Make OIDC and OAuth2 scopes configurable. (#445)

Co-authored-by: Orne Brocaar <info@brocaar.com>
2025-01-19 02:56:23 +00:00 · 2024-07-11 12:51:37 +03:00 · 2024-07-11 12:51:37 +03:00 · 3777de706d
commit 3777de706d
parent f76a4b7f83
4 changed files with 80 additions and 16 deletions
--- a/chirpstack/src/api/oauth2.rs
+++ b/chirpstack/src/api/oauth2.rs
@ -53,11 +53,14 @@ pub async fn login_handler() -> Result<impl Reply, Rejection> {
    };

    let (pkce_challenge, pkce_verifier) = PkceCodeChallenge::new_random_sha256();
-    let (auth_url, csrf_token) = client
-        .authorize_url(CsrfToken::new_random)
-        .add_scope(Scope::new("email".into()))
-        .set_pkce_challenge(pkce_challenge)
-        .url();
+    let conf = config::get();
+
+    let mut request = client.authorize_url(CsrfToken::new_random);
+
+    for scope in &conf.user_authentication.oauth2.scopes {
+        request = request.add_scope(Scope::new(scope.to_string()))
+    }
+    let (auth_url, csrf_token) = request.set_pkce_challenge(pkce_challenge).url();

    if let Err(e) = store_verifier(&csrf_token, &pkce_verifier).await {
        error!(error = %e.full(), "Store verifier error");
--- a/chirpstack/src/api/oidc.rs
+++ b/chirpstack/src/api/oidc.rs
@ -59,15 +59,16 @@ pub async fn login_handler() -> Result<impl Reply, Rejection> {
        }
    };

-    let (auth_url, csrf_state, nonce) = client
-        .authorize_url(
-            AuthenticationFlow::<CoreResponseType>::AuthorizationCode,
-            CsrfToken::new_random,
-            Nonce::new_random,
-        )
-        .add_scope(Scope::new("email".to_string()))
-        .add_scope(Scope::new("profile".to_string()))
-        .url();
+    let conf = config::get();
+    let mut request = client.authorize_url(
+        AuthenticationFlow::<CoreResponseType>::AuthorizationCode,
+        CsrfToken::new_random,
+        Nonce::new_random,
+    );
+    for scope in &conf.user_authentication.openid_connect.scopes {
+        request = request.add_scope(Scope::new(scope.to_string()))
+    }
+    let (auth_url, csrf_state, nonce) = request.url();

    if let Err(e) = store_nonce(&csrf_state, &nonce).await {
        error!(error = %e.full(), "Store nonce error");
--- a/chirpstack/src/cmd/configfile.rs
+++ b/chirpstack/src/cmd/configfile.rs
@ -618,6 +618,15 @@ pub fn run() {
    # is needed.
    assume_email_verified={{ user_authentication.openid_connect.assume_email_verified }}

+    # Scopes.
+    #
+    # This configures the scopes that are used during login. You must at least define
+    # "email" and "profile".
+    scopes=[
+      {{#each user_authentication.openid_connect.scopes}}
+      "{{this}}",
+      {{/each}}
+    ]

  # OAuth2 backend.
  [user_authentication.oauth2]
@ -696,6 +705,16 @@ pub fn run() {
    # from the userinfo URL, assuming it will be true.
    assume_email_verified={{ user_authentication.oauth2.assume_email_verified }}

+    # Scopes.
+    #
+    # This configures the scopes that are used during login. You must at least define
+    # "email".
+    scopes=[
+      {{#each user_authentication.oauth2.scopes}}
+      "{{this}}",
+      {{/each}}
+    ]
+

 # Join Server configuration.
 [join_server]
--- a/chirpstack/src/config.rs
+++ b/chirpstack/src/config.rs
@ -410,7 +410,7 @@ impl Default for UserAuthentication {
    }
 }

-#[derive(Serialize, Deserialize, Default, Clone)]
+#[derive(Serialize, Deserialize, Clone)]
 #[serde(default)]
 pub struct OpenIdConnect {
    pub registration_enabled: bool,
@ -423,9 +423,28 @@ pub struct OpenIdConnect {
    pub login_redirect: bool,
    pub login_label: String,
    pub assume_email_verified: bool,
+    pub scopes: Vec<String>,
 }

-#[derive(Serialize, Deserialize, Default, Clone)]
+impl Default for OpenIdConnect {
+    fn default() -> Self {
+        OpenIdConnect {
+            registration_enabled: false,
+            registration_callback_url: "".to_string(),
+            provider_url: "".to_string(),
+            client_id: "".to_string(),
+            client_secret: "".to_string(),
+            redirect_url: "".to_string(),
+            logout_url: "".to_string(),
+            login_redirect: false,
+            login_label: "".to_string(),
+            assume_email_verified: false,
+            scopes: vec!["email".to_string(), "profile".to_string()],
+        }
+    }
+}
+
+#[derive(Serialize, Deserialize, Clone)]
 #[serde(default)]
 pub struct OAuth2 {
    pub registration_enabled: bool,
@ -441,6 +460,28 @@ pub struct OAuth2 {
    pub login_redirect: bool,
    pub login_label: String,
    pub assume_email_verified: bool,
+    pub scopes: Vec<String>,
+}
+
+impl Default for OAuth2 {
+    fn default() -> Self {
+        OAuth2 {
+            registration_enabled: false,
+            registration_callback_url: "".to_string(),
+            client_id: "".to_string(),
+            client_secret: "".to_string(),
+            auth_url: "".to_string(),
+            token_url: "".to_string(),
+            redirect_url: "".to_string(),
+            userinfo_url: "".to_string(),
+            provider: "".to_string(),
+            logout_url: "".to_string(),
+            login_redirect: false,
+            login_label: "".to_string(),
+            assume_email_verified: false,
+            scopes: vec!["email".to_string()],
+        }
+    }
 }

 #[derive(Serialize, Deserialize, Default, Clone)]