Diffstat (limited to 'services/oauth2_provider')
-rw-r--r--services/oauth2_provider/access_token.go36
-rw-r--r--services/oauth2_provider/additional_scopes_test.go2
-rw-r--r--services/oauth2_provider/init.go2
-rw-r--r--services/oauth2_provider/jwtsigningkey.go2
-rw-r--r--services/oauth2_provider/token.go2
5 files changed, 27 insertions, 17 deletions
diff --git a/services/oauth2_provider/access_token.go b/services/oauth2_provider/access_token.go
index 52a73c9572..5a190d8616 100644
--- a/services/oauth2_provider/access_token.go
+++ b/services/oauth2_provider/access_token.go
@@ -1,7 +1,7 @@
// Copyright 2024 The Gitea Authors. All rights reserved.
// SPDX-License-Identifier: MIT
-package oauth2_provider //nolint
+package oauth2_provider
import (
"context"
@@ -16,7 +16,9 @@ import (
user_model "code.gitea.io/gitea/models/user"
"code.gitea.io/gitea/modules/log"
"code.gitea.io/gitea/modules/setting"
+ api "code.gitea.io/gitea/modules/structs"
"code.gitea.io/gitea/modules/timeutil"
+ "code.gitea.io/gitea/modules/util"
"github.com/golang-jwt/jwt/v5"
)
@@ -83,7 +85,7 @@ func GrantAdditionalScopes(grantScopes string) auth.AccessTokenScope {
}
var accessScopes []string // the scopes for access control, but not for general information
- for _, scope := range strings.Split(grantScopes, " ") {
+ for scope := range strings.SplitSeq(grantScopes, " ") {
if scope != "" && !slices.Contains(generalScopesSupported, scope) {
accessScopes = append(accessScopes, scope)
}
@@ -104,6 +106,20 @@ func GrantAdditionalScopes(grantScopes string) auth.AccessTokenScope {
return auth.AccessTokenScopeAll
}
+func NewJwtRegisteredClaimsFromUser(clientID string, grantUserID int64, exp *jwt.NumericDate) jwt.RegisteredClaims {
+ // https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfig
+ // The issuer value returned MUST be identical to the Issuer URL that was used as the prefix to /.well-known/openid-configuration
+ // to retrieve the configuration information. This MUST also be identical to the "iss" Claim value in ID Tokens issued from this Issuer.
+ // * https://accounts.google.com/.well-known/openid-configuration
+ // * https://github.com/login/oauth/.well-known/openid-configuration
+ return jwt.RegisteredClaims{
+ Issuer: strings.TrimSuffix(setting.AppURL, "/"),
+ Audience: []string{clientID},
+ Subject: strconv.FormatInt(grantUserID, 10),
+ ExpiresAt: exp,
+ }
+}
+
func NewAccessTokenResponse(ctx context.Context, grant *auth.OAuth2Grant, serverKey, clientKey JWTSigningKey) (*AccessTokenResponse, *AccessTokenError) {
if setting.OAuth2.InvalidateRefreshTokens {
if err := grant.IncreaseCounter(ctx); err != nil {
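Review bot: NewJwtRegisteredClaimsFromUser is a new exported function without a doc comment, and it also changes the `iss` claim from `setting.AppURL` to the same URL with its trailing slash trimmed; that only satisfies the discovery rule quoted in the comment if the handler serving /.well-known/openid-configuration advertises exactly the same trimmed string, and that handler is not part of this diff. Please confirm the two are produced from one normalization (a shared helper would make the coupling explicit), otherwise relying parties will reject the ID tokens built at the call site in the next hunk. Suggested doc comment: `// NewJwtRegisteredClaimsFromUser returns the registered claims for an ID token issued to clientID on behalf of grantUserID; the issuer is setting.AppURL without its trailing slash so that it matches the issuer published in the OpenID discovery document.`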
@@ -174,13 +190,8 @@ func NewAccessTokenResponse(ctx context.Context, grant *auth.OAuth2Grant, server
}
idToken := &OIDCToken{
- RegisteredClaims: jwt.RegisteredClaims{
- ExpiresAt: jwt.NewNumericDate(expirationDate.AsTime()),
- Issuer: setting.AppURL,
- Audience: []string{app.ClientID},
- Subject: strconv.FormatInt(grant.UserID, 10),
- },
- Nonce: grant.Nonce,
+ RegisteredClaims: NewJwtRegisteredClaimsFromUser(app.ClientID, grant.UserID, jwt.NewNumericDate(expirationDate.AsTime())),
+ Nonce: grant.Nonce,
}
if grant.ScopeContains("profile") {
idToken.Name = user.DisplayName()
@@ -231,12 +242,11 @@ func NewAccessTokenResponse(ctx context.Context, grant *auth.OAuth2Grant, server
}, nil
}
-// returns a list of "org" and "org:team" strings,
-// that the given user is a part of.
+// GetOAuthGroupsForUser returns a list of "org" and "org:team" strings, that the given user is a part of.
func GetOAuthGroupsForUser(ctx context.Context, user *user_model.User, onlyPublicGroups bool) ([]string, error) {
orgs, err := db.Find[org_model.Organization](ctx, org_model.FindOrgOptions{
- UserID: user.ID,
- IncludePrivate: !onlyPublicGroups,
+ UserID: user.ID,
+ IncludeVisibility: util.Iif(onlyPublicGroups, api.VisibleTypePublic, api.VisibleTypePrivate),
})
if err != nil {
return nil, fmt.Errorf("GetUserOrgList: %w", err)
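Review bot: Replacing `IncludePrivate: !onlyPublicGroups` with `IncludeVisibility: util.Iif(onlyPublicGroups, api.VisibleTypePublic, api.VisibleTypePrivate)` is only behaviour-preserving if FindOrgOptions treats IncludeVisibility as an upper bound (every organization at least as visible as the given type), so that limited-visibility organizations are still returned when onlyPublicGroups is false; if it is matched exactly, those organizations would silently disappear from the groups returned to relying parties. FindOrgOptions is outside this diff, so this needs confirming against its implementation, ideally with a test that covers a limited-visibility org in both modes. A one-line comment stating the intent would make the mapping reviewable: `// onlyPublicGroups limits the result to orgs visible to anonymous clients; otherwise all orgs the user belongs to are returned`. GetOAuthGroupsForUser's body continues past the end of this hunk.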
diff --git a/services/oauth2_provider/additional_scopes_test.go b/services/oauth2_provider/additional_scopes_test.go
index 2d4df7aea2..5f375346dc 100644
--- a/services/oauth2_provider/additional_scopes_test.go
+++ b/services/oauth2_provider/additional_scopes_test.go
@@ -1,7 +1,7 @@
// Copyright 2024 The Gitea Authors. All rights reserved.
// SPDX-License-Identifier: MIT
-package oauth2_provider //nolint
+package oauth2_provider
import (
"testing"
diff --git a/services/oauth2_provider/init.go b/services/oauth2_provider/init.go
index e5958099a6..c412bd6433 100644
--- a/services/oauth2_provider/init.go
+++ b/services/oauth2_provider/init.go
@@ -1,7 +1,7 @@
// Copyright 2024 The Gitea Authors. All rights reserved.
// SPDX-License-Identifier: MIT
-package oauth2_provider //nolint
+package oauth2_provider
import (
"context"
diff --git a/services/oauth2_provider/jwtsigningkey.go b/services/oauth2_provider/jwtsigningkey.go
index 3bc4f49410..03c7403f75 100644
--- a/services/oauth2_provider/jwtsigningkey.go
+++ b/services/oauth2_provider/jwtsigningkey.go
@@ -1,7 +1,7 @@
// Copyright 2021 The Gitea Authors. All rights reserved.
// SPDX-License-Identifier: MIT
-package oauth2_provider //nolint
+package oauth2_provider
import (
"crypto/ecdsa"
diff --git a/services/oauth2_provider/token.go b/services/oauth2_provider/token.go
index 383bcdb3eb..935c4cc01f 100644
--- a/services/oauth2_provider/token.go
+++ b/services/oauth2_provider/token.go
@@ -1,7 +1,7 @@
// Copyright 2021 The Gitea Authors. All rights reserved.
// SPDX-License-Identifier: MIT
-package oauth2_provider //nolint
+package oauth2_provider
import (
"errors"