Skip to content

Commit

Permalink
Merge pull request #17227 from opf/fix/openid-custom-scope
Browse files Browse the repository at this point in the history
Add custom scopes to OpenID Connect
  • Loading branch information
machisuji authored Nov 19, 2024
2 parents 9097151 + 6f5e8e5 commit 3537fa2
Show file tree
Hide file tree
Showing 8 changed files with 58 additions and 0 deletions.
Original file line number Diff line number Diff line change
Expand Up @@ -29,6 +29,8 @@
module OpenIDConnect
module Providers
class ClientDetailsForm < BaseForm
include Redmine::I18n

form do |f|
%i[client_id client_secret].each do |attr|
f.text_field(
Expand All @@ -48,6 +50,20 @@ class ClientDetailsForm < BaseForm
required: false,
input_width: :large
)
f.text_field(
name: :scope,
label: I18n.t("activemodel.attributes.openid_connect/provider.scope"),
placeholder: "openid email profile",
caption: link_translate(
"openid_connect.instructions.scope",
links: {
docs_url: "https://openid.net/specs/openid-connect-basic-1_0.html#Scopes"
}
),
disabled: provider.seeded_from_env?,
required: false,
input_width: :large
)
f.check_box(
name: :limit_self_registration,
label: I18n.t("activemodel.attributes.openid_connect/provider.limit_self_registration"),
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -31,6 +31,7 @@ class Provider < AuthProvider
store_attribute :options, :scheme, :string
store_attribute :options, :port, :string

store_attribute :options, :scope, :string
store_attribute :options, :claims, :string
store_attribute :options, :acr_values, :string

Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -19,6 +19,7 @@ def to_h # rubocop:disable Metrics/AbcSize
authorization_endpoint:,
jwks_uri:,
issuer:,
scope:,
identifier: client_id,
secret: client_secret,
token_endpoint:,
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -53,6 +53,7 @@ def call! # rubocop:disable Metrics/AbcSize
"limit_self_registration" => options["limit_self_registration"],
"use_graph_api" => options["use_graph_api"],
"acr_values" => options["acr_values"],
"scope" => extract_scope(options["scope"]),
"authorization_endpoint" => extract_url(options, "authorization_endpoint"),
"token_endpoint" => extract_url(options, "token_endpoint"),
"userinfo_endpoint" => extract_url(options, "userinfo_endpoint"),
Expand All @@ -68,6 +69,17 @@ def call! # rubocop:disable Metrics/AbcSize

private

def extract_scope(value)
return if value.blank?

case value
when Array
value.join(" ")
else
value
end
end

def oidc_provider(options)
case options["name"]
when /azure/
Expand Down
1 change: 1 addition & 0 deletions modules/openid_connect/config/locales/en.yml
Original file line number Diff line number Diff line change
Expand Up @@ -66,6 +66,7 @@ en:
limit_self_registration: If enabled, users can only register using this provider if configuration on the provider's end allows it.
display_name: The name of the provider. This will be displayed as the login button and in the list of providers.
tenant: Please replace the default tenant with your own if applicable. See <a href=" https://learn.microsoft.com/en-us/entra/identity-platform/v2-protocols-oidc#find-your-apps-openid-configuration-document-uri">this</a>.
scope: If you want to request custom scopes, you can add one or multiple scope values separated by spaces here. For more information, see the [OpenID Connect documentation](docs_url).
post_logout_redirect_uri: The URL the OpenID Connect provider should redirect to after a logout request.
claims: >
You can request additional claims for the userinfo and id token endpoints. Please see [our OpenID connect documentation](docs_url) for more information.
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -64,6 +64,9 @@
fill_in "Client ID", with: "client_id"
fill_in "Client secret", with: "client secret"

# Scope
fill_in "Scope", with: "custom_scope another_scope"

click_link_or_button "Continue"

# Mapping form
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -107,6 +107,7 @@ class TestOpenIDConnectProvider < OpenIDConnect::Provider
host: "localhost",
port: "8080",
scheme: "http",
scope: ["foo", "bar"],
identifier: "http://localhost:3000",
secret: "IVl6GxxujAQ3mt6thAXKxyYYvmyRr8jw",
issuer: "http://localhost:8080/realms/test",
Expand All @@ -129,6 +130,7 @@ class TestOpenIDConnectProvider < OpenIDConnect::Provider
expect(provider.host).to eq "localhost"
expect(provider.port).to eq "8080"
expect(provider.scheme).to eq "http"
expect(provider.scope).to eq "foo bar"
expect(provider.client_id).to eq "http://localhost:3000"
expect(provider.client_secret).to eq "IVl6GxxujAQ3mt6thAXKxyYYvmyRr8jw"
expect(provider.issuer).to eq "http://localhost:8080/realms/test"
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -98,6 +98,28 @@
end
end

describe "scope" do
subject { result }

context "when provided" do
let(:configuration) { { scope: "custom" } }

it { is_expected.to include("scope" => "custom") }
end

context "when provided as array" do
let(:configuration) { { scope: ["foo", "bar"] } }

it { is_expected.to include("scope" => "foo bar") }
end

context "when not provided" do
let(:configuration) { { foo: "bar" } }

it { is_expected.not_to have_key("scope") }
end
end

describe "issuer" do
subject { result }

Expand Down

0 comments on commit 3537fa2

Please sign in to comment.