oauth2 additional scopes

Author: marcellmars

modules/setting/oauth2.go

@@ -90,23 +90,25 @@ func parseScopes(sec ConfigSection, name string) []string {
 }
 
 var OAuth2 = struct {
-	Enabled                    bool
-	AccessTokenExpirationTime  int64
-	RefreshTokenExpirationTime int64
-	InvalidateRefreshTokens    bool
-	JWTSigningAlgorithm        string `ini:"JWT_SIGNING_ALGORITHM"`
-	JWTSigningPrivateKeyFile   string `ini:"JWT_SIGNING_PRIVATE_KEY_FILE"`
-	MaxTokenLength             int
-	DefaultApplications        []string
+	Enabled                     bool
+	AccessTokenExpirationTime   int64
+	RefreshTokenExpirationTime  int64
+	InvalidateRefreshTokens     bool
+	JWTSigningAlgorithm         string `ini:"JWT_SIGNING_ALGORITHM"`
+	JWTSigningPrivateKeyFile    string `ini:"JWT_SIGNING_PRIVATE_KEY_FILE"`
+	MaxTokenLength              int
+	DefaultApplications         []string
+	EnableAdditionalGrantScopes bool
 }{
-	Enabled:                    true,
-	AccessTokenExpirationTime:  3600,
-	RefreshTokenExpirationTime: 730,
-	InvalidateRefreshTokens:    false,
-	JWTSigningAlgorithm:        "RS256",
-	JWTSigningPrivateKeyFile:   "jwt/private.pem",
-	MaxTokenLength:             math.MaxInt16,
-	DefaultApplications:        []string{"git-credential-oauth", "git-credential-manager", "tea"},
+	Enabled:                     true,
+	AccessTokenExpirationTime:   3600,
+	RefreshTokenExpirationTime:  730,
+	InvalidateRefreshTokens:     false,
+	JWTSigningAlgorithm:         "RS256",
+	JWTSigningPrivateKeyFile:    "jwt/private.pem",
+	MaxTokenLength:              math.MaxInt16,
+	DefaultApplications:         []string{"git-credential-oauth", "git-credential-manager", "tea"},
+	EnableAdditionalGrantScopes: false,
 }
 
 func loadOAuth2From(rootCfg ConfigProvider) {

routers/web/auth/oauth2_provider.go

@@ -85,7 +85,7 @@ type userInfoResponse struct {
 	PreferredUsername string   `json:"preferred_username"`
 	Email             string   `json:"email"`
 	Picture           string   `json:"picture"`
-	Groups            []string `json:"groups"`
+	Groups            []string `json:"groups,omitempty"`
 }
 
 // InfoOAuth manages request for userinfo endpoint

routers/web/user/setting/applications.go

@@ -113,5 +113,6 @@ func loadApplicationsData(ctx *context.Context) {
 			ctx.ServerError("GetOAuth2GrantsByUserID", err)
 			return
 		}
+		ctx.Data["EnableAdditionalGrantScopes"] = setting.OAuth2.EnableAdditionalGrantScopes
 	}
 }

services/auth/oauth2.go

@@ -26,9 +26,10 @@ var (
 )
 
 // CheckOAuthAccessToken returns uid of user from oauth token
-func CheckOAuthAccessToken(ctx context.Context, accessToken string) int64 {
+func CheckOAuthAccessToken(ctx context.Context, accessToken string) (int64, auth_model.AccessTokenScope) {
+	var accessTokenScope auth_model.AccessTokenScope
 	if !setting.OAuth2.Enabled {
-		return 0
+		return 0, accessTokenScope
 	}
 
 	// JWT tokens require a ".", if the token isn't like that, return early

services/oauth2_provider/access_token.go

@@ -232,10 +232,14 @@ func GetOAuthGroupsForUser(ctx context.Context, user *user_model.User) ([]string
 
 	var groups []string
 	for _, org := range orgs {
-		if onlyPublicGroups {
-			if public, err := org_model.IsPublicMembership(ctx, org.ID, user.ID); err == nil {
-				if !public || !org.Visibility.IsPublic() {
-					continue
+		// process additional scopes only if enabled in settings
+		// this could be removed once additional scopes get accepted
+		if setting.OAuth2.EnableAdditionalGrantScopes {
+			if onlyPublicGroups {
+				if public, err := org_model.IsPublicMembership(ctx, org.ID, user.ID); err == nil {
+					if !public || !org.Visibility.IsPublic() {
+						continue
+					}
 				}
 			}
 		}

services/oauth2_provider/additional_scopes_test.go

@@ -10,6 +10,7 @@ import (
 )
 
 func TestGrantAdditionalScopes(t *testing.T) {
+	setting.OAuth2.EnableAdditionalGrantScopes = true
 	tests := []struct {
 		grantScopes    string
 		expectedScopes string

tests/integration/oauth_test.go

@@ -515,7 +515,7 @@ func TestOAuth_GrantScopesReadUserFailRepos(t *testing.T) {
 	err := db.Insert(db.DefaultContext, grant)
 	require.NoError(t, err)
 
-	assert.ElementsMatch(t, []string{"openid", "profile", "email", "read:user"}, strings.Split(grant.Scope, " "))
+	assert.Contains(t, grant.Scope, "openid profile email read:user")
 
 	ctx := loginUserWithPasswordRemember(t, user.Name, "password", true)
 
@@ -596,7 +596,7 @@ func TestOAuth_GrantScopesReadRepositoryFailOrganization(t *testing.T) {
 	err := db.Insert(db.DefaultContext, grant)
 	require.NoError(t, err)
 
-	assert.ElementsMatch(t, []string{"openid", "profile", "email", "read:user", "read:repository"}, strings.Split(grant.Scope, " "))
+	assert.Contains(t, grant.Scope, "openid profile email read:user read:repository")
 
 	ctx := loginUserWithPasswordRemember(t, user.Name, "password", true)
 
@@ -790,7 +790,7 @@ func TestOAuth_GrantScopesClaimGroupsAll(t *testing.T) {
 	}
 }
 
-func TestOAuth_GrantScopesClaimGroupsPublicOnly(t *testing.T) {
+func TestOAuth_GrantScopesEnabledClaimGroups(t *testing.T) {
 	defer tests.PrepareTestEnv(t)()
 
 	user := unittest.AssertExistsAndLoadBean(t, &user_model.User{Name: "user2"})
@@ -819,7 +819,7 @@ func TestOAuth_GrantScopesClaimGroupsPublicOnly(t *testing.T) {
 	err := db.Insert(db.DefaultContext, grant)
 	require.NoError(t, err)
 
-	assert.ElementsMatch(t, []string{"openid", "profile", "email", "groups"}, strings.Split(grant.Scope, " "))
+	assert.Contains(t, grant.Scope, "openid profile email groups")
 
 	ctx := loginUserWithPasswordRemember(t, user.Name, "password", true)