-
-
Notifications
You must be signed in to change notification settings - Fork 5.5k
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Minimal OpenID Connect implementation (#14139)
This is "minimal" in the sense that only the Authorization Code Flow from OpenID Connect Core is implemented. No discovery, no configuration endpoint, and no user scope management. OpenID Connect is an extension to the (already implemented) OAuth 2.0 protocol, and essentially an `id_token` JWT is added to the access token endpoint response when using the Authorization Code Flow. I also added support for the "nonce" field since it is required to be used in the id_token if the client decides to include it in its initial request. In order to enable this extension an OAuth 2.0 scope containing "openid" is needed. Other OAuth 2.0 requests should not be impacted by this change. This minimal implementation is enough to enable single sign-on (SSO) for other sites, e.g. by using something like `mod_auth_openidc` to only allow access to a CI server if a user has logged into Gitea. Fixes: #1310 Co-authored-by: 6543 <6543@obermui.de> Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com> Co-authored-by: zeripath <art27@cantab.net>
- Loading branch information
1 parent
4f2f08b
commit a07e67d
Showing
9 changed files
with
154 additions
and
9 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -2,5 +2,6 @@ | |
user_id: 1 | ||
application_id: 1 | ||
counter: 1 | ||
scope: "openid profile" | ||
created_unix: 1546869730 | ||
updated_unix: 1546869730 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,38 @@ | ||
// Copyright 2020 The Gitea Authors. All rights reserved. | ||
// Use of this source code is governed by a MIT-style | ||
// license that can be found in the LICENSE file. | ||
|
||
package migrations | ||
|
||
import ( | ||
"fmt" | ||
|
||
"xorm.io/xorm" | ||
) | ||
|
||
// OAuth2Grant here is a snapshot of models.OAuth2Grant for this version | ||
// of the database, as it does not appear to have been added as a part | ||
// of a previous migration. | ||
type OAuth2Grant struct { | ||
ID int64 `xorm:"pk autoincr"` | ||
UserID int64 `xorm:"INDEX unique(user_application)"` | ||
ApplicationID int64 `xorm:"INDEX unique(user_application)"` | ||
Counter int64 `xorm:"NOT NULL DEFAULT 1"` | ||
Scope string `xorm:"TEXT"` | ||
Nonce string `xorm:"TEXT"` | ||
CreatedUnix int64 `xorm:"created"` | ||
UpdatedUnix int64 `xorm:"updated"` | ||
} | ||
|
||
// TableName sets the database table name to be the correct one, as the | ||
// autogenerated table name for this struct is "o_auth2_grant". | ||
func (grant *OAuth2Grant) TableName() string { | ||
return "oauth2_grant" | ||
} | ||
|
||
func addScopeAndNonceColumnsToOAuth2Grant(x *xorm.Engine) error { | ||
if err := x.Sync2(new(OAuth2Grant)); err != nil { | ||
return fmt.Errorf("Sync2: %v", err) | ||
} | ||
return nil | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters