ExternalVendorCode/chirpstack
1
0
Fork 0
mirror of https://github.com/chirpstack/chirpstack.git synced 2025-02-07 11:10:15 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Make OIDC and OAuth2 scopes configurable. (#445)

Browse Source 
Co-authored-by: Orne Brocaar <info@brocaar.com>
This commit is contained in:
pyttel 2024-07-11 12:51:37 +03:00 committed by GitHub
parent f76a4b7f83
commit 3777de706d
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
4 changed files with 80 additions and 16 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

13
chirpstack/src/api/oauth2.rs
View File

@ -53,11 +53,14 @@ pub async fn login_handler() -> Result<impl Reply, Rejection> {
}; };
let (pkce_challenge, pkce_verifier) = PkceCodeChallenge::new_random_sha256(); let (pkce_challenge, pkce_verifier) = PkceCodeChallenge::new_random_sha256();
let (auth_url, csrf_token) = client let conf = config::get();
.authorize_url(CsrfToken::new_random)
.add_scope(Scope::new("email".into())) let mut request = client.authorize_url(CsrfToken::new_random);
.set_pkce_challenge(pkce_challenge)
.url(); for scope in &conf.user_authentication.oauth2.scopes {
request = request.add_scope(Scope::new(scope.to_string()))
}
let (auth_url, csrf_token) = request.set_pkce_challenge(pkce_challenge).url();
if let Err(e) = store_verifier(&csrf_token, &pkce_verifier).await { if let Err(e) = store_verifier(&csrf_token, &pkce_verifier).await {
error!(error = %e.full(), "Store verifier error"); error!(error = %e.full(), "Store verifier error");

13
chirpstack/src/api/oidc.rs
View File

@ -59,15 +59,16 @@ pub async fn login_handler() -> Result<impl Reply, Rejection> {
} }
}; };
let (auth_url, csrf_state, nonce) = client let conf = config::get();
.authorize_url( let mut request = client.authorize_url(
AuthenticationFlow::<CoreResponseType>::AuthorizationCode, AuthenticationFlow::<CoreResponseType>::AuthorizationCode,
CsrfToken::new_random, CsrfToken::new_random,
Nonce::new_random, Nonce::new_random,
) );
.add_scope(Scope::new("email".to_string())) for scope in &conf.user_authentication.openid_connect.scopes {
.add_scope(Scope::new("profile".to_string())) request = request.add_scope(Scope::new(scope.to_string()))
.url(); }
let (auth_url, csrf_state, nonce) = request.url();
if let Err(e) = store_nonce(&csrf_state, &nonce).await { if let Err(e) = store_nonce(&csrf_state, &nonce).await {
error!(error = %e.full(), "Store nonce error"); error!(error = %e.full(), "Store nonce error");

19
chirpstack/src/cmd/configfile.rs
View File

@ -618,6 +618,15 @@ pub fn run() {
# is needed. # is needed.
assume_email_verified={{ user_authentication.openid_connect.assume_email_verified }} assume_email_verified={{ user_authentication.openid_connect.assume_email_verified }}
# Scopes.
#
# This configures the scopes that are used during login. You must at least define
# "email" and "profile".
scopes=[
{{#each user_authentication.openid_connect.scopes}}
"{{this}}",
{{/each}}
]
# OAuth2 backend. # OAuth2 backend.
[user_authentication.oauth2] [user_authentication.oauth2]
@ -696,6 +705,16 @@ pub fn run() {
# from the userinfo URL, assuming it will be true. # from the userinfo URL, assuming it will be true.
assume_email_verified={{ user_authentication.oauth2.assume_email_verified }} assume_email_verified={{ user_authentication.oauth2.assume_email_verified }}
# Scopes.
#
# This configures the scopes that are used during login. You must at least define
# "email".
scopes=[
{{#each user_authentication.oauth2.scopes}}
"{{this}}",
{{/each}}
]
# Join Server configuration. # Join Server configuration.
[join_server] [join_server]

45
chirpstack/src/config.rs
View File

@ -410,7 +410,7 @@ impl Default for UserAuthentication {
} }
} }
#[derive(Serialize, Deserialize, Default, Clone)] #[derive(Serialize, Deserialize, Clone)]
#[serde(default)] #[serde(default)]
pub struct OpenIdConnect { pub struct OpenIdConnect {
pub registration_enabled: bool, pub registration_enabled: bool,
@ -423,9 +423,28 @@ pub struct OpenIdConnect {
pub login_redirect: bool, pub login_redirect: bool,
pub login_label: String, pub login_label: String,
pub assume_email_verified: bool, pub assume_email_verified: bool,
pub scopes: Vec<String>,
} }
#[derive(Serialize, Deserialize, Default, Clone)] impl Default for OpenIdConnect {
fn default() -> Self {
OpenIdConnect {
registration_enabled: false,
registration_callback_url: "".to_string(),
provider_url: "".to_string(),
client_id: "".to_string(),
client_secret: "".to_string(),
redirect_url: "".to_string(),
logout_url: "".to_string(),
login_redirect: false,
login_label: "".to_string(),
assume_email_verified: false,
scopes: vec!["email".to_string(), "profile".to_string()],
}
}
}
#[derive(Serialize, Deserialize, Clone)]
#[serde(default)] #[serde(default)]
pub struct OAuth2 { pub struct OAuth2 {
pub registration_enabled: bool, pub registration_enabled: bool,
@ -441,6 +460,28 @@ pub struct OAuth2 {
pub login_redirect: bool, pub login_redirect: bool,
pub login_label: String, pub login_label: String,
pub assume_email_verified: bool, pub assume_email_verified: bool,
pub scopes: Vec<String>,
}
impl Default for OAuth2 {
fn default() -> Self {
OAuth2 {
registration_enabled: false,
registration_callback_url: "".to_string(),
client_id: "".to_string(),
client_secret: "".to_string(),
auth_url: "".to_string(),
token_url: "".to_string(),
redirect_url: "".to_string(),
userinfo_url: "".to_string(),
provider: "".to_string(),
logout_url: "".to_string(),
login_redirect: false,
login_label: "".to_string(),
assume_email_verified: false,
scopes: vec!["email".to_string()],
}
}
} }
#[derive(Serialize, Deserialize, Default, Clone)] #[derive(Serialize, Deserialize, Default, Clone)]