Add OpenID claims "profile" and "email". (#16141)
authorKN4CK3R <admin@oldschoolhack.me>
Mon, 14 Jun 2021 10:33:16 +0000 (12:33 +0200)
committerGitHub <noreply@github.com>
Mon, 14 Jun 2021 10:33:16 +0000 (13:33 +0300)
* Added OpenID claims "profile" and "email".

* Split error.

* Added scopes_supported and claims_supported.

* Added more metadata.

Co-authored-by: techknowlogick <techknowlogick@gitea.io>
Co-authored-by: Lauris BH <lauris@nix.lv>
models/oauth2_application.go
routers/web/user/oauth.go
templates/user/auth/oidc_wellknown.tmpl

index 679fdb18f957deceed24dda482c44335b0ff4739..82d8f4cdf7b1f2e34cf474fd187751048da416a0 100644 (file)
@@ -394,7 +394,7 @@ func (grant *OAuth2Grant) TableName() string {
        return "oauth2_grant"
 }
 
-// GenerateNewAuthorizationCode generates a new authorization code for a grant and saves it to the databse
+// GenerateNewAuthorizationCode generates a new authorization code for a grant and saves it to the database
 func (grant *OAuth2Grant) GenerateNewAuthorizationCode(redirectURI, codeChallenge, codeChallengeMethod string) (*OAuth2AuthorizationCode, error) {
        return grant.generateNewAuthorizationCode(x, redirectURI, codeChallenge, codeChallengeMethod)
 }
@@ -567,6 +567,19 @@ func (token *OAuth2Token) SignToken() (string, error) {
 type OIDCToken struct {
        jwt.StandardClaims
        Nonce string `json:"nonce,omitempty"`
+
+       // Scope profile
+       Name              string             `json:"name,omitempty"`
+       PreferredUsername string             `json:"preferred_username,omitempty"`
+       Profile           string             `json:"profile,omitempty"`
+       Picture           string             `json:"picture,omitempty"`
+       Website           string             `json:"website,omitempty"`
+       Locale            string             `json:"locale,omitempty"`
+       UpdatedAt         timeutil.TimeStamp `json:"updated_at,omitempty"`
+
+       // Scope email
+       Email         string `json:"email,omitempty"`
+       EmailVerified bool   `json:"email_verified,omitempty"`
 }
 
 // SignToken signs an id_token with the (symmetric) client secret key
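Review bot: `EmailVerified bool `json:"email_verified,omitempty"`` in the OIDCToken hunk can never serialize a false value, so a client that was granted the email scope sees the claim only when it is true and cannot tell "address not verified" apart from "claim not issued"; the well-known template in this commit advertises `email_verified` under claims_supported, so clients will expect it whenever `email` is present. Dropping `omitempty` is not enough either, because the struct is built for every token and the field is only assigned under the email scope, which would emit `"email_verified": false` for tokens that carry no email at all. A pointer keeps both behaviours: `EmailVerified *bool `json:"email_verified,omitempty"``, assigned from the scope branch in routers/web/user/oauth.go with the address of a local bool. The `// Scope profile` / `// Scope email` comments are useful; consider stating on `UpdatedAt` that it is the user's record update time rather than the token's, since OIDC `updated_at` is easy to misread.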
index 3359c75020a251e1c5fce988b042f8f580bf6bf8..5667eea45c9638488706878b983b687353f80f08 100644 (file)
@@ -185,6 +185,21 @@ func newAccessTokenResponse(grant *models.OAuth2Grant, clientSecret string) (*Ac
                                ErrorDescription: "cannot find application",
                        }
                }
+               err = app.LoadUser()
+               if err != nil {
+                       if models.IsErrUserNotExist(err) {
+                               return nil, &AccessTokenError{
+                                       ErrorCode:        AccessTokenErrorCodeInvalidRequest,
+                                       ErrorDescription: "cannot find user",
+                               }
+                       }
+                       log.Error("Error loading user: %v", err)
+                       return nil, &AccessTokenError{
+                               ErrorCode:        AccessTokenErrorCodeInvalidRequest,
+                               ErrorDescription: "server error",
+                       }
+               }
+
                idToken := &models.OIDCToken{
                        StandardClaims: jwt.StandardClaims{
                                ExpiresAt: expirationDate.AsTime().Unix(),
@@ -194,6 +209,20 @@ func newAccessTokenResponse(grant *models.OAuth2Grant, clientSecret string) (*Ac
                        },
                        Nonce: grant.Nonce,
                }
+               if grant.ScopeContains("profile") {
+                       idToken.Name = app.User.FullName
+                       idToken.PreferredUsername = app.User.Name
+                       idToken.Profile = app.User.HTMLURL()
+                       idToken.Picture = app.User.AvatarLink()
+                       idToken.Website = app.User.Website
+                       idToken.Locale = app.User.Language
+                       idToken.UpdatedAt = app.User.UpdatedUnix
+               }
+               if grant.ScopeContains("email") {
+                       idToken.Email = app.User.Email
+                       idToken.EmailVerified = app.User.IsActive
+               }
+
                signedIDToken, err = idToken.SignToken(clientSecret)
                if err != nil {
                        return nil, &AccessTokenError{
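Review bot: `idToken.EmailVerified = app.User.IsActive` in the second hunk equates account activation with a confirmed email address, but IsActive appears to be an account-level flag and, depending on how accounts are created (admin-created users, registration without mail confirmation), it may be true without the address ever having been verified; relying parties commonly use `email_verified` to auto-link accounts, so overstating it weakens their trust decision. If no per-address verification state is available here, document the assumption at the assignment, e.g. `// email_verified is approximated by account activation; TODO derive from the verified email record once available`, and consider returning false when the address cannot be shown to be confirmed. The enclosing newAccessTokenResponse starts and ends outside the hunk, so the preceding `app.LoadUser()` error path could not be checked against the rest of the function.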
index fcde060a8d19f23261f7baab61de3f5117a9a3dc..6b1f8f899c13a2aadca8a85e43dc0e8ca870b276 100644 (file)
@@ -6,5 +6,34 @@
     "response_types_supported": [
         "code",
         "id_token"
+    ],
+    "scopes_supported": [
+        "openid",
+        "profile",
+        "email"
+    ],
+    "claims_supported": [
+        "aud",
+        "exp",
+        "iat",
+        "iss",
+        "sub",
+        "name",
+        "preferred_username",
+        "profile",
+        "picture",
+        "website",
+        "locale",
+        "updated_at",
+        "email",
+        "email_verified"
+    ],
+    "code_challenge_methods_supported": [
+        "plain",
+        "S256"
+    ],
+    "grant_types_supported": [
+        "authorization_code",
+        "refresh_token"
     ]
 }