add scope to id

id.saladeaula.digital/app/config.py

@@ -9,14 +9,9 @@ OAUTH2_SCOPES_SUPPORTED: list[str] = [
     'profile',
     'email',
     'offline_access',
-    'read:users',
-    'write:users',
-    'read:enrollments',
-    'write:enrollments',
-    'read:orders',
-    'write:orders',
-    'read:courses',
-    'write:courses',
+    'apps:admin',
+    'apps:studio',
+    'apps:insights',
 ]
 
 SESSION_EXPIRES_IN = 86400 * 30  # 30 days

id.saladeaula.digital/app/integrations/apigateway_oauth2/resource_protector.py

@@ -1,4 +1,19 @@
 from authlib.oauth2 import ResourceProtector as _ResourceProtector
+from aws_lambda_powertools.event_handler import APIGatewayHttpResolver
+from aws_lambda_powertools.event_handler.middlewares import NextMiddleware
+
+from .requests import APIGatewayJsonRequest
 
 
-class ResourceProtector(_ResourceProtector): ...
+class ResourceProtector(_ResourceProtector):
+    def __call__(self, scopes=None, optional=False, **kwargs):
+        claims = kwargs
+        # backward compatibility
+        claims['scopes'] = scopes
+
+        def wrapper(app: APIGatewayHttpResolver, next_middleware: NextMiddleware):
+            request = APIGatewayJsonRequest(app.current_event)
+            print(request)
+            return next_middleware(app)
+
+        return wrapper

id.saladeaula.digital/app/integrations/apigateway_oauth2/tokens.py

@@ -1,5 +1,5 @@
 import time
-from dataclasses import dataclass
+from dataclasses import dataclass, field
 
 from authlib.oauth2.rfc6749 import (
     AuthorizationCodeMixin,
@@ -15,6 +15,7 @@ class User:
     name: str
     email: str
     email_verified: bool = False
+    scope: list[str] | None = None
 
     def get_user_id(self):
         return self.id

id.saladeaula.digital/app/oauth2.py

@@ -1,3 +1,5 @@
+from os import rename
+
 from authlib.common.security import generate_token
 from authlib.common.urls import add_params_to_uri
 from authlib.jose import JsonWebKey
@@ -26,6 +28,7 @@ from config import ISSUER, OAUTH2_SCOPES_SUPPORTED, OAUTH2_TABLE
 from integrations.apigateway_oauth2.authorization_server import (
     AuthorizationServer,
 )
+from integrations.apigateway_oauth2.resource_protector import ResourceProtector
 from integrations.apigateway_oauth2.tokens import (
     OAuth2AuthorizationCode,
     OAuth2Token,
@@ -65,15 +68,18 @@ class OpenIDCode(OpenIDCode_):
         }
 
     def generate_user_info(self, user: User, scope: str) -> UserInfo:
-        print(scope)
-        print('--' * 100)
-        return UserInfo(
+        user_info = UserInfo(
             sub=user.id,
             name=user.name,
             email=user.email,
             email_verified=user.email_verified,
         ).filter(scope)
 
+        if user.scope:
+            user_info['scope'] = ' '.join(user.scope)
+
+        return user_info
+
 
 class AuthorizationCodeGrant(grants.AuthorizationCodeGrant):
     TOKEN_ENDPOINT_AUTH_METHODS = [
@@ -166,20 +172,22 @@ class AuthorizationCodeGrant(grants.AuthorizationCodeGrant):
         authorization_code: OAuth2AuthorizationCode,
     ) -> User:
         """Authenticate the user related to this authorization_code."""
-        user = dyn.get_item(
-            KeyPair(
-                pk=authorization_code.user_id,
-                sk='0',
-            ),
+        user = dyn.collection.get_items(
+            TransactKey(authorization_code.user_id)
+            + SortKey('0')
+            + SortKey('SCOPE', path_spec='scope', rename_key='scope'),
         )
 
