* Added OpenID claims "profile" and "email". * Split error. * Added scopes_supported and claims_supported. * Added more metadata. Co-authored-by: techknowlogick <techknowlogick@gitea.io> Co-authored-by: Lauris BH <lauris@nix.lv>tags/v1.15.0-rc1
@@ -394,7 +394,7 @@ func (grant *OAuth2Grant) TableName() string { | |||
return "oauth2_grant" | |||
} | |||
// GenerateNewAuthorizationCode generates a new authorization code for a grant and saves it to the databse | |||
// GenerateNewAuthorizationCode generates a new authorization code for a grant and saves it to the database | |||
func (grant *OAuth2Grant) GenerateNewAuthorizationCode(redirectURI, codeChallenge, codeChallengeMethod string) (*OAuth2AuthorizationCode, error) { | |||
return grant.generateNewAuthorizationCode(x, redirectURI, codeChallenge, codeChallengeMethod) | |||
} | |||
@@ -567,6 +567,19 @@ func (token *OAuth2Token) SignToken() (string, error) { | |||
type OIDCToken struct { | |||
jwt.StandardClaims | |||
Nonce string `json:"nonce,omitempty"` | |||
// Scope profile | |||
Name string `json:"name,omitempty"` | |||
PreferredUsername string `json:"preferred_username,omitempty"` | |||
Profile string `json:"profile,omitempty"` | |||
Picture string `json:"picture,omitempty"` | |||
Website string `json:"website,omitempty"` | |||
Locale string `json:"locale,omitempty"` | |||
UpdatedAt timeutil.TimeStamp `json:"updated_at,omitempty"` | |||
// Scope email | |||
Email string `json:"email,omitempty"` | |||
EmailVerified bool `json:"email_verified,omitempty"` | |||
} | |||
// SignToken signs an id_token with the (symmetric) client secret key |
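Review bot: `EmailVerified bool` with `json:"email_verified,omitempty"` can never emit an explicit `false`: when the `email` scope is granted but the address is not verified, the claim is silently dropped instead of being sent as `false`, so a relying party cannot tell "not verified" from "claim not offered" (OIDC Core §5.1 defines the claim as a true/false value). Consider `EmailVerified *bool `json:"email_verified,omitempty"`` so the claim is omitted only when the scope is absent and otherwise carries the real boolean. The new struct fields also lack a doc comment; suggest `// OIDCToken is the set of claims placed in the id_token; Profile/Email fields are populated only when the matching scope was granted.` above the type. The struct's `UpdatedAt` is a `timeutil.TimeStamp`, which presumably serializes as an integer number of seconds as the spec requires — worth confirming with a test.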
@@ -185,6 +185,21 @@ func newAccessTokenResponse(grant *models.OAuth2Grant, clientSecret string) (*Ac | |||
ErrorDescription: "cannot find application", | |||
} | |||
} | |||
err = app.LoadUser() | |||
if err != nil { | |||
if models.IsErrUserNotExist(err) { | |||
return nil, &AccessTokenError{ | |||
ErrorCode: AccessTokenErrorCodeInvalidRequest, | |||
ErrorDescription: "cannot find user", | |||
} | |||
} | |||
log.Error("Error loading user: %v", err) | |||
return nil, &AccessTokenError{ | |||
ErrorCode: AccessTokenErrorCodeInvalidRequest, | |||
ErrorDescription: "server error", | |||
} | |||
} | |||
idToken := &models.OIDCToken{ | |||
StandardClaims: jwt.StandardClaims{ | |||
ExpiresAt: expirationDate.AsTime().Unix(), | |||
@@ -194,6 +209,20 @@ func newAccessTokenResponse(grant *models.OAuth2Grant, clientSecret string) (*Ac | |||
}, | |||
Nonce: grant.Nonce, | |||
} | |||
if grant.ScopeContains("profile") { | |||
idToken.Name = app.User.FullName | |||
idToken.PreferredUsername = app.User.Name | |||
idToken.Profile = app.User.HTMLURL() | |||
idToken.Picture = app.User.AvatarLink() | |||
idToken.Website = app.User.Website | |||
idToken.Locale = app.User.Language | |||
idToken.UpdatedAt = app.User.UpdatedUnix | |||
} | |||
if grant.ScopeContains("email") { | |||
idToken.Email = app.User.Email | |||
idToken.EmailVerified = app.User.IsActive | |||
} | |||
signedIDToken, err = idToken.SignToken(clientSecret) | |||
if err != nil { | |||
return nil, &AccessTokenError{ |
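Review bot: The profile and email claims are populated from `app.User`, which `app.LoadUser()` appears to load from the OAuth2 application's owner, not from the user who issued the grant (`grant.UserID`, which is what `sub` is presumably derived from). If that reading is right, every id_token would carry the application owner's name, email and avatar, and a relying party that links accounts by `email` would log all users into the owner's account; the claims should come from the grant's user instead, e.g. `user, err := models.GetUserByID(grant.UserID)` with the same error handling, and `app.User.` replaced by `user.` in both scope blocks. Separately, `idToken.EmailVerified = app.User.IsActive` reports account activation rather than verification of that specific address; if Gitea tracks per-address activation state, consider deriving the claim from that, otherwise add a comment such as `// IsActive tracks account activation, which does not prove the primary address was confirmed (e.g. admin-created users)`. The body of `newAccessTokenResponse` starts and ends outside this hunk.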
@@ -6,5 +6,34 @@ | |||
"response_types_supported": [ | |||
"code", | |||
"id_token" | |||
], | |||
"scopes_supported": [ | |||
"openid", | |||
"profile", | |||
"email" | |||
], | |||
"claims_supported": [ | |||
"aud", | |||
"exp", | |||
"iat", | |||
"iss", | |||
"sub", | |||
"name", | |||
"preferred_username", | |||
"profile", | |||
"picture", | |||
"website", | |||
"locale", | |||
"updated_at", | |||
"email", | |||
"email_verified" | |||
], | |||
"code_challenge_methods_supported": [ | |||
"plain", | |||
"S256" | |||
], | |||
"grant_types_supported": [ | |||
"authorization_code", | |||
"refresh_token" | |||
] | |||
} |
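Review bot: Advertising `"plain"` in `code_challenge_methods_supported` tells clients that an un-hashed PKCE verifier is acceptable; RFC 7636 §7.2 says clients should use `plain` only when they are technically unable to compute S256, and exposing it via discovery invites libraries to pick the weaker option. If the authorization endpoint (outside this diff) really accepts `plain`, consider keeping it out of the advertised list or documenting in the template why it is kept, e.g. a note in the accompanying docs that `S256` is the expected method. The first five lines of the template are not visible here, so I cannot tell whether `id_token_signing_alg_values_supported` and `token_endpoint_auth_methods_supported` are already present.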