Merge pull request #656 from bcgov/append-pres_req_conf_id-to-sub

Append @pres_req_conf_id to sub
bcgov · Oct 9, 2024 · dfe31bd · dfe31bd
2 parents 7ba6ba3 + 760fcba
commit dfe31bd
Show file tree

Hide file tree

Showing 2 changed files with 17 additions and 4 deletions.
diff --git a/oidc-controller/api/core/oidc/issue_token_service.py b/oidc-controller/api/core/oidc/issue_token_service.py
@@ -96,15 +96,28 @@ def get_claims(
         # matching the configured subject_identifier, if any
         sub_id_claim = presentation_claims.get(ver_config.subject_identifier)
 
+        pres_req_conf_id_suffix = (
+            f"@{auth_session.request_parameters['pres_req_conf_id']}"
+        )
+
         if sub_id_claim:
             # add sub and append presentation_claims
-            oidc_claims.append(Claim(type="sub", value=sub_id_claim.value))
+            assert type(auth_session.request_parameters["pres_req_conf_id"]) == str
+            oidc_claims.append(
+                Claim(
+                    type="sub",
+                    value=sub_id_claim.value + pres_req_conf_id_suffix,
+                )
+            )
+
         elif ver_config.generate_consistent_identifier:
             # Do not create a sub based on the proof claims if the
             # user requests a generated identifier
             # Generate a SHA256 hash of the canonicaljson encoded proof_claims
-            encoded_json = canonicaljson.encode_canonical_json(proof_claims)
-            sha256_hash = hashlib.sha256(encoded_json).hexdigest()
+            encoded_json: bytes = canonicaljson.encode_canonical_json(proof_claims)
+            sha256_hash = hashlib.sha256(
+                encoded_json + pres_req_conf_id_suffix.encode()
+            ).hexdigest()
             oidc_claims.append(
                 Claim(
                     type="sub",

diff --git a/oidc-controller/api/core/oidc/tests/test_issue_token_service.py b/oidc-controller/api/core/oidc/tests/test_issue_token_service.py
@@ -235,7 +235,7 @@ async def test_valid_presentation_with_matching_subject_identifier_in_claims_sub
     auth_session.presentation_exchange = presentation["by_format"]
     claims = Token.get_claims(auth_session, ver_config)
     print(claims)
-    assert claims["sub"] == "[email protected]"
+    assert claims["sub"] == "[email protected]@verified-email"
 
 
 @pytest.mark.asyncio