Add OpenID claims "profile" and "email". (#16141)

* Added OpenID claims "profile" and "email".

* Splitted error.

* Added scopes_supported and claims_supported.

* Added more metadata.

Co-authored-by: techknowlogick <techknowlogick@gitea.io>
Co-authored-by: Lauris BH <lauris@nix.lv>
tokarchuk/v1.17
KN4CK3R 3 years ago committed by GitHub
parent 2b39357443
commit 1295e750b4
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
  1. 15
      models/oauth2_application.go
  2. 29
      routers/web/user/oauth.go
  3. 29
      templates/user/auth/oidc_wellknown.tmpl

@ -394,7 +394,7 @@ func (grant *OAuth2Grant) TableName() string {
return "oauth2_grant" return "oauth2_grant"
} }
// GenerateNewAuthorizationCode generates a new authorization code for a grant and saves it to the databse // GenerateNewAuthorizationCode generates a new authorization code for a grant and saves it to the database
func (grant *OAuth2Grant) GenerateNewAuthorizationCode(redirectURI, codeChallenge, codeChallengeMethod string) (*OAuth2AuthorizationCode, error) { func (grant *OAuth2Grant) GenerateNewAuthorizationCode(redirectURI, codeChallenge, codeChallengeMethod string) (*OAuth2AuthorizationCode, error) {
return grant.generateNewAuthorizationCode(x, redirectURI, codeChallenge, codeChallengeMethod) return grant.generateNewAuthorizationCode(x, redirectURI, codeChallenge, codeChallengeMethod)
} }
@ -567,6 +567,19 @@ func (token *OAuth2Token) SignToken() (string, error) {
type OIDCToken struct { type OIDCToken struct {
jwt.StandardClaims jwt.StandardClaims
Nonce string `json:"nonce,omitempty"` Nonce string `json:"nonce,omitempty"`
// Scope profile
Name string `json:"name,omitempty"`
PreferredUsername string `json:"preferred_username,omitempty"`
Profile string `json:"profile,omitempty"`
Picture string `json:"picture,omitempty"`
Website string `json:"website,omitempty"`
Locale string `json:"locale,omitempty"`
UpdatedAt timeutil.TimeStamp `json:"updated_at,omitempty"`
// Scope email
Email string `json:"email,omitempty"`
EmailVerified bool `json:"email_verified,omitempty"`
} }
// SignToken signs an id_token with the (symmetric) client secret key // SignToken signs an id_token with the (symmetric) client secret key

@ -185,6 +185,21 @@ func newAccessTokenResponse(grant *models.OAuth2Grant, clientSecret string) (*Ac
ErrorDescription: "cannot find application", ErrorDescription: "cannot find application",
} }
} }
err = app.LoadUser()
if err != nil {
if models.IsErrUserNotExist(err) {
return nil, &AccessTokenError{
ErrorCode: AccessTokenErrorCodeInvalidRequest,
ErrorDescription: "cannot find user",
}
}
log.Error("Error loading user: %v", err)
return nil, &AccessTokenError{
ErrorCode: AccessTokenErrorCodeInvalidRequest,
ErrorDescription: "server error",
}
}
idToken := &models.OIDCToken{ idToken := &models.OIDCToken{
StandardClaims: jwt.StandardClaims{ StandardClaims: jwt.StandardClaims{
ExpiresAt: expirationDate.AsTime().Unix(), ExpiresAt: expirationDate.AsTime().Unix(),
@ -194,6 +209,20 @@ func newAccessTokenResponse(grant *models.OAuth2Grant, clientSecret string) (*Ac
}, },
Nonce: grant.Nonce, Nonce: grant.Nonce,
} }
if grant.ScopeContains("profile") {
idToken.Name = app.User.FullName
idToken.PreferredUsername = app.User.Name
idToken.Profile = app.User.HTMLURL()
idToken.Picture = app.User.AvatarLink()
idToken.Website = app.User.Website
idToken.Locale = app.User.Language
idToken.UpdatedAt = app.User.UpdatedUnix
}
if grant.ScopeContains("email") {
idToken.Email = app.User.Email
idToken.EmailVerified = app.User.IsActive
}
signedIDToken, err = idToken.SignToken(clientSecret) signedIDToken, err = idToken.SignToken(clientSecret)
if err != nil { if err != nil {
return nil, &AccessTokenError{ return nil, &AccessTokenError{

@ -6,5 +6,34 @@
"response_types_supported": [ "response_types_supported": [
"code", "code",
"id_token" "id_token"
],
"scopes_supported": [
"openid",
"profile",
"email"
],
"claims_supported": [
"aud",
"exp",
"iat",
"iss",
"sub",
"name",
"preferred_username",
"profile",
"picture",
"website",
"locale",
"updated_at",
"email",
"email_verified"
],
"code_challenge_methods_supported": [
"plain",
"S256"
],
"grant_types_supported": [
"authorization_code",
"refresh_token"
] ]
} }

Loading…
Cancel
Save