Add alternate_emails prop to OIDC userinfo

app/assets/stylesheets/components/_list.scss

@@ -27,7 +27,7 @@
 }
 
 .success-bullets {
-  li {
+  .success-bullet {
     padding: 1rem 1rem 1rem 0;
 
     &::before {

app/controllers/sign_up/completions_controller.rb

@@ -105,10 +105,15 @@ def email
       EmailContext.new(current_user).last_sign_in_email_address.email
     end
 
+    def all_emails
+      current_user.confirmed_email_addresses.map(&:email)
+    end
+
     def displayable_attributes
       return pii_to_displayable_attributes if user_session['decrypted_pii'].present?
       {
         email: email,
+        all_emails: all_emails,
         verified_at: verified_at,
         x509_subject: current_user.piv_cac_configurations.first&.x509_dn_uuid,
         x509_issuer: current_user.piv_cac_configurations.first&.x509_issuer,

app/presenters/openid_connect_user_info_presenter.rb

@@ -14,6 +14,7 @@ def user_info
       iss: root_url,
       email: email_from_sp_identity(identity),
       email_verified: true,
+      all_emails: all_emails_from_sp_identity(identity),
     }
 
     info.merge!(ial2_attributes) if scoper.ial2_scopes_requested?
@@ -34,7 +35,15 @@ def uuid_from_sp_identity(identity)
   end
 
   def email_from_sp_identity(identity)
-    EmailContext.new(identity.user).last_sign_in_email_address.email
+    email_context.last_sign_in_email_address.email
+  end
+
+  def all_emails_from_sp_identity(identity)
+    identity.user.confirmed_email_addresses.map(&:email)
+  end
+
+  def email_context
+    @email_context ||= EmailContext.new(identity.user)
   end
 
   def ial2_attributes

app/services/openid_connect_attribute_scoper.rb

@@ -17,19 +17,22 @@ class OpenidConnectAttributeScoper
 
   VALID_SCOPES = %w[
     email
+    all_emails
     openid
     profile:verified_at
   ] + X509_SCOPES + IAL2_SCOPES
 
   VALID_IAL1_SCOPES = %w[
     email
+    all_emails
     openid
     profile:verified_at
   ] + X509_SCOPES
 
   ATTRIBUTE_SCOPES_MAP = {
     email: %w[email],
     email_verified: %w[email],
+    all_emails: %w[all_emails],
     address: %w[address],
     phone: %w[phone],
     phone_verified: %w[phone],

app/view_models/sign_up_completions_show.rb

@@ -18,6 +18,7 @@ def initialize(ial2_requested:, decorated_session:, current_user:, handoff:, ial
     [[:address], :address],
     [[:phone], :phone],
     [[:email], :email],
+    [[:all_emails], :all_emails],
     [[:birthdate], :birthdate],
     [[:social_security_number], :social_security_number],
     [[:x509_subject], :x509_subject],
@@ -27,6 +28,7 @@ def initialize(ial2_requested:, decorated_session:, current_user:, handoff:, ial
 
   SORTED_IAL1_ATTRIBUTE_MAPPING = [
     [[:email], :email],
+    [[:all_emails], :all_emails],
     [[:x509_subject], :x509_subject],
     [[:x509_issuer], :x509_issuer],
     [[:verified_at], :verified_at],
@@ -69,9 +71,13 @@ def image_name
   end
 
   def requested_attributes_sorted
-    sorted_attribute_mapping.map do |raw_attribute, display_attribute|
+    sorted_attributes = sorted_attribute_mapping.map do |raw_attribute, display_attribute|
       display_attribute if (requested_attributes & raw_attribute).present?
     end.compact
+    # If the SP requests all emails, there is no reason to show them the sign
+    # in email address in the consent screen
+    sorted_attributes.delete(:email) if sorted_attributes.include?(:all_emails)
+    sorted_attributes
   end
 
   def sorted_attribute_mapping

app/views/sign_up/completions/_requested_attributes.html.erb

@@ -1,12 +1,20 @@
 <ul class="margin-bottom-4 list-reset border-bottom border-primary-light success-bullets requested-attributes">
   <% requested_attributes.each do |attribute| %>
     <% next if @pii[attribute].blank? %>
-    <li class="border-top border-primary-light">
+    <li class="success-bullet border-top border-primary-light">
       <div class="bold margin-left-4">
         <%= t("help_text.requested_attributes.#{attribute}") %>
       </div>
       <div class="margin-left-4">
-        <%= @pii[attribute].to_s %>
+        <% if @pii[attribute].is_a? Array %>
+          <ul class='usa-list usa-list--unstyled'>
+            <% @pii[attribute].each do |item| %>
+              <li><%= item %></li>
+            <% end %>
+          </ul>
+        <% else %>
+          <%= @pii[attribute].to_s %>
+        <% end %>
       </div>
     </li>
   <% end %>

app/views/users/authorization_confirmation/show.html.erb

@@ -19,7 +19,7 @@
     </div>
     <div class='tablet:margin-left-1 tablet:margin-right-1' >
       <ul class='margin-bottom-4 list-reset border-bottom border-primary-light success-bullets requested-attributes'>
-        <li class='border-top border-primary-light'>
+        <li class='success-bullet border-top border-primary-light'>
           <span class='bold'>
             <%= t("help_text.requested_attributes.email") %>
           </span>

