OAuth2 auto-register

custom/conf/app.example.ini

@@ -617,6 +617,30 @@ WHITELISTED_URIS =
 ; Example value: loadaverage.org/badguy stackexchange.com/.*spammer
 BLACKLISTED_URIS =
 
+[oauth2_client]
+; Whether a new auto registered oauth2 user needs to confirm their email.
+; Do not include to use the REGISTER_EMAIL_CONFIRM setting from the `[service]` section.
+REGISTER_EMAIL_CONFIRM =
+; Scopes for the openid connect oauth2 provider (seperated by space, the openid scope is implicitly added).
+; Typical values are profile and email.
+; For more information about the possible values see https://openid.net/specs/openid-connect-core-1_0.html#ScopeClaims
+OPENID_CONNECT_SCOPES =
+; Automatically create user accounts for new oauth2 users.
+ENABLE_AUTO_REGISTRATION = false
+; The source of the username for new oauth2 accounts:
+; userid = use the userid / sub attribute
+; nickname = use the nickname attribute
+; email = use the username part of the email attribute
+USERNAME = nickname
+; Update avatar