Refactor OpenIDConnect to support SSH/FullName sync (#34978)

* Fix #26585
* Fix #28327
* Fix #34932

Author: wxiaoguang

cmd/admin_auth_oauth.go

@@ -87,6 +87,14 @@ func oauthCLIFlags() []cli.Flag {
 			Value: nil,
 			Usage: "Scopes to request when to authenticate against this OAuth2 source",
 		},
+		&cli.StringFlag{
+			Name:  "ssh-public-key-claim-name",
+			Usage: "Claim name that provides SSH public keys",
+		},
+		&cli.StringFlag{
+			Name:  "full-name-claim-name",
+			Usage: "Claim name that provides user's full name",
+		},
 		&cli.StringFlag{
 			Name:  "required-claim-name",
 			Value: "",
@@ -177,6 +185,8 @@ func parseOAuth2Config(c *cli.Command) *oauth2.Source {
 		RestrictedGroup:               c.String("restricted-group"),
 		GroupTeamMap:                  c.String("group-team-map"),
 		GroupTeamMapRemoval:           c.Bool("group-team-map-removal"),
+		SSHPublicKeyClaimName:         c.String("ssh-public-key-claim-name"),
+		FullNameClaimName:             c.String("full-name-claim-name"),
 	}
 }
 
@@ -268,6 +278,12 @@ func (a *authService) runUpdateOauth(ctx context.Context, c *cli.Command) error
 	if c.IsSet("group-team-map-removal") {
 		oAuth2Config.GroupTeamMapRemoval = c.Bool("group-team-map-removal")
 	}
+	if c.IsSet("ssh-public-key-claim-name") {
+		oAuth2Config.SSHPublicKeyClaimName = c.String("ssh-public-key-claim-name")
+	}
+	if c.IsSet("full-name-claim-name") {
+		oAuth2Config.FullNameClaimName = c.String("full-name-claim-name")
+	}
 
