fix scope of authorization

.env.example

@@ -5,4 +5,5 @@ API_BASE_URL = 'http://localhost:9080/api/'
 STATIC_ROOT = 'musician/static/'
 CLIENT_ID = "ZjYHcERGfUKo26y41VLI4KHz"
 CLIENT_SECRET = "jjUfJq9vOomJaj8Zm5W6OweMG61wQ5G3VyKhBzxLqp5k5HVW"
-OIDC_PROVIDER = "http://localhost:5000"
+OIDC_PROVIDER = "http://localhost:9000"
+DOMAIN = "http://localhost:8000"

musician/views.py

@@ -548,20 +548,55 @@ class AllowCodeView(RedirectView):
     userinfo = None
 
     def get_token(self):
-        url = "http://localhost:5000/oauth/token"
+        oidc_provider = settings.OIDC_PROVIDER.strip("/")
+        domain = settings.DOMAIN.strip("/")
+        url = f"{oidc_provider}/application/o/token/"
         client_id = settings.CLIENT_ID
         client_secret = settings.CLIENT_SECRET
         self.code = self.request.GET.get('code')
-        data = {'grant_type': 'authorization_code', 'code': self.code}
+        data = {
+            'grant_type': 'authorization_code',
+            'code': self.code,
+            'redirect_uri': f"{domain}/allow_code",
+        }
         auth = (client_id, client_secret)
         msg = requests.post(url, data=data, auth=auth)
         self.token = msg.text
 
+    def get_user_info(self):
+        # DELETE THIS METHOD IS ONLY A TEST
+        if self.userinfo:
+            return self.username
+        if 'error' in self.token:
+            return
+
+        if 'access_token' not in self.token:
+            return
+
+        if not isinstance(self.token, str):
+            return
+
+        self.token = json.loads(self.token)
+        oidc_provider = settings.OIDC_PROVIDER.strip("/")
+        url = f"{oidc_provider}/application/o/userinfo/"
+        access_token = self.token.get('access_token')
+        token_type = self.token.get('token_type', 'Bearer')
+        if not access_token or not token_type:
+            return
+
+        headers = {"Authorization": f"{token_type} {access_token}"}
+        msg = requests.get(url, headers=headers)
+        self.userinfo = json.loads(msg.text)
+        self.username = self.userinfo.get("username")
+        # import pdb; pdb.set_trace()
+        return self.username
+
     def get(self, request, *args, **kwargs):
         """
         Logs in the user.
         """
         self.get_token()
+        # Delete this line
         # self.get_user_info()
         orchestra = api.Orchestra(token=self.token)
         self.orchestra_token = orchestra.auth_token
@@ -612,12 +647,14 @@ class LoginView(FormView):
 
     def get_oidc_url(self):
         client_id = settings.CLIENT_ID
-        domain = settings.OIDC_PROVIDER
-        if not client_id or not domain:
+        oidc_provider = settings.OIDC_PROVIDER.strip("/")
+        domain = settings.DOMAIN.strip("/")
+        if not client_id or not oidc_provider:
             return
 
-        url = f'{domain}/oauth/authorize?client_id={client_id}'
-        url += '&scope=openid+profile&response_type=code&nonce=abc'
+        url = f'{oidc_provider}/application/o/authorize/?client_id={client_id}'
+        url += f'&scope=openid+musician&response_type=code&nonce=abc'
+        url += f'&redirect_uri={domain}/allow_code&response_type=code&nonce=abc'
         return url
 
     def form_valid(self, form):

userpanel/settings.py

@@ -180,6 +180,7 @@ CLIENT_ID = config('CLIENT_ID')
 CLIENT_SECRET = config('CLIENT_SECRET')
 
 OIDC_PROVIDER = config('OIDC_PROVIDER')
+DOMAIN = config('DOMAIN')
 
 # Managers: who should get notifications about services changes that
 # may require human actions (e.g. deleted mailboxes)