Add Option to synchronize Admin & Restricted states from OIDC/OAuth2 along with Setting Scopes (#16766)

* Add setting to OAuth handlers to override local 2FA settings This PR adds a setting to OAuth and OpenID login sources to allow the source to override local 2FA requirements. Fix #13939 Signed-off-by: Andrew Thornton <art27@cantab.net> * Fix regression from #16544 Signed-off-by: Andrew Thornton <art27@cantab.net> * Add scopes settings Signed-off-by: Andrew Thornton <art27@cantab.net> * fix trace logging in auth_openid Signed-off-by: Andrew Thornton <art27@cantab.net> * add required claim options Signed-off-by: Andrew Thornton <art27@cantab.net> * Move UpdateExternalUser to externalaccount Signed-off-by: Andrew Thornton <art27@cantab.net> * Allow OAuth2/OIDC to set Admin/Restricted status Signed-off-by: Andrew Thornton <art27@cantab.net> * Allow use of the same group claim name for the prohibit login value Signed-off-by: Andrew Thornton <art27@cantab.net> * fixup! Move UpdateExternalUser to externalaccount * as per wxiaoguang Signed-off-by: Andrew Thornton <art27@cantab.net> * add label back in Signed-off-by: Andrew Thornton <art27@cantab.net> * adjust localisation Signed-off-by: Andrew Thornton <art27@cantab.net> * placate lint Signed-off-by: Andrew Thornton <art27@cantab.net> Co-authored-by: 6543 <6543@obermui.de> Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com> Co-authored-by: techknowlogick <techknowlogick@gitea.io>
author: zeripath <art27@cantab.net> 2021-12-14 08:37:11 +0000
committer: GitHub <noreply@github.com> 2021-12-14 16:37:11 +0800
commit: 0981ec30c3d5218939d44fc2f40725b0b4a03684 (patch)
tree: 5479fb309f9800310cf2268d493e1cd33abfeac6 /services/auth/source/oauth2/providers_custom.go
parent: b4782e24d2821bbb5647eff2eaf5c338e92324db (diff)
download: gitea-0981ec30c3d5218939d44fc2f40725b0b4a03684.tar.gz
gitea-0981ec30c3d5218939d44fc2f40725b0b4a03684.zip
1 files changed, 19 insertions, 13 deletions
diff --git a/services/auth/source/oauth2/providers_custom.go b/services/auth/source/oauth2/providers_custom.go
index f2cff131f4..c3ebdf9df0 100644
--- a/services/auth/source/oauth2/providers_custom.go
+++ b/services/auth/source/oauth2/providers_custom.go
@@ -17,7 +17,7 @@ import (
 )
 
 // CustomProviderNewFn creates a goth.Provider using a custom url mapping
-type CustomProviderNewFn func(clientID, secret, callbackURL string, custom *CustomURLMapping) (goth.Provider, error)
+type CustomProviderNewFn func(clientID, secret, callbackURL string, custom *CustomURLMapping, scopes []string) (goth.Provider, error)
 
 // CustomProvider is a GothProvider that has CustomURL features
 type CustomProvider struct {
@@ -35,7 +35,7 @@ func (c *CustomProvider) CustomURLSettings() *CustomURLSettings {
 func (c *CustomProvider) CreateGothProvider(providerName, callbackURL string, source *Source) (goth.Provider, error) {
 	custom := c.customURLSettings.OverrideWith(source.CustomURLMapping)
 
-	return c.newFn(source.ClientID, source.ClientSecret, callbackURL, custom)
+	return c.newFn(source.ClientID, source.ClientSecret, callbackURL, custom, source.Scopes)
 }
 
 // NewCustomProvider is a constructor function for custom providers
@@ -60,8 +60,7 @@ func init() {
 			ProfileURL: availableAttribute(github.ProfileURL),
 			EmailURL:   availableAttribute(github.EmailURL),
 		},
-		func(clientID, secret, callbackURL string, custom *CustomURLMapping) (goth.Provider, error) {
-			scopes := []string{}
+		func(clientID, secret, callbackURL string, custom *CustomURLMapping, scopes []string) (goth.Provider, error) {
 			if setting.OAuth2Client.EnableAutoRegistration {
 				scopes = append(scopes, "user:email")
 			}
@@ -73,8 +72,9 @@ func init() {
 			AuthURL:    availableAttribute(gitlab.AuthURL),
 			TokenURL:   availableAttribute(gitlab.TokenURL),
 			ProfileURL: availableAttribute(gitlab.ProfileURL),
-		}, func(clientID, secret, callbackURL string, custom *CustomURLMapping) (goth.Provider, error) {
-			return gitlab.NewCustomisedURL(clientID, secret, callbackURL, custom.AuthURL, custom.TokenURL, custom.ProfileURL, "read_user"), nil
+		}, func(clientID, secret, callbackURL string, custom *CustomURLMapping, scopes []string) (goth.Provider, error) {
+			scopes = append(scopes, "read_user")
+			return gitlab.NewCustomisedURL(clientID, secret, callbackURL, custom.AuthURL, custom.TokenURL, custom.ProfileURL, scopes...), nil
 		}))
 
