Skip to content

Forward the login_hint upstream. #4512

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 10 commits into from
May 7, 2025
Merged

Forward the login_hint upstream. #4512

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
10 commits
Select commit Hold shift + click to select a range
b58344f
Forward the login_hint upstream.
pixlwave May 6, 2025
c5e0f16
Fix lint error.
pixlwave May 6, 2025
691c055
Fix clippy error.
pixlwave May 6, 2025
096ce60
Add a configuration for forwarding the login hint to the upstream pro…
pixlwave May 6, 2025
e4a4261
Add missing parameter.
pixlwave May 6, 2025
6d29ebb
Generate the schema (which fixes a typo amongst other things 🤦‍♂️)
pixlwave May 6, 2025
26d84c5
Fix database snapshot.
pixlwave May 7, 2025
0d1caae
Update the login schema docs.
pixlwave May 7, 2025
2d4f24e
Update copyright header
pixlwave May 7, 2025
e3c7b80
Update upstream_oauth2.providers docs.
pixlwave May 7, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
8 changes: 8 additions & 0 deletions .gitignore
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1 +1,9 @@
# Rust
target/

# Editors
.idea
.nova

# OS garbage
.DS_Store
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I have those in my global git-config, that's why I never bothered :)

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Whaaat, there's a global gitignore?! Why did nobody ever tell me this before?!! 😂😂

Would you like me to revert this or is it useful for anyone who doesn't have (or know about) global ignores?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yep, it's a thing!

I'm fine with keeping it though :)

1 change: 1 addition & 0 deletions crates/cli/src/sync.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -304,6 +304,7 @@ pub async fn config_sync(
.additional_authorization_parameters
.into_iter()
.collect(),
forward_login_hint: provider.forward_login_hint,
ui_order,
},
)
Expand Down
7 changes: 7 additions & 0 deletions crates/config/src/sections/upstream_oauth2.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -565,4 +565,11 @@ pub struct Provider {
/// Orders of the keys are not preserved.
#[serde(default, skip_serializing_if = "BTreeMap::is_empty")]
pub additional_authorization_parameters: BTreeMap<String, String>,

/// Whether the `login_hint` should be forwarded to the provider in the
/// authorization request.
///
/// Defaults to `false`.
#[serde(default)]
pub forward_login_hint: bool,
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I imagine this should be a template to allow people to configure what exactly gets forwarded based on their upstream provider's requirements

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think later on we'd want a behaviour which looks up the user based on a mxid: login hint, and forwards to the upstream provider with either a id_token_hint (the last id_token we've seen for this user) or a templated login_hint. This obviously has some privacy implications, which is why we want to be careful with this

But for now, this simple feature of just forwarding the login_hint as-is could already be valuable for some deployments

}
1 change: 1 addition & 0 deletions crates/data-model/src/upstream_oauth2/provider.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -241,6 +241,7 @@ pub struct UpstreamOAuthProvider {
pub disabled_at: Option<DateTime<Utc>>,
pub claims_imports: ClaimsImports,
pub additional_authorization_parameters: Vec<(String, String)>,
pub forward_login_hint: bool,
}

impl PartialOrd for UpstreamOAuthProvider {
Expand Down
1 change: 1 addition & 0 deletions crates/handlers/src/admin/v1/upstream_oauth_links/mod.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -47,6 +47,7 @@ mod test_utils {
userinfo_endpoint_override: None,
jwks_uri_override: None,
additional_authorization_parameters: Vec::new(),
forward_login_hint: false,
ui_order: 0,
}
}
Expand Down
17 changes: 16 additions & 1 deletion crates/handlers/src/upstream_oauth2/authorize.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -12,7 +12,7 @@ use hyper::StatusCode;
use mas_axum_utils::{cookies::CookieJar, record_error};
use mas_data_model::UpstreamOAuthProvider;
use mas_oidc_client::requests::authorization_code::AuthorizationRequestData;
use mas_router::UrlBuilder;
use mas_router::{PostAuthAction, UrlBuilder};
use mas_storage::{
BoxClock, BoxRepository, BoxRng,
upstream_oauth2::{UpstreamOAuthProviderRepository, UpstreamOAuthSessionRepository},
Expand Down Expand Up @@ -92,6 +92,21 @@ pub(crate) async fn get(
data = data.with_response_mode(response_mode.into());
}

// Forward the raw login hint upstream for the provider to handle however it
// sees fit
if provider.forward_login_hint {
if let Some(PostAuthAction::ContinueAuthorizationGrant { id }) = &query.post_auth_action {
if let Some(login_hint) = repo
.oauth2_authorization_grant()
.lookup(*id)
.await?
.and_then(|grant| grant.login_hint)
{
data = data.with_login_hint(login_hint);
}
}
}

let data = if let Some(methods) = lazy_metadata.pkce_methods().await? {
data.with_code_challenge_methods_supported(methods)
} else {
Expand Down
1 change: 1 addition & 0 deletions crates/handlers/src/upstream_oauth2/cache.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -426,6 +426,7 @@ mod tests {
disabled_at: None,
claims_imports: UpstreamOAuthProviderClaimsImports::default(),
additional_authorization_parameters: Vec::new(),
forward_login_hint: false,
};

// Without any override, it should just use discovery
Expand Down
1 change: 1 addition & 0 deletions crates/handlers/src/upstream_oauth2/link.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -983,6 +983,7 @@ mod tests {
pkce_mode: mas_data_model::UpstreamOAuthProviderPkceMode::Auto,
response_mode: None,
additional_authorization_parameters: Vec::new(),
forward_login_hint: false,
ui_order: 0,
},
)
Expand Down
2 changes: 2 additions & 0 deletions crates/handlers/src/views/login.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -498,6 +498,7 @@ mod test {
pkce_mode: mas_data_model::UpstreamOAuthProviderPkceMode::Auto,
response_mode: None,
additional_authorization_parameters: Vec::new(),
forward_login_hint: false,
ui_order: 0,
},
)
Expand Down Expand Up @@ -539,6 +540,7 @@ mod test {
pkce_mode: mas_data_model::UpstreamOAuthProviderPkceMode::Auto,
response_mode: None,
additional_authorization_parameters: Vec::new(),
forward_login_hint: false,
ui_order: 1,
},
)
Expand Down
45 changes: 45 additions & 0 deletions ...rage-pg/.sqlx/query-585a1e78834c953c80a0af9215348b0f551b16f4cb57c022b50212cfc3d8431f.json
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

44 changes: 0 additions & 44 deletions ...rage-pg/.sqlx/query-72de26d5e3c56f4b0658685a95b45b647bb6637e55b662a5a548aa3308c62a8a.json
View file
Open in desktop

This file was deleted.

5 changes: 3 additions & 2 deletions ...2eab5efe330f60ef8c6c813c747424ba7ec9.json → ...42ea16db436352b19fcd3b2c620c73d9cc0c.json
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

12 changes: 9 additions & 3 deletions ...0b382b7881e9c4ead31ff257ff5ff4414b6e.json → ...82fbb5029d5f7adf95aaa0decd668d25ba89.json
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

12 changes: 9 additions & 3 deletions ...90aeae4a20329045ab23639181a0d0903178.json → ...419129ef52ac45bea4345471838016cae917.json
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

Loading
Loading