Skip to content
体验新版
项目
组织
正在加载...
登录
切换导航
打开侧边栏
李少辉-开发者
gitlab-foss
提交
7a1c810d
G
gitlab-foss
项目概览
李少辉-开发者
/
gitlab-foss
通知
15
Star
0
Fork
0
代码
文件
提交
分支
Tags
贡献者
分支图
Diff
Issue
0
列表
看板
标记
里程碑
合并请求
0
Wiki
0
Wiki
分析
仓库
DevOps
项目成员
Pages
G
gitlab-foss
项目概览
项目概览
详情
发布
仓库
仓库
文件
提交
分支
标签
贡献者
分支图
比较
Issue
0
Issue
0
列表
看板
标记
里程碑
合并请求
0
合并请求
0
Pages
分析
分析
仓库分析
DevOps
Wiki
0
Wiki
成员
成员
收起侧边栏
关闭侧边栏
动态
分支图
创建新Issue
提交
Issue看板
前往新版Gitcode,体验更适合开发者的 AI 搜索 >>
提交
7a1c810d
编写于
2月 06, 2019
作者:
G
GotenXiao
提交者:
Nick Thomas
2月 06, 2019
浏览文件
操作
浏览文件
下载
电子邮件补丁
差异文件
Fix #44332 - Add support for profile and email
上级
20c83bbd
变更
6
显示空白变更内容
内联
并排
Showing
6 changed file
with
79 addition
and
6 deletion
+79
-6
changelogs/unreleased/44332-add-openid-profile-scopes.yml
changelogs/unreleased/44332-add-openid-profile-scopes.yml
+5
-0
config/initializers/doorkeeper_openid_connect.rb
config/initializers/doorkeeper_openid_connect.rb
+21
-2
config/locales/doorkeeper.en.yml
config/locales/doorkeeper.en.yml
+6
-0
lib/gitlab/auth.rb
lib/gitlab/auth.rb
+4
-1
spec/lib/gitlab/auth_spec.rb
spec/lib/gitlab/auth_spec.rb
+1
-1
spec/requests/openid_connect_spec.rb
spec/requests/openid_connect_spec.rb
+42
-2
未找到文件。
changelogs/unreleased/44332-add-openid-profile-scopes.yml
0 → 100644
浏览文件 @
7a1c810d
---
title
:
GitLab now supports the profile and email scopes from OpenID Connect
merge_request
:
24335
author
:
Goten Xiao
type
:
added
config/initializers/doorkeeper_openid_connect.rb
浏览文件 @
7a1c810d
...
...
@@ -31,8 +31,27 @@ Doorkeeper::OpenidConnect.configure do
o
.
claim
(
:name
)
{
|
user
|
user
.
name
}
o
.
claim
(
:nickname
)
{
|
user
|
user
.
username
}
o
.
claim
(
:email
)
{
|
user
|
user
.
public_email
}
o
.
claim
(
:email_verified
)
{
|
user
|
true
if
user
.
public_email?
}
# Check whether the application has access to the email scope, and grant
# access to the user's primary email address if so, otherwise their
# public email address (if present)
# This allows existing solutions built for GitLab's old behavior to keep
# working without modification.
o
.
claim
(
:email
)
do
|
user
,
scopes
|
scopes
.
exists?
(
:email
)
?
user
.
email
:
user
.
public_email
end
o
.
claim
(
:email_verified
)
do
|
user
,
scopes
|
if
scopes
.
exists?
(
:email
)
user
.
primary_email_verified?
elsif
user
.
public_email?
user
.
verified_email?
(
user
.
public_email
)
else
# If there is no public email set, tell doorkicker-openid-connect to
# exclude the email_verified claim by returning nil.
nil
end
end
o
.
claim
(
:website
)
{
|
user
|
user
.
full_website_url
if
user
.
website_url?
}
o
.
claim
(
:profile
)
{
|
user
|
Gitlab
::
Routing
.
url_helpers
.
user_url
user
}
o
.
claim
(
:picture
)
{
|
user
|
user
.
avatar_url
(
only_path:
false
)
}
...
...
config/locales/doorkeeper.en.yml
浏览文件 @
7a1c810d
...
...
@@ -64,6 +64,8 @@ en:
read_registry
:
Grants permission to read container registry images
openid
:
Authenticate using OpenID Connect
sudo
:
Perform API actions as any user in the system
profile
:
Allows read-only access to the user's personal information using OpenID Connect
email
:
Allows read-only access to the user's primary email address using OpenID Connect
scope_desc
:
api
:
Grants complete read/write access to the API, including all groups and projects.
...
...
