Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add OpenID claims "profile" and "email". #16141

Merged
merged 8 commits into from
Jun 14, 2021
Merged
Show file tree
Hide file tree
Changes from 6 commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
22 changes: 21 additions & 1 deletion models/oauth2_application.go
Original file line number Diff line number Diff line change
Expand Up @@ -394,7 +394,7 @@ func (grant *OAuth2Grant) TableName() string {
return "oauth2_grant"
}

// GenerateNewAuthorizationCode generates a new authorization code for a grant and saves it to the databse
// GenerateNewAuthorizationCode generates a new authorization code for a grant and saves it to the database
func (grant *OAuth2Grant) GenerateNewAuthorizationCode(redirectURI, codeChallenge, codeChallengeMethod string) (*OAuth2AuthorizationCode, error) {
return grant.generateNewAuthorizationCode(x, redirectURI, codeChallenge, codeChallengeMethod)
}
Expand Down Expand Up @@ -567,6 +567,26 @@ func (token *OAuth2Token) SignToken() (string, error) {
type OIDCToken struct {
jwt.StandardClaims
Nonce string `json:"nonce,omitempty"`

// Scope profile
Name string `json:"name,omitempty"`
FamilyName string `json:"family_name,omitempty"`
KN4CK3R marked this conversation as resolved.
Show resolved Hide resolved
GivenName string `json:"given_name,omitempty"`
MiddleName string `json:"middle_name,omitempty"`
Nickname string `json:"nickname,omitempty"`
PreferredUsername string `json:"preferred_username,omitempty"`
Profile string `json:"profile,omitempty"`
Picture string `json:"picture,omitempty"`
Website string `json:"website,omitempty"`
Gender string `json:"gender,omitempty"`
Birthdate string `json:"birthdate,omitempty"`
ZoneInfo string `json:"zoneinfo,omitempty"`
Locale string `json:"locale,omitempty"`
UpdatedAt timeutil.TimeStamp `json:"updated_at,omitempty"`

// Scope email
Email string `json:"email,omitempty"`
EmailVerified bool `json:"email_verified,omitempty"`
}

// SignToken signs an id_token with the (symmetric) client secret key
Expand Down
29 changes: 29 additions & 0 deletions routers/web/user/oauth.go
Original file line number Diff line number Diff line change
Expand Up @@ -185,6 +185,21 @@ func newAccessTokenResponse(grant *models.OAuth2Grant, clientSecret string) (*Ac
ErrorDescription: "cannot find application",
}
}
err = app.LoadUser()
if err != nil {
KN4CK3R marked this conversation as resolved.
Show resolved Hide resolved
if models.IsErrUserNotExist(err) {
return nil, &AccessTokenError{
ErrorCode: AccessTokenErrorCodeInvalidRequest,
ErrorDescription: "cannot find user",
}
}
log.Error("Error loading user: %v", err)
return nil, &AccessTokenError{
ErrorCode: AccessTokenErrorCodeInvalidRequest,
ErrorDescription: "server error",
}
}

idToken := &models.OIDCToken{
StandardClaims: jwt.StandardClaims{
ExpiresAt: expirationDate.AsTime().Unix(),
Expand All @@ -194,6 +209,20 @@ func newAccessTokenResponse(grant *models.OAuth2Grant, clientSecret string) (*Ac
},
Nonce: grant.Nonce,
}
if grant.ScopeContains("profile") {
idToken.Name = app.User.FullName
idToken.PreferredUsername = app.User.Name
idToken.Profile = app.User.HTMLURL()
idToken.Picture = app.User.AvatarLink()
idToken.Website = app.User.Website
idToken.Locale = app.User.Language
idToken.UpdatedAt = app.User.UpdatedUnix
}
if grant.ScopeContains("email") {
idToken.Email = app.User.Email
idToken.EmailVerified = app.User.IsActive
}

signedIDToken, err = idToken.SignToken(clientSecret)
if err != nil {
return nil, &AccessTokenError{
Expand Down
29 changes: 29 additions & 0 deletions templates/user/auth/oidc_wellknown.tmpl
Original file line number Diff line number Diff line change
Expand Up @@ -6,5 +6,34 @@
"response_types_supported": [
"code",
"id_token"
],
"scopes_supported": [
"openid",
"profile",
"email"
],
"claims_supported": [
"aud",
"exp",
"iat",
"iss",
"sub",
"name",
"preferred_username",
"profile",
"picture",
"website",
"locale",
"updated_at",
"email",
"email_verified"
],
"code_challenge_methods_supported": [
"plain",
"S256"
],
"grant_types_supported": [
"authorization_code",
"refresh_token"
]
}