Adding scope field to generic OAuth

Some OAuth providers (like Mastodon) do not use the default
"read_user" scope, instead offering a custom scope. The config.ini
for generic OAuth now contains a "scope" field, allowing the admin
to set the scope manually (it defaults to "read_user" if blank).
Darius Kazemi 2020-10-12 20:54:48 -07:00
parent e1cde913e2
commit 667cbb97ed
3 changed files with 6 additions and 2 deletions


@ -108,6 +108,7 @@ type (
TokenEndpoint string `ini:"token_endpoint"` TokenEndpoint string `ini:"token_endpoint"`
InspectEndpoint string `ini:"inspect_endpoint"` InspectEndpoint string `ini:"inspect_endpoint"`
AuthEndpoint string `ini:"auth_endpoint"` AuthEndpoint string `ini:"auth_endpoint"`
Scope string `ini:"scope"`
AllowDisconnect bool `ini:"allow_disconnect"` AllowDisconnect bool `ini:"allow_disconnect"`
} }
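Review bot: The new `Scope` field at the `ini:"scope"` line carries no comment, so an admin editing config.ini cannot see from the struct that a blank value falls back to "read_user" or that the string is forwarded to the provider verbatim; both facts only surface in the handler that reads the field. A doc comment would carry that contract: `// Scope is the OAuth scope string requested at login, sent to the provider as-is. Blank means "read_user"; separate multiple scopes with spaces (RFC 6749 §3.3).` The enclosing `type (` block starts and ends outside the hunk.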


@ -265,6 +265,7 @@ func configureGenericOauth(parentHandler *Handler, r *mux.Router, app *App) {
AuthLocation: app.Config().GenericOauth.Host + app.Config().GenericOauth.AuthEndpoint, AuthLocation: app.Config().GenericOauth.Host + app.Config().GenericOauth.AuthEndpoint,
HttpClient: config.DefaultHTTPClient(), HttpClient: config.DefaultHTTPClient(),
CallbackLocation: callbackLocation, CallbackLocation: callbackLocation,
Scope: config.OrDefaultString(app.Config().GenericOauth.Scope, "read_user"),
} }
configureOauthRoutes(parentHandler, r, app, oauthClient, callbackProxy) configureOauthRoutes(parentHandler, r, app, oauthClient, callbackProxy)
} }
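Review bot: The "read_user" fallback at the `Scope:` line is the only place the default is applied, and whether `config.OrDefaultString` treats a whitespace-only value as blank is not visible here; if it does not, `scope =   ` in config.ini is forwarded untouched and the provider will presumably reject the authorization request with an error the admin cannot easily trace back to the config. Trimming before the fallback, `Scope: config.OrDefaultString(strings.TrimSpace(app.Config().GenericOauth.Scope), "read_user"),` (if `strings` is already imported in this file), removes that case, and a one-line comment such as `// default matches the scope the generic provider used before scope became configurable` records why "read_user" is the fallback. configureGenericOauth starts outside the hunk.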


@ -15,6 +15,7 @@ type genericOauthClient struct {
ExchangeLocation string ExchangeLocation string
InspectLocation string InspectLocation string
CallbackLocation string CallbackLocation string
Scope string
HttpClient HttpClient HttpClient HttpClient
} }
@ -46,7 +47,7 @@ func (c genericOauthClient) buildLoginURL(state string) (string, error) {
q.Set("redirect_uri", c.CallbackLocation) q.Set("redirect_uri", c.CallbackLocation)
q.Set("response_type", "code") q.Set("response_type", "code")
q.Set("state", state) q.Set("state", state)
q.Set("scope", "read_user") q.Set("scope", c.Scope)
u.RawQuery = q.Encode() u.RawQuery = q.Encode()
return u.String(), nil return u.String(), nil
} }
@ -55,7 +56,7 @@ func (c genericOauthClient) exchangeOauthCode(ctx context.Context, code string)
form := url.Values{} form := url.Values{}
form.Add("grant_type", "authorization_code") form.Add("grant_type", "authorization_code")
form.Add("redirect_uri", c.CallbackLocation) form.Add("redirect_uri", c.CallbackLocation)
form.Add("scope", "read_user") form.Add("scope", c.Scope)
form.Add("code", code) form.Add("code", code)
req, err := http.NewRequest("POST", c.ExchangeLocation, strings.NewReader(form.Encode())) req, err := http.NewRequest("POST", c.ExchangeLocation, strings.NewReader(form.Encode()))
if err != nil { if err != nil {
@ -110,5 +111,6 @@ func (c genericOauthClient) inspectOauthAccessToken(ctx context.Context, accessT
if inspectResponse.Error != "" { if inspectResponse.Error != "" {
return nil, errors.New(inspectResponse.Error) return nil, errors.New(inspectResponse.Error)
} }
return &inspectResponse, nil return &inspectResponse, nil
} }
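Review bot: The granted scope is never compared with the requested one: the `scope` value is now operator-configurable at the `q.Set("scope", c.Scope)` and `form.Add("scope", c.Scope)` lines, and RFC 6749 §5.1 lets the token endpoint return a narrower `scope` in its response, but nothing in the visible part of `exchangeOauthCode` (its body continues past the hunk) reads that back, so a provider that silently downgrades the scope fails later as an opaque inspect error rather than a clear mismatch. If the exchange response struct already decodes `scope`, a check along the lines of `if got := resp.Scope; got != "" && got != c.Scope { return nil, fmt.Errorf("provider granted scope %q, expected %q", got, c.Scope) }` makes the mismatch explicit (plain string equality is only adequate for a single scope; a space-separated list needs a set comparison). Separately, the new `Scope` field on `genericOauthClient` has no doc comment and its zero value sends a literal empty `scope=` parameter, since `q.Set` and `form.Add` emit the key even for "", so the field should state that the caller supplies the default: `// Scope is the OAuth scope string sent verbatim in the authorization and token requests; callers must set it (the zero value sends an empty scope).` `buildLoginURL` starts outside the hunk.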