[pgAdmin][PATCH] Add OAUTH2_SCOPE variable for scope configuration - Mailing list pgadmin-hackers

From Nico Rikken
Subject [pgAdmin][PATCH] Add OAUTH2_SCOPE variable for scope configuration
Date
Msg-id AM0PR08MB325257DCFFE8BFED28BA5281F4C89@AM0PR08MB3252.eurprd08.prod.outlook.com
Responses Re: [pgAdmin][PATCH] Add OAUTH2_SCOPE variable for scope configuration  (Akshay Joshi <akshay.joshi@enterprisedb.com>)
List pgadmin-hackers
In certain cases like with OpenID Connect, a different scope is needed. This
patch adds an additional variable `OAUTH2_SCOPE` that can be used to configure
the appropriate scope for the deployment. Already there are runtime checks to
ensure that the email claim is included in the user profile, so there is no need
for similar checks on the configuration. This commit does introduce a check in
oauth2.py for whether a value for OAUTH2_SCOPE is set, to prevent a breaking change.

Related issue: https://redmine.postgresql.org/issues/6627
OIDC docs: https://openid.net/specs/openid-connect-core-1_0.html#ScopeClaims

I haven't yet tested this, as I'm still in the process of setting up a local
development environment. I hope somebody else here can help me with the quality
assurance.

Signed-off-by: Nico Rikken <nico.rikken@alliander.com>
---
 docs/en_US/oauth2.rst                                 | 1 +
 web/config.py                                         | 3 +++
 web/pgadmin/authenticate/oauth2.py                    | 6 +++++-
 web/pgadmin/browser/tests/test_oauth2_with_mocking.py | 1 +
 4 files changed, 10 insertions(+), 1 deletion(-)

diff --git a/docs/en_US/oauth2.rst b/docs/en_US/oauth2.rst
index 8947b509e..4cc2628f5 100644
--- a/docs/en_US/oauth2.rst
+++ b/docs/en_US/oauth2.rst
@@ -30,6 +30,7 @@ and modify the values for the following parameters:
     "OAUTH2_AUTHORIZATION_URL", "Endpoint for user authorization"
     "OAUTH2_API_BASE_URL", "Oauth2 base URL endpoint to make requests simple, ex: *https://api.github.com/*"
     "OAUTH2_USERINFO_ENDPOINT", "User Endpoint, ex: *user* (for github) and *useinfo* (for google)"
+    "OAUTH2_SCOPE", "Oauth scope, ex: 'openid email profile'. Note that an 'email' claim is required in the resulting
profile."
     "OAUTH2_ICON", "The Font-awesome icon to be placed on the oauth2 button,  ex: fa-github"
     "OAUTH2_BUTTON_COLOR", "Oauth2 button color"
     "OAUTH2_AUTO_CREATE_USER", "Set the value to *True* if you want to automatically
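Review bot: the added csv-table row has been split across two lines, and the second line (`profile."`) carries neither a `+` prefix nor the row indentation, while the hunk header `@@ -30,6 +30,7 @@` counts only one added line; as sent, this hunk will not apply with `git am`. Most likely the mail client wrapped the long line. Please keep the whole row on a single `+` line (or send the patch as an attachment), e.g. `+    "OAUTH2_SCOPE", "Oauth scope, ex: 'openid email profile'. Note that an 'email' claim is required in the resulting profile."`. While touching this table, the surrounding context still reads `*useinfo*` for Google, which looks like a typo for `*userinfo*`, but that is pre-existing and could be a separate patch.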
diff --git a/web/config.py b/web/config.py
index d797e26f7..e932d17fc 100644
--- a/web/config.py
+++ b/web/config.py
@@ -711,6 +711,9 @@ OAUTH2_CONFIG = [
         # Name of the Endpoint, ex: user
         'OAUTH2_USERINFO_ENDPOINT': None,
         # Font-awesome icon, ex: fa-github
+        'OAUTH2_SCOPE': None,
+        # Oauth scope, ex: 'openid email profile'
+        # Note that an 'email' claim is required in the resulting profile
         'OAUTH2_ICON': None,
         # UI button colour, ex: #0000ff
         'OAUTH2_BUTTON_COLOR': None,
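Review bot: the new lines are inserted one position too late, so the existing comment `# Font-awesome icon, ex: fa-github` now sits directly above `'OAUTH2_SCOPE': None,` and the two new scope comments sit directly above `'OAUTH2_ICON': None,`. Move the three added lines up so that the block reads `# Oauth scope ...`, `# Note that an 'email' claim ...`, `'OAUTH2_SCOPE': None,` and only then the Font-awesome comment followed by `'OAUTH2_ICON': None,`, matching the comment-above-key convention used by the rest of `OAUTH2_CONFIG`.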
diff --git a/web/pgadmin/authenticate/oauth2.py b/web/pgadmin/authenticate/oauth2.py
index 91903165a..5e60d35dd 100644
--- a/web/pgadmin/authenticate/oauth2.py
+++ b/web/pgadmin/authenticate/oauth2.py
@@ -104,7 +104,11 @@ class OAuth2Authentication(BaseAuthentication):
                 access_token_url=oauth2_config['OAUTH2_TOKEN_URL'],
                 authorize_url=oauth2_config['OAUTH2_AUTHORIZATION_URL'],
                 api_base_url=oauth2_config['OAUTH2_API_BASE_URL'],
-                client_kwargs={'scope': 'email profile'}
+                # Resort to previously hardcoded scope 'email profile' in case
+                # no OAUTH2_SCOPE is provided. This prevents a breaking change.
+                client_kwargs={'scope':
+                               oauth2_config.get('OAUTH2_SCOPE',
+                                                 'email profile')}
             )

     def get_source_name(self):
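Review bot: `oauth2_config.get('OAUTH2_SCOPE', 'email profile')` only falls back when the key is missing, but the same patch ships `'OAUTH2_SCOPE': None` in the `config.py` template, so any deployment that copies the template without setting a scope will pass `scope=None` to the client instead of the old `'email profile'`, which is exactly the breaking change the comment says it prevents. Use a truthiness check so both the absent and the `None`/empty cases fall back, for instance `client_kwargs={'scope': oauth2_config.get('OAUTH2_SCOPE') or 'email profile'}`. It would also help to pull the default into a module-level constant so the docs, the config template and this fallback cannot drift apart.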
diff --git a/web/pgadmin/browser/tests/test_oauth2_with_mocking.py
b/web/pgadmin/browser/tests/test_oauth2_with_mocking.py
index b170720a8..71706ebe6 100644
--- a/web/pgadmin/browser/tests/test_oauth2_with_mocking.py
+++ b/web/pgadmin/browser/tests/test_oauth2_with_mocking.py
@@ -58,6 +58,7 @@ class Oauth2LoginMockTestCase(BaseTestGenerator):
                     'https://github.com/login/oauth/authorize',
                 'OAUTH2_API_BASE_URL': 'https://api.github.com/',
                 'OAUTH2_USERINFO_ENDPOINT': 'user',
+                'OAUTH2_SCOPE': 'email profile',
                 'OAUTH2_ICON': 'fa-github',
                 'OAUTH2_BUTTON_COLOR': '#3253a8',
             }
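Review bot: this test change only adds `'OAUTH2_SCOPE': 'email profile'`, which is the previous hardcoded value, so the mocked login would behave identically with or without the patch and the new code path is not actually exercised. Please add one case with a non-default scope (the commit message's own `'openid email profile'` example) that asserts the value reaches the client's `client_kwargs`, and one case that leaves `OAUTH2_SCOPE` out of (or set to `None` in) the mocked config to pin down the fallback to `'email profile'`. Separately, the `diff --git a/... b/...` header for this file has been wrapped onto two lines by the mailer, which will also stop the patch from applying cleanly.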
--
2.25.1