config/locales/help_text/en.yml

@@ -7,6 +7,7 @@ en:
       delete_account: To delete your account, please confirm your password and security code.
     requested_attributes:
       address: Mailing address
+      all_emails: Email addresses on your account
       birthdate: Date of birth
       email: Email address
       full_name: Full name

config/locales/help_text/es.yml

@@ -7,6 +7,7 @@ es:
       delete_account: Para eliminar su cuenta, confirme su contraseña y código de seguridad.
     requested_attributes:
       address: Dirección de correo postal
+      all_emails: Direcciones de correo electrónico en su cuenta
       birthdate: Fecha de nacimiento
       email: Dirección de correo electrónico
       full_name: Nombre completo

config/locales/help_text/fr.yml

@@ -8,6 +8,7 @@ fr:
         passe et votre code de sécurité.
     requested_attributes:
       address: Adresse postale
+      all_emails: Adresses e-mail sur votre compte
       birthdate: Date de naissance
       email: Adresse e-mail
       full_name: Nom complet

spec/presenters/openid_connect_user_info_presenter_spec.rb

@@ -4,7 +4,9 @@
   include Rails.application.routes.url_helpers
 
   let(:rails_session_id) { SecureRandom.uuid }
-  let(:scope) { 'openid email address phone profile social_security_number x509:subject' }
+  let(:scope) do
+    'openid email all_emails address phone profile social_security_number x509:subject'
+  end
   let(:service_provider_ial) { 2 }
   let(:service_provider) { create(:service_provider, ial: service_provider_ial) }
   let(:profile) { build(:profile, :active, :verified) }
@@ -29,6 +31,7 @@
         expect(user_info[:iss]).to eq(root_url)
         expect(user_info[:email]).to eq(identity.user.email_addresses.first.email)
         expect(user_info[:email_verified]).to eq(true)
+        expect(user_info[:all_emails]).to eq([identity.user.email_addresses.first.email])
       end
     end
 

spec/services/openid_connect_attribute_scoper_spec.rb

@@ -34,6 +34,7 @@
         iss: 'https://login.gov',
         email: 'foo@example.com',
         email_verified: true,
+        all_emails: ['foo@example.com', 'bar@example.com'],
         given_name: 'John',
         family_name: 'Jones',
         birthdate: '1970-01-01',
@@ -76,6 +77,15 @@
       it 'includes the email and email_verified attributes' do
         expect(filtered[:email]).to be_present
         expect(filtered[:email_verified]).to eq(true)
+        expect(filtered[:all_emails]).to be_nil
+      end
+    end
+
+    context 'with the all_emails scope' do
+      let(:scope) { 'openid all_emails' }
+
+      it 'includes the all_emails attributes' do
+        expect(filtered[:all_emails]).to eq(['foo@example.com', 'bar@example.com'])
       end
     end
 

spec/view_models/sign_up_completions_show_spec.rb

@@ -7,6 +7,7 @@
 
   let(:handoff) { false }
   let(:consent_has_expired?) { false }
+  let(:sp_session) {}
 
   subject(:view_model) do
     SignUpCompletionsShow.new(
@@ -24,7 +25,7 @@
       ServiceProviderSessionDecorator.new(
         sp: build_stubbed(:service_provider),
         view_context: ActionController::Base.new.view_context,
-        sp_session: {},
+        sp_session: sp_session,
         service_provider_request: ServiceProviderRequestProxy.new,
       )
     end
@@ -81,6 +82,25 @@
         end
       end
     end
+
+    describe '#requested_attributes_sorted' do
+      context 'the requested attributes include email' do
+        let(:sp_session) { { requested_attributes: [:email] } }
+
+        it 'includes the sign in email address' do
+          expect(view_model.requested_attributes_sorted).to include(:email)
+        end
+      end
+
+      context 'the requrested attributes include all_emails' do
+        let(:sp_session) { { requested_attributes: [:email, :all_emails] } }
+
+        it 'includes all email addresses and not the individual email address' do
+          expect(view_model.requested_attributes_sorted).to include(:all_emails)
+          expect(view_model.requested_attributes_sorted).to_not include(:email)
+        end
+      end
+    end
   end
 
   context 'with no sp session' do

spec/views/sign_up/completions/show.html.erb_spec.rb

@@ -60,12 +60,13 @@
     end
 
     let(:view_context) { ActionController::Base.new.view_context }
+    let(:requested_attributes) { [:email] }
     let(:decorated_session) do
       ServiceProviderSessionDecorator.new(
         sp: service_provider,
         view_context: view_context,
         sp_session: {
-          requested_attributes: [:email],
+          requested_attributes: requested_attributes,
         },
         service_provider_request: ServiceProviderRequestProxy.new,
       )
@@ -82,7 +83,7 @@
         consent_has_expired: false,
       )
       allow(view).to receive(:decorated_session).and_return(decorated_session)
-      assign(:pii, {})
+      assign(:pii, { email: 'foo@example.com', all_emails: ['foo@example.com', 'bar@example.com'] })
     end
 
     it 'shows the app name, not the agency name' do
@@ -98,6 +99,18 @@
         ),
       )
     end
+
+    context 'the all_emails scope is requested' do
+      let(:requested_attributes) { [:email, :all_emails] }
+
+      it 'renders all of the user email addresses' do
+        render
+
+        expect(rendered).to include(t('help_text.requested_attributes.all_emails'))
+        expect(rendered).to include('foo@example.com')
+        expect(rendered).to include('bar@example.com')
+      end
+    end
   end
 
   private