[Web] add configurable client scopes for generic-oidc

mailcow · Feb 8, 2024 · eb9e3b8 · eb9e3b8
1 parent ba32f11
commit eb9e3b8
Show file tree

Hide file tree

Showing 3 changed files with 15 additions and 3 deletions.
diff --git a/data/web/inc/functions.inc.php b/data/web/inc/functions.inc.php
@@ -2108,6 +2108,10 @@ function identity_provider($_action, $_data = null, $_extra = null) {
           $settings[$row["key"]] = $row["value"];
         }
       }
+      // return default client_scopes for generic-oidc if none is set
+      if ($settings["authsource"] == "generic-oidc" && empty($settings["client_scopes"])){
+        $settings["client_scopes"] = "openid profile email";
+      }
       if ($_extra['hide_sensitive']){
         $settings['client_secret'] = '';
         $settings['access_token'] = '';
@@ -2168,7 +2172,8 @@ function identity_provider($_action, $_data = null, $_extra = null) {
         $_data['authorize_url']     = (!empty($_data['authorize_url'])) ? $_data['authorize_url'] : null;
         $_data['token_url']         = (!empty($_data['token_url'])) ? $_data['token_url'] : null;
         $_data['userinfo_url']      = (!empty($_data['userinfo_url'])) ? $_data['userinfo_url'] : null;
-        $required_settings          = array('authsource', 'authorize_url', 'token_url', 'client_id', 'client_secret', 'redirect_url', 'userinfo_url');
+        $_data['client_scopes']     = (!empty($_data['client_scopes'])) ? $_data['client_scopes'] : "openid profile email";
+        $required_settings          = array('authsource', 'authorize_url', 'token_url', 'client_id', 'client_secret', 'redirect_url', 'userinfo_url', 'client_scopes');
       }
 
       $pdo->beginTransaction();
@@ -2318,7 +2323,7 @@ function identity_provider($_action, $_data = null, $_extra = null) {
             'urlAuthorize'            => $iam_settings['authorize_url'],
             'urlAccessToken'          => $iam_settings['token_url'],
             'urlResourceOwnerDetails' => $iam_settings['userinfo_url'],
-            'scopes'                  => 'openid profile email'
+            'scopes'                  => $iam_settings['client_scopes']
           ]);
         }
       }

diff --git a/data/web/lang/lang.en-gb.json b/data/web/lang/lang.en-gb.json
@@ -217,6 +217,7 @@
         "iam_auth_flow_info": "In addition to the Authorization Code Flow (Standard Flow in Keycloak), which is used for Single-Sign On login, mailcow also supports Authentication Flow with direct Credentials. The Mailpassword Flow attempts to validate the user's credentials by using the Keycloak Admin REST API. mailcow retrieves the hashed password from the <code>mailcow_password</code> attribute, which is mapped in Keycloak.",
         "iam_client_id": "Client ID",
         "iam_client_secret": "Client Secret",
+        "iam_client_scopes": "Client Scopes",
         "iam_description": "Configure an external OIDC Provider for Authentication<br>User's mailboxes will be automatically created upon their first login, provided that an attribute mapping has been set.",
         "iam_extra_permission": "For the following settings to work, the mailcow client in Keycloak needs a <code>Service account</code> and the permission to <code>view-users</code>.",
         "iam_import_users": "Import Users",

diff --git a/data/web/templates/admin/tab-config-identity-provider.twig b/data/web/templates/admin/tab-config-identity-provider.twig
@@ -207,12 +207,18 @@
               </div>
             </div>
           </div>
-          <div class="row mb-4">
+          <div class="row mb-2">
             <label class="control-label col-md-3 text-sm-end" for="iam_redirect_url">{{ lang.admin.iam_redirect_url }}:</label>
             <div class="col-12 col-md-9 col-lg-4">
               <input type="text" class="form-control" id="iam_redirect_url" name="redirect_url" value="{{ iam_settings.redirect_url }}" required>
             </div>
           </div>
+          <div class="row mb-4">
+            <label class="control-label col-md-3 text-sm-end" for="iam_client_scopes">{{ lang.admin.iam_client_scopes }}:</label>
+            <div class="col-12 col-md-9 col-lg-4">
+              <input type="text" placeholder="openid profile email" class="form-control" id="iam_client_scopes" name="client_scopes" value="{{ iam_settings.client_scopes }}">
+            </div>
+          </div>
           <div class="row mb-2">
             <label class="control-label col-md-3 text-sm-end">{{ lang.admin.iam_mapping }}:</label>
             <div class="col-12 col-md-9 col-lg-4">