Re: [pgAdmin][PATCH] Add OAUTH2_SCOPE variable for scope configuration - Mailing list pgadmin-hackers

From Khushboo Vashi
Subject Re: [pgAdmin][PATCH] Add OAUTH2_SCOPE variable for scope configuration
Msg-id CAFOhELfvpif=4KQWDG1DEcZChR_R2eDL3DrWpe8zLmE-N8mbrQ@mail.gmail.com
In response to Re: [pgAdmin][PATCH] Add OAUTH2_SCOPE variable for scope configuration  (Khushboo Vashi <khushboo.vashi@enterprisedb.com>)
Responses Re: [pgAdmin][PATCH] Add OAUTH2_SCOPE variable for scope configuration  (Nico Rikken <nico.rikken@alliander.com>)
List pgadmin-hackers
Hi,

Note that this patch just includes the configurable scope (which would be helpful in OpenID Connect); it does not include the proper OIDC implementation.

Thanks,
Khushboo

On Tue, Aug 31, 2021 at 12:52 PM Khushboo Vashi <khushboo.vashi@enterprisedb.com> wrote:
Hi,

The patch looks good to me.
Please find the attached patch for the same.

Thanks,
Khushboo

On Sun, Aug 29, 2021 at 7:46 PM Akshay Joshi <akshay.joshi@enterprisedb.com> wrote:
Hi Khushboo

Can you please review/test the patch?

On Fri, Aug 27, 2021 at 7:46 PM Nico Rikken <nico.rikken@alliander.com> wrote:
In certain cases like with OpenID Connect, a different scope is needed. This
patch adds an additional variable `OAUTH2_SCOPE` that can be used to configure
the appropriate scope for the deployment. Already there are runtime checks to
ensure that the email claim is included in the user profile, so there is no need
for similar checks on the configuration. This commit does introduce a check in
the oauth2.py if a value for OAUTH2_SCOPE is set, to prevent a breaking change.

Related issue: https://redmine.postgresql.org/issues/6627
OIDC docs: https://openid.net/specs/openid-connect-core-1_0.html#ScopeClaims

I haven't yet tested this, as I'm still in the process of setting up a local
development environment. I hope somebody else here can help me with the quality
assurance.

Signed-off-by: Nico Rikken <nico.rikken@alliander.com>
---
 docs/en_US/oauth2.rst                                 | 1 +
 web/config.py                                         | 3 +++
 web/pgadmin/authenticate/oauth2.py                    | 6 +++++-
 web/pgadmin/browser/tests/test_oauth2_with_mocking.py | 1 +
 4 files changed, 10 insertions(+), 1 deletion(-)

diff --git a/docs/en_US/oauth2.rst b/docs/en_US/oauth2.rst
index 8947b509e..4cc2628f5 100644
--- a/docs/en_US/oauth2.rst
+++ b/docs/en_US/oauth2.rst
@@ -30,6 +30,7 @@ and modify the values for the following parameters:
     "OAUTH2_AUTHORIZATION_URL", "Endpoint for user authorization"
     "OAUTH2_API_BASE_URL", "Oauth2 base URL endpoint to make requests simple, ex: *https://api.github.com/*"
     "OAUTH2_USERINFO_ENDPOINT", "User Endpoint, ex: *user* (for github) and *useinfo* (for google)"
+    "OAUTH2_SCOPE", "Oauth scope, ex: 'openid email profile'. Note that an 'email' claim is required in the resulting profile."
     "OAUTH2_ICON", "The Font-awesome icon to be placed on the oauth2 button,  ex: fa-github"
     "OAUTH2_BUTTON_COLOR", "Oauth2 button color"
     "OAUTH2_AUTO_CREATE_USER", "Set the value to *True* if you want to automatically
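Review bot: the new "OAUTH2_SCOPE" row documents the value but not the behaviour when it is left unset, which for a configuration option is the case most administrators will hit; since oauth2.py falls back to the previous hardcoded scope, suggest extending the description to "Oauth scope, ex: 'openid email profile'. Defaults to 'email profile' when not set. Note that an 'email' claim is required in the resulting profile." It would also help to say that the 'openid' scope is only meaningful for OpenID Connect providers, so plain OAuth2 providers such as GitHub keep the default.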
diff --git a/web/config.py b/web/config.py
index d797e26f7..e932d17fc 100644
--- a/web/config.py
+++ b/web/config.py
@@ -711,6 +711,9 @@ OAUTH2_CONFIG = [
         # Name of the Endpoint, ex: user
         'OAUTH2_USERINFO_ENDPOINT': None,
         # Font-awesome icon, ex: fa-github
+        'OAUTH2_SCOPE': None,
+        # Oauth scope, ex: 'openid email profile'
+        # Note that an 'email' claim is required in the resulting profile
         'OAUTH2_ICON': None,
         # UI button colour, ex: #0000ff
         'OAUTH2_BUTTON_COLOR': None,
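Review bot: the three added lines are inserted at the wrong offset, so the comments no longer describe the keys that follow them: `# Font-awesome icon, ex: fa-github` now sits directly above `'OAUTH2_SCOPE': None,` and the two new scope comments sit directly above `'OAUTH2_ICON': None,`. Move `'OAUTH2_SCOPE': None,` below its own two comment lines and place the block before the `# Font-awesome icon` comment, matching the comment-then-key layout used by every other entry in OAUTH2_CONFIG. Note also that this template now sets the key to `None` rather than leaving it absent, which matters for the `.get()` fallback in oauth2.py.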
diff --git a/web/pgadmin/authenticate/oauth2.py b/web/pgadmin/authenticate/oauth2.py
index 91903165a..5e60d35dd 100644
--- a/web/pgadmin/authenticate/oauth2.py
+++ b/web/pgadmin/authenticate/oauth2.py
@@ -104,7 +104,11 @@ class OAuth2Authentication(BaseAuthentication):
                 access_token_url=oauth2_config['OAUTH2_TOKEN_URL'],
                 authorize_url=oauth2_config['OAUTH2_AUTHORIZATION_URL'],
                 api_base_url=oauth2_config['OAUTH2_API_BASE_URL'],
-                client_kwargs={'scope': 'email profile'}
+                # Resort to previously hardcoded scope 'email profile' in case
+                # no OAUTH2_SCOPE is provided. This prevents a breaking change.
+                client_kwargs={'scope':
+                               oauth2_config.get('OAUTH2_SCOPE',
+                                                 'email profile')}
             )

     def get_source_name(self):
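Review bot: the fallback does not do what the comment and the commit message claim. `dict.get('OAUTH2_SCOPE', 'email profile')` only returns the default when the key is absent; config.py in this same patch adds `'OAUTH2_SCOPE': None` to the shipped OAUTH2_CONFIG, so a deployment that copies that block without setting a scope passes `{'scope': None}` to the client and sends no scope at all, which is exactly the breaking change the comment says it prevents. Suggest `oauth2_config.get('OAUTH2_SCOPE') or 'email profile'` so that a missing key, `None` and an empty string all fall back to the old behaviour. The resulting scope string could also be validated once here (for example, warn if it does not contain `email`), since the later runtime check only fails after the round trip to the provider.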
diff --git a/web/pgadmin/browser/tests/test_oauth2_with_mocking.py b/web/pgadmin/browser/tests/test_oauth2_with_mocking.py
index b170720a8..71706ebe6 100644
--- a/web/pgadmin/browser/tests/test_oauth2_with_mocking.py
+++ b/web/pgadmin/browser/tests/test_oauth2_with_mocking.py
@@ -58,6 +58,7 @@ class Oauth2LoginMockTestCase(BaseTestGenerator):
                     'https://github.com/login/oauth/authorize',
                 'OAUTH2_API_BASE_URL': 'https://api.github.com/',
                 'OAUTH2_USERINFO_ENDPOINT': 'user',
+                'OAUTH2_SCOPE': 'email profile',
                 'OAUTH2_ICON': 'fa-github',
                 'OAUTH2_BUTTON_COLOR': '#3253a8',
             }
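Review bot: the added config line sets OAUTH2_SCOPE to 'email profile', the same value as the old hardcoded default, so the test exercises neither the new code path nor the fallback. Add one case with OAUTH2_SCOPE absent or `None` asserting that the client still requests 'email profile', and one with a non-default value such as 'openid email profile' asserting that value is what reaches the authorize request; the latter is the case the patch exists for.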
--
2.25.1

--
Thanks & Regards
Akshay Joshi
pgAdmin Hacker | Principal Software Architect
EDB Postgres
Mobile: +91 976-788-8246
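The scope fallback discussed in this thread depends on the difference between a configuration key that is missing and one that is present with the value None. The following illustration is added here and is not pgAdmin's own code: `resolve_scope` shows a fallback that treats absent, None and blank values alike, `naive_scope` reproduces the presence-only behaviour of `dict.get(key, default)`, and `profile_has_email` mirrors the runtime requirement that the returned profile carries an email claim. The provider dictionaries are constructed sample values, not pgAdmin configuration.

```python
# Added illustration, not pgAdmin's code. Demonstrates resolving an OAuth2
# scope with a safe fallback and checking the resulting user profile.

DEFAULT_SCOPE = 'email profile'  # the scope that was previously hardcoded


def naive_scope(oauth2_config):
    """Presence-only fallback: dict.get(key, default) returns the default only
    when the key is absent, so a key set to None yields None."""
    return oauth2_config.get('OAUTH2_SCOPE', DEFAULT_SCOPE)


def resolve_scope(oauth2_config):
    """Return the scope string to send to the provider.

    A missing key, None, and a whitespace-only string all fall back to the
    default, because a provider block copied from a config template may
    carry 'OAUTH2_SCOPE': None without the administrator setting it.
    """
    scope = oauth2_config.get('OAUTH2_SCOPE')
    if not isinstance(scope, str) or not scope.strip():
        return DEFAULT_SCOPE
    # Collapse repeated whitespace so the provider receives one clean list.
    return ' '.join(scope.split())


def profile_has_email(profile):
    """Runtime check: the provider may omit the email claim if the requested
    scope did not ask for it, so the login must not proceed without one."""
    email = profile.get('email')
    return isinstance(email, str) and '@' in email


# Constructed sample provider blocks (hypothetical values).
SAMPLE_CONFIGS = [
    {'OAUTH2_NAME': 'template-copy', 'OAUTH2_SCOPE': None},   # key present, unset
    {'OAUTH2_NAME': 'legacy-block'},                           # key absent
    {'OAUTH2_NAME': 'oidc-provider', 'OAUTH2_SCOPE': 'openid email profile'},
]

if __name__ == '__main__':
    for cfg in SAMPLE_CONFIGS:
        print(cfg['OAUTH2_NAME'], 'naive:', naive_scope(cfg),
              'resolved:', resolve_scope(cfg))
    print(profile_has_email({'email': 'user@example.invalid'}))
```

Running the block shows the first sample block producing None under the presence-only fallback but 'email profile' under `resolve_scope`, which is the case a configuration template with a None placeholder would hit in practice.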
