From 892ee605270d583d800ec5ff9e1e4844eae92b38 Mon Sep 17 00:00:00 2001
From: DominikPf <>
Date: Thu, 23 May 2019 10:28:08 +0200
Subject: Fix Scope parsing Issue for OAuth2 Login

---
 Dockerfile | 2 +-
 docker-compose.yml | 2 +-
 packages/wekan-oidc/oidc_client.js | 5 ++---
 releases/virtualbox/start-wekan.sh | 2 +-
 server/authentication.js | 2 +-
 snap-src/bin/config | 4 ++--
 snap-src/bin/wekan-help | 2 +-
 start-wekan.bat | 2 +-
 start-wekan.sh | 2 +-
 9 files changed, 11 insertions(+), 12 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index bdd3b4ca..09df2c08 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -41,7 +41,7 @@ ENV BUILD_DEPS="apt-utils bsdtar gnupg gosu wget curl bzip2 build-essential pyth
 OAUTH2_USERNAME_MAP="" \
 OAUTH2_FULLNAME_MAP="" \
 OAUTH2_ID_TOKEN_WHITELIST_FIELDS=[] \
- OAUTH2_REQUEST_PERMISSIONS=['openid','profiles','email'] \
+ OAUTH2_REQUEST_PERMISSIONS='openid profiles email' \
 OAUTH2_EMAIL_MAP="" \
 LDAP_ENABLE=false \
 LDAP_PORT=389 \
diff --git a/docker-compose.yml b/docker-compose.yml
index aaeb47b0..b2cc4781 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -327,7 +327,7 @@ services:
 # OAUTH2 ID Token Whitelist Fields.
 #- OAUTH2_ID_TOKEN_WHITELIST_FIELDS=[]
 # OAUTH2 Request Permissions.
- #- OAUTH2_REQUEST_PERMISSIONS=['openid','profile','email']
+ #- OAUTH2_REQUEST_PERMISSIONS='openid profile email'
 # OAuth2 ID Mapping
 #- OAUTH2_ID_MAP=
 # OAuth2 Username Mapping
diff --git a/packages/wekan-oidc/oidc_client.js b/packages/wekan-oidc/oidc_client.js
index 744bd841..6da9d9f0 100644
--- a/packages/wekan-oidc/oidc_client.js
+++ b/packages/wekan-oidc/oidc_client.js
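Review bot: The new default on the `+` line still reads `'openid profiles email'`, while every other default this commit touches (docker-compose.yml, server/authentication.js, snap-src/bin/config) and the standard OpenID Connect scope set use `profile`. A provider that validates scopes may answer `invalid_scope`, and one that ignores unknown scopes will presumably not return the claims that OAUTH2_USERNAME_MAP and OAUTH2_FULLNAME_MAP are meant to map, so logins from the Docker image either fail or produce users without names. The typo was already on the removed line, but rewriting the value is the moment to fix it: `OAUTH2_REQUEST_PERMISSIONS='openid profile email' \`. The `ENV` instruction this line belongs to starts before the hunk and continues after it.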
@@ -18,10 +18,9 @@ Oidc.requestCredential = function (options, credentialRequestCompleteCallback) {
 new ServiceConfiguration.ConfigError('Service oidc not configured.'));
 return;
 }
-
+
 var credentialToken = Random.secret();
 var loginStyle = OAuth._loginStyle('oidc', config, options);
- var scope = config.requestPermissions || ['openid', 'profile', 'email'];
 
 // options
 options = options || {};
@@ -29,7 +28,7 @@ Oidc.requestCredential = function (options, credentialRequestCompleteCallback) {
 options.response_type = options.response_type || 'code';
 options.redirect_uri = OAuth._redirectUri('oidc', config);
 options.state = OAuth._stateParam(loginStyle, credentialToken, options.redirectUrl);
- options.scope = scope.join(' ');
+ options.scope = config.requestPermissions || 'openid profile email';
 
 if (config.loginStyle && config.loginStyle == 'popup') {
 options.display = 'popup';
diff --git a/releases/virtualbox/start-wekan.sh b/releases/virtualbox/start-wekan.sh
index cb48db37..ae320df5 100755
--- a/releases/virtualbox/start-wekan.sh
+++ b/releases/virtualbox/start-wekan.sh
@@ -84,7 +84,7 @@
 # OAUTH2 ID Token Whitelist Fields.
 #export OAUTH2_ID_TOKEN_WHITELIST_FIELDS=[]
 # OAUTH2 Request Permissions.
- #export OAUTH2_REQUEST_PERMISSIONS=['openid','profile','email']
+ #export OAUTH2_REQUEST_PERMISSIONS='openid profile email'
 # The claim name you want to map to the unique ID field:
 #export OAUTH2_ID_MAP=email
 # The claim name you want to map to the username field:
diff --git a/server/authentication.js b/server/authentication.js
index 328b1cb3..b0da74f8 100644
--- a/server/authentication.js
+++ b/server/authentication.js
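Review bot: `options.scope = config.requestPermissions || 'openid profile email';` in the second hunk now assumes `requestPermissions` is already a space-separated string, but nothing in this file checks its shape. A deployment whose OAUTH2_REQUEST_PERMISSIONS still carries the pre-change literal `['openid','profile','email']` will send that text verbatim as the scope parameter, and if any configuration path still supplies an array it is interpolated comma-joined rather than space-joined, so the provider is likely to reject the authorization request. Accepting both shapes keeps the fix backward compatible: `var requested = config.requestPermissions || 'openid profile email';` followed by `options.scope = Array.isArray(requested) ? requested.join(' ') : String(requested).trim();`. The removal of `var scope` in the first hunk is the matching half of this change; `Oidc.requestCredential` starts before the first hunk and continues past the second.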
@@ -77,7 +77,7 @@ Meteor.startup(() => {
 userinfoEndpoint: process.env.OAUTH2_USERINFO_ENDPOINT,
 tokenEndpoint: process.env.OAUTH2_TOKEN_ENDPOINT,
 idTokenWhitelistFields: process.env.OAUTH2_ID_TOKEN_WHITELIST_FIELDS || [],
- requestPermissions: process.env.OAUTH2_REQUEST_PERMISSIONS || ['openid','profile','email'],
+ requestPermissions: process.env.OAUTH2_REQUEST_PERMISSIONS || 'openid profile email',
 },
 }
 );
diff --git a/snap-src/bin/config b/snap-src/bin/config
index b950c9e5..9ff01455 100755
--- a/snap-src/bin/config
+++ b/snap-src/bin/config
@@ -170,8 +170,8 @@ DESCRIPTION_OAUTH2_ID_TOKEN_WHITELIST_FIELDS="OAuth2 ID Token Whitelist Fields.
 DEFAULT_OAUTH2_ID_TOKEN_WHITELIST_FIELDS="[]"
 KEY_OAUTH2_ID_TOKEN_WHITELIST_FIELDS="oauth2-id-token-whitelist-fields"
 
-DESCRIPTION_OAUTH2_REQUEST_PERMISSIONS="OAuth2 Request Permissions. Example: ['openid','profile','email']"
-DEFAULT_OAUTH2_REQUEST_PERMISSIONS="['openid','profile','email']"
+DESCRIPTION_OAUTH2_REQUEST_PERMISSIONS="OAuth2 Request Permissions. Example: 'openid profile email'"
+DEFAULT_OAUTH2_REQUEST_PERMISSIONS="'openid profile email'"
 KEY_OAUTH2_REQUEST_PERMISSIONS="oauth2-request-permissions"
 
 DESCRIPTION_OAUTH2_EMAIL_MAP="OAuth2 Email Mapping. Example: email"
diff --git a/snap-src/bin/wekan-help b/snap-src/bin/wekan-help
index 56f418ff..642b6b5f 100755
--- a/snap-src/bin/wekan-help
+++ b/snap-src/bin/wekan-help
@@ -138,7 +138,7 @@ echo -e "\t$ snap set $SNAP_NAME oauth2-id-token-whitelist-fields=''"
 echo -e "\n"
 echo -e "OAuth2 Request Permissions."
 echo -e "To enable the OAuth2 Request Permissions of Wekan:"
-echo -e "\t$ snap set $SNAP_NAME oauth2-request-permissions=\"['openid','profile','email']\""
+echo -e "\t$ snap set $SNAP_NAME oauth2-request-permissions=\"'openid profile email'\""
 echo -e "\t-Disable the OAuth2 Request Permissions of Wekan:"
 echo -e "\t$ snap set $SNAP_NAME oauth2-request-permissions=''"
 echo -e "\n"
diff --git a/start-wekan.bat b/start-wekan.bat
index 72ab1fea..3c8da9a3 100755
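Review bot: `process.env.OAUTH2_REQUEST_PERMISSIONS || 'openid profile email'` hands whatever the operator typed, unmodified, to the value that oidc_client.js presumably reads back as `config.requestPermissions` and sends as the scope parameter, so the legacy array literal `['openid','profile','email']` that every start script documented until this commit, or a comma-separated list, reaches the authorization request unchanged. Since this is the one place the environment value is read, it is the natural place to normalize it into the space-separated token list the `scope` parameter expects, e.g. `requestPermissions: (process.env.OAUTH2_REQUEST_PERMISSIONS || 'openid profile email').split(/[\s,'"\[\]]+/).filter(Boolean).join(' '),`, which also tolerates the quoted and bracketed forms. The same string-versus-array mismatch remains one line up in `idTokenWhitelistFields: process.env.OAUTH2_ID_TOKEN_WHITELIST_FIELDS || []`, where the env value is necessarily a string while the in-code default is an array; it deserves the same treatment in a follow-up. The `Meteor.startup` callback containing this object starts before the hunk.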
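Review bot: `DEFAULT_OAUTH2_REQUEST_PERMISSIONS="'openid profile email'"` nests single quotes inside a double-quoted shell string, so the quote characters are part of the value; if the snap wrapper exports this default verbatim, as the neighbouring `DEFAULT_OAUTH2_ID_TOKEN_WHITELIST_FIELDS="[]"` suggests it does, the provider receives a scope of `'openid profile email'` with literal quotes, which is not a valid list of scope tokens (unlike the Dockerfile `ENV` form, where Docker strips the quotes). The `Example:` text on the `DESCRIPTION_` line and the `snap set $SNAP_NAME oauth2-request-permissions=\"'openid profile email'\"` example in the snap-src/bin/wekan-help hunk below have the same problem and will teach operators the broken form. I would write `DEFAULT_OAUTH2_REQUEST_PERMISSIONS="openid profile email"`, `Example: openid profile email`, and in wekan-help `oauth2-request-permissions=\"openid profile email\"`.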
--- a/start-wekan.bat
+++ b/start-wekan.bat
@@ -96,7 +96,7 @@ REM # OAUTH2 ID Token Whitelist Fields.
 REM SET OAUTH2_ID_TOKEN_WHITELIST_FIELDS=[]
 
 REM # OAUTH2 Request Permissions.
-REM SET OAUTH2_REQUEST_PERMISSIONS=['openid','profile','email']
+REM SET OAUTH2_REQUEST_PERMISSIONS='openid profile email'
 
 REM # OAuth2 ID Mapping
 REM SET OAUTH2_ID_MAP=
diff --git a/start-wekan.sh b/start-wekan.sh
index 25fd9bb1..a904a179 100755
--- a/start-wekan.sh
+++ b/start-wekan.sh
@@ -144,7 +144,7 @@ function wekan_repo_check(){
 # OAUTH2 ID Token Whitelist Fields.
 #export OAUTH2_ID_TOKEN_WHITELIST_FIELDS=[]
 # OAUTH2 Request Permissions.
- #export OAUTH2_REQUEST_PERMISSIONS=['openid','profile','email']
+ #export OAUTH2_REQUEST_PERMISSIONS='openid profile email'
 # OAuth2 ID Mapping
 #export OAUTH2_ID_MAP=
 # OAuth2 Username Mapping
--
cgit v1.2.3-1-g7c22