Implements basic claims request parameter (Closes #11)

[zedtux]

This PR closes #11 by implementing the basics of the OpenID claims request parameter allowing a consumer to request more claims in the id_token JWT by passing a JSON in the claims parameter in the Authorization creation request.

The requested claim(s) must be part of the requested scopes so that requested claims belonging to non-requested scopes are logged as a warning and ignored.

This PR implements this parameter for both id_token and userinfo but only the id_token has been tested.

This PR doesn't support the { essential: true } but supports hard coded value or nil.

Here is one of my Rspec test showcasing what this PR does:

  context 'when requesting the "email" claim in the id_token and requesting the "email" scope' do
    let(:claims) { build_claims_from(id_token: { email: nil }) }
    let(:scopes) { ERB::Util.url_encode(%w[openid profile email].join(' ')) }

    before do
      login_and_logout_with_warden do
        get "#{host}/accounts/oauth/authorizations?client_id=#{client.identifier}&response_type=code&redirect_uri=#{client.redirect_uri}&scope=#{scopes}&claims=#{claims}&nonce=#{nonce}"

        authorization_code = response.body.scan(
          %r{<a href="#{client.redirect_uri}\?code=([a-z0-9]+)">redirected</a>}
        ).flatten.first

        post create_token_url(authorization_code)
      end
    end

    it 'returns a 200' do
      expect(response).to have_http_status(:ok)
    end

    it 'responds with an id_token' do
      expect(response.body).to match(/"id_token":"[A-z0-9\-_.]+"/)
    end

    it 'responds with an id_token containing the client_it as aud' do
      expect(decoded_id_token).to include('aud' => client.identifier)
    end

    it 'responds with an id_token containing the issuer URL as iss' do
      expect(decoded_id_token).to include('iss' => host)
    end

    it 'responds with an id_token containing the nonce as nonce' do
      expect(decoded_id_token).to include('nonce' => nonce)
    end

    it 'responds with an id_token containing the "email" claim' do
      expect(decoded_id_token.keys).to include('email')
    end
  end

[zedtux]

@willtcarey I have solved the conflict in this PR, sorry about that I missed it, could you please have a look?

[zedtux]

@willtcarey sorry for pinging you again, but this code runs on our production since 2 months without any issues, I really would love to see this PR merged 😊.

Could you please have a look?

[zedtux]

Please @willtcarey could you have a look at my PR?

[nathancolgate]

@zedtux Not sure how this slipped under our radar for so long. We'll take a look ASAP.

[zedtux]

@nathancolgate or @willtcarey will you have a look soon please? 😇

[willtcarey]

Oh hey, I had a pending review on this.

A few code cleanups for things we aren't using.

[willtcarey]

This needs to happen in a new migration, which it does. So we should remove it here

[zedtux]

Completely agreed

[zedtux]

Oh, sorry, checking my code again and I see that here it will apply for new projects, while the new migration script db/migrate/20230721112432_add_claims_to_oidc_provider_authorization_if_missing.rb will add that column for existing projects when the column doesn't exist already, so that it works in both cases.

We could keep it like this, but if you really want it I can remove it.

[zedtux]

What about Rspec tests? Would you like them? In a separated PR maybe?

[willtcarey]

Does this make it so that we can add scopes for arbitrary data that doesn't already exist on the UserInfo object?

[willtcarey]

That's a weakness we've identified where we sometimes need to allow for scopes that have data that exists outsides of what's available on the UserInfo object

[zedtux]

Yes that's the goal of this ResponseObjectBuilder thanks to its method_missing method usage.

[zedtux]

@willtcarey would like to have a look at my code please?