-        return User(**pick(('id', 'name', 'email', 'email_verified'), user))
+        return User(**pick(('id', 'name', 'email', 'email_verified', 'scope'), user))
 
 
 class TokenExchangeGrant(grants.BaseGrant):
     GRANT_TYPE = 'urn:ietf:params:oauth:grant-type:token-exchange'
 
-    TOKEN_ENDPOINT_AUTH_METHODS = ['client_secret_basic', 'client_secret_post']
+    TOKEN_ENDPOINT_AUTH_METHODS = [
+        'client_secret_basic',
+        'client_secret_post',
+    ]
 
     @hooked
     def validate_token_request(self):
@@ -288,6 +296,17 @@ class RevocationEndpoint(rfc7009.RevocationEndpoint):
         token: OAuth2Token,
         request: OAuth2Request,
     ):
+        """
+        Mark token as revoked. Since token MUST be unique, it would be dangerous
+        to delete it. Consider this situation:
+
+        - Jane obtained a token XYZ
+        - Jane revoked (deleted) token XYZ
+        - Bob generated a new token XYZ
+        - Jane can use XYZ to access Bob’s resource
+
+        - https://docs.authlib.org/en/latest/specs/rfc7009.html#authlib.oauth2.rfc7009.RevocationEndpoint.revoke_token
+        """
         user_id = token.user['id']
         r = dyn.collection.query(KeyPair(pk=user_id, sk='SESSION'))
 
@@ -377,3 +396,5 @@ server.register_grant(TokenExchangeGrant)
 server.register_grant(RefreshTokenGrant)
 server.register_endpoint(RevocationEndpoint)
 server.register_extension(IssuerParameter())
+
+require_oauth = ResourceProtector()

id.saladeaula.digital/app/routes/userinfo.py

@@ -1,8 +1,10 @@
 from aws_lambda_powertools.event_handler.api_gateway import Router
 
+from oauth2 import require_oauth
+
 router = Router()
 
 
-@router.get('/userinfo')
+@router.get('/userinfo', middlewares=[require_oauth('profile')])
 def userinfo():
     return {'name': 'test'}

id.saladeaula.digital/tests/routes/test_authorize.py

@@ -17,6 +17,7 @@ def test_authorize(
     lambda_context: LambdaContext,
 ):
     session = new_session(USER_ID)
+    print(session)
 
     r = app.lambda_handler(
         http_api_proxy(
@@ -26,7 +27,7 @@ def test_authorize(
                 'response_type': 'code',
                 'client_id': 'd72d4005-1fa7-4430-9754-80d5e2487bb6',
                 'redirect_uri': 'https://localhost/callback',
-                'scope': 'openid offline_access read:users',
+                'scope': 'openid profile email offline_access apps:admin',
                 'nonce': '123',
                 'state': '456',
             },

