Add OpenID claims "profile" and "email". (#16141)
* Added OpenID claims "profile" and "email". * Splitted error. * Added scopes_supported and claims_supported. * Added more metadata. Co-authored-by: techknowlogick <techknowlogick@gitea.io> Co-authored-by: Lauris BH <lauris@nix.lv>
This commit is contained in:
parent
2b39357443
commit
1295e750b4
3 changed files with 72 additions and 1 deletions
|
@ -394,7 +394,7 @@ func (grant *OAuth2Grant) TableName() string {
|
||||||
return "oauth2_grant"
|
return "oauth2_grant"
|
||||||
}
|
}
|
||||||
|
|
||||||
// GenerateNewAuthorizationCode generates a new authorization code for a grant and saves it to the databse
|
// GenerateNewAuthorizationCode generates a new authorization code for a grant and saves it to the database
|
||||||
func (grant *OAuth2Grant) GenerateNewAuthorizationCode(redirectURI, codeChallenge, codeChallengeMethod string) (*OAuth2AuthorizationCode, error) {
|
func (grant *OAuth2Grant) GenerateNewAuthorizationCode(redirectURI, codeChallenge, codeChallengeMethod string) (*OAuth2AuthorizationCode, error) {
|
||||||
return grant.generateNewAuthorizationCode(x, redirectURI, codeChallenge, codeChallengeMethod)
|
return grant.generateNewAuthorizationCode(x, redirectURI, codeChallenge, codeChallengeMethod)
|
||||||
}
|
}
|
||||||
|
@ -567,6 +567,19 @@ func (token *OAuth2Token) SignToken() (string, error) {
|
||||||
type OIDCToken struct {
|
type OIDCToken struct {
|
||||||
jwt.StandardClaims
|
jwt.StandardClaims
|
||||||
Nonce string `json:"nonce,omitempty"`
|
Nonce string `json:"nonce,omitempty"`
|
||||||
|
|
||||||
|
// Scope profile
|
||||||
|
Name string `json:"name,omitempty"`
|
||||||
|
PreferredUsername string `json:"preferred_username,omitempty"`
|
||||||
|
Profile string `json:"profile,omitempty"`
|
||||||
|
Picture string `json:"picture,omitempty"`
|
||||||
|
Website string `json:"website,omitempty"`
|
||||||
|
Locale string `json:"locale,omitempty"`
|
||||||
|
UpdatedAt timeutil.TimeStamp `json:"updated_at,omitempty"`
|
||||||
|
|
||||||
|
// Scope email
|
||||||
|
Email string `json:"email,omitempty"`
|
||||||
|
EmailVerified bool `json:"email_verified,omitempty"`
|
||||||
}
|
}
|
||||||
|
|
||||||
// SignToken signs an id_token with the (symmetric) client secret key
|
// SignToken signs an id_token with the (symmetric) client secret key
|
||||||
|
|
|
@ -185,6 +185,21 @@ func newAccessTokenResponse(grant *models.OAuth2Grant, clientSecret string) (*Ac
|
||||||
ErrorDescription: "cannot find application",
|
ErrorDescription: "cannot find application",
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
err = app.LoadUser()
|
||||||
|
if err != nil {
|
||||||
|
if models.IsErrUserNotExist(err) {
|
||||||
|
return nil, &AccessTokenError{
|
||||||
|
ErrorCode: AccessTokenErrorCodeInvalidRequest,
|
||||||
|
ErrorDescription: "cannot find user",
|
||||||
|
}
|
||||||
|
}
|
||||||
|
log.Error("Error loading user: %v", err)
|
||||||
|
return nil, &AccessTokenError{
|
||||||
|
ErrorCode: AccessTokenErrorCodeInvalidRequest,
|
||||||
|
ErrorDescription: "server error",
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
idToken := &models.OIDCToken{
|
idToken := &models.OIDCToken{
|
||||||
StandardClaims: jwt.StandardClaims{
|
StandardClaims: jwt.StandardClaims{
|
||||||
ExpiresAt: expirationDate.AsTime().Unix(),
|
ExpiresAt: expirationDate.AsTime().Unix(),
|
||||||
|
@ -194,6 +209,20 @@ func newAccessTokenResponse(grant *models.OAuth2Grant, clientSecret string) (*Ac
|
||||||
},
|
},
|
||||||
Nonce: grant.Nonce,
|
Nonce: grant.Nonce,
|
||||||
}
|
}
|
||||||
|
if grant.ScopeContains("profile") {
|
||||||
|
idToken.Name = app.User.FullName
|
||||||
|
idToken.PreferredUsername = app.User.Name
|
||||||
|
idToken.Profile = app.User.HTMLURL()
|
||||||
|
idToken.Picture = app.User.AvatarLink()
|
||||||
|
idToken.Website = app.User.Website
|
||||||
|
idToken.Locale = app.User.Language
|
||||||
|
idToken.UpdatedAt = app.User.UpdatedUnix
|
||||||
|
}
|
||||||
|
if grant.ScopeContains("email") {
|
||||||
|
idToken.Email = app.User.Email
|
||||||
|
idToken.EmailVerified = app.User.IsActive
|
||||||
|
}
|
||||||
|
|
||||||
signedIDToken, err = idToken.SignToken(clientSecret)
|
signedIDToken, err = idToken.SignToken(clientSecret)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, &AccessTokenError{
|
return nil, &AccessTokenError{
|
||||||
|
|
|
@ -6,5 +6,34 @@
|
||||||
"response_types_supported": [
|
"response_types_supported": [
|
||||||
"code",
|
"code",
|
||||||
"id_token"
|
"id_token"
|
||||||
|
],
|
||||||
|
"scopes_supported": [
|
||||||
|
"openid",
|
||||||
|
"profile",
|
||||||
|
"email"
|
||||||
|
],
|
||||||
|
"claims_supported": [
|
||||||
|
"aud",
|
||||||
|
"exp",
|
||||||
|
"iat",
|
||||||
|
"iss",
|
||||||
|
"sub",
|
||||||
|
"name",
|
||||||
|
"preferred_username",
|
||||||
|
"profile",
|
||||||
|
"picture",
|
||||||
|
"website",
|
||||||
|
"locale",
|
||||||
|
"updated_at",
|
||||||
|
"email",
|
||||||
|
"email_verified"
|
||||||
|
],
|
||||||
|
"code_challenge_methods_supported": [
|
||||||
|
"plain",
|
||||||
|
"S256"
|
||||||
|
],
|
||||||
|
"grant_types_supported": [
|
||||||
|
"authorization_code",
|
||||||
|
"refresh_token"
|
||||||
]
|
]
|
||||||
}
|
}
|
||||||
|
|
Loading…
Reference in a new issue