✨ Add strict/lax mode for claim processing

In non-strict (lax) mode, absent required claims don't lead to ValueError being raised so that the caller can handle this data appropriately. Required for some backwards-compatibility in Open Forms.
maykinmedia · Jun 24, 2024 · 0b17cfe · 0b17cfe
1 parent 2495107
commit 0b17cfe
Show file tree

Hide file tree

Showing 2 changed files with 28 additions and 1 deletion.
diff --git a/digid_eherkenning/oidc/claims.py b/digid_eherkenning/oidc/claims.py
@@ -12,7 +12,11 @@ class NoLOAClaim(Exception):
     pass
 
 
-def process_claims(claims: JSONObject, config: BaseConfig) -> JSONObject:
+def process_claims(
+    claims: JSONObject,
+    config: BaseConfig,
+    strict: bool = True,
+) -> JSONObject:
     """
     Given the raw claims, process them using the provided config.
 
@@ -27,6 +31,17 @@ def process_claims(claims: JSONObject, config: BaseConfig) -> JSONObject:
     The return value SHOULD include the ``loa_claim`` key, but if no value is available
     (not in the claims and no default specified -> then it's omitted), the key will be
     absent.
+
+    :arg claims: The raw claims as received from the Identity Provider.
+    :arg config: The OIDC Configuration instance that specifies which claims should be
+      extracted and processed.
+    :arg strict: In strict mode, absent claims that are required (according) to the
+      configuration raise an error. In non-strict mode, these claims are simply skipped
+      and omitted.
+    :returns: A (JSON-serializable) dictionary where the keys are the claim config
+      field names, taken from ``config.CLAIMS_CONFIGURATION``, and the values their
+      extracted values from the raw claims. Extracted values have been post-processed
+      if post-processing configuration was available.
     """
     processed_claims = {}
 
@@ -39,6 +54,10 @@ def process_claims(claims: JSONObject, config: BaseConfig) -> JSONObject:
         except PathAccessError as exc:
             if not claim_config["required"]:
                 continue
+            # in non-strict mode, do not raise but instead omit the claim. Up to the
+            # caller to handle missing claims.
+            if not strict:
+                continue
             claim_repr = " > ".join(path_bits)
             raise ValueError(f"Required claim '{claim_repr}' not found") from exc
 

diff --git a/tests/oidc/test_claim_processing.py b/tests/oidc/test_claim_processing.py
@@ -91,6 +91,14 @@ def test_digid_claim_processing_with_defaults():
     assert result == {"bsn_claim": "XXXXXXX54"}
 
 
+def test_lax_mode():
+    config = DigiDConfig(bsn_claim=["sub"], loa_claim=["authsp_level"])
+
+    result = process_claims({"bsn": "XXXXXXX54"}, config, strict=False)
+
+    assert result == {}
+
+
 ### DIGID MACHTIGEN