go-gitea · 6543 · Apr 14, 2021 · Oct 19, 2018 · Oct 19, 2018 · Oct 19, 2018
diff --git a/custom/conf/app.example.ini b/custom/conf/app.example.ini
@@ -613,6 +613,33 @@ WHITELISTED_URIS =
 ; Example value: loadaverage.org/badguy stackexchange.com/.*spammer
 BLACKLISTED_URIS =
 
+[oauth2_client]
+; Whether a new auto registered oauth2 user needs to confirm their email.
+; Do not include to use the REGISTER_EMAIL_CONFIRM setting from the `[service]` section.
+REGISTER_EMAIL_CONFIRM =
+; Scopes for the openid connect oauth2 provider (seperated by space, the openid scope is implicitly added).
+; Typical values are profile and email.
+; For more information about the possible values see https://openid.net/specs/openid-connect-core-1_0.html#ScopeClaims
+OPENID_CONNECT_SCOPES =
+; Scopes for the google oauth2 provider (seperated by space)
+; Default scopes will provide only email, but for registration we may need more: email, profile
+GOOGLE_SCOPES =
+; Automatically create user accounts for new oauth2 users.
+ENABLE_AUTO_REGISTRATION = false
+; The source of the username for new oauth2 accounts:
+; userid = use the userid / sub attribute
+; nickname = use the nickname attribute
+; email = use the username part of the email attribute
+USERNAME = userid
+; Update avatar if available from oauth2 provider.
+; Update will be performed on each login.
+UPDATE_AVATAR = false
+; How to handle if an account / email already exists:
+; disabled = show an error
+; login = show an account linking login
+; auto = link directly with the account
+ACCOUNT_LINKING = disabled
+
 [service]
 ; Time limit to confirm account/email registration
 ACTIVE_CODE_LIVE_MINUTES = 180

diff --git a/docs/content/doc/advanced/config-cheat-sheet.en-us.md b/docs/content/doc/advanced/config-cheat-sheet.en-us.md
@@ -425,6 +425,16 @@ relation to port exhaustion.
 - `BLACKLISTED_URIS`: **\<empty\>**: If non-empty, list of POSIX regex patterns matching
    OpenID URI's to block.
 
+## OAuth2 Client (`oauth2_client`)
+
+- `REGISTER_EMAIL_CONFIRM`: *[service]* **REGISTER\_EMAIL\_CONFIRM**: Set this to enable or disable email confirmation of OAuth2 auto-registration. (Overwrites the REGISTER\_EMAIL\_CONFIRM setting of the `[service]` section)
+- `OPENID_CONNECT_SCOPES`: **\<empty\>**: List of additional openid connect scopes. (`openid` is implicitly added)
+- `GOOGLE_SCOPES`: **\<empty\>**: List of additional google scopes (we may need to write here `email profile`)
+- `ENABLE_AUTO_REGISTRATION`: **false**: Enable this to allow auto-registration for oauth2 authentication.
+- `USERNAME`: **userid**: The source of the username for new oauth2 accounts: userid, nickname, email (username part). 
+- `UPDATE_AVATAR`: **false**: Set this to update user avatar if available from the oauth2 provider.
+- `ACCOUNT_LINKING`: **disabled**: How to handle if an account / email already exists: disabled / login / auto.
+
 ## Service (`service`)
 
 - `ACTIVE_CODE_LIVE_MINUTES`: **180**: Time limit (min) to confirm account/email registration.

diff --git a/models/migrations/migrations.go b/models/migrations/migrations.go
@@ -302,6 +302,8 @@ var migrations = []Migration{
 	NewMigration("Remove invalid labels from comments", removeInvalidLabels),
 	// v177 -> v178
 	NewMigration("Delete orphaned IssueLabels", deleteOrphanedIssueLabels),
+	// v178 -> v179
+	NewMigration("Convert avatar url to text", convertAvatarUrlToText),
 }
 
