From 39b362a1f858887fe95268cc170a2d75ff334315 Mon Sep 17 00:00:00 2001
From: Matti Eiden
Date: Thu, 27 Feb 2025 10:23:20 +0200
Subject: [PATCH] fix: tunnistus related settings

HELSINKI_PROFILE_SCOPE must be set to access_token in tunnistus
OIDC_RP_SCOPES must not include the profile scope in tunnistus
OIDC_RP_SCOPES should include email in tunnistus so that the token has email information for django-helusers.

refs: TETP-310, TETP-314
---
 backend/tet/tet/settings.py | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/backend/tet/tet/settings.py b/backend/tet/tet/settings.py
index b2cbebfd67..867b4f94f6 100644
--- a/backend/tet/tet/settings.py
+++ b/backend/tet/tet/settings.py
@@ -104,6 +104,7 @@
 LINKEDEVENTS_TIMEOUT=(int, 20),
 GDPR_API_QUERY_SCOPE=(str, "gdprquery"),
 GDPR_API_DELETE_SCOPE=(str, "gdprdelete"),
+ HELSINKI_PROFILE_SCOPE=(str, "access_token"),
 )
 if os.path.exists(env_file):
@@ -280,8 +281,8 @@
 OIDC_AUTH = {"OIDC_LEEWAY": django_env.int("OIDC_LEEWAY")}
 OIDC_RP_SIGN_ALGO = "RS256"
-HELSINKI_PROFILE_SCOPE = "https://api.hel.fi/auth/helsinkiprofile"
-OIDC_RP_SCOPES = f"openid profile {HELSINKI_PROFILE_SCOPE}"
+HELSINKI_PROFILE_SCOPE = django_env("HELSINKI_PROFILE_SCOPE")
+OIDC_RP_SCOPES = "openid profile email"
 OIDC_RP_CLIENT_ID = django_env.str("OIDC_RP_CLIENT_ID")
 OIDC_RP_CLIENT_SECRET = django_env.str("OIDC_RP_CLIENT_SECRET")
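Review bot: The new default `"access_token"` for `HELSINKI_PROFILE_SCOPE` is not a scope identifier like the URL it replaces in the second hunk, so the setting's name no longer describes its value. How the value is consumed is not visible in this patch; if it is now used as a key into the provider's API-token response (an assumption to confirm), a comment above the declaration should say so, e.g. `# tunnistus: key of the API token in the token response, not an OAuth scope`. The default applies to every environment that does not set the variable, so a deployment that still expects the old scope URL would have to set it explicitly. The `Env(...)` call this line belongs to starts outside the hunk.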
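Review bot: `OIDC_RP_SCOPES` still contains `profile`, although the commit message says the profile scope must not be included. Presumably the message means the Helsinki profile API scope that used to be interpolated, and a comment would remove the doubt: `# openid + standard profile/email claims; the Helsinki profile API scope is intentionally not requested from tunnistus`. The requested scopes decide which personal data ends up in the token, so the reason for adding `email` (django-helusers, per the commit message) belongs beside the value rather than only in the commit log. For consistency with the neighbouring lines, read the setting through the typed accessor: `HELSINKI_PROFILE_SCOPE = django_env.str("HELSINKI_PROFILE_SCOPE")`.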