@@ -77,6 +79,10 @@ en:
Grants permission to authenticate with GitLab using OpenID Connect. Also gives read-only access to the user's profile and group memberships.
sudo
:
Grants permission to perform API actions as any user in the system, when authenticated as an admin user.
profile
:
Grants read-only access to the user's profile data using OpenID Connect.
email
:
Grants read-only access to the user's primary email address using OpenID Connect.
flash
:
applications
:
create
:
...
...
lib/gitlab/auth.rb
浏览文件 @
7a1c810d
...
...
@@ -12,6 +12,9 @@ module Gitlab
# Scopes used for OpenID Connect
OPENID_SCOPES
=
[
:openid
].
freeze
# OpenID Connect profile scopes
PROFILE_SCOPES
=
[
:profile
,
:email
].
freeze
# Default scopes for OAuth applications that don't define their own
DEFAULT_SCOPES
=
[
:api
].
freeze
...
...
@@ -284,7 +287,7 @@ module Gitlab
# Other available scopes
def
optional_scopes
available_scopes
+
OPENID_SCOPES
-
DEFAULT_SCOPES
available_scopes
+
OPENID_SCOPES
+
PROFILE_SCOPES
-
DEFAULT_SCOPES
end
def
registry_scopes
...
...
spec/lib/gitlab/auth_spec.rb
浏览文件 @
7a1c810d
...
...
@@ -19,7 +19,7 @@ describe Gitlab::Auth do
it
'optional_scopes contains all non-default scopes'
do
stub_container_registry_config
(
enabled:
true
)
expect
(
subject
.
optional_scopes
).
to
eq
%i[read_user sudo read_repository read_registry openid]
expect
(
subject
.
optional_scopes
).
to
eq
%i[read_user sudo read_repository read_registry openid
profile email
]
end
context
'registry_scopes'
do
...
...
spec/requests/openid_connect_spec.rb
浏览文件 @
7a1c810d
...
...
@@ -35,7 +35,7 @@ describe 'OpenID Connect requests' do
'name'
=>
'Alice'
,
'nickname'
=>
'alice'
,
'email'
=>
'public@example.com'
,
'email_verified'
=>
tru
e
,
'email_verified'
=>
fals
e
,
'website'
=>
'https://example.com'
,
'profile'
=>
'http://localhost/alice'
,
'picture'
=>
"http://localhost/uploads/-/system/user/avatar/
#{
user
.
id
}
/dk.png"
,
...
...
@@ -111,6 +111,18 @@ describe 'OpenID Connect requests' do
it
'does not include any unknown claims'
do
expect
(
json_response
.
keys
).
to
eq
%w[sub sub_legacy]
+
user_info_claims
.
keys
end
it
'includes email and email_verified claims'
do
expect
(
json_response
.
keys
).
to
include
(
'email'
,
'email_verified'
)
end
it
'has public email in email claim'
do
expect
(
json_response
[
'email'
]).
to
eq
(
user
.
public_email
)
end
it
'has false in email_verified claim'
do
expect
(
json_response
[
'email_verified'
]).
to
eq
(
false
)
end
end
context
'ID token payload'
do
...
...
@@ -175,7 +187,35 @@ describe 'OpenID Connect requests' do
expect
(
response
).
to
have_gitlab_http_status
(
200
)
expect
(
json_response
[
'issuer'
]).
to
eq
(
'http://localhost'
)
expect
(
json_response
[
'jwks_uri'
]).
to
eq
(
'http://www.example.com/oauth/discovery/keys'
)
expect
(
json_response
[
'scopes_supported'
]).
to
eq
(
%w[api read_user sudo read_repository openid]
)
expect
(
json_response
[
'scopes_supported'
]).
to
eq
(
%w[api read_user sudo read_repository openid profile email]
)
end
end
context
'Application with OpenID and email scopes'
do
let
(
:application
)
{
create
:oauth_application
,
scopes:
'openid email'
}
it
'token response includes an ID token'
do
request_access_token!
expect
(
json_response
).
to
include
'id_token'
end
context
'UserInfo payload'
do
before
do
request_user_info!
end
it
'includes the email and email_verified claims'
do
expect
(
json_response
.
keys
).
to
include
(
'email'
,
'email_verified'
)
end
it
'has private email in email claim'
do
expect
(
json_response
[
'email'
]).
to
eq
(
user
.
email
)
end
it
'has true in email_verified claim'
do
expect
(
json_response
[
'email_verified'
]).
to
eq
(
true
)
end
end
end
end
编辑
预览
Markdown
is supported
0%
请重试
或
添加新附件
.
添加附件
取消
You are about to add
0
people
to the discussion. Proceed with caution.
先完成此消息的编辑!
取消
想要评论请
注册
或
登录