Add OpenID claims "profile" and "email". (#16141)

* Added OpenID claims "profile" and "email".

* Splitted error.

* Added scopes_supported and claims_supported.

* Added more metadata.

Co-authored-by: techknowlogick <techknowlogick@gitea.io>
Co-authored-by: Lauris BH <lauris@nix.lv>
release/v1.15
KN4CK3R 2021-06-14 12:33:16 +02:00 committed by GitHub
parent 2b39357443
commit 1295e750b4
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 72 additions and 1 deletions

View File

@ -394,7 +394,7 @@ func (grant *OAuth2Grant) TableName() string {
return "oauth2_grant"
}
// GenerateNewAuthorizationCode generates a new authorization code for a grant and saves it to the databse
// GenerateNewAuthorizationCode generates a new authorization code for a grant and saves it to the database
func (grant *OAuth2Grant) GenerateNewAuthorizationCode(redirectURI, codeChallenge, codeChallengeMethod string) (*OAuth2AuthorizationCode, error) {
return grant.generateNewAuthorizationCode(x, redirectURI, codeChallenge, codeChallengeMethod)
}
@ -567,6 +567,19 @@ func (token *OAuth2Token) SignToken() (string, error) {
type OIDCToken struct {
jwt.StandardClaims
Nonce string `json:"nonce,omitempty"`
// Scope profile
Name string `json:"name,omitempty"`
PreferredUsername string `json:"preferred_username,omitempty"`
Profile string `json:"profile,omitempty"`
Picture string `json:"picture,omitempty"`
Website string `json:"website,omitempty"`
Locale string `json:"locale,omitempty"`
UpdatedAt timeutil.TimeStamp `json:"updated_at,omitempty"`
// Scope email
Email string `json:"email,omitempty"`
EmailVerified bool `json:"email_verified,omitempty"`
}
// SignToken signs an id_token with the (symmetric) client secret key

View File

@ -185,6 +185,21 @@ func newAccessTokenResponse(grant *models.OAuth2Grant, clientSecret string) (*Ac
ErrorDescription: "cannot find application",
}
}
err = app.LoadUser()
if err != nil {
if models.IsErrUserNotExist(err) {
return nil, &AccessTokenError{
ErrorCode: AccessTokenErrorCodeInvalidRequest,
ErrorDescription: "cannot find user",
}
}
log.Error("Error loading user: %v", err)
return nil, &AccessTokenError{
ErrorCode: AccessTokenErrorCodeInvalidRequest,
ErrorDescription: "server error",
}
}
idToken := &models.OIDCToken{
StandardClaims: jwt.StandardClaims{
ExpiresAt: expirationDate.AsTime().Unix(),
@ -194,6 +209,20 @@ func newAccessTokenResponse(grant *models.OAuth2Grant, clientSecret string) (*Ac
},
Nonce: grant.Nonce,
}
if grant.ScopeContains("profile") {
idToken.Name = app.User.FullName
idToken.PreferredUsername = app.User.Name
idToken.Profile = app.User.HTMLURL()
idToken.Picture = app.User.AvatarLink()
idToken.Website = app.User.Website
idToken.Locale = app.User.Language
idToken.UpdatedAt = app.User.UpdatedUnix
}
if grant.ScopeContains("email") {
idToken.Email = app.User.Email
idToken.EmailVerified = app.User.IsActive
}
signedIDToken, err = idToken.SignToken(clientSecret)
if err != nil {
return nil, &AccessTokenError{

View File

@ -6,5 +6,34 @@
"response_types_supported": [
"code",
"id_token"
],
"scopes_supported": [
"openid",
"profile",
"email"
],
"claims_supported": [
"aud",
"exp",
"iat",
"iss",
"sub",
"name",
"preferred_username",
"profile",
"picture",
"website",
"locale",
"updated_at",
"email",
"email_verified"
],
"code_challenge_methods_supported": [
"plain",
"S256"
],
"grant_types_supported": [
"authorization_code",
"refresh_token"
]
}