impl oidc #1887

motoki317 · 2023-07-24T10:48:20Z

traefik-forward-authや別traQインスタンスでとりあえず動くような、Authorization Code Flowを利用した一部分のみの実装
どちらも現在のOAuth2で実際事足りているが、主に興味本位で実装した

limitations

(元々) OAuth2のimplicit flowが未実装
- response_mode で fragment をサポートしていない
  - response_type で token, id_token をサポートする場合、セキュリティ上 fragment に乗せる必要があるらしい
- grant_type で implicit をサポートしていない
id_token_signing_alg_values_supported で RS256 をサポートしていない
- OIDC spec では必要と書かれているが、必要...？
- 現在は決め打ちで ES256 だけ
- ちなみに Authorization Code Flow の場合はjwtにsignしない none でもいいらしい

マージしたあとに必要な改修:

traQ UIのconsentの画面でopenid, profile, emailスコープの説明が必要
bot-consoleでopenid, profile, emailスコープを登録できるようにする

refs

イメージをビルドするためのコマンドメモ
docker buildx build --platform "linux/amd64,linux/arm64" --build-arg "TRAQ_VERSION=3.15.1-p1" --build-arg "TRAQ_REVISION=$(git rev-parse --short HEAD)" -t registry.toki317.dev/pub/traq:3.15.1-p1 --push .

router/oauth2/oauth2.go

router/oauth2/token_endpoint.go

router/v3/users.go

cmd/serve.go

service/oidc/userinfo.go

motoki317 · 2024-01-13T09:49:50Z

email scopeでフェイク値を返すくらいならサポートしないほうが良さそうなので消す

motoki317 force-pushed the impl/oidc branch 2 times, most recently from f479e8d to 90a6a05 Compare July 25, 2023 02:51

motoki317 marked this pull request as ready for review September 30, 2023 03:50

motoki317 force-pushed the impl/oidc branch 2 times, most recently from 54b11a8 to 10b0812 Compare November 1, 2023 05:53

hijiki51 reviewed Nov 1, 2023

View reviewed changes

router/oauth2/oauth2.go Show resolved Hide resolved

hijiki51 reviewed Nov 12, 2023

View reviewed changes

router/oauth2/token_endpoint.go Show resolved Hide resolved

hijiki51 reviewed Nov 14, 2023

View reviewed changes

router/v3/users.go Outdated Show resolved Hide resolved

motoki317 commented Nov 16, 2023

View reviewed changes

cmd/serve.go Outdated Show resolved Hide resolved

motoki317 commented Nov 16, 2023

View reviewed changes

service/oidc/userinfo.go Outdated Show resolved Hide resolved

motoki317 force-pushed the impl/oidc branch 2 times, most recently from e4cfc06 to 29702db Compare December 13, 2023 11:00

motoki317 force-pushed the impl/oidc branch from 29702db to f782f28 Compare January 13, 2024 09:34

motoki317 force-pushed the impl/oidc branch from 2949950 to 06290e4 Compare March 16, 2024 00:45

motoki317 force-pushed the impl/oidc branch from 06290e4 to c192154 Compare May 8, 2024 01:15

motoki317 added 11 commits May 8, 2024 12:47

impl oidc

68c2454

handle well-known routes by server-side

13c15f4

add email scope

4e5889d

add openid user role for access token

2abd532

fix response type validation

396afc1

Do not issue refresh tokens to OIDC requests

0c5ec68

Update jwt gen comment

5aa7dd4

Pass in scopes to narrow UserInfo returned claims

d99dd36

Split get_me and get_oidc_userinfo permissions

17b4a5a

add userinfo endpoint swagger doc

db72236

Remove fake email scope value

82fe732

motoki317 force-pushed the impl/oidc branch from c192154 to 82fe732 Compare May 8, 2024 03:48

motoki317 added 2 commits May 8, 2024 13:05

Add .well-known backend route to document Caddyfile

5e7f62e

Always supply traQ name information with openid scope

0ab33b3

motoki317 mentioned this pull request May 8, 2024

OIDC実装の対応 traPtitech/traQ-bot-console#532

Merged

Add always present fields in openapi docs

9d0c19e

motoki317 merged commit d1bcc3f into master May 8, 2024
10 checks passed

motoki317 deleted the impl/oidc branch May 8, 2024 06:27

motoki317 added a commit that referenced this pull request May 8, 2024

Fix #1887: add new OAuth2 scopes

3754d71

motoki317 mentioned this pull request May 8, 2024

OAuth2の新しいスコープに対応 traPtitech/traQ_S-UI#4275

Merged

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

impl oidc #1887

impl oidc #1887

motoki317 commented Jul 24, 2023 •

edited

Loading

motoki317 commented Jan 13, 2024

impl oidc #1887

impl oidc #1887

Conversation

motoki317 commented Jul 24, 2023 • edited Loading

motoki317 commented Jan 13, 2024

motoki317 commented Jul 24, 2023 •

edited

Loading