From 34783d0557e0bb26f75c988161be3ac7c0dc52ed Mon Sep 17 00:00:00 2001
From: Quentin BEY
Date: Thu, 13 Mar 2025 11:22:35 +0100
Subject: [PATCH] =?UTF-8?q?=F0=9F=90=9B(oauth2)=20add=20ProConnect=20scope?=
 =?UTF-8?q?s?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Add missing scopes required by ProConnect evenif we don't fill them.
---
 CHANGELOG.md | 1 +
 src/backend/mailbox_oauth2/validators.py | 26 +++++++++++++++++++++++-
 src/backend/people/settings.py | 7 +++++++
 3 files changed, 33 insertions(+), 1 deletion(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index c9883b0..489e50b 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -22,6 +22,7 @@ and this project adheres to
 ### Fixed
+- 🐛(oauth2) add ProConnect scopes #802
 - 🐛(domains) use a dedicated mail to invite user to manage domain
 - 🐛(mailbox) fix mailbox creation email language
diff --git a/src/backend/mailbox_oauth2/validators.py b/src/backend/mailbox_oauth2/validators.py
index 3f1d425..4ecece8 100644
--- a/src/backend/mailbox_oauth2/validators.py
+++ b/src/backend/mailbox_oauth2/validators.py
@@ -115,7 +115,13 @@ class ProConnectValidator(BaseValidator):
 oidc_claim_scope = OAuth2Validator.oidc_claim_scope | {
 "given_name": "given_name",
 "usual_name": "usual_name",
- "siret": "profile",
+ "siret": "siret",
+ "uid": "uid",
+ "siren": "siren",
+ "organizational_unit": "organizational_unit",
+ "belonging_population": "belonging_population",
+ "phone": "phone",
+ "chorusdt": "chorusdt",
 }
 def get_additional_claims(self, request): 
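Review bot: Changing `"siret": "profile"` to `"siret": "siret"` means a client that requests only the `profile` scope no longer receives the siret claim, so any registered ProConnect client relying on the old mapping will break; the CHANGELOG entry filed under "Fixed" does not signal that. The seven claim names added here are repeated as string literals in the `request.scopes` checks of the next hunk and again in `SCOPES` in settings.py, so a typo or a later addition in one place is silently left out by the others. A module-level tuple, e.g. `PROCONNECT_EMPTY_CLAIMS = ("organizational_unit", "belonging_population", "phone", "chorusdt")`, used both to build this mapping and in the loop of `get_additional_claims`, would keep at least the validator's two copies aligned. The `ProConnectValidator` class starts before this hunk.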
@@ -137,12 +143,30 @@ class ProConnectValidator(BaseValidator):
 if "usual_name" in request.scopes:
 additional_claims["usual_name"] = request.user.last_name
+ if "uid" in request.scopes:
+ additional_claims["uid"] = str(request.user.pk)
+
 if "siret" in request.scopes:
 # The following line will fail on purpose if we don't have the proper information
 additional_claims["siret"] = (
 request.user.domain.organization.registration_id_list[0]
 )
+ if "siren" in request.scopes:
+ # The following line will fail on purpose if we don't have the proper information
+ additional_claims["siren"] = (
+ request.user.domain.organization.registration_id_list[0][:9]
+ )
+
+ for empty_claim in [
+ "organizational_unit",
+ "belonging_population",
+ "phone",
+ "chorusdt",
+ ]:
+ if empty_claim in request.scopes:
+ additional_claims[empty_claim] = ""
+
 # Include 'acr' claim if it is present in the request claims and equals 'eidas1'
 # see _create_authorization_code method for more details
 if request.claims and request.claims.get("acr") == "eidas1":
diff --git a/src/backend/people/settings.py b/src/backend/people/settings.py
index c45e224..00d07b3 100755
--- a/src/backend/people/settings.py
+++ b/src/backend/people/settings.py
@@ -667,6 +667,13 @@ class Base(Configuration):
 SCOPES["given_name"] = "First name"
 SCOPES["usual_name"] = "Last name"
 SCOPES["siret"] = "SIRET number"
+ SCOPES["siren"] = "SIREN number"
+ SCOPES["uid"] = "UID"
+ # available but not filled
+ SCOPES["organizational_unit"] = "Organizational unit"
+ SCOPES["belonging_population"] = "Belonging population"
+ SCOPES["phone"] = "Phone number"
+ SCOPES["chorusdt"] = "Chorus DT"
 return {
 "OIDC_ENABLED": OIDC_ENABLED,
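Review bot: The new `siren` branch takes `registration_id_list[0][:9]` without checking that the value is a 14-digit SIRET, so a shorter or non-numeric registration id produces a silently wrong SIREN instead of failing as the copied comment promises. Bind the value once and guard it: `siret = request.user.domain.organization.registration_id_list[0]`, then `if len(siret) != 14 or not siret.isdigit(): raise ValueError("SIREN derivation needs a 14-digit SIRET")`, then `additional_claims["siren"] = siret[:9]`. The `uid` claim releases `request.user.pk` to the relying party; that is fine if the primary key is a UUID but exposes a sequential internal identifier if it is an auto-increment integer, which is worth confirming against the user model before shipping. `get_additional_claims` starts before this hunk and its return is after it.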