author | Jonathan Huot <JonathanHuot@users.noreply.github.com> | 2019-08-01 19:10:17 +0200 |
---|---|---|
committer | GitHub <noreply@github.com> | 2019-08-01 19:10:17 +0200 |
commit | f74922bace5a6d28b8020d1688c40d03c6bceafc (patch) | |
tree | c2a60453c842e6085a52538c1ec5e0ca3ae69dee /oauthlib/openid/connect/core/request_validator.py | |
parent | 3de7007c6885f0ac23ff2c56d6a65d8f258600a2 (diff) | |
parent | f516c1660e2608375bd6f65c1829caaf7301c426 (diff) | |
download | oauthlib-docs-flows-hooks.tar.gz |
Merge branch 'master' into docs-flows-hooks
Diffstat (limited to 'oauthlib/openid/connect/core/request_validator.py')
-rw-r--r-- | oauthlib/openid/connect/core/request_validator.py | 42 |
1 files changed, 42 insertions, 0 deletions
diff --git a/oauthlib/openid/connect/core/request_validator.py b/oauthlib/openid/connect/core/request_validator.py
index d96c9ef..e853d39 100644
--- a/oauthlib/openid/connect/core/request_validator.py
+++ b/oauthlib/openid/connect/core/request_validator.py
@@ -265,3 +265,45 @@ class RequestValidator(OAuth2RequestValidator):
 - OpenIDConnectHybrid
 """
 raise NotImplementedError('Subclasses must implement this method.')
+
+ def get_userinfo_claims(self, request):
+ """Return the UserInfo claims in JSON or Signed or Encrypted.
+
+ The UserInfo Claims MUST be returned as the members of a JSON object
+ unless a signed or encrypted response was requested during Client
+ Registration. The Claims defined in Section 5.1 can be returned, as can
+ additional Claims not specified there.
+
+ For privacy reasons, OpenID Providers MAY elect to not return values for
+ some requested Claims.
+
+ If a Claim is not returned, that Claim Name SHOULD be omitted from the
+ JSON object representing the Claims; it SHOULD NOT be present with a
+ null or empty string value.
+
+ The sub (subject) Claim MUST always be returned in the UserInfo
+ Response.
+
+ Upon receipt of the UserInfo Request, the UserInfo Endpoint MUST return
+ the JSON Serialization of the UserInfo Response as in Section 13.3 in
+ the HTTP response body unless a different format was specified during
+ Registration [OpenID.Registration].
+
+ If the UserInfo Response is signed and/or encrypted, then the Claims are
+ returned in a JWT and the content-type MUST be application/jwt. The
+ response MAY be encrypted without also being signed. If both signing and
+ encryption are requested, the response MUST be signed then encrypted,
+ with the result being a Nested JWT, as defined in [JWT].
+
+ If signed, the UserInfo Response SHOULD contain the Claims iss (issuer)
+ and aud (audience) as members. The iss value SHOULD be the OP's Issuer
+ Identifier URL. The aud value SHOULD be or include the RP's Client ID
+ value.
+
+ :param request: OAuthlib request.
+ :type request: oauthlib.common.Request
+ :rtype: Claims as a dict OR JWT/JWS/JWE as a string
+
+ Method is used by:
+ UserInfoEndpoint
+ """ |
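Review bot: `get_userinfo_claims` ends at its docstring, so a `RequestValidator` subclass that never overrides it returns `None` instead of failing the way the method just above it does. Adding `raise NotImplementedError('Subclasses must implement this method.')` after the closing `"""` keeps the base class consistent and makes a missing override fail loudly rather than reach the UserInfo response path with no claims. The docstring repeats the specification text but does not say where the values come from; a sentence such as `The claims MUST describe the end-user bound to the access token on this request and be limited to what its granted scopes allow.` would tell implementers what to check before returning data. The hunk has no trailing context, so the method appears to be the last definition in the file.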