Stateless and Extra Token Claim Config does not work together

[shaardie]

During responding to the token request, satosa tries to get the configured extra troken claims from the provider.userinfo, see https://github.com/IdentityPython/SATOSA/blob/master/src/satosa/frontends/openid_connect.py#L367, but since the informations are not in the database (or the dict) , but in the token, this fails with a Traceback.

Code Version

v8.4.0

Expected Behavior

Get the token and no Traceback.

Current Behavior

Traceback

Possible Solution

The provider already hat logic to get the get the extra token claims from the request. So the solution is simply not set extra_token_claims at this point:

SATOSA/src/satosa/frontends/openid_connect.py

Lines 363 to 368 in 83ad073

	try:
	response = self.provider.handle_token_request(
	urlencode(context.request),
	headers,
	lambda user_id, client_id: self._get_extra_id_token_claims(user_id, client_id))
	return Response(response.to_json(), content="application/json")

and simply call

response = self.provider.handle_token_request(urlencode(context.request), headers)

Steps to Reproduce

1. Configure Stateless and extra Token Claims for a Client in the OIDC Frontend.
2. Try to authenticate
3. Traceback

[c00kiemon5ter]

@smalihaider would you have a look into this?

[smalihaider]

@smalihaider would you have a look into this?

Sure @c00kiemon5ter

[fredericoschardong]

I confirm @shaardie's suggestion fixes the error. Should I create a PR for this?

[smalihaider]

@shaardie @fredericoschardong Apologies for reverting late on this. Thank you for your analysis, however, the suggested fix does not consider non-stateless flows. In the case of non-stateless flows, the extra_id_token_claims should be retrieved via the user info (db or dict) just like it was done before the introduction of the stateless code flow.

I have created this PR to fix this issue in rather pyop: IdentityPython/pyop#55

[c00kiemon5ter]

Fixed with v3.4.2