Add OAuth2 userinfo endpoint #14938
There are no files selected for viewing
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,29 @@ | ||
| package user | ||
titpetric marked this conversation as resolved.
Show resolved
Hide resolved
|
||
|
|
||
| import ( | ||
| "fmt" | ||
|
|
||
| "code.gitea.io/gitea/modules/context" | ||
| ) | ||
|
|
||
| // UserInfoResponse represents a successful userinfo response | ||
| type UserInfoResponse struct { | ||
6543 marked this conversation as resolved.
Show resolved
Hide resolved
|
||
| Sub string `json:"sub"` | ||
| Name string `json:"name"` | ||
| Username string `json:"preferred_username"` | ||
| Email string `json:"email"` | ||
| Picture string `json:"picture"` | ||
| } | ||
|
|
||
| // UserInfoOAauth responds with OAuth formatted userinfo | ||
| func UserInfoOAuth(ctx *context.Context) { | ||
6543 marked this conversation as resolved.
Show resolved
Hide resolved
|
||
| user := ctx.User | ||
|
There was a problem hiding this comment. Thanks for this PR! There is a chance that user may be nil, could you do a check that user != nil to ensure a nil referenceerror doesn't happen? There was a problem hiding this comment. I think this may be more complicated. Not the nil check, but the correctness of the userinfo endpoint itself. AuthorizeOAuth reads the bearer token, and I suspect this code may need to do it too. I am relying on Particularly, the Can you confirm that the required signed in context takes the Authorization header? There was a problem hiding this comment. userinfo endpoint should work exclusively with token provided as this is endpoint that is called as s2s request so there won't be user cookies etc for user session |
||
| response := &UserInfoResponse{ | ||
6543 marked this conversation as resolved.
Show resolved
Hide resolved
|
||
| Sub: fmt.Sprint(user.ID), | ||
| Name: user.FullName, | ||
|
There was a problem hiding this comment. Sometimes fullname is empty, this could have a fallback if fullname is empty then use Name There was a problem hiding this comment. technically per spec, this isn't required, but if it is empty they recommend not including it. So I won't block on this. |
||
| Username: user.Name, | ||
| Email: user.Email, | ||
6543 marked this conversation as resolved.
Show resolved
Hide resolved
|
||
| Picture: user.Avatar, | ||
titpetric marked this conversation as resolved.
Show resolved
Hide resolved
|
||
| } | ||
| ctx.JSON(200, response) | ||
techknowlogick marked this conversation as resolved.
Show resolved
Hide resolved
techknowlogick marked this conversation as resolved.
Show resolved
Hide resolved
|
||
| } | ||
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It must be confirmed to user login
Uh oh!
There was an error while loading. Please reload this page.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can you elaborate?
Should it be
m.Get("/userinfo", reqSignIn, user.UserInfoOAuth)? Or should I read the Authorization HTTP header in the UserInfoOAuth, as it's done in AuthorizeOAuth?There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We should also verify the access token here? See https://connect2id.com/products/server/docs/api/userinfo
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
reqSignInwill redirect to login page which is not suitable. An OAuth2 access token is required here.There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@lunny you can access this URL with an OAuth2 token, and a 302 redirect to login page would be treated as invalid from the oauth client.