forked from gitea/gitea
Add OpenID claims "profile" and "email". (#16141)
* Added OpenID claims "profile" and "email". * Splitted error. * Added scopes_supported and claims_supported. * Added more metadata. Co-authored-by: techknowlogick <techknowlogick@gitea.io> Co-authored-by: Lauris BH <lauris@nix.lv>
This commit is contained in:
parent
2b39357443
commit
1295e750b4
|
@ -394,7 +394,7 @@ func (grant *OAuth2Grant) TableName() string {
|
|||
return "oauth2_grant"
|
||||
}
|
||||
|
||||
// GenerateNewAuthorizationCode generates a new authorization code for a grant and saves it to the databse
|
||||
// GenerateNewAuthorizationCode generates a new authorization code for a grant and saves it to the database
|
||||
func (grant *OAuth2Grant) GenerateNewAuthorizationCode(redirectURI, codeChallenge, codeChallengeMethod string) (*OAuth2AuthorizationCode, error) {
|
||||
return grant.generateNewAuthorizationCode(x, redirectURI, codeChallenge, codeChallengeMethod)
|
||||
}
|
||||
|
@ -567,6 +567,19 @@ func (token *OAuth2Token) SignToken() (string, error) {
|
|||
type OIDCToken struct {
|
||||
jwt.StandardClaims
|
||||
Nonce string `json:"nonce,omitempty"`
|
||||
|
||||
// Scope profile
|
||||
Name string `json:"name,omitempty"`
|
||||
PreferredUsername string `json:"preferred_username,omitempty"`
|
||||
Profile string `json:"profile,omitempty"`
|
||||
Picture string `json:"picture,omitempty"`
|
||||
Website string `json:"website,omitempty"`
|
||||
Locale string `json:"locale,omitempty"`
|
||||
UpdatedAt timeutil.TimeStamp `json:"updated_at,omitempty"`
|
||||
|
||||
// Scope email
|
||||
Email string `json:"email,omitempty"`
|
||||
EmailVerified bool `json:"email_verified,omitempty"`
|
||||
}
|
||||
|
||||
// SignToken signs an id_token with the (symmetric) client secret key
|
||||
|
|
|
@ -185,6 +185,21 @@ func newAccessTokenResponse(grant *models.OAuth2Grant, clientSecret string) (*Ac
|
|||
ErrorDescription: "cannot find application",
|
||||
}
|
||||
}
|
||||
err = app.LoadUser()
|
||||
if err != nil {
|
||||
if models.IsErrUserNotExist(err) {
|
||||
return nil, &AccessTokenError{
|
||||
ErrorCode: AccessTokenErrorCodeInvalidRequest,
|
||||
ErrorDescription: "cannot find user",
|
||||
}
|
||||
}
|
||||
log.Error("Error loading user: %v", err)
|
||||
return nil, &AccessTokenError{
|
||||
ErrorCode: AccessTokenErrorCodeInvalidRequest,
|
||||
ErrorDescription: "server error",
|
||||
}
|
||||
}
|
||||
|
||||
idToken := &models.OIDCToken{
|
||||
StandardClaims: jwt.StandardClaims{
|
||||
ExpiresAt: expirationDate.AsTime().Unix(),
|
||||
|
@ -194,6 +209,20 @@ func newAccessTokenResponse(grant *models.OAuth2Grant, clientSecret string) (*Ac
|
|||
},
|
||||
Nonce: grant.Nonce,
|
||||
}
|
||||
if grant.ScopeContains("profile") {
|
||||
idToken.Name = app.User.FullName
|
||||
idToken.PreferredUsername = app.User.Name
|
||||
idToken.Profile = app.User.HTMLURL()
|
||||
idToken.Picture = app.User.AvatarLink()
|
||||
idToken.Website = app.User.Website
|
||||
idToken.Locale = app.User.Language
|
||||
idToken.UpdatedAt = app.User.UpdatedUnix
|
||||
}
|
||||
if grant.ScopeContains("email") {
|
||||
idToken.Email = app.User.Email
|
||||
idToken.EmailVerified = app.User.IsActive
|
||||
}
|
||||
|
||||
signedIDToken, err = idToken.SignToken(clientSecret)
|
||||
if err != nil {
|
||||
return nil, &AccessTokenError{
|
||||
|
|
|
@ -6,5 +6,34 @@
|
|||
"response_types_supported": [
|
||||
"code",
|
||||
"id_token"
|
||||
],
|
||||
"scopes_supported": [
|
||||
"openid",
|
||||
"profile",
|
||||
"email"
|
||||
],
|
||||
"claims_supported": [
|
||||
"aud",
|
||||
"exp",
|
||||
"iat",
|
||||
"iss",
|
||||
"sub",
|
||||
"name",
|
||||
"preferred_username",
|
||||
"profile",
|
||||
"picture",
|
||||
"website",
|
||||
"locale",
|
||||
"updated_at",
|
||||
"email",
|
||||
"email_verified"
|
||||
],
|
||||
"code_challenge_methods_supported": [
|
||||
"plain",
|
||||
"S256"
|
||||
],
|
||||
"grant_types_supported": [
|
||||
"authorization_code",
|
||||
"refresh_token"
|
||||
]
|
||||
}
|
||||
|
|
Loading…
Reference in New Issue