diff --git a/app/controllers/api/openid_connect/discovery_controller.rb b/app/controllers/api/openid_connect/discovery_controller.rb
index 4d4b56bb595cb332da9ed5057f7428ac108bdfc2..15ce387387debdeb14a339a13782e746ee6550ff 100644
--- a/app/controllers/api/openid_connect/discovery_controller.rb
+++ b/app/controllers/api/openid_connect/discovery_controller.rb
@@ -25,8 +25,8 @@ module Api
request_object_signing_alg_values_supported: %i(HS256 HS384 HS512),
subject_types_supported: %w(public pairwise),
id_token_signing_alg_values_supported: %i(RS256),
- token_endpoint_auth_methods_supported: %w(client_secret_basic client_secret_post)
- # TODO: claims_supported: ["sub", "iss", "name", "email"]
+ token_endpoint_auth_methods_supported: %w(client_secret_basic client_secret_post),
+ claims_supported: %w(sub nickname profile picture zoneinfo)
)
end
end
diff --git a/app/controllers/api/openid_connect/user_info_controller.rb b/app/controllers/api/openid_connect/user_info_controller.rb
new file mode 100644
index 0000000000000000000000000000000000000000..9fb79226d5c0365a936b3861fc465755804cab9e
--- /dev/null
+++ b/app/controllers/api/openid_connect/user_info_controller.rb
@@ -0,0 +1,19 @@
+module Api
+ module OpenidConnect
+ class UserInfoController < ApplicationController
+ include Api::OpenidConnect::ProtectedResourceEndpoint
+
+ before_action do
+ require_access_token Api::OpenidConnect::Scope.find_by(name: "openid")
+ end
+
+ def show
+ render json: current_user, serializer: UserInfoSerializer
+ end
+
+ def current_user
+ current_token ? current_token.authorization.user : nil
+ end
+ end
+ end
+end
diff --git a/app/serializers/user_info_serializer.rb b/app/serializers/user_info_serializer.rb
new file mode 100644
index 0000000000000000000000000000000000000000..3f042380de394836930b7589857aa52c6f06c5a2
--- /dev/null
+++ b/app/serializers/user_info_serializer.rb
@@ -0,0 +1,23 @@
+class UserInfoSerializer < ActiveModel::Serializer
+ attributes :sub, :nickname, :profile, :picture, :zoneinfo
+
+ def sub
+ object.diaspora_handle # TODO: Change to proper sub
+ end
+
+ def nickname
+ object.name
+ end
+
+ def profile
+ File.join(AppConfig.environment.url, "people", object.guid).to_s
+ end
+
+ def picture
+ File.join(AppConfig.environment.url, object.image_url).to_s
+ end
+
+ def zoneinfo
+ object.language
+ end
+end
diff --git a/app/serializers/user_serializer.rb b/app/serializers/user_serializer.rb
deleted file mode 100644
index b0d134815c5510818a38a63f3556790631b9f4dd..0000000000000000000000000000000000000000
--- a/app/serializers/user_serializer.rb
+++ /dev/null
@@ -1,3 +0,0 @@
-class UserSerializer < ActiveModel::Serializer
- attributes :name, :email, :language, :username
-end
diff --git a/config/routes.rb b/config/routes.rb
index a9739b73ad256cda5cbacd01bb8fcff18e4bb6a4..683e1da17a994e0999f1704542e19f15867514c1 100644
--- a/config/routes.rb
+++ b/config/routes.rb
@@ -250,6 +250,8 @@ Diaspora::Application.routes.draw do
get ".well-known/webfinger", to: "discovery#webfinger"
get ".well-known/openid-configuration", to: "discovery#configuration"
get "jwks.json", to: "id_tokens#jwks"
+
+ get "user_info", to: "user_info#show"
end
end
end
diff --git a/features/step_definitions/auth_code_steps.rb b/features/step_definitions/auth_code_steps.rb
index 8f690a23d10c9fbfa8ffd9ef0ae76a40bdeca56b..a34c284d959f6e51505e73ac3616377de7e5d63e 100644
--- a/features/step_definitions/auth_code_steps.rb
