def get_user_scope(user_id: str) -> set:
+    items = dyn.collection.query(
+        KeyPair(pk=user_id, sk='SCOPE#'),
+    ).get('items', [])
+    scope = reduce(lambda acc, cur: acc + scope_to_list(cur['scope']), items, [])
+
+    return OAUTH2_DEFAULT_SCOPES | set(scope)
+
+
 class OpenIDCode(OpenIDCode_):
    def exists_nonce(self, nonce: str, request: OAuth2Request) -> bool:
        if not request.payload:
@@ -182,16 +194,10 @@ class AuthorizationCodeGrant(grants.AuthorizationCodeGrant):
        authorization_code: OAuth2AuthorizationCode,
    ) -> User:
        """Authenticate the user related to this authorization_code."""
-        user = dyn.collection.get_items(
-            TransactKey(authorization_code.user_id)
-            + SortKey('0')
-            + SortKey(
-                sk='SCOPE',
-                path_spec='scope',
-                rename_key='scope',
-            ),
+        user = dyn.collection.get_item(
+            KeyPair(pk=authorization_code.user_id, sk='0'),
        )
-        scope = set(user.get('scope', [])) | OAUTH2_DEFAULT_SCOPES
+        scope = get_user_scope(authorization_code.user_id)

        return User(
            **pick(('id', 'name', 'email', 'email_verified'), user),
@@ -395,6 +401,13 @@ class JWTBearerTokenGenerator(JWTBearerTokenGenerator_):
            ]
        }

+    def get_extra_claims(self, client, grant_type, user, scope):
+        return {
+            'name': user.name,
+            'email': user.email,
+            'email_verified': user.email_verified,
+        }
+

 server = AuthorizationServer(
    persistence_layer=dyn,