From eb9e3b8391a5d8f24e92ba9b5d00b1093e162747 Mon Sep 17 00:00:00 2001 From: FreddleSpl0it Date: Fri, 20 Oct 2023 12:30:50 +0200 Subject: [PATCH] [Web] add configurable client scopes for generic-oidc
---
data/web/inc/functions.inc.php | 9 +++++++-- data/web/lang/lang.en-gb.json | 1 + .../templates/admin/tab-config-identity-provider.twig | 8 +++++++- 3 files changed, 15 insertions(+), 3 deletions(-)
diff --git a/data/web/inc/functions.inc.php b/data/web/inc/functions.inc.php
index efa34ef2ed..221ef5c71a 100644
--- a/data/web/inc/functions.inc.php
+++ b/data/web/inc/functions.inc.php
@@ -2108,6 +2108,10 @@ function identity_provider($_action, $_data = null, $_extra = null) {
 $settings[$row["key"]] = $row["value"];
 }
 }
+ // return default client_scopes for generic-oidc if none is set
+ if ($settings["authsource"] == "generic-oidc" && empty($settings["client_scopes"])){
+ $settings["client_scopes"] = "openid profile email";
+ }
 if ($_extra['hide_sensitive']){
 $settings['client_secret'] = '';
 $settings['access_token'] = '';
@@ -2168,7 +2172,8 @@ function identity_provider($_action, $_data = null, $_extra = null) {
 $_data['authorize_url'] = (!empty($_data['authorize_url'])) ? $_data['authorize_url'] : null;
 $_data['token_url'] = (!empty($_data['token_url'])) ? $_data['token_url'] : null;
 $_data['userinfo_url'] = (!empty($_data['userinfo_url'])) ? $_data['userinfo_url'] : null;
- $required_settings = array('authsource', 'authorize_url', 'token_url', 'client_id', 'client_secret', 'redirect_url', 'userinfo_url');
+ $_data['client_scopes'] = (!empty($_data['client_scopes'])) ? $_data['client_scopes'] : "openid profile email";
+ $required_settings = array('authsource', 'authorize_url', 'token_url', 'client_id', 'client_secret', 'redirect_url', 'userinfo_url', 'client_scopes');
 }
 $pdo->beginTransaction();
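Review bot: The added default in the read path reads `$settings["authsource"]` unguarded and compares it with loose `==`, so if the settings query returned no rows at all the new `if` emits an undefined-index warning before falling through; `if (($settings["authsource"] ?? '') === "generic-oidc" && empty($settings["client_scopes"])){` closes both points. The literal `"openid profile email"` now lives here and again in the save path of the next hunk, which is worth hoisting into one constant so the two defaults cannot drift apart. identity_provider() begins before this hunk and the row loop that fills `$settings` is only partly visible, so whether `$settings` can really be empty at this point is inferred rather than shown.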
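Review bot: The new `$_data['client_scopes']` line persists the admin-supplied value without any format check, and the read path in the last hunk hands it verbatim to the OAuth client as the `scopes` option, so a comma-separated list, embedded newlines, or a value that drops `openid` is saved silently and only surfaces as a broken login later. RFC 6749 §3.3 defines scope as space-separated tokens of printable ASCII excluding `"` and `\`, and this flow queries the OIDC userinfo endpoint, so `openid` has to be among the requested scopes. I would normalise whitespace, validate against that grammar and require `openid` before the value reaches `$required_settings`, as sketched below; how this branch reports a rejected value is not visible in the hunk, so the error path should mirror whatever the required-settings check uses. identity_provider() continues outside the hunk.
```php
$scopes = preg_replace('/\s+/', ' ', trim((string)($_data['client_scopes'] ?? '')));
$_data['client_scopes'] = ($scopes !== '') ? $scopes : "openid profile email";
// RFC 6749 §3.3: scope = scope-token *( SP scope-token ), scope-token = 1*NQCHAR;
// the userinfo lookup used by this flow also requires the openid scope to be requested
if (!preg_match('/^[\x21\x23-\x5B\x5D-\x7E]+( [\x21\x23-\x5B\x5D-\x7E]+)*$/', $_data['client_scopes'])
  || !in_array('openid', explode(' ', $_data['client_scopes']), true)) {
  // report the rejection the same way the required-settings check does (not visible in this hunk)
  return false;
}
$required_settings = array('authsource', 'authorize_url', 'token_url', 'client_id', 'client_secret', 'redirect_url', 'userinfo_url', 'client_scopes');
```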
@@ -2318,7 +2323,7 @@ function identity_provider($_action, $_data = null, $_extra = null) {
 'urlAuthorize' => $iam_settings['authorize_url'],
 'urlAccessToken' => $iam_settings['token_url'],
 'urlResourceOwnerDetails' => $iam_settings['userinfo_url'],
- 'scopes' => 'openid profile email'
+ 'scopes' => $iam_settings['client_scopes']
 ]);
 }
 }
diff --git a/data/web/lang/lang.en-gb.json b/data/web/lang/lang.en-gb.json
index d77de73733..869e69d161 100644
--- a/data/web/lang/lang.en-gb.json
+++ b/data/web/lang/lang.en-gb.json
@@ -217,6 +217,7 @@
 "iam_auth_flow_info": "In addition to the Authorization Code Flow (Standard Flow in Keycloak), which is used for Single-Sign On login, mailcow also supports Authentication Flow with direct Credentials. The Mailpassword Flow attempts to validate the user's credentials by using the Keycloak Admin REST API. mailcow retrieves the hashed password from the mailcow_password attribute, which is mapped in Keycloak.",
 "iam_client_id": "Client ID",
 "iam_client_secret": "Client Secret",
+ "iam_client_scopes": "Client Scopes",
 "iam_description": "Configure an external OIDC Provider for Authentication
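Review bot: On the new `'scopes'` line `$iam_settings['client_scopes']` is passed through exactly as stored, so an install that saved its provider settings before this key existed, or a row containing only whitespace, sends an empty `scope` parameter to the authorize endpoint; the first hunk only injects the default when the settings are loaded through that get path, and it is not visible here whether `$iam_settings` always comes from there. A fallback in the file's own style on this line is cheap insurance: `'scopes' => (!empty($iam_settings['client_scopes'])) ? $iam_settings['client_scopes'] : 'openid profile email'`. The expectation that the value is a space-separated string rather than an array is inherited from the old literal and deserves a comment, `// space-separated scope list exactly as persisted by the set path`. identity_provider() begins before this hunk.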
User's mailboxes will be automatically created upon their first login, provided that an attribute mapping has been set.",
 "iam_extra_permission": "For the following settings to work, the mailcow client in Keycloak needs a Service account and the permission to view-users.",
 "iam_import_users": "Import Users",
diff --git a/data/web/templates/admin/tab-config-identity-provider.twig b/data/web/templates/admin/tab-config-identity-provider.twig
index 88ccc95ee5..32c20feab7 100644
--- a/data/web/templates/admin/tab-config-identity-provider.twig
+++ b/data/web/templates/admin/tab-config-identity-provider.twig
@@ -207,12 +207,18 @@
-
+
+
+ +
+ +
+