🐛(oauth2) add ProConnect scopes

Add missing scopes required by ProConnect evenif we don't fill them.
2025-03-13 11:22:35 +01:00
parent 5cc8108e7b
commit 34783d0557
3 changed files with 33 additions and 1 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -22,6 +22,7 @@ and this project adheres to

 ### Fixed

+- 🐛(oauth2) add ProConnect scopes #802
 - 🐛(domains) use a dedicated mail to invite user to manage domain
 - 🐛(mailbox) fix mailbox creation email language

--- a/src/backend/mailbox_oauth2/validators.py
+++ b/src/backend/mailbox_oauth2/validators.py
@@ -115,7 +115,13 @@ class ProConnectValidator(BaseValidator):
    oidc_claim_scope = OAuth2Validator.oidc_claim_scope | {
        "given_name": "given_name",
        "usual_name": "usual_name",
-        "siret": "profile",
+        "siret": "siret",
+        "uid": "uid",
+        "siren": "siren",
+        "organizational_unit": "organizational_unit",
+        "belonging_population": "belonging_population",
+        "phone": "phone",
+        "chorusdt": "chorusdt",
    }

    def get_additional_claims(self, request):
@@ -137,12 +143,30 @@ class ProConnectValidator(BaseValidator):
        if "usual_name" in request.scopes:
            additional_claims["usual_name"] = request.user.last_name

+        if "uid" in request.scopes:
+            additional_claims["uid"] = str(request.user.pk)
+
        if "siret" in request.scopes:
            # The following line will fail on purpose if we don't have the proper information
            additional_claims["siret"] = (
                request.user.domain.organization.registration_id_list[0]
            )

+        if "siren" in request.scopes:
+            # The following line will fail on purpose if we don't have the proper information
+            additional_claims["siren"] = (
+                request.user.domain.organization.registration_id_list[0][:9]
+            )
+
+        for empty_claim in [
+            "organizational_unit",
+            "belonging_population",
+            "phone",
+            "chorusdt",
+        ]:
+            if empty_claim in request.scopes:
+                additional_claims[empty_claim] = ""
+
        # Include 'acr' claim if it is present in the request claims and equals 'eidas1'
        # see _create_authorization_code method for more details
        if request.claims and request.claims.get("acr") == "eidas1":
--- a/src/backend/people/settings.py
+++ b/src/backend/people/settings.py
@@ -667,6 +667,13 @@ class Base(Configuration):
            SCOPES["given_name"] = "First name"
            SCOPES["usual_name"] = "Last name"
            SCOPES["siret"] = "SIRET number"
+            SCOPES["siren"] = "SIREN number"
+            SCOPES["uid"] = "UID"
+            # available but not filled
+            SCOPES["organizational_unit"] = "Organizational unit"
+            SCOPES["belonging_population"] = "Belonging population"
+            SCOPES["phone"] = "Phone number"
+            SCOPES["chorusdt"] = "Chorus DT"

        return {
            "OIDC_ENABLED": OIDC_ENABLED,