id.saladeaula.digital/tests/seeds.jsonl

@@ -1,9 +1,9 @@
 // OAuth2
-{"id": "OAUTH2", "sk": "CLIENT_ID#d72d4005-1fa7-4430-9754-80d5e2487bb6", "client_secret": "1nFD8alDbGHgc3g1RLY960xyRJVee0SlMoIB0MUlSuiJy28W", "name": "pytest 1", "scope": "openid profile", "redirect_uris": ["https://localhost/callback"], "response_types": ["code"], "grant_types": ["authorization_code", "refresh_token"], "scope": "openid profile email offline_access read:users", "token_endpoint_auth_method": "client_secret_basic"}
-{"id": "OAUTH2", "sk": "CLIENT_ID#8c5e92b0-9ed4-451e-8935-66084d8544b1", "client_secret": "1nFD8alDbGHgc3g1RLY960xyRJVee0SlMoIB0MUlSuiJy28W", "name": "pytest 1", "scope": "openid profile", "redirect_uris": ["https://localhost/callback"], "response_types": ["code"], "grant_types": ["authorization_code", "refresh_token"], "scope": "openid profile email offline_access read:users", "token_endpoint_auth_method": "none"}
+{"id": "OAUTH2", "sk": "CLIENT_ID#d72d4005-1fa7-4430-9754-80d5e2487bb6", "client_secret": "1nFD8alDbGHgc3g1RLY960xyRJVee0SlMoIB0MUlSuiJy28W", "name": "pytest 1", "scope": "openid profile", "redirect_uris": ["https://localhost/callback"], "response_types": ["code"], "grant_types": ["authorization_code", "refresh_token"], "scope": "openid profile email offline_access apps:admin", "token_endpoint_auth_method": "client_secret_basic"}
+{"id": "OAUTH2", "sk": "CLIENT_ID#8c5e92b0-9ed4-451e-8935-66084d8544b1", "client_secret": "1nFD8alDbGHgc3g1RLY960xyRJVee0SlMoIB0MUlSuiJy28W", "name": "pytest 1", "scope": "openid profile", "redirect_uris": ["https://localhost/callback"], "response_types": ["code"], "grant_types": ["authorization_code", "refresh_token"], "scope": "openid profile email offline_access apps:admin", "token_endpoint_auth_method": "none"}
 {"id": "OAUTH2", "sk": "CLIENT_ID#6ebe1709-0831-455c-84c0-d4c753bf33c6", "client_secret": "1nFD8alDbGHgc3g1RLY960xyRJVee0SlMoIB0MUlSuiJy28W", "name": "pytest 2", "scope": "openid profile", "redirect_uris": ["https://localhost/callback"], "response_types": ["code"], "grant_types": ["authorization_code", "refresh_token"], "scope": "openid profile email offline_access", "token_endpoint_auth_method": "none"}
-{"id": "OAUTH2", "sk": "CLIENT_ID#1db63660-063d-4280-b2ea-388aca4a9459", "client_secret": "1nFD8alDbGHgc3g1RLY960xyRJVee0SlMoIB0MUlSuiJy28W", "name": "pytest 3", "scope": "openid profile", "redirect_uris": ["https://localhost/callback"], "response_types": ["code"], "grant_types": ["authorization_code", "refresh_token"], "scope": "openid profile email offline_access read:users", "token_endpoint_auth_method": "client_secret_basic"}
-{"id": "OAUTH2#CODE", "sk": "CODE#kyqp3oSuRFTfuBaCmq3XOgGWg67l42Kt3D6xPEj7Yd3MLdi9", "client_id": "d72d4005-1fa7-4430-9754-80d5e2487bb6", "redirect_uri": "https://localhost/callback", "user_id": "357db1c5-7442-4075-98a3-fbe5c938a419", "nonce": null, "scope": "openid profile email read:users", "response_type": "code", "code_challenge": "ejYEIGKQUgMnNh4eV0sftb0hXdLwkvKm6OHXRYvC--I", "code_challenge_method": "S256", "created_at": "2025-08-07T12:38:26.550431-03:00"}
+{"id": "OAUTH2", "sk": "CLIENT_ID#1db63660-063d-4280-b2ea-388aca4a9459", "client_secret": "1nFD8alDbGHgc3g1RLY960xyRJVee0SlMoIB0MUlSuiJy28W", "name": "pytest 3", "scope": "openid profile", "redirect_uris": ["https://localhost/callback"], "response_types": ["code"], "grant_types": ["authorization_code", "refresh_token"], "scope": "openid profile email offline_access apps:admin", "token_endpoint_auth_method": "client_secret_basic"}
+{"id": "OAUTH2#CODE", "sk": "CODE#kyqp3oSuRFTfuBaCmq3XOgGWg67l42Kt3D6xPEj7Yd3MLdi9", "client_id": "d72d4005-1fa7-4430-9754-80d5e2487bb6", "redirect_uri": "https://localhost/callback", "user_id": "357db1c5-7442-4075-98a3-fbe5c938a419", "nonce": null, "scope": "openid profile email apps:admins", "response_type": "code", "code_challenge": "ejYEIGKQUgMnNh4eV0sftb0hXdLwkvKm6OHXRYvC--I", "code_challenge_method": "S256", "created_at": "2025-08-07T12:38:26.550431-03:00"}
 
