refactor: OIDC token scopes are stored as lists

Author: azmeuk

canaille/oidc/endpoints.py

@@ -216,7 +216,7 @@ def jwks():
 @require_oauth("profile")
 def userinfo():
     current_app.logger.debug("userinfo endpoint request: %s", request.args)
-    response = generate_user_info(current_token.subject, current_token.scope[0])
+    response = generate_user_info(current_token.subject, current_token.scope)
     current_app.logger.debug("userinfo endpoint response: %s", response)
     return jsonify(response)
 

canaille/oidc/oauth.py

@@ -281,7 +281,7 @@ def save_token(token, request):
         access_token=token["access_token"],
         issue_date=now,
         lifetime=token["expires_in"],
-        scope=token["scope"],
+        scope=token["scope"].split(" "),
         client=request.client,
         refresh_token=token.get("refresh_token"),
         subject=request.user,

tests/oidc/test_authorization_code_flow.py

@@ -71,7 +71,7 @@ def test_authorization_code_flow(
     token = models.Token.get(access_token=access_token)
     assert token.client == client
     assert token.subject == logged_user
-    assert set(token.scope[0].split(" ")) == {
+    assert set(token.scope) == {
         "openid",
         "profile",
         "email",
@@ -760,7 +760,7 @@ def test_authorization_code_request_scope_too_large(
     token = models.Token.get(access_token=access_token)
     assert token.client == other_client
     assert token.subject == logged_user
-    assert set(token.scope[0].split(" ")) == {
+    assert set(token.scope) == {
         "openid",
         "profile",
     }

tests/oidc/test_userinfo.py

@@ -155,7 +155,7 @@ def test_userinfo(testclient, token, user, foo_group):
         status=403,
     )
 
-    token.scope = ["openid profile"]
+    token.scope = ["openid", "profile"]
     token.save()
     res = testclient.get(
         "/oauth/userinfo",
@@ -171,7 +171,7 @@ def test_userinfo(testclient, token, user, foo_group):
         "website": "https://john.example",
     }
 
-    token.scope = ["openid profile email"]
+    token.scope = ["openid", "profile", "email"]
     token.save()
     res = testclient.get(
         "/oauth/userinfo",
@@ -188,7 +188,7 @@ def test_userinfo(testclient, token, user, foo_group):
         "email": "[email protected]",
     }
 
-    token.scope = ["openid profile address"]
+    token.scope = ["openid", "profile", "address"]
     token.save()
     res = testclient.get(
         "/oauth/userinfo",
@@ -205,7 +205,7 @@ def test_userinfo(testclient, token, user, foo_group):
         "address": "1235, somewhere",
     }
 
-    token.scope = ["openid profile phone"]
+    token.scope = ["openid", "profile", "phone"]
     token.save()
     res = testclient.get(
         "/oauth/userinfo",
@@ -222,7 +222,7 @@ def test_userinfo(testclient, token, user, foo_group):
         "phone_number": "555-000-000",
     }
 
-    token.scope = ["openid profile groups"]
+    token.scope = ["openid", "profile", "groups"]
     token.save()
     res = testclient.get(
         "/oauth/userinfo",