 	// update custom URL mapping
 	customURLMapping := &oauth2.CustomURLMapping{}

cmd/admin_auth_oauth_test.go

@@ -88,6 +88,8 @@ func TestAddOauth(t *testing.T) {
 				"--restricted-group", "restricted",
 				"--group-team-map", `{"group1": [1,2]}`,
 				"--group-team-map-removal=true",
+				"--ssh-public-key-claim-name", "attr_ssh_pub_key",
+				"--full-name-claim-name", "attr_full_name",
 			},
 			source: &auth_model.Source{
 				Type:     auth_model.OAuth2,
@@ -104,15 +106,17 @@ func TestAddOauth(t *testing.T) {
 						EmailURL:   "https://example.com/email",
 						Tenant:     "some_tenant",
 					},
-					IconURL:             "https://example.com/icon",
-					Scopes:              []string{"scope1", "scope2"},
-					RequiredClaimName:   "claim_name",
-					RequiredClaimValue:  "claim_value",
-					GroupClaimName:      "group_name",
-					AdminGroup:          "admin",
-					RestrictedGroup:     "restricted",
-					GroupTeamMap:        `{"group1": [1,2]}`,
-					GroupTeamMapRemoval: true,
+					IconURL:               "https://example.com/icon",
+					Scopes:                []string{"scope1", "scope2"},
+					RequiredClaimName:     "claim_name",
+					RequiredClaimValue:    "claim_value",
+					GroupClaimName:        "group_name",
+					AdminGroup:            "admin",
+					RestrictedGroup:       "restricted",
+					GroupTeamMap:          `{"group1": [1,2]}`,
+					GroupTeamMapRemoval:   true,
+					SSHPublicKeyClaimName: "attr_ssh_pub_key",
+					FullNameClaimName:     "attr_full_name",
 				},
 				TwoFactorPolicy: "skip",
 			},
@@ -223,15 +227,17 @@ func TestUpdateOauth(t *testing.T) {
 						EmailURL:   "https://old.example.com/email",
 						Tenant:     "old_tenant",
 					},
-					IconURL:             "https://old.example.com/icon",
-					Scopes:              []string{"old_scope1", "old_scope2"},
-					RequiredClaimName:   "old_claim_name",
-					RequiredClaimValue:  "old_claim_value",
-					GroupClaimName:      "old_group_name",
-					AdminGroup:          "old_admin",
-					RestrictedGroup:     "old_restricted",
-					GroupTeamMap:        `{"old_group1": [1,2]}`,
-					GroupTeamMapRemoval: true,
+					IconURL:               "https://old.example.com/icon",
+					Scopes:                []string{"old_scope1", "old_scope2"},
+					RequiredClaimName:     "old_claim_name",
+					RequiredClaimValue:    "old_claim_value",
+					GroupClaimName:        "old_group_name",
+					AdminGroup:            "old_admin",
+					RestrictedGroup:       "old_restricted",
+					GroupTeamMap:          `{"old_group1": [1,2]}`,
+					GroupTeamMapRemoval:   true,
+					SSHPublicKeyClaimName: "old_ssh_pub_key",
+					FullNameClaimName:     "old_full_name",
 				},
 				TwoFactorPolicy: "",
 			},
@@ -257,6 +263,8 @@ func TestUpdateOauth(t *testing.T) {
 				"--restricted-group", "restricted",
 				"--group-team-map", `{"group1": [1,2]}`,
 				"--group-team-map-removal=false",
+				"--ssh-public-key-claim-name", "new_ssh_pub_key",
+				"--full-name-claim-name", "new_full_name",
 			},
 			authSource: &auth_model.Source{
 				ID:       1,
@@ -274,15 +282,17 @@ func TestUpdateOauth(t *testing.T) {
 						EmailURL:   "https://example.com/email",
 						Tenant:     "new_tenant",
 					},
-					IconURL:             "https://example.com/icon",
-					Scopes:              []string{"scope1", "scope2"},
-					RequiredClaimName:   "claim_name",
-					RequiredClaimValue:  "claim_value",
-					GroupClaimName:      "group_name",
-					AdminGroup:          "admin",
-					RestrictedGroup:     "restricted",
-					GroupTeamMap:        `{"group1": [1,2]}`,
-					GroupTeamMapRemoval: false,
+					IconURL:               "https://example.com/icon",
+					Scopes:                []string{"scope1", "scope2"},
+					RequiredClaimName:     "claim_name",
+					RequiredClaimValue:    "claim_value",
+					GroupClaimName:        "group_name",
+					AdminGroup:            "admin",
+					RestrictedGroup:       "restricted",
+					GroupTeamMap:          `{"group1": [1,2]}`,
+					GroupTeamMapRemoval:   false,
+					SSHPublicKeyClaimName: "new_ssh_pub_key",
+					FullNameClaimName:     "new_full_name",
 				},
 				TwoFactorPolicy: "skip",
 			},

models/asymkey/ssh_key.go

@@ -355,13 +355,13 @@ func AddPublicKeysBySource(ctx context.Context, usr *user_model.User, s *auth.So
 	return sshKeysNeedUpdate
 }
 
-// SynchronizePublicKeys updates a users public keys. Returns true if there are changes.
+// SynchronizePublicKeys updates a user's public keys. Returns true if there are changes.
 func SynchronizePublicKeys(ctx context.Context, usr *user_model.User, s *auth.Source, sshPublicKeys []string) bool {
 	var sshKeysNeedUpdate bool
 
 	log.Trace("synchronizePublicKeys[%s]: Handling Public SSH Key synchronization for user %s", s.Name, usr.Name)
 
-	// Get Public Keys from DB with current LDAP source
+	// Get Public Keys from DB with the current auth source
 	var giteaKeys []string
 	keys, err := db.Find[PublicKey](ctx, FindPublicKeyOptions{
 		OwnerID:       usr.ID,

models/auth/oauth2.go

@@ -612,8 +612,8 @@ func (err ErrOAuthApplicationNotFound) Unwrap() error {
 	return util.ErrNotExist
 }
 
