Add scopes settings

Signed-off-by: Andrew Thornton <[email protected]>

cmd/admin.go

@@ -292,6 +292,11 @@ var (
 			Name:  "override-local-2fa",
 			Usage: "Set to true to override local 2fa settings",
 		},
+		cli.StringSliceFlag{
+			Name:  "scopes",
+			Value: nil,
+			Usage: "Scopes to request when to authenticate against this OAuth2 source",
+		},
 	}
 
 	microcmdAuthUpdateOauth = cli.Command{
@@ -621,6 +626,7 @@ func parseOAuth2Config(c *cli.Context) *oauth2.Source {
 		CustomURLMapping:              customURLMapping,
 		IconURL:                       c.String("icon-url"),
 		OverrideLocalTwoFA:            c.Bool("override-local-2fa"),
+		Scopes:                        c.StringSlice("scopes"),
 	}
 }
 
@@ -677,6 +683,10 @@ func runUpdateOauth(c *cli.Context) error {
 		oAuth2Config.IconURL = c.String("icon-url")
 	}
 
+	if c.IsSet("scopes") {
+		oAuth2Config.Scopes = c.StringSlice("scopes")
+	}
+
 	// update custom URL mapping
 	var customURLMapping = &oauth2.CustomURLMapping{}
 

docs/content/doc/usage/command-line.en-us.md

@@ -117,6 +117,8 @@ Admin operations:
         - `--custom-profile-url`: Use a custom Profile URL (option for GitLab/GitHub).
         - `--custom-email-url`: Use a custom Email URL (option for GitHub).
         - `--icon-url`: Custom icon URL for OAuth2 login source.
+        - `--override-local-2fa`: Allow source to override local 2fa. (Optional)
+        - `--scopes`: Addtional scopes to request for this OAuth2 source. (Optional)
       - Examples:
         - `gitea admin auth add-oauth --name external-github --provider github --key OBTAIN_FROM_SOURCE --secret OBTAIN_FROM_SOURCE`
     - `update-oauth`:
@@ -133,6 +135,8 @@ Admin operations:
         - `--custom-profile-url`: Use a custom Profile URL (option for GitLab/GitHub).
         - `--custom-email-url`: Use a custom Email URL (option for GitHub).
         - `--icon-url`: Custom icon URL for OAuth2 login source.
+        - `--override-local-2fa`: Allow source to override local 2fa. (Optional)
+        - `--scopes`: Addtional scopes to request for this OAuth2 source.
       - Examples:
         - `gitea admin auth update-oauth --id 1 --name external-github-updated`
     - `add-ldap`: Add new LDAP (via Bind DN) authentication source

modules/templates/helper.go

@@ -377,6 +377,7 @@ func NewFuncMap() []template.FuncMap {
 		"MermaidMaxSourceCharacters": func() int {
 			return setting.MermaidMaxSourceCharacters
 		},
+		"Join": strings.Join,
 	}}
 }
 

options/locale/locale_en-US.ini

@@ -2451,6 +2451,7 @@ auths.oauth2_emailURL = Email URL
 auths.override_local_two_fa = Override local 2FA
 auths.override_local_two_fa_helper = Leaving unset means local users with 2FA set will still have to pass 2FA to log on
 auths.oauth2_tenant = Tenant
+auths.oauth2_scopes = Additional Scopes
 auths.enable_auto_register = Enable Auto Registration
 auths.sspi_auto_create_users = Automatically create users
 auths.sspi_auto_create_users_helper = Allow SSPI auth method to automatically create new accounts for users that login for the first time

routers/web/admin/auths.go

@@ -9,6 +9,7 @@ import (
 	"fmt"
 	"net/http"
 	"regexp"
+	"strings"
 
 	"code.gitea.io/gitea/models"
 	"code.gitea.io/gitea/modules/auth/pam"
@@ -182,6 +183,7 @@ func parseOAuth2Config(form forms.AuthenticationForm) *oauth2.Source {
 		CustomURLMapping:              customURLMapping,
 		IconURL:                       form.Oauth2IconURL,
 		OverrideLocalTwoFA:            form.OverrideLocalTwoFA,
+		Scopes:                        strings.Split(form.Oauth2Scopes, ","),
 	}
 }
 
@@ -322,8 +324,8 @@ func EditAuthSource(ctx *context.Context) {
 				break
 			}
 		}
-
 	}
+
 	ctx.HTML(http.StatusOK, tplAuthEdit)
 }
 

services/auth/source/oauth2/providers_custom.go

@@ -17,7 +17,7 @@ import (
 )
 
 // CustomProviderNewFn creates a goth.Provider using a custom url mapping
-type CustomProviderNewFn func(clientID, secret, callbackURL string, custom *CustomURLMapping) (goth.Provider, error)
+type CustomProviderNewFn func(clientID, secret, callbackURL string, custom *CustomURLMapping, scopes []string) (goth.Provider, error)
 
