From 08fbdf6ed37623fd2cbd577d0da56d4dd59ccc8d Mon Sep 17 00:00:00 2001
From: Tomas Pazderka
Date: Tue, 3 Feb 2015 16:45:03 +0100
Subject: [PATCH 1/2] Authz tunning authz is passed client_id as kwarg uic dict is trimmed according to permissions in session - permissions is a list with allowed claims
---
 src/oic/oic/provider.py | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/src/oic/oic/provider.py b/src/oic/oic/provider.py
index 75de87143..748787e14 100644
--- a/src/oic/oic/provider.py
+++ b/src/oic/oic/provider.py
@@ -969,6 +969,10 @@ def _collect_user_info(self, session, userinfo_claims=None):
 uic.update(claims)
 except KeyError:
 pass
+ # Get only keys allowed by user and update the dict if such info is stored in session
+ perm_set = session.get('permission')
+ if perm_set:
+ uic = {key: uic[key] for key in uic if key in perm_set}
 if "oidreq" in session:
 uic = self.server.update_claims(session, "oidreq", "userinfo",
@@ -1661,7 +1665,7 @@ def authz_part2(self, user, areq, sid, **kwargs):
 # Do the authorization
 try:
- permission = self.authz(user)
+ permission = self.authz(user, client_id=areq['client_id'])
 self.sdb.update(sid, "permission", permission)
 except Exception:
 raise
From a61df77d757f3d34627ae64b5cb9b1209e2ece9c Mon Sep 17 00:00:00 2001
From: Tomas Pazderka
Date: Wed, 4 Feb 2015 09:50:05 +0100
Subject: [PATCH 2/2] Handle WebFinger redirection even for HTTP301
---
 src/oic/oic/__init__.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/oic/oic/__init__.py b/src/oic/oic/__init__.py
index 419863680..4a4b42efd 100644
--- a/src/oic/oic/__init__.py
+++ b/src/oic/oic/__init__.py
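Review bot: In `_collect_user_info` (src/oic/oic/provider.py) the new `if perm_set:` guard fails open: a missing, `None` or empty `permission` value skips the filter and every requested claim is kept, so an empty allow-list behaves like no restriction at all. If the authz handler can return an empty list to mean that nothing was granted, the test should be `if perm_set is not None:`; and if it can return a plain string, `key in perm_set` turns into a substring match, so the handler contract should require a list or set. The filter also runs before the `"oidreq"` branch that follows, so claims merged there by `self.server.update_claims(...)` appear not to be trimmed; the rest of the function lies outside the hunk and should be checked before moving the filter after that merge.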
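Review bot: In `authz_part2`, the call `self.authz(user, client_id=areq['client_id'])` changes the contract of the callable held in `self.authz` without documenting it: a handler that accepts only `user` will now raise `TypeError`, which the surrounding `except Exception: raise` passes straight up. The value stored by `self.sdb.update(sid, "permission", permission)` is also what `_collect_user_info` now uses as a claim allow-list, so its type has become security-relevant. I would add a comment above the call such as `# authz must accept client_id=... and return a list of allowed claim names (None for no restriction)` and state the same in the authz handler's docstring. The function starts before the hunk and its end is not shown here.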
@@ -887,8 +887,8 @@ def provider_config(self, issuer, keys=True, endpoints=True,
 r = self.http_request(url)
 if r.status_code == 200:
 pcr = response_cls().from_json(r.text)
- elif r.status_code == 302:
- while r.status_code == 302:
+ elif r.status_code == 302 or r.status_code == 301:
+ while r.status_code == 302 or r.status_code == 301:
 r = self.http_request(r.headers["location"])
 if r.status_code == 200:
 pcr = response_cls().from_json(r.text)
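Review bot: The redirect loop in `provider_config` has no hop limit and follows whatever `location` the server returns, so a looping or hostile endpoint can keep the client requesting indefinitely, and an https discovery URL can be sent on to plain http; accepting 301 as well widens that path. I would cap the number of hops and refuse an https-to-http downgrade, as sketched below (the limit of 5 is an example value), which also replaces the repeated comparison with `r.status_code in (301, 302)`. A redirect without a `location` header raises `KeyError` in both the old and the new code. If the code outside this hunk does not already do so, the `issuer` in a configuration fetched after a redirect should be compared with the requested one; the function starts and ends outside the hunk.

```python
elif r.status_code in (301, 302):
    # Follow a bounded number of hops (5 is an example limit) and never let
    # an https discovery URL be redirected to a non-https target.
    hops = 0
    while r.status_code in (301, 302) and hops < 5:
        target = r.headers["location"]
        if url.startswith("https://") and not target.startswith("https://"):
            break
        r = self.http_request(target)
        hops += 1
    # … unchanged: status 200 check and from_json parse …
```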