REVMI-234 Include user id in jwt sent to ecommerce (#20743)

* REVMI-234 Include user id in jwt sent to ecommerce * Reorder params

REVMI-234 Include user id in jwt sent to ecommerce (#20743)
* REVMI-234 Include user id in jwt sent to ecommerce * Reorder params
b5d07783 · Christie Rice · GitHub · 74492907 · b5d07783 · b5d07783
Unverified Commit b5d07783 authored 5 years ago by Christie Rice Committed by GitHub 5 years ago
--- a/lms/djangoapps/commerce/tests/__init__.py
+++ b/lms/djangoapps/commerce/tests/__init__.py
@@ -29,6 +29,11 @@ class EdxRestApiClientTest(TestCase):
    """ Tests to ensure the client is initialized properly. """

    TEST_CLIENT_ID = 'test-client-id'
+    SCOPES = [
+        'user_id',
+        'email',
+        'profile'
+    ]

    def setUp(self):
        super(EdxRestApiClientTest, self).setUp()
@@ -64,7 +69,7 @@ class EdxRestApiClientTest(TestCase):
                    'lms_ip': '127.0.0.1',
                }
            }
-            expected_jwt = create_jwt_for_user(self.user, additional_claims=claims)
+            expected_jwt = create_jwt_for_user(self.user, additional_claims=claims, scopes=self.SCOPES)
            expected_header = u'JWT {}'.format(expected_jwt)
            self.assertEqual(actual_header, expected_header)


--- a/openedx/core/djangoapps/commerce/utils.py
+++ b/openedx/core/djangoapps/commerce/utils.py
@@ -34,7 +34,12 @@ def is_commerce_service_configured():
 def ecommerce_api_client(user, session=None):
    """ Returns an E-Commerce API client setup with authentication for the specified user. """
    claims = {'tracking_context': create_tracking_context(user)}
-    jwt = create_jwt_for_user(user, additional_claims=claims)
+    scopes = [
+        'user_id',
+        'email',
+        'profile'
+    ]
+    jwt = create_jwt_for_user(user, additional_claims=claims, scopes=scopes)

    return EdxRestApiClient(
        configuration_helpers.get_value('ECOMMERCE_API_URL', settings.ECOMMERCE_API_URL),

--- a/openedx/core/djangoapps/oauth_dispatch/jwt.py
+++ b/openedx/core/djangoapps/oauth_dispatch/jwt.py
@@ -14,7 +14,7 @@ from openedx.core.djangoapps.oauth_dispatch.toggles import ENFORCE_JWT_SCOPES
 from student.models import UserProfile, anonymous_id_for_user


-def create_jwt_for_user(user, secret=None, aud=None, additional_claims=None):
+def create_jwt_for_user(user, secret=None, aud=None, additional_claims=None, scopes=None):
    """
    Returns a JWT to identify the given user.

@@ -25,6 +25,8 @@ def create_jwt_for_user(user, secret=None, aud=None, additional_claims=None):

    Arguments:
        user (User): User for which to generate the JWT.
+        scopes (list): Optional. Scopes that limit access to the token bearer and
+            controls which optional claims are included in the token.

    Deprecated Arguments (to be removed):
        secret (string): Overrides configured JWT secret (signing) key.
@@ -34,6 +36,7 @@ def create_jwt_for_user(user, secret=None, aud=None, additional_claims=None):
    expires_in = settings.OAUTH_ID_TOKEN_EXPIRATION
    return _create_jwt(
        user,
+        scopes=scopes,
        expires_in=expires_in,
        aud=aud,
        additional_claims=additional_claims,

--- a/openedx/core/djangoapps/oauth_dispatch/tests/test_jwt.py
+++ b/openedx/core/djangoapps/oauth_dispatch/tests/test_jwt.py
@@ -102,3 +102,34 @@ class TestCreateJWTs(AccessTokenMixin, TestCase):
        self.assertDictContainsSubset(additional_claims, token_payload)
        self.assertEqual(user_email_verified, token_payload['email_verified'])
        self.assertEqual(token_payload['roles'], mock_create_roles.return_value)
+
+    def test_default_scopes(self):
+        """
+        Ensure the default scopes are used.
+        """
+        jwt = jwt_api.create_jwt_for_user(self.user)
+        jwt_scopes = jwt_api.create_jwt_for_user(self.user, scopes=self.default_scopes)
+        self.assertEqual(jwt, jwt_scopes)
+
+    def test_scopes(self):
+        """
+        Ensure the requested scopes are used.
+        """
+        scopes = [
+            'user_id',
+        ]
+        aud = 'test_aud'
+        secret = 'test_secret'
+
+        jwt = jwt_api.create_jwt_for_user(self.user, secret=secret, aud=aud)
+        jwt_scopes = jwt_api.create_jwt_for_user(self.user, secret=secret, aud=aud, scopes=scopes)
+
+        jwt_payload = self.assert_valid_jwt_access_token(
+            jwt, self.user, self.default_scopes, aud=aud, secret=secret,
+        )
+        jwt_scopes_payload = self.assert_valid_jwt_access_token(
+            jwt_scopes, self.user, scopes, aud=aud, secret=secret,
+        )
+        self.assertEqual(jwt_payload['scopes'], self.default_scopes)
+        self.assertEqual(jwt_scopes_payload['scopes'], scopes)
+        self.assertEqual(jwt_scopes_payload['user_id'], self.user.id)