-// GetActiveOAuth2SourceByName returns a OAuth2 AuthSource based on the given name
-func GetActiveOAuth2SourceByName(ctx context.Context, name string) (*Source, error) {
+// GetActiveOAuth2SourceByAuthName returns a OAuth2 AuthSource based on the given name
+func GetActiveOAuth2SourceByAuthName(ctx context.Context, name string) (*Source, error) {
 	authSource := new(Source)
 	has, err := db.GetEngine(ctx).Where("name = ? and type = ? and is_active = ?", name, OAuth2, true).Get(authSource)
 	if err != nil {

models/auth/source.go

@@ -334,7 +334,7 @@ func UpdateSource(ctx context.Context, source *Source) error {
 
 	err = registerableSource.RegisterSource()
 	if err != nil {
-		// restore original values since we cannot update the provider it self
+		// restore original values since we cannot update the provider itself
 		if _, err := db.GetEngine(ctx).ID(source.ID).AllCols().Update(originalSource); err != nil {
 			log.Error("UpdateSource: Error while wrapOpenIDConnectInitializeError: %v", err)
 		}

modules/setting/oauth2.go

@@ -12,7 +12,7 @@ import (
 	"code.gitea.io/gitea/modules/log"
 )
 
-// OAuth2UsernameType is enum describing the way gitea 'name' should be generated from oauth2 data
+// OAuth2UsernameType is enum describing the way gitea generates its 'username' from oauth2 data
 type OAuth2UsernameType string
 
 const (

options/locale/locale_en-US.ini

@@ -3251,6 +3251,8 @@ auths.oauth2_required_claim_name_helper = Set this name to restrict login from t
 auths.oauth2_required_claim_value = Required Claim Value
 auths.oauth2_required_claim_value_helper = Set this value to restrict login from this source to users with a claim with this name and value
 auths.oauth2_group_claim_name = Claim name providing group names for this source. (Optional)
+auths.oauth2_full_name_claim_name = Full Name Claim Name. (Optional, if set, the user's full name will always be synchronized with this claim)
+auths.oauth2_ssh_public_key_claim_name = SSH Public Key Claim Name
 auths.oauth2_admin_group = Group Claim value for administrator users. (Optional - requires claim name above)
 auths.oauth2_restricted_group = Group Claim value for restricted users. (Optional - requires claim name above)
 auths.oauth2_map_group_to_team = Map claimed groups to Organization teams. (Optional - requires claim name above)

routers/web/admin/auths.go

@@ -199,6 +199,9 @@ func parseOAuth2Config(form forms.AuthenticationForm) *oauth2.Source {
 		AdminGroup:                    form.Oauth2AdminGroup,
 		GroupTeamMap:                  form.Oauth2GroupTeamMap,
 		GroupTeamMapRemoval:           form.Oauth2GroupTeamMapRemoval,
+
+		SSHPublicKeyClaimName: form.Oauth2SSHPublicKeyClaimName,
+		FullNameClaimName:     form.Oauth2FullNameClaimName,
 	}
 }
 

routers/web/auth/2fa.go

@@ -14,7 +14,6 @@ import (
 	"code.gitea.io/gitea/modules/templates"
 	"code.gitea.io/gitea/modules/web"
 	"code.gitea.io/gitea/services/context"
-	"code.gitea.io/gitea/services/externalaccount"
 	"code.gitea.io/gitea/services/forms"
 )
 
@@ -75,7 +74,7 @@ func TwoFactorPost(ctx *context.Context) {
 		}
 
 		if ctx.Session.Get("linkAccount") != nil {
-			err = externalaccount.LinkAccountFromStore(ctx, ctx.Session, u)
+			err = linkAccountFromContext(ctx, u)
 			if err != nil {
 				ctx.ServerError("UserSignIn", err)
 				return

routers/web/auth/auth.go

@@ -329,6 +329,7 @@ func handleSignInFull(ctx *context.Context, u *user_model.User, remember, obeyRe
 		"twofaUid",
 		"twofaRemember",
 		"linkAccount",
+		"linkAccountData",
 	}, map[string]any{
 		session.KeyUID:                  u.ID,
 		session.KeyUname:                u.Name,
@@ -519,7 +520,7 @@ func SignUpPost(ctx *context.Context) {
 		Passwd: form.Password,
 	}
 
-	if !createAndHandleCreatedUser(ctx, tplSignUp, form, u, nil, nil, false) {
+	if !createAndHandleCreatedUser(ctx, tplSignUp, form, u, nil, nil) {
 		// error already handled
 		return
 	}
@@ -530,22 +531,22 @@ func SignUpPost(ctx *context.Context) {
 