 // GetCurrentDBVersion returns the current db version

diff --git a/models/migrations/v178.go b/models/migrations/v178.go
@@ -0,0 +1,22 @@
+package migrations
+
+import (
+	"xorm.io/xorm"
+	"xorm.io/xorm/schemas"
+)
+
+func convertAvatarUrlToText(x *xorm.Engine) error {
+	dbType := x.Dialect().URI().DBType
+	if dbType == schemas.SQLITE { // For SQLITE, varchar or char will always be represented as TEXT
+		return nil
+	}
+
+	// Some oauth2 providers may give very long avatar urls (i.e. Google)
+	return modifyColumn(x, "external_login_user", &schemas.Column{
+		Name: "avatar_url",
+		SQLType: schemas.SQLType{
+			Name: schemas.Text,
+		},
+		Nullable: true,
+	})
+}
diff --git a/modules/auth/oauth2/oauth2.go b/modules/auth/oauth2/oauth2.go
@@ -175,9 +175,9 @@ func createProvider(providerName, providerType, clientID, clientSecret, openIDCo
 		}
 		provider = gitlab.NewCustomisedURL(clientID, clientSecret, callbackURL, authURL, tokenURL, profileURL, "read_user")
 	case "gplus": // named gplus due to legacy gplus -> google migration (Google killed Google+). This ensures old connections still work
-		provider = google.New(clientID, clientSecret, callbackURL)
+		provider = google.New(clientID, clientSecret, callbackURL, setting.OAuth2Client.GoogleScopes...)
 	case "openidConnect":
-		if provider, err = openidConnect.New(clientID, clientSecret, callbackURL, openIDConnectAutoDiscoveryURL); err != nil {
+		if provider, err = openidConnect.New(clientID, clientSecret, callbackURL, openIDConnectAutoDiscoveryURL, setting.OAuth2Client.OpenIDConnectScopes...); err != nil {
 			log.Warn("Failed to create OpenID Connect Provider with name '%s' with url '%s': %v", providerName, openIDConnectAutoDiscoveryURL, err)
 		}
 	case "twitter":

diff --git a/modules/setting/service.go b/modules/setting/service.go
@@ -5,6 +5,7 @@
 package setting
 
 import (
+	"gopkg.in/ini.v1"
 	"regexp"
 	"time"
 
@@ -68,6 +69,17 @@ var Service struct {
 	} `ini:"service.explore"`
 }
 
+// OAuth2Client settings
+var OAuth2Client struct {
+	RegisterEmailConfirm   bool
+	OpenIDConnectScopes    []string
+	GoogleScopes           []string
+	EnableAutoRegistration bool
+	Username               string
+	UpdateAvatar           bool
+	AccountLinking         string
+}
+
 func newService() {
 	sec := Cfg.Section("service")
 	Service.ActiveCodeLives = sec.Key("ACTIVE_CODE_LIVE_MINUTES").MustInt(180)
@@ -136,4 +148,52 @@ func newService() {
 			Service.OpenIDBlacklist[i] = regexp.MustCompilePOSIX(p)
 		}
 	}
+
+	sec = Cfg.Section("oauth2_client")
+	OAuth2Client.RegisterEmailConfirm = sec.Key("REGISTER_EMAIL_CONFIRM").MustBool(Service.RegisterEmailConfirm)
+	OAuth2Client.OpenIDConnectScopes = parseScopes(sec, "OPENID_CONNECT_SCOPES")
+	OAuth2Client.GoogleScopes = parseScopes(sec, "GOOGLE_SCOPES")
+	OAuth2Client.EnableAutoRegistration = sec.Key("ENABLE_AUTO_REGISTRATION").MustBool()
+	OAuth2Client.Username = sec.Key("USERNAME").MustString("userid")
+	if !isValidUsername(OAuth2Client.Username) {
+		log.Warn("Username setting is not valid: '%s', will fallback to 'userid'", OAuth2Client.Username)
+		OAuth2Client.Username = "userid"
+	}
+	OAuth2Client.UpdateAvatar = sec.Key("UPDATE_AVATAR").MustBool()
+	OAuth2Client.AccountLinking = sec.Key("ACCOUNT_LINKING").MustString("ACCOUNT_LINKING")
+	if !isValidAccountLinking(OAuth2Client.AccountLinking) {
+		log.Warn("Account linking setting is not valid: '%s', will fallback to 'disabled'")
+		OAuth2Client.AccountLinking = "disabled"
+	}
+}
+
+func isValidUsername(username string) bool {
+	switch username {
+	case "userid":
+	case "nickname":
+	case "email":
+		return true
+	}
+	return false
+}
+
+func isValidAccountLinking(accountLinking string) bool {
+	switch accountLinking {
+	case "disabled":
+	case "login":
+	case "auto":
+		return true
+	}
+	return false
+}
+
+func parseScopes(sec *ini.Section, name string) []string {
+	parts := sec.Key(name).Strings(" ")
+	scopes := make([]string, 0, len(parts))
+	for _, scope :=	 range parts {
+		if scope != "" {
+			scopes = append(scopes, scope)
+		}
+	}
+	return scopes
 }