 // CustomProvider is a GothProvider that has CustomURL features
 type CustomProvider struct {
@@ -35,7 +35,7 @@ func (c *CustomProvider) CustomURLSettings() *CustomURLSettings {
 func (c *CustomProvider) CreateGothProvider(providerName, callbackURL string, source *Source) (goth.Provider, error) {
 	custom := c.customURLSettings.OverrideWith(source.CustomURLMapping)
 
-	return c.newFn(source.ClientID, source.ClientSecret, callbackURL, custom)
+	return c.newFn(source.ClientID, source.ClientSecret, callbackURL, custom, source.Scopes)
 }
 
 // NewCustomProvider is a constructor function for custom providers
@@ -60,8 +60,7 @@ func init() {
 			ProfileURL: availableAttribute(github.ProfileURL),
 			EmailURL:   availableAttribute(github.EmailURL),
 		},
-		func(clientID, secret, callbackURL string, custom *CustomURLMapping) (goth.Provider, error) {
-			scopes := []string{}
+		func(clientID, secret, callbackURL string, custom *CustomURLMapping, scopes []string) (goth.Provider, error) {
 			if setting.OAuth2Client.EnableAutoRegistration {
 				scopes = append(scopes, "user:email")
 			}
@@ -73,8 +72,9 @@ func init() {
 			AuthURL:    availableAttribute(gitlab.AuthURL),
 			TokenURL:   availableAttribute(gitlab.TokenURL),
 			ProfileURL: availableAttribute(gitlab.ProfileURL),
-		}, func(clientID, secret, callbackURL string, custom *CustomURLMapping) (goth.Provider, error) {
-			return gitlab.NewCustomisedURL(clientID, secret, callbackURL, custom.AuthURL, custom.TokenURL, custom.ProfileURL, "read_user"), nil
+		}, func(clientID, secret, callbackURL string, custom *CustomURLMapping, scopes []string) (goth.Provider, error) {
+			scopes = append(scopes, "read_user")
+			return gitlab.NewCustomisedURL(clientID, secret, callbackURL, custom.AuthURL, custom.TokenURL, custom.ProfileURL, scopes...), nil
 		}))
 
 	RegisterGothProvider(NewCustomProvider(
@@ -83,8 +83,8 @@ func init() {
 			AuthURL:    requiredAttribute(gitea.AuthURL),
 			ProfileURL: requiredAttribute(gitea.ProfileURL),
 		},
-		func(clientID, secret, callbackURL string, custom *CustomURLMapping) (goth.Provider, error) {
-			return gitea.NewCustomisedURL(clientID, secret, callbackURL, custom.AuthURL, custom.TokenURL, custom.ProfileURL), nil
+		func(clientID, secret, callbackURL string, custom *CustomURLMapping, scopes []string) (goth.Provider, error) {
+			return gitea.NewCustomisedURL(clientID, secret, callbackURL, custom.AuthURL, custom.TokenURL, custom.ProfileURL, scopes...), nil
 		}))
 
 	RegisterGothProvider(NewCustomProvider(
@@ -93,25 +93,31 @@ func init() {
 			AuthURL:    requiredAttribute(nextcloud.AuthURL),
 			ProfileURL: requiredAttribute(nextcloud.ProfileURL),
 		},
-		func(clientID, secret, callbackURL string, custom *CustomURLMapping) (goth.Provider, error) {
-			return nextcloud.NewCustomisedURL(clientID, secret, callbackURL, custom.AuthURL, custom.TokenURL, custom.ProfileURL), nil
+		func(clientID, secret, callbackURL string, custom *CustomURLMapping, scopes []string) (goth.Provider, error) {
+			return nextcloud.NewCustomisedURL(clientID, secret, callbackURL, custom.AuthURL, custom.TokenURL, custom.ProfileURL, scopes...), nil
 		}))
 
 	RegisterGothProvider(NewCustomProvider(
 		"mastodon", "Mastodon", &CustomURLSettings{
 			AuthURL: requiredAttribute(mastodon.InstanceURL),
 		},
-		func(clientID, secret, callbackURL string, custom *CustomURLMapping) (goth.Provider, error) {
-			return mastodon.NewCustomisedURL(clientID, secret, callbackURL, custom.AuthURL), nil
+		func(clientID, secret, callbackURL string, custom *CustomURLMapping, scopes []string) (goth.Provider, error) {
+			return mastodon.NewCustomisedURL(clientID, secret, callbackURL, custom.AuthURL, scopes...), nil
 		}))
 
