Add OAuth2 userinfo endpoint

[titpetric]

This is an attempt to implement the userinfo endpoint in #8534

[techknowlogick]

Thanks for this PR!

There is a chance that user may be nil, could you do a check that user != nil to ensure a nil referenceerror doesn't happen?

[titpetric]

I think this may be more complicated. Not the nil check, but the correctness of the userinfo endpoint itself. AuthorizeOAuth reads the bearer token, and I suspect this code may need to do it too. I am relying on reqSignIn, but I didn't see any Authorization header parsing, so I suspect this may need a full rewrite.

Particularly, the reqSignIn requires a sign-in and should error out with a 403 before reaching this code.

Can you confirm that the required signed in context takes the Authorization header?

[lafriks]

userinfo endpoint should work exclusively with token provided as this is endpoint that is called as s2s request so there won't be user cookies etc for user session

[lunny]

It must be confirmed to user login

[titpetric]

Can you elaborate?

Should it be m.Get("/userinfo", reqSignIn, user.UserInfoOAuth)? Or should I read the Authorization HTTP header in the UserInfoOAuth, as it's done in AuthorizeOAuth?

[lunny]

We should also verify the access token here? See https://connect2id.com/products/server/docs/api/userinfo

[lunny]

reqSignIn will redirect to login page which is not suitable. An OAuth2 access token is required here.

[techknowlogick]

@lunny you can access this URL with an OAuth2 token, and a 302 redirect to login page would be treated as invalid from the oauth client.

[titpetric]

I figured this might be the case. I'll sort it out :) thanks for confirming

…

On Wed, Mar 10, 2021, 22:40 Lauris BH ***@***.***> wrote: ***@***.**** commented on this pull request. ------------------------------ In routers/user/oauth_userinfo.go <#14938 (comment)>: > + + "code.gitea.io/gitea/modules/context" +) + +// UserInfoResponse represents a successful userinfo response +type UserInfoResponse struct { + Sub string `json:"sub"` + Name string `json:"name"` + Username string `json:"preffered_username"` + Email string `json:"email"` + Picture string `json:"picture"` +} + +// UserInfoOAauth responds with OAuth formatted userinfo +func UserInfoOAuth(ctx *context.Context) { + user := ctx.User userinfo endpoint should work exclusively with token provided as this is endpoint that is called as s2s request so there won't be user cookies etc for user session — You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub <#14938 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AABY7EH3UBV62AUCF2TX42DTC7RNPANCNFSM4Y4ZSCAQ> .

[techknowlogick]

I've just resolved the conflicts with this PR

[lunny]

See #14938 (comment)

[techknowlogick]

Sometimes fullname is empty, this could have a fallback if fullname is empty then use Name

[techknowlogick]

technically per spec, this isn't required, but if it is empty they recommend not including it. So I won't block on this.

[mcansky]

that's looking very promising 🍻

[mcansky]

just a little nudge : anything we can do to help ? is it testable yet to provide some feedback ?

[6543]

@mcansky it is testable - the only nit is, it will redirect if user is not authenticated - witch is not the expected behaviour as by specs if I understand it correctly

If you can test & give us feedback, this would be awesome :)

[codecov-commenter]

Codecov Report

Merging #14938 (3ba7c55) into master (72e0ad8) will decrease coverage by 0.02%.
The diff coverage is 10.00%.

@@            Coverage Diff             @@
##           master   #14938      +/-   ##
==========================================
- Coverage   43.92%   43.90%   -0.03%     
==========================================
  Files         678      679       +1     
  Lines       81739    81749      +10     
==========================================
- Hits        35902    35890      -12     
- Misses      39982    39999      +17     
- Partials     5855     5860       +5     

Impacted Files	Coverage Δ
routers/user/oauth_userinfo.go	0.00% <0.00%> (ø)
routers/routes/web.go	86.45% <100.00%> (+0.01%)	⬆️
modules/util/timer.go	42.85% <0.00%> (-42.86%)	⬇️
modules/queue/manager.go	61.36% <0.00%> (-2.85%)	⬇️
routers/api/v1/repo/pull.go	28.14% <0.00%> (-0.60%)	⬇️
services/pull/pull.go	43.47% <0.00%> (-0.46%)	⬇️

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 72e0ad8...3ba7c55. Read the comment docs.

[lunny]

@mcansky it is testable - the only nit is, it will redirect if user is not authenticated - witch is not the expected behaviour as by specs if I understand it correctly

If you can test & give us feedback, this would be awesome :)

I don't think so. The main problem is the endpoint has no token protected.

[techknowlogick]

Closing per #15721