✨(backend) add option to configure list of required OIDC claims

[sampaccoud]

Purpose

We want to be able to refuse connection for users who have missing claims from a list of required keys.

Proposal

Add option to configure list of required OIDC claims: USER_OIDC_REQUIRED_CLAIMS.
Defaults to an empty list.

[lebaudantoine]

according to the spec, these claims should be referred as essential claims. Please take a look here https://openid.net/specs/openid-connect-core-1_0.html

Essential Claim
Claim specified by the Client as being necessary to ensure a smooth authorization experience for the specific task requested by the End-User.

[lebaudantoine]

You might prefer to override the base method, and call it in get_or_create_user, as proposed in the initial implementation. get_userinfo should have a single responsibility, getting the data.

    def verify_claims(self, claims):
        """Verify the provided claims to decide if authentication should be allowed."""

        # Verify claims required by default configuration
        scopes = self.get_settings("OIDC_RP_SCOPES", "openid email")
        if "email" in scopes.split():
            return "email" in claims

        LOGGER.warning(
            "Custom OIDC_RP_SCOPES defined. "
            "You need to override `verify_claims` for custom claims verification."
        )

        return True

https://github.com/mozilla/mozilla-django-oidc/blob/2c2334fdc9b2fc72a492b5f0e990b4c30de68363/mozilla_django_oidc/auth.py#L84

[lebaudantoine]

[sampaccoud]

Interesting! 🙏
Note that checking the presence of the "sub" claim was already wrong then 🤔
Let's fix that before it is released!

[sampaccoud]

@lebaudantoine Here you go: #531

[lebaudantoine]

Kind of, checking the presence of "sub" was naive and simple.
As soon as we introduce more complexity (a list check, a new setting, …) I would stick with the Mozilla django oidc philosophy