From 7947f648a44ca6682872ae18200212d35692d115 Mon Sep 17 00:00:00 2001 From: Alan Crosswell Date: Tue, 4 Jan 2022 14:20:47 -0500 Subject: [PATCH 1/2] #1066: Revert #967 which incorrectly breaks API. --- AUTHORS | 1 - docs/oidc.rst | 19 +++++++++---------- oauth2_provider/oauth2_validators.py | 25 ++++++++----------------- oauth2_provider/views/oidc.py | 8 -------- tests/test_oidc_views.py | 24 ++++-------------------- 5 files changed, 21 insertions(+), 56 deletions(-) diff --git a/AUTHORS b/AUTHORS index ad93ff75d..92f65ed6e 100644 --- a/AUTHORS +++ b/AUTHORS @@ -65,6 +65,5 @@ pySilver Łukasz Skarżyński Shaheed Haque Peter Karman -Andrea Greco Vinay Karanam Eduardo Oliveira diff --git a/docs/oidc.rst b/docs/oidc.rst index eae9a67d4..ba69e984f 100644 --- a/docs/oidc.rst +++ b/docs/oidc.rst @@ -245,17 +245,16 @@ required claims, eg ``iss``, ``aud``, ``exp``, ``iat``, ``auth_time`` etc), and the ``sub`` claim will use the primary key of the user as the value. You'll probably want to customize this and add additional claims or change what is sent for the ``sub`` claim. To do so, you will need to add a method to -our custom validator. -Standard claim ``sub`` is included by default, for remove it override ``get_claim_list``:: +our custom validator:: + class CustomOAuth2Validator(OAuth2Validator): - def get_additional_claims(self): - def get_user_email(request): - return request.user.get_full_name() - - # Element name, callback to obtain data - claims_list = [ ("email", get_sub_cod), - ("username", get_user_email) ] - return claims_list + + def get_additional_claims(self, request): + return { + "sub": request.user.email, + "first_name": request.user.first_name, + "last_name": request.user.last_name, + } .. note:: This ``request`` object is not a ``django.http.Request`` object, but an diff --git a/oauth2_provider/oauth2_validators.py b/oauth2_provider/oauth2_validators.py index c4f3ec8a9..06ef64f09 100644 --- a/oauth2_provider/oauth2_validators.py 
+++ b/oauth2_provider/oauth2_validators.py @@ -740,24 +740,15 @@ def _save_id_token(self, jti, request, expires, *args, **kwargs): def get_jwt_bearer_token(self, token, token_handler, request): return self.get_id_token(token, token_handler, request) - def get_claim_list(self): - def get_sub_code(request): - return str(request.user.id) - - list = [("sub", get_sub_code)] + def get_oidc_claims(self, token, token_handler, request): + # Required OIDC claims + claims = { + "sub": str(request.user.id), + } # https://openid.net/specs/openid-connect-core-1_0.html#StandardClaims - add = self.get_additional_claims() - list.extend(add) - - return list + claims.update(**self.get_additional_claims(request)) - def get_oidc_claims(self, token, token_handler, request): - data = self.get_claim_list() - claims = {} - - for k, call in data: - claims[k] = call(request) return claims def get_id_token_dictionary(self, token, token_handler, request): @@ -910,5 +901,5 @@ def get_userinfo_claims(self, request): """ return self.get_oidc_claims(None, None, request) - def get_additional_claims(self): - return [] + def get_additional_claims(self, request): + return {} diff --git a/oauth2_provider/views/oidc.py b/oauth2_provider/views/oidc.py index 0cd24fc85..b4bb8869b 100644 --- a/oauth2_provider/views/oidc.py +++ b/oauth2_provider/views/oidc.py @@ -45,13 +45,6 @@ def get(self, request, *args, **kwargs): signing_algorithms = [Application.HS256_ALGORITHM] if oauth2_settings.OIDC_RSA_PRIVATE_KEY: signing_algorithms = [Application.RS256_ALGORITHM, Application.HS256_ALGORITHM] - - validator_class = oauth2_settings.OAUTH2_VALIDATOR_CLASS - validator = validator_class() - oidc_claims = [] - for el, _ in validator.get_claim_list(): - oidc_claims.append(el) - data = { "issuer": issuer_url, "authorization_endpoint": authorization_endpoint, 
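Review bot: `claims.update(**self.get_additional_claims(request))` unpacks the hook's return value into keyword arguments, so it only works for a mapping whose keys are all `str` and raises `TypeError` on anything else; `claims.update(self.get_additional_claims(request))` accepts any mapping and is the idiomatic form. Because that update runs after the built-in `sub` entry, a subclass's dict silently replaces `sub` (the docs/oidc.rst hunk in this patch relies on exactly that), which the `# Required OIDC claims` comment does not convey. Suggest `# Default OIDC claims; keys returned by get_additional_claims() override these, including "sub"`, and a reminder in the method docstring that relying parties key accounts on `sub`, so whatever a subclass returns for it must stay unique and stable for the user rather than a mutable attribute.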
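Review bot: The new extension point `get_additional_claims(self, request)` has no docstring although it is the method the documentation in this patch tells integrators to override. It should state the contract visible in the `get_oidc_claims` hunk above: the return value is a dict of claim name to value merged over the default claims, a `sub` key replaces the default, and `request` is the oauthlib request rather than a Django `HttpRequest`. Suggested: `"""Return extra OIDC claims for *request* as a dict; returned keys override the defaults, including "sub"."""`.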
@@ -64,7 +57,6 @@ def get(self, request, *args, **kwargs): "token_endpoint_auth_methods_supported": ( oauth2_settings.OIDC_TOKEN_ENDPOINT_AUTH_METHODS_SUPPORTED ), - "claims_supported": oidc_claims, } response = JsonResponse(data) response["Access-Control-Allow-Origin"] = "*" diff --git a/tests/test_oidc_views.py b/tests/test_oidc_views.py index 719d10e98..46040f86d 100644 --- a/tests/test_oidc_views.py +++ b/tests/test_oidc_views.py @@ -29,7 +29,6 @@ def test_get_connect_discovery_info(self): "subject_types_supported": ["public"], "id_token_signing_alg_values_supported": ["RS256", "HS256"], "token_endpoint_auth_methods_supported": ["client_secret_post", "client_secret_basic"], - "claims_supported": ["sub"], } response = self.client.get(reverse("oauth2_provider:oidc-connect-discovery-info")) self.assertEqual(response.status_code, 200) @@ -56,7 +55,6 @@ def test_get_connect_discovery_info_without_issuer_url(self): "subject_types_supported": ["public"], "id_token_signing_alg_values_supported": ["RS256", "HS256"], "token_endpoint_auth_methods_supported": ["client_secret_post", "client_secret_basic"], - "claims_supported": ["sub"], } response = self.client.get(reverse("oauth2_provider:oidc-connect-discovery-info")) self.assertEqual(response.status_code, 200) @@ -148,21 +146,11 @@ def test_userinfo_endpoint_bad_token(oidc_tokens, client): assert rsp.status_code == 401 -EXAMPLE_EMAIL = "example.email@example.com" - - -def claim_user_email(request): - return EXAMPLE_EMAIL - - @pytest.mark.django_db def test_userinfo_endpoint_custom_claims(oidc_tokens, client, oauth2_settings): class CustomValidator(OAuth2Validator): - def get_additional_claims(self): - return [ - ("username", claim_user_email), - ("email", claim_user_email), - ] + def get_additional_claims(self, request): + return {"state": "very nice"} oidc_tokens.oauth2_settings.OAUTH2_VALIDATOR_CLASS = CustomValidator auth_header = "Bearer %s" % oidc_tokens.access_token 
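Review bot: The replacement `CustomValidator.get_additional_claims(self, request)` returns a constant dict, so the test no longer checks that `request` is actually forwarded to the hook — the reason the signature carries that parameter — nor that a custom claim can be derived from the authenticated user. Consider returning one request-derived value alongside the constant, e.g. `return {"state": "very nice", "uid": str(request.user.id)}`, and asserting `data["uid"] == str(oidc_tokens.user.pk)` next to the existing `sub` check. The test function `test_userinfo_endpoint_custom_claims` begins in this hunk and its assertions continue in the following hunk (`@@ -173`).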
@@ -173,9 +161,5 @@ def get_additional_claims(self): data = rsp.json() assert "sub" in data assert data["sub"] == str(oidc_tokens.user.pk) - - assert "username" in data - assert data["username"] == EXAMPLE_EMAIL - - assert "email" in data - assert data["email"] == EXAMPLE_EMAIL + assert "state" in data + assert data["state"] == "very nice" From 827db80ef199fda02e8df6d923b41783d2c65751 Mon Sep 17 00:00:00 2001 From: Alan Crosswell Date: Tue, 4 Jan 2022 14:23:30 -0500 Subject: [PATCH 2/2] Update CHANGELOG --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index b087a48d7..95dd2d647 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -22,6 +22,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 ### Fixed * #1012 Return status for introspecting a nonexistent token from 401 to the correct value of 200 per [RFC 7662](https://datatracker.ietf.org/doc/html/rfc7662#section-2.2). +* #1068 Revert #967 which incorrectly changed an API. See #1066. ## [1.6.1] 2021-12-23