 // createAndHandleCreatedUser calls createUserInContext and
 // then handleUserCreated.
-func createAndHandleCreatedUser(ctx *context.Context, tpl templates.TplName, form any, u *user_model.User, overwrites *user_model.CreateUserOverwriteOptions, gothUser *goth.User, allowLink bool) bool {
-	if !createUserInContext(ctx, tpl, form, u, overwrites, gothUser, allowLink) {
+func createAndHandleCreatedUser(ctx *context.Context, tpl templates.TplName, form any, u *user_model.User, overwrites *user_model.CreateUserOverwriteOptions, possibleLinkAccountData *LinkAccountData) bool {
+	if !createUserInContext(ctx, tpl, form, u, overwrites, possibleLinkAccountData) {
 		return false
 	}
-	return handleUserCreated(ctx, u, gothUser)
+	return handleUserCreated(ctx, u, possibleLinkAccountData)
 }
 
 // createUserInContext creates a user and handles errors within a given context.
-// Optionally a template can be specified.
-func createUserInContext(ctx *context.Context, tpl templates.TplName, form any, u *user_model.User, overwrites *user_model.CreateUserOverwriteOptions, gothUser *goth.User, allowLink bool) (ok bool) {
+// Optionally, a template can be specified.
+func createUserInContext(ctx *context.Context, tpl templates.TplName, form any, u *user_model.User, overwrites *user_model.CreateUserOverwriteOptions, possibleLinkAccountData *LinkAccountData) (ok bool) {
 	meta := &user_model.Meta{
 		InitialIP:        ctx.RemoteAddr(),
 		InitialUserAgent: ctx.Req.UserAgent(),
 	}
 	if err := user_model.CreateUser(ctx, u, meta, overwrites); err != nil {
-		if allowLink && (user_model.IsErrUserAlreadyExist(err) || user_model.IsErrEmailAlreadyUsed(err)) {
+		if possibleLinkAccountData != nil && (user_model.IsErrUserAlreadyExist(err) || user_model.IsErrEmailAlreadyUsed(err)) {
 			switch setting.OAuth2Client.AccountLinking {
 			case setting.OAuth2AccountLinkingAuto:
 				var user *user_model.User
@@ -561,15 +562,15 @@ func createUserInContext(ctx *context.Context, tpl templates.TplName, form any,
 				}
 
 				// TODO: probably we should respect 'remember' user's choice...
-				linkAccount(ctx, user, *gothUser, true)
+				oauth2LinkAccount(ctx, user, possibleLinkAccountData, true)
 				return false // user is already created here, all redirects are handled
 			case setting.OAuth2AccountLinkingLogin:
-				showLinkingLogin(ctx, *gothUser)
+				showLinkingLogin(ctx, &possibleLinkAccountData.AuthSource, possibleLinkAccountData.GothUser)
 				return false // user will be created only after linking login
 			}
 		}
 
-		// handle error without template
+		// handle error without a template
 		if len(tpl) == 0 {
 			ctx.ServerError("CreateUser", err)
 			return false
@@ -610,7 +611,7 @@ func createUserInContext(ctx *context.Context, tpl templates.TplName, form any,
 // handleUserCreated does additional steps after a new user is created.
 // It auto-sets admin for the only user, updates the optional external user and
 // sends a confirmation email if required.
-func handleUserCreated(ctx *context.Context, u *user_model.User, gothUser *goth.User) (ok bool) {
+func handleUserCreated(ctx *context.Context, u *user_model.User, possibleLinkAccountData *LinkAccountData) (ok bool) {
 	// Auto-set admin for the only user.
 	hasUsers, err := user_model.HasUsers(ctx)
 	if err != nil {
@@ -631,8 +632,8 @@ func handleUserCreated(ctx *context.Context, u *user_model.User, gothUser *goth.
 	}
 
 	// update external user information
-	if gothUser != nil {
-		if err := externalaccount.EnsureLinkExternalToUser(ctx, u, *gothUser); err != nil {
+	if possibleLinkAccountData != nil {
+		if err := externalaccount.EnsureLinkExternalToUser(ctx, possibleLinkAccountData.AuthSource.ID, u, possibleLinkAccountData.GothUser); err != nil {
 			log.Error("EnsureLinkExternalToUser failed: %v", err)
 		}
 	}