Merged in [19412] from rjsparks@nostrum.com:

    Only show roles in active roups in the oidc roles claim. Fixes ietf-tools#3424.
 - Legacy-Id: 19442
Note: SVN reference [19412] has been migrated to Git commit 21f5a55

Author: rjsparks

ietf/ietfauth/tests.py

@@ -810,7 +810,8 @@ def test_oidc_code_auth(self):
 
             # Get a user for which we want to get access
             person = PersonFactory(with_bio=True)
-            RoleFactory(name_id='chair', person=person)
+            active_group = RoleFactory(name_id='chair', person=person).group
+            closed_group = RoleFactory(name_id='chair', person=person, group__state_id='conclude').group
             # an additional email
             EmailFactory(person=person)
             email_list = person.email_set.all().values_list('address', flat=True)
@@ -880,6 +881,8 @@ def test_oidc_code_auth(self):
                 self.assertTrue(userinfo[key])
             self.assertIn('remote', set(userinfo['reg_type'].split()))
             self.assertNotIn('hackathon', set(userinfo['reg_type'].split()))
+            self.assertIn(active_group.acronym, [i[1] for i in userinfo['roles']])
+            self.assertNotIn(closed_group.acronym, [i[1] for i in userinfo['roles']])
 
             # Create another registration, with a different email
             MeetingRegistration.objects.create(

ietf/ietfauth/utils.py

@@ -247,7 +247,7 @@ class OidcExtraScopeClaims(oidc_provider.lib.claims.ScopeClaims):
         )
 
     def scope_roles(self):
-        roles = self.user.person.role_set.values_list('name__slug', 'group__acronym')
+        roles = self.user.person.role_set.filter(group__state_id__in=('active','bof','proposed')).values_list('name__slug', 'group__acronym')
         info = {
                 'roles': list(roles)
             }