 	RegisterGothProvider(NewCustomProvider(
@@ -83,8 +83,8 @@ func init() {
 			AuthURL:    requiredAttribute(gitea.AuthURL),
 			ProfileURL: requiredAttribute(gitea.ProfileURL),
 		},
-		func(clientID, secret, callbackURL string, custom *CustomURLMapping) (goth.Provider, error) {
-			return gitea.NewCustomisedURL(clientID, secret, callbackURL, custom.AuthURL, custom.TokenURL, custom.ProfileURL), nil
+		func(clientID, secret, callbackURL string, custom *CustomURLMapping, scopes []string) (goth.Provider, error) {
+			return gitea.NewCustomisedURL(clientID, secret, callbackURL, custom.AuthURL, custom.TokenURL, custom.ProfileURL, scopes...), nil
 		}))
 
 	RegisterGothProvider(NewCustomProvider(
@@ -93,25 +93,31 @@ func init() {
 			AuthURL:    requiredAttribute(nextcloud.AuthURL),
 			ProfileURL: requiredAttribute(nextcloud.ProfileURL),
 		},
-		func(clientID, secret, callbackURL string, custom *CustomURLMapping) (goth.Provider, error) {
-			return nextcloud.NewCustomisedURL(clientID, secret, callbackURL, custom.AuthURL, custom.TokenURL, custom.ProfileURL), nil
+		func(clientID, secret, callbackURL string, custom *CustomURLMapping, scopes []string) (goth.Provider, error) {
+			return nextcloud.NewCustomisedURL(clientID, secret, callbackURL, custom.AuthURL, custom.TokenURL, custom.ProfileURL, scopes...), nil
 		}))
 
 	RegisterGothProvider(NewCustomProvider(
 		"mastodon", "Mastodon", &CustomURLSettings{
 			AuthURL: requiredAttribute(mastodon.InstanceURL),
 		},
-		func(clientID, secret, callbackURL string, custom *CustomURLMapping) (goth.Provider, error) {
-			return mastodon.NewCustomisedURL(clientID, secret, callbackURL, custom.AuthURL), nil
+		func(clientID, secret, callbackURL string, custom *CustomURLMapping, scopes []string) (goth.Provider, error) {
+			return mastodon.NewCustomisedURL(clientID, secret, callbackURL, custom.AuthURL, scopes...), nil
 		}))
 
 	RegisterGothProvider(NewCustomProvider(
 		"azureadv2", "Azure AD v2", &CustomURLSettings{
 			Tenant: requiredAttribute("organizations"),
 		},
-		func(clientID, secret, callbackURL string, custom *CustomURLMapping) (goth.Provider, error) {
+		func(clientID, secret, callbackURL string, custom *CustomURLMapping, scopes []string) (goth.Provider, error) {
+			azureScopes := make([]azureadv2.ScopeType, len(scopes))
+			for i, scope := range scopes {
+				azureScopes[i] = azureadv2.ScopeType(scope)
+			}
+
 			return azureadv2.New(clientID, secret, callbackURL, azureadv2.ProviderOptions{
 				Tenant: azureadv2.TenantType(custom.Tenant),
+				Scopes: azureScopes,
 			}), nil
 		},
 	))
author	zeripath <art27@cantab.net>	2021-12-14 08:37:11 +0000
committer	GitHub <noreply@github.com>	2021-12-14 16:37:11 +0800
commit	0981ec30c3d5218939d44fc2f40725b0b4a03684 (patch)
tree	5479fb309f9800310cf2268d493e1cd33abfeac6 /services/auth/source/oauth2/providers_custom.go
parent	b4782e24d2821bbb5647eff2eaf5c338e92324db (diff)
download	gitea-0981ec30c3d5218939d44fc2f40725b0b4a03684.tar.gz gitea-0981ec30c3d5218939d44fc2f40725b0b4a03684.zip