From 75590a8cb232d4c453a15917e9ba15784b1426d2 Mon Sep 17 00:00:00 2001
From: KN4CK3R
Date: Sun, 13 Jun 2021 11:18:37 +0000
Subject: [PATCH 1/6] Added OpenID claims "profile" and "email".
---
 models/oauth2_application.go | 20 ++++++++++++++++++++
 routers/web/user/oauth.go | 22 ++++++++++++++++++++++
 2 files changed, 42 insertions(+)
diff --git a/models/oauth2_application.go b/models/oauth2_application.go
index 679fdb18f957d..9e50292af4dc1 100644
--- a/models/oauth2_application.go
+++ b/models/oauth2_application.go
@@ -567,6 +567,26 @@ func (token *OAuth2Token) SignToken() (string, error) {
 type OIDCToken struct {
 jwt.StandardClaims
 Nonce string `json:"nonce,omitempty"`
+
+ // Scope profile
+ Name string `json:"name,omitempty"`
+ FamilyName string `json:"family_name,omitempty"`
+ GivenName string `json:"given_name,omitempty"`
+ MiddleName string `json:"middle_name,omitempty"`
+ Nickname string `json:"nickname,omitempty"`
+ PreferredUsername string `json:"preferred_username,omitempty"`
+ Profile string `json:"profile,omitempty"`
+ Picture string `json:"picture,omitempty"`
+ Website string `json:"website,omitempty"`
+ Gender string `json:"gender,omitempty"`
+ Birthdate string `json:"birthdate,omitempty"`
+ ZoneInfo string `json:"zoneinfo,omitempty"`
+ Locale string `json:"locale,omitempty"`
+ UpdatedAt timeutil.TimeStamp `json:"updated_at,omitempty"`
+
+ // Scope email
+ Email string `json:"email,omitempty"`
+ EmailVerified bool `json:"email_verified,omitempty"`
 }
 
 // SignToken signs an id_token with the (symmetric) client secret key
diff --git a/routers/web/user/oauth.go b/routers/web/user/oauth.go
index 3359c75020a25..8f4c24a2a07ea 100644
--- a/routers/web/user/oauth.go
+++ b/routers/web/user/oauth.go
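Review bot: `EmailVerified bool `json:"email_verified,omitempty"`` can never serialize as `false`: `omitempty` drops a zero bool, so a relying party sees either `true` or no claim at all, and in OIDC an absent `email_verified` means the claim was not supplied, not that the address is unverified. If the explicit negative is meant to be expressible, use a pointer, `EmailVerified *bool `json:"email_verified,omitempty"``, and set it only when the `email` scope is granted. The same tag on `UpdatedAt timeutil.TimeStamp` is acceptable only if that type marshals to an integer number of seconds, which is what `updated_at` has to be; that assumption is worth stating in a comment on the field. The `// Scope profile` and `// Scope email` markers would be clearer as full sentences, e.g. `// Claims released when the "profile" scope is granted (OIDC Core 5.4).`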
@@ -185,6 +185,14 @@ func newAccessTokenResponse(grant *models.OAuth2Grant, clientSecret string) (*Ac
 ErrorDescription: "cannot find application",
 }
 }
+ err = app.LoadUser()
+ if err != nil {
+ return nil, &AccessTokenError{
+ ErrorCode: AccessTokenErrorCodeInvalidRequest,
+ ErrorDescription: "cannot find user",
+ }
+ }
+
 idToken := &models.OIDCToken{
 StandardClaims: jwt.StandardClaims{
 ExpiresAt: expirationDate.AsTime().Unix(),
@@ -194,6 +202,20 @@ func newAccessTokenResponse(grant *models.OAuth2Grant, clientSecret string) (*Ac
 },
 Nonce: grant.Nonce,
 }
+ if grant.ScopeContains("profile") {
+ idToken.Name = app.User.FullName
+ idToken.PreferredUsername = app.User.Name
+ idToken.Profile = app.User.HTMLURL()
+ idToken.Picture = app.User.AvatarLink()
+ idToken.Website = app.User.Website
+ idToken.Locale = app.User.Language
+ idToken.UpdatedAt = app.User.UpdatedUnix
+ }
+ if grant.ScopeContains("email") {
+ idToken.Email = app.User.Email
+ idToken.EmailVerified = app.User.IsActive
+ }
+
 signedIDToken, err = idToken.SignToken(clientSecret)
 if err != nil {
 return nil, &AccessTokenError{
From 3b24a41d219e2ebb3e2eb7521fc12bb783969cf9 Mon Sep 17 00:00:00 2001
From: KN4CK3R
Date: Sun, 13 Jun 2021 18:32:54 +0000
Subject: [PATCH 2/6] Splitted error.
---
 routers/web/user/oauth.go | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/routers/web/user/oauth.go b/routers/web/user/oauth.go
index 8f4c24a2a07ea..5667eea45c963 100644
--- a/routers/web/user/oauth.go
+++ b/routers/web/user/oauth.go
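Review bot: `app.LoadUser()` presumably resolves the user who owns the OAuth2 application (`app.User`), not the user who authorized this grant, yet the following hunk (`@@ -194,6 +202,20 @@`) fills every profile and email claim from `app.User`. If that reading is right, each id_token issued through an application carries its owner's name, e-mail and avatar regardless of who actually logged in, which misidentifies the end user to the relying party and discloses the owner's address to every login. The grant is a parameter of this function, so the user the claims describe should be loaded from it instead, e.g. `user, err := models.GetUserByID(grant.UserID)`, with the claim assignments in the next hunk switched to `user.…`. Please confirm what LoadUser populates; newAccessTokenResponse begins and ends outside this hunk.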
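Review bot: `idToken.EmailVerified = app.User.IsActive` equates an activated account with a verified mailbox; depending on the instance's registration settings an account can become active without the address ever having been confirmed (administrator-created accounts, confirmation disabled), so `email_verified: true` may be asserted for an unconfirmed address. Relying parties commonly use this claim to decide whether an e-mail is trustworthy enough to link accounts by, so an over-claim is the costly direction. Derive it from the activation state of the specific address being released (the `EmailAddress` record matching `Email`), or leave the claim unset when that cannot be established, and add a comment stating what "verified" means here. Which user `app.User` denotes should also be confirmed before its `Email` is released at all.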
@@ -187,9 +187,16 @@ func newAccessTokenResponse(grant *models.OAuth2Grant, clientSecret string) (*Ac
 }
 err = app.LoadUser()
 if err != nil {
+ if models.IsErrUserNotExist(err) {
+ return nil, &AccessTokenError{
+ ErrorCode: AccessTokenErrorCodeInvalidRequest,
+ ErrorDescription: "cannot find user",
+ }
+ }
+ log.Error("Error loading user: %v", err)
 return nil, &AccessTokenError{
 ErrorCode: AccessTokenErrorCodeInvalidRequest,
- ErrorDescription: "cannot find user",
+ ErrorDescription: "server error",
 }
 }
 
From 55763cf5567e3b554a832f03abc161eb2fb2e957 Mon Sep 17 00:00:00 2001
From: KN4CK3R
Date: Sun, 13 Jun 2021 19:02:43 +0000
Subject: [PATCH 3/6] Added scopes_supported and claims_supported.
---
 templates/user/auth/oidc_wellknown.tmpl | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)
diff --git a/templates/user/auth/oidc_wellknown.tmpl b/templates/user/auth/oidc_wellknown.tmpl
index fcde060a8d19f..7dbb160d587ca 100644
--- a/templates/user/auth/oidc_wellknown.tmpl
+++ b/templates/user/auth/oidc_wellknown.tmpl
@@ -6,5 +6,26 @@
 "response_types_supported": [
 "code",
 "id_token"
+ ],
+ "scopes_supported": [
+ "openid",
+ "profile",
+ "email"
+ ],
+ "claims_supported": [
+ "aud",
+ "exp",
+ "iat"
+ "iss",
+ "sub"
+ "name",
+ "preferred_username",
+ "profile",
+ "picture",
+ "website",
+ "locale",
+ "updated_at",
+ "email",
+ "email_verified"
 ]
 }
From 38d2b8876f7e65eb564fe8257de98e842e8e92d4 Mon Sep 17 00:00:00 2001
From: KN4CK3R
Date: Sun, 13 Jun 2021 19:03:32 +0000
Subject: [PATCH 4/6] ,
---
 templates/user/auth/oidc_wellknown.tmpl | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/templates/user/auth/oidc_wellknown.tmpl b/templates/user/auth/oidc_wellknown.tmpl
index 7dbb160d587ca..c72684ccd5c9a 100644
--- a/templates/user/auth/oidc_wellknown.tmpl
+++ b/templates/user/auth/oidc_wellknown.tmpl
@@ -15,9 +15,9 @@
 "claims_supported": [
 "aud",
 "exp",
- "iat"
+ "iat",
 "iss",
- "sub"
+ "sub",
 "name",
 "preferred_username",
 "profile",
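Review bot: The `scopes_supported` and `claims_supported` lists in the oidc_wellknown.tmpl hunk (`@@ -6,5 +6,26 @@`) are hand-maintained literals with nothing tying them to `models.OIDCToken` or to the claim assignments in `newAccessTokenResponse`, so the discovery document will drift silently the next time a claim is added, removed or gated behind a different scope. A template comment at the top of the list, such as `{{/* keep scopes_supported and claims_supported in sync with models.OIDCToken and newAccessTokenResponse in routers/web/user/oauth.go */}}`, at least tells the next editor where the other half lives. Advertising only claims the endpoint can actually populate is what relying parties rely on when deciding which scopes to request.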
From 5aef6df235cf9d609c2b096a5e8854ea1ca6b200 Mon Sep 17 00:00:00 2001
From: KN4CK3R
Date: Sun, 13 Jun 2021 19:41:20 +0000
Subject: [PATCH 5/6] Added more metadata.
---
 models/oauth2_application.go | 2 +-
 templates/user/auth/oidc_wellknown.tmpl | 8 ++++++++
 2 files changed, 9 insertions(+), 1 deletion(-)
diff --git a/models/oauth2_application.go b/models/oauth2_application.go
index 9e50292af4dc1..5be11b76bc13f 100644
--- a/models/oauth2_application.go
+++ b/models/oauth2_application.go
@@ -394,7 +394,7 @@ func (grant *OAuth2Grant) TableName() string {
 return "oauth2_grant"
 }
 
-// GenerateNewAuthorizationCode generates a new authorization code for a grant and saves it to the databse
+// GenerateNewAuthorizationCode generates a new authorization code for a grant and saves it to the database
 func (grant *OAuth2Grant) GenerateNewAuthorizationCode(redirectURI, codeChallenge, codeChallengeMethod string) (*OAuth2AuthorizationCode, error) {
 return grant.generateNewAuthorizationCode(x, redirectURI, codeChallenge, codeChallengeMethod)
 }
diff --git a/templates/user/auth/oidc_wellknown.tmpl b/templates/user/auth/oidc_wellknown.tmpl
index c72684ccd5c9a..6b1f8f899c13a 100644
--- a/templates/user/auth/oidc_wellknown.tmpl
+++ b/templates/user/auth/oidc_wellknown.tmpl
@@ -27,5 +27,13 @@
 "updated_at",
 "email",
 "email_verified"
+ ],
+ "code_challenge_methods_supported": [
+ "plain",
+ "S256"
+ ],
+ "grant_types_supported": [
+ "authorization_code",
+ "refresh_token"
 ]
 }
From 639d0887f7b1b86f232216592a8ae0d99fb6b173 Mon Sep 17 00:00:00 2001
From: KN4CK3R
Date: Sun, 13 Jun 2021 23:14:00 +0200
Subject: [PATCH 6/6] Removed currently unused fields.
---
 models/oauth2_application.go | 7 -------
 1 file changed, 7 deletions(-)
diff --git a/models/oauth2_application.go b/models/oauth2_application.go
index 5be11b76bc13f..82d8f4cdf7b1f 100644
--- a/models/oauth2_application.go
+++ b/models/oauth2_application.go
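Review bot: `code_challenge_methods_supported` in the oidc_wellknown.tmpl hunk advertises `plain` next to `S256`, which tells generic client libraries the weaker method is welcome; RFC 7636 permits `plain` only for clients that cannot compute SHA-256, and with `plain` the challenge that passes through the browser equals the verifier, removing the protection PKCE is meant to give against a leaked authorization code. Listing only `"S256"` steers clients to the strong method while the authorization endpoint can still accept `plain` from legacy clients if it does so today; whether and how that endpoint enforces the advertised methods is not visible in this hunk, so please confirm the list matches what is actually checked. A short template comment, e.g. `{{/* must match the PKCE methods accepted by the authorization endpoint in routers/web/user/oauth.go */}}`, would keep the two from drifting apart.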
@@ -570,17 +570,10 @@ type OIDCToken struct { // Scope profile Name string `json:"name,omitempty"` - FamilyName string `json:"family_name,omitempty"` - GivenName string `json:"given_name,omitempty"` - MiddleName string `json:"middle_name,omitempty"` - Nickname string `json:"nickname,omitempty"` PreferredUsername string `json:"preferred_username,omitempty"` Profile string `json:"profile,omitempty"` Picture string `json:"picture,omitempty"` Website string `json:"website,omitempty"` - Gender string `json:"gender,omitempty"` - Birthdate string `json:"birthdate,omitempty"` - ZoneInfo string `json:"zoneinfo,omitempty"` Locale string `json:"locale,omitempty"` UpdatedAt timeutil.TimeStamp `json:"updated_at,omitempty"`