 {"id": "OAUTH2#TOKEN", "sk": "REFRESH_TOKEN#CyF3Ik3b9hMIo3REVv27gZAHd7dvwZq6QrkhWr7qHEen4UVy", "client_id": "d72d4005-1fa7-4430-9754-80d5e2487bb6", "token_type": "Bearer", "access_token": "eyJhbGciOiJSUzI1NiIsInR5cCI6ImF0K2p3dCIsImtpZCI6IlRjT0VuV3JGSUFEYlZJNjJlY1pzU28ydEI1eW5mbkZZNTZ0Uy05b0stNW8ifQ.eyJpc3MiOiJodHRwOi8vbG9jYWxob3N0IiwiZXhwIjoxNzU5NTg2NzgzLCJjbGllbnRfaWQiOiJkNzJkNDAwNS0xZmE3LTQ0MzAtOTc1NC04MGQ1ZTI0ODdiYjYiLCJpYXQiOjE3NTg5ODE5ODMsImp0aSI6Ik9uVzRIZm1FdFl2a21CbE4iLCJzY29wZSI6Im9wZW5pZCBwcm9maWxlIGVtYWlsIHJlYWQ6dXNlcnMiLCJzdWIiOiIzNTdkYjFjNS03NDQyLTQwNzUtOThhMy1mYmU1YzkzOGE0MTkiLCJhdWQiOiJkNzJkNDAwNS0xZmE3LTQ0MzAtOTc1NC04MGQ1ZTI0ODdiYjYifQ.i0NVgvPuf5jvl8JcYNsVCzjVUTDLihgQO4LmLeNijx9Ed3p_EgtVtcHFWFvEebe_LwTuDDtIJveH22Piyp4zresNSc_YNumnuvoY1aNd0ic2RIEtXaklRroq0xHwL_IVT-Dt6P9xL5Hyygx47Pvmci4U3wWK32a6Sb1Mm7ZZgXA00xWI1bJ_zwxFLvDkHDp9nrAa_vEWN6zRBcWc7JYNsgiaPMC0DoL8it0k48_g44zfsjGAZLcWFMoPlYt3wIcQQDeCKMsSJI0VPnqKK0pq4OOVs-pjkMyAU5aEMPvVOwdAL3VZY16RXt3eTzsmMH1XoRdCMP6UAx4ZS10RLGUPeA", "scope": "openid profile email read:users", "user": {"id": "357db1c5-7442-4075-98a3-fbe5c938a419", "name": "S\u00e9rgio R Siqueira", "email": "sergio@somosbeta.com.br", "email_verified": false}, "expires_in": 180, "issued_at": 1758981984, "ttl": 1759586784}
 
@@ -16,7 +16,7 @@
 // User data
 {"id": "357db1c5-7442-4075-98a3-fbe5c938a419", "sk": "0", "name": "Sérgio R Siqueira", "email": "sergio@somosbeta.com.br"}
 {"id": "357db1c5-7442-4075-98a3-fbe5c938a419", "sk": "PASSWORD", "hash": "$pbkdf2-sha256$29000$IuTcm7M2BiAEgPB.b.3dGw$d8xVCbx8zxg7MeQBrOvCOgniiilsIHEMHzoH/OXftLQ"}
-{"id": "357db1c5-7442-4075-98a3-fbe5c938a419", "sk": "SCOPE", "scope": ["openid", "profile", "email", "offline_access", "read:users", "read:courses", "impersonate:users"]}
+{"id": "357db1c5-7442-4075-98a3-fbe5c938a419", "sk": "SCOPE", "scope": ["openid", "profile", "email", "offline_access", "apps:admin"]}
 {"id": "357db1c5-7442-4075-98a3-fbe5c938a419", "sk": "SESSION#36af142e-9f6d-49d3-bfe9-6a6bd6ab2712", "created_at": "2025-09-17T13:44:34.544491-03:00", "ttl": 1760719474}
 
 {"id": "fd5914ec-fd37-458b-b6b9-8aeab38b666b", "sk": "0", "name": "Johnny Cash", "email": "johnny@johnnycash.com"}