+++ b/features/step_definitions/auth_code_steps.rb
@@ -28,5 +28,5 @@ end
When /^I parse the tokens and use it obtain user info$/ do
client_json = JSON.parse(last_response.body)
access_token = client_json["access_token"]
- get api_v0_user_path, access_token: access_token
+ get api_openid_connect_user_info_path, access_token: access_token
end
diff --git a/features/step_definitions/implicit_flow_steps.rb b/features/step_definitions/implicit_flow_steps.rb
index fad520faaa40293f465f18972fb443018be4185f..cb7394da1458826c9ffd814df94d068f1d5b6060 100644
--- a/features/step_definitions/implicit_flow_steps.rb
+++ b/features/step_definitions/implicit_flow_steps.rb
@@ -33,7 +33,7 @@ end
When /^I parse the bearer tokens and use it to access user info$/ do
access_token = current_url[/(?<=access_token=)[^&]+/]
- get api_v0_user_path, access_token: access_token
+ get api_openid_connect_user_info_path, access_token: access_token
end
Then /^I should see an "([^\"]*)" error$/ do |error_message|
diff --git a/features/step_definitions/oidc_common_steps.rb b/features/step_definitions/oidc_common_steps.rb
index 1519e26fccaa920fded87e8500133481ca5d7ecd..bcf8be96e382a93acdb33b91b3e63ac037d8a07b 100644
--- a/features/step_definitions/oidc_common_steps.rb
+++ b/features/step_definitions/oidc_common_steps.rb
@@ -9,19 +9,19 @@ end
When /^I use received valid bearer tokens to access user info$/ do
access_token_json = JSON.parse(last_response.body)
- get api_v0_user_path, access_token: access_token_json["access_token"]
+ get api_openid_connect_user_info_path, access_token: access_token_json["access_token"]
end
When /^I use invalid bearer tokens to access user info$/ do
- get api_v0_user_path, access_token: SecureRandom.hex(32)
+ get api_openid_connect_user_info_path, access_token: SecureRandom.hex(32)
end
Then /^I should receive "([^\"]*)"'s id, username, and email$/ do |username|
user_info_json = JSON.parse(last_response.body)
user = User.find_by_username(username)
- expect(user_info_json["username"]).to have_content(user.username)
- expect(user_info_json["language"]).to have_content(user.language)
- expect(user_info_json["email"]).to have_content(user.email)
+ user_profile_url = File.join(AppConfig.environment.url, "people", user.guid).to_s
+ expect(user_info_json["profile"]).to have_content(user_profile_url)
+ expect(user_info_json["zoneinfo"]).to have_content(user.language)
end
Then /^I should receive an "([^\"]*)" error$/ do |error_message|
diff --git a/spec/controllers/api/openid_connect/authorizations_controller_spec.rb b/spec/controllers/api/openid_connect/authorizations_controller_spec.rb
index a8d5e340581c479a0c3242daba2d6a2c28bf2b7d..6663f281e090f12292f3e4ddfc29f58f5a721406 100644
--- a/spec/controllers/api/openid_connect/authorizations_controller_spec.rb
+++ b/spec/controllers/api/openid_connect/authorizations_controller_spec.rb
@@ -94,8 +94,10 @@ describe Api::OpenidConnect::AuthorizationsController, type: :controller do
end
end
context "when already authorized" do
- let!(:auth) { Api::OpenidConnect::Authorization.find_or_create_by(o_auth_application: client, user: alice,
- redirect_uri: "http://localhost:3000/") }
+ let!(:auth) {
+ Api::OpenidConnect::Authorization.find_or_create_by(o_auth_application: client, user: alice,
+ redirect_uri: "http://localhost:3000/")
+ }
context "when valid parameters are passed" do
before do
diff --git a/spec/integration/api/users_controller_spec.rb b/spec/integration/api/users_controller_spec.rb
index 53f9b46070d6e071ac1b43eb0a5084983b90e03c..7b13f738fee8f01e1bed34c984aa78656f35b727 100644
--- a/spec/integration/api/users_controller_spec.rb
+++ b/spec/integration/api/users_controller_spec.rb
@@ -8,20 +8,21 @@ describe Api::V0::UsersController do
end
let(:auth_with_read) do
auth = Api::OpenidConnect::Authorization.create!(o_auth_application: client, user: alice)
- auth.scopes << [Api::OpenidConnect::Scope.find_or_create_by(name: "read")]
+ auth.scopes << [Api::OpenidConnect::Scope.find_or_create_by(name: "openid"),
+ Api::OpenidConnect::Scope.find_or_create_by(name: "read")]
auth
end
let!(:access_token_with_read) { auth_with_read.create_access_token.to_s }
describe "#show" do
before do
- get api_v0_user_path, access_token: access_token_with_read
+ get api_openid_connect_user_info_path, access_token: access_token_with_read
end
it "shows the info" do
json_body = JSON.parse(response.body)
- expect(json_body["username"]).to eq(alice.username)
- expect(json_body["email"]).to eq(alice.email)
+ expect(json_body["nickname"]).to eq(alice.name)
+ expect(json_body["profile"]).to eq(File.join(AppConfig.environment.url, "people", alice.guid).to_s)
end
end
end
diff --git a/spec/lib/api/openid_connect/protected_resource_endpoint_spec.rb b/spec/lib/api/openid_connect/protected_resource_endpoint_spec.rb
index f3933a5ee873059863b5e16aa4401f28e3143735..219cf1c40a3c0093d25dd7428615ddd7df8f6ade 100644
--- a/spec/lib/api/openid_connect/protected_resource_endpoint_spec.rb
+++ b/spec/lib/api/openid_connect/protected_resource_endpoint_spec.rb
@@ -8,7 +8,8 @@ describe Api::OpenidConnect::ProtectedResourceEndpoint, type: :request do
end
let(:auth_with_read) do
auth = Api::OpenidConnect::Authorization.create!(o_auth_application: client, user: alice)
- auth.scopes << [Api::OpenidConnect::Scope.find_or_create_by(name: "read")]
+ auth.scopes << [Api::OpenidConnect::Scope.find_or_create_by(name: "openid"),
+ Api::OpenidConnect::Scope.find_or_create_by(name: "read")]
auth
end
let!(:access_token_with_read) { auth_with_read.create_access_token.to_s }
@@ -18,7 +19,7 @@ describe Api::OpenidConnect::ProtectedResourceEndpoint, type: :request do
context "when valid access token is provided" do
before do
- get api_v0_user_path, access_token: access_token_with_read
+ get api_openid_connect_user_info_path, access_token: access_token_with_read
end
it "includes private in the cache-control header" do
@@ -28,7 +29,7 @@ describe Api::OpenidConnect::ProtectedResourceEndpoint, type: :request do
context "when no access token is provided" do
before do
- get api_v0_user_path
+ get api_openid_connect_user_info_path
end
it "should respond with a 401 Unauthorized response" do
@@ -41,7 +42,7 @@ describe Api::OpenidConnect::ProtectedResourceEndpoint, type: :request do
context "when an invalid access token is provided" do
before do
- get api_v0_user_path, access_token: invalid_token
+ get api_openid_connect_user_info_path, access_token: invalid_token
end
it "should respond with a 401 Unauthorized response" do
@@ -60,7 +61,7 @@ describe Api::OpenidConnect::ProtectedResourceEndpoint, type: :request do
context "when authorization has been destroyed" do
before do
auth_with_read.destroy
- get api_v0_user_path, access_token: access_token_with_read
+ get api_openid_connect_user_info_path, access_token: access_token_with_read
end
it "should respond with a 401 Unauthorized response" do