From cdfa5e5326b240bc9c3b1330bd29e41b22ce4708 Mon Sep 17 00:00:00 2001
From: Nikos Sklikas
Date: Wed, 6 Oct 2021 14:11:51 +0300
Subject: [PATCH 1/3] Use filter_scopes in check_unknown_scopes_policy

---
 src/oidcop/oauth2/authorization.py | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)

diff --git a/src/oidcop/oauth2/authorization.py b/src/oidcop/oauth2/authorization.py
index dd689f60..23625261 100755
--- a/src/oidcop/oauth2/authorization.py
+++ b/src/oidcop/oauth2/authorization.py
@@ -253,11 +253,12 @@ def check_unknown_scopes_policy(request_info, client_id, endpoint_context):
     allowed_scopes = endpoint_context.scopes_handler.get_allowed_scopes(client_id=client_id)
 
     # this prevents that authz would be released for unavailable scopes
-    for scope in request_info["scope"]:
-        if scope not in allowed_scopes:
-            _msg = "{} requested an unauthorized scope ({})"
-            logger.warning(_msg.format(client_id, scope))
-            raise UnAuthorizedClientScope()
+    if set(request_info["scope"]) != set(
+        endpoint_context.scopes_handler.filter_scopes(request_info["scope"], client_id=client_id)
+    ):
+        _msg = "{} requested an unauthorized scope ({})"
+        logger.warning(_msg.format(client_id, scope))
+        raise UnAuthorizedClientScope()
 
 
 class Authorization(Endpoint):

From 82cb13aecc4022638c8a50a2589d478c956c8327 Mon Sep 17 00:00:00 2001
From: Nikos Sklikas
Date: Wed, 6 Oct 2021 15:33:54 +0300
Subject: [PATCH 2/3] Fix log

---
 src/oidcop/oauth2/authorization.py | 15 ++++++++-------
 1 file changed, 8 insertions(+), 7 deletions(-)

diff --git a/src/oidcop/oauth2/authorization.py b/src/oidcop/oauth2/authorization.py
index 23625261..2d13ad50 100755
--- a/src/oidcop/oauth2/authorization.py
+++ b/src/oidcop/oauth2/authorization.py
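Review bot: `scope` is unbound on the new `logger.warning(_msg.format(client_id, scope))` line, because the `for scope in request_info["scope"]:` loop that defined it was removed in the same hunk; a client requesting a scope outside its allowance now fails with a NameError instead of the logged `UnAuthorizedClientScope`, and `allowed_scopes` is left computed but unused. Patch 2/3 in this series replaces the block, so this only matters when the commits are applied or bisected individually. The start of check_unknown_scopes_policy lies before the hunk.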
@@ -250,14 +250,15 @@ def check_unknown_scopes_policy(request_info, client_id, endpoint_context):
     if not endpoint_context.conf["capabilities"].get("deny_unknown_scopes"):
         return
 
-    allowed_scopes = endpoint_context.scopes_handler.get_allowed_scopes(client_id=client_id)
-
+    scope = request_info["scope"]
+    filtered_scopes = set(
+        endpoint_context.scopes_handler.filter_scopes(scope, client_id=client_id)
+    )
+    scopes = set(scope)
     # this prevents that authz would be released for unavailable scopes
-    if set(request_info["scope"]) != set(
-        endpoint_context.scopes_handler.filter_scopes(request_info["scope"], client_id=client_id)
-    ):
-        _msg = "{} requested an unauthorized scope ({})"
-        logger.warning(_msg.format(client_id, scope))
+    if scopes != filtered_scopes:
+        diff = " ".join(scopes - filtered_scopes)
+        logger.warning(f"{client_id} requested unauthorized scopes: {diff}")
         raise UnAuthorizedClientScope()
 
 

From 49c6cec0b0a28942619875be5221ca02ba491a1d Mon Sep 17 00:00:00 2001
From: Nikos Sklikas
Date: Wed, 22 Sep 2021 11:51:56 +0300
Subject: [PATCH 3/3] Don't require a scope to be defined

Scopes that don't map to claims shouldn't have to be defined in the scopes to claims mapping

---
 src/oidcop/scopes.py | 4 ++--
 tests/test_26_oidc_userinfo_endpoint.py | 3 ++-
 2 files changed, 4 insertions(+), 3 deletions(-)

diff --git a/src/oidcop/scopes.py b/src/oidcop/scopes.py
index a42a93ce..8a15bf97 100644
--- a/src/oidcop/scopes.py
+++ b/src/oidcop/scopes.py
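Review bot: `diff = " ".join(scopes - filtered_scopes)` iterates a set of strings, so the same rejected request logs its scopes in a different order from one process to the next (str hashing is randomized), which makes the warning harder to correlate or alert on; the scope values are also taken straight from the request, so they are better passed as logging arguments than interpolated into the message. I would change the two lines to `diff = " ".join(sorted(scopes - filtered_scopes))` and `logger.warning("%s requested unauthorized scopes: %r", client_id, diff)`. `scopes = set(scope)` presumably relies on `request_info["scope"]` already being a list of scope strings rather than a space-separated string, where set() would split into characters — worth confirming at the call site. The enclosing function starts before the hunk.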
@@ -31,12 +31,12 @@ def convert_scopes2claims(scopes, allowed_claims=None, scope2claim_map=None):
     res = {}
     if allowed_claims is None:
         for scope in scopes:
-            claims = {name: None for name in scope2claim_map[scope]}
+            claims = {name: None for name in scope2claim_map.get(scope, [])}
             res.update(claims)
     else:
         for scope in scopes:
             try:
-                claims = {name: None for name in scope2claim_map[scope] if name in allowed_claims}
+                claims = {name: None for name in scope2claim_map.get(scope, []) if name in allowed_claims}
                 res.update(claims)
             except KeyError:
                 continue
diff --git a/tests/test_26_oidc_userinfo_endpoint.py b/tests/test_26_oidc_userinfo_endpoint.py
index 288530e8..372d5261 100755
--- a/tests/test_26_oidc_userinfo_endpoint.py
+++ b/tests/test_26_oidc_userinfo_endpoint.py
@@ -360,9 +360,10 @@ def test_scopes_to_claims_per_client(self):
                 "eduperson_scoped_affiliation",
             ],
         }
+        self.endpoint_context.cdb["client_1"]["allowed_scopes"] = list(self.endpoint_context.cdb["client_1"]["scopes_to_claims"].keys()) + ["aba"]
         _auth_req = AUTH_REQ.copy()
-        _auth_req["scope"] = ["openid", "research_and_scholarship_2"]
+        _auth_req["scope"] = ["openid", "research_and_scholarship_2", "aba"]
         session_id = self._create_session(_auth_req)
         grant = self.session_manager[session_id]
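Review bot: With `scope2claim_map.get(scope, [])` nothing left in the `try` body can raise KeyError (`.get` never does, and neither `name in allowed_claims` nor `res.update` do), so the `except KeyError: continue` on the new side is dead code and should be dropped together with the `try`. The behavioural shift also deserves a comment: an unknown scope now silently contributes no claims instead of failing, which is safe only because rejecting unknown scopes is a separate policy (check_unknown_scopes_policy, active only when `deny_unknown_scopes` is configured), e.g. `# Unknown scopes yield no claims here; rejecting them is left to the deny_unknown_scopes policy`. The function header and any handling of the `scope2claim_map=None` default are outside the hunk.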