 	RegisterGothProvider(NewCustomProvider(
 		"azureadv2", "Azure AD v2", &CustomURLSettings{
 			Tenant: requiredAttribute("organizations"),
 		},
-		func(clientID, secret, callbackURL string, custom *CustomURLMapping) (goth.Provider, error) {
+		func(clientID, secret, callbackURL string, custom *CustomURLMapping, scopes []string) (goth.Provider, error) {
+			azureScopes := make([]azureadv2.ScopeType, len(scopes))
+			for i, scope := range scopes {
+				azureScopes[i] = azureadv2.ScopeType(scope)
+			}
+
 			return azureadv2.New(clientID, secret, callbackURL, azureadv2.ProviderOptions{
 				Tenant: azureadv2.TenantType(custom.Tenant),
+				Scopes: azureScopes,
 			}), nil
 		},
 	))

services/auth/source/oauth2/providers_openid.go

@@ -33,7 +33,12 @@ func (o *OpenIDProvider) Image() string {
 
 // CreateGothProvider creates a GothProvider from this Provider
 func (o *OpenIDProvider) CreateGothProvider(providerName, callbackURL string, source *Source) (goth.Provider, error) {
-	provider, err := openidConnect.New(source.ClientID, source.ClientSecret, callbackURL, source.OpenIDConnectAutoDiscoveryURL, setting.OAuth2Client.OpenIDConnectScopes...)
+	scopes := setting.OAuth2Client.OpenIDConnectScopes
+	if len(scopes) == 0 {
+		scopes = append(scopes, source.Scopes...)
+	}
+
+	provider, err := openidConnect.New(source.ClientID, source.ClientSecret, callbackURL, source.OpenIDConnectAutoDiscoveryURL, scopes...)
 	if err != nil {
 		log.Warn("Failed to create OpenID Connect Provider with name '%s' with url '%s': %v", providerName, source.OpenIDConnectAutoDiscoveryURL, err)
 	}

services/auth/source/oauth2/providers_simple.go

@@ -31,7 +31,8 @@ type SimpleProvider struct {
 
 // CreateGothProvider creates a GothProvider from this Provider
 func (c *SimpleProvider) CreateGothProvider(providerName, callbackURL string, source *Source) (goth.Provider, error) {
-	return c.newFn(source.ClientID, source.ClientSecret, callbackURL, c.scopes...), nil
+	scopes := append(c.scopes, source.Scopes...)
+	return c.newFn(source.ClientID, source.ClientSecret, callbackURL, scopes...), nil
 }
 
 // NewSimpleProvider is a constructor function for simple providers

services/auth/source/oauth2/source.go

@@ -26,6 +26,8 @@ type Source struct {
 	IconURL                       string
 	OverrideLocalTwoFA            bool
 
+	Scopes []string
+
 	// reference to the loginSource
 	loginSource *models.LoginSource
 }

services/forms/auth_form.go

@@ -67,6 +67,7 @@ type AuthenticationForm struct {
 	Oauth2IconURL                 string
 	Oauth2Tenant                  string
 	OverrideLocalTwoFA            bool
+	Oauth2Scopes                  string
 	SSPIAutoCreateUsers           bool
 	SSPIAutoActivateUsers         bool
 	SSPIStripDomainNames          bool

templates/admin/auth/edit.tmpl

@@ -298,6 +298,11 @@
 						<input id="{{.Name}}_email_url" value="{{.CustomURLSettings.EmailURL.Value}}" data-available="{{.CustomURLSettings.EmailURL.Available}}" data-required="{{.CustomURLSettings.EmailURL.Required}}" type="hidden" />
 						<input id="{{.Name}}_tenant" value="{{.CustomURLSettings.Tenant.Value}}" data-available="{{.CustomURLSettings.Tenant.Available}}" data-required="{{.CustomURLSettings.Tenant.Required}}" type="hidden" />
 					{{end}}{{end}}
+
+					<div class="field">
+						<label for="oauth2_scopes">{{.i18n.Tr "admin.auths.oauth2_scopes"}}</label>
+						<input id="oauth2_scopes" name="oauth2_scopes" value="{{if $cfg.Scopes}}{{Join $cfg.Scopes "," }}{{end}}">
+					</div>
 				{{end}}
 
 				<!-- SSPI -->

templates/admin/auth/source/oauth.tmpl

@@ -71,4 +71,9 @@
 		<input id="{{.Name}}_email_url" value="{{.CustomURLSettings.EmailURL.Value}}" data-available="{{.CustomURLSettings.EmailURL.Available}}" data-required="{{.CustomURLSettings.EmailURL.Required}}" type="hidden" />
 		<input id="{{.Name}}_tenant" value="{{.CustomURLSettings.Tenant.Value}}" data-available="{{.CustomURLSettings.Tenant.Available}}" data-required="{{.CustomURLSettings.Tenant.Required}}" type="hidden" />
 	{{end}}{{end}}
+
+	<div class="field">
+		<label for="oauth2_scopes">{{.i18n.Tr "admin.auths.oauth2_scopes"}}</label>
+		<input id="oauth2_scopes" name="oauth2_scopes" values="{{.oauth2_scopes}}">
+	</div>
 </div>