Add groups scope/claim to OIDC/OAuth2 Provider #17367

Merged
merged 6 commits into from
Oct 22, 2021
Changes from 2 commits
55 changes: 50 additions & 5 deletions routers/web/user/oauth.go
@@ -207,6 +207,17 @@ func newAccessTokenResponse(grant *login.OAuth2Grant, serverKey, clientKey oauth
idToken.Email = user.Email
idToken.EmailVerified = user.IsActive
}
if grant.ScopeContains("groups") {
groups, err := getOAuthGroupsForUser(user)
if err != nil {
log.Error("Error getting groups: %v", err)
return nil, &AccessTokenError{
ErrorCode: AccessTokenErrorCodeInvalidRequest,
ErrorDescription: "server error",
}
}
idToken.Groups = groups
}

signedIDToken, err = idToken.SignToken(clientKey)
if err != nil {
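Review bot: the error branch `return nil, &AccessTokenError{ ErrorCode: AccessTokenErrorCodeInvalidRequest, ErrorDescription: "server error" }` reports a failed `getOAuthGroupsForUser` lookup, which is a server-side failure, as `invalid_request`; RFC 6749 section 5.2 reserves `invalid_request` for malformed client requests, so a client seeing this will retry or blame its own request. Surface it as a server error instead (if `AccessTokenError` has no server-error code yet, adding one is preferable to reusing `invalid_request`) and keep the detail in the `log.Error` line only. The `if grant.ScopeContains("groups")` gate is the right condition for emitting the claim; the same gate should be applied wherever else groups are emitted so a client that never requested the scope does not receive them.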
@@ -227,11 +238,12 @@ func newAccessTokenResponse(grant *login.OAuth2Grant, serverKey, clientKey oauth
}

type userInfoResponse struct {
Sub string `json:"sub"`
Name string `json:"name"`
Username string `json:"preferred_username"`
Email string `json:"email"`
Picture string `json:"picture"`
Sub string `json:"sub"`
Name string `json:"name"`
Username string `json:"preferred_username"`
Contributor:
Can it be PreferredUsername to match the name in json?

Contributor Author:
This can for sure be refactored; if you check side by side, you will see that I have only added the Groups property. I can submit a follow-up PR to clean that up, as it's unrelated to the introduction of the groups parameter.

Amazing fast review response time!

Contributor:
I think it's better to make the names match, make code more strict. Otherwise L-G-T-M.

Email string `json:"email"`
Picture string `json:"picture"`
Groups []string `json:"groups"`
}

// InfoOAuth manages request for userinfo endpoint
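Review bot: `Groups []string `json:"groups"`` has no `omitempty`, unlike the `Groups` field added to `OIDCToken` in services/auth/source/oauth2/token.go (`json:"groups,omitempty"`), so userinfo always emits the key; combined with `var groups []string` in `getOAuthGroupsForUser`, a user with no organizations receives `"groups": null` rather than `[]`, which clients that validate the claim as an array will reject. Either add `omitempty` here as well or initialise the slice with `make([]string, 0)` in the helper, and pick one representation for both the id_token and userinfo. The realignment of `Sub`, `Name`, `Username`, `Email` and `Picture` is gofmt output caused by the longer field name and is fine to keep.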
@@ -241,16 +253,49 @@ func InfoOAuth(ctx *context.Context) {
ctx.HandleText(http.StatusUnauthorized, "no valid authorization")
return
}

response := &userInfoResponse{
Sub: fmt.Sprint(ctx.User.ID),
Name: ctx.User.FullName,
Username: ctx.User.Name,
Email: ctx.User.Email,
Picture: ctx.User.AvatarLink(),
}

groups, err := getOAuthGroupsForUser(ctx.User)
if err != nil {
ctx.ServerError("Oauth groups for user", err)
return
}
response.Groups = groups

ctx.JSON(http.StatusOK, response)
}

// returns a list of "org" and "org:team" strings,
// that the given user is a part of.
func getOAuthGroupsForUser(user *models.User) ([]string, error) {
orgs, err := models.GetUserOrgsList(user)
if err != nil {
return nil, fmt.Errorf("GetUserOrgList: %v", err)
}

var groups []string
for _, org := range orgs {
groups = append(groups, org.Name)

if err := org.LoadTeams(); err != nil {
return nil, fmt.Errorf("LoadTeams: %v", err)
}
for _, team := range org.Teams {
if team.IsMember(user.ID) {
groups = append(groups, org.Name+":"+team.LowerName)
}
}
}
return groups, nil
}

// IntrospectOAuth introspects an oauth token
func IntrospectOAuth(ctx *context.Context) {
if ctx.User == nil {
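Review bot: `InfoOAuth` calls `getOAuthGroupsForUser(ctx.User)` and sets `response.Groups` unconditionally, whereas `newAccessTokenResponse` only adds groups when `grant.ScopeContains("groups")`; the userinfo endpoint should honour the scopes of the presenting token in the same way (OpenID Connect Core section 5.3.2 ties the returned claims to the scopes that were granted), otherwise any client holding a plain `openid` token learns the user's complete organization and team membership. Related: nothing in `getOAuthGroupsForUser` checks whether a membership is public, so if `models.GetUserOrgsList` returns organizations the user joined with private membership, the claim discloses that to the relying party; confirm whether that is intended and document it either way. Two smaller points: the org half uses `org.Name` while the team half uses `team.LowerName`, so a consumer matching `org:team` strings has to normalise one side; using the lower-cased org name for both halves avoids that. And `org.LoadTeams()` followed by `team.IsMember(user.ID)` for every team issues one membership query per team in every org the user belongs to; a single query for the user's teams within each org, if the models package offers one, would keep userinfo latency flat for users in large orgs.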
3 changes: 3 additions & 0 deletions services/auth/source/oauth2/token.go
@@ -83,6 +83,9 @@ type OIDCToken struct {
// Scope email
Email string `json:"email,omitempty"`
EmailVerified bool `json:"email_verified,omitempty"`

// Groups are generated by organization and team names
Groups []string `json:"groups,omitempty"`
}

// SignToken signs an id_token with the (symmetric) client secret key
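Review bot: the comment `// Groups are generated by organization and team names` should state the exact string format consumers must parse, `"org"` and `"org:team"` as produced by `getOAuthGroupsForUser` in routers/web/user/oauth.go, because `groups` is not a claim defined by OpenID Connect Core and relying parties will configure their group mappings against these literal values. Also note the `omitempty` here means an id_token for a user with no organizations carries no `groups` claim at all, while the userinfo struct in this diff always emits the key; the two should agree on how the empty case is represented.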
6 changes: 4 additions & 2 deletions templates/user/auth/oidc_wellknown.tmpl
@@ -18,7 +18,8 @@
"scopes_supported": [
"openid",
"profile",
"email"
"email",
"groups"
],
"claims_supported": [
"aud",
@@ -34,7 +35,8 @@
"locale",
"updated_at",
"email",
"email_verified"
"email_verified",
"groups"
],
"code_challenge_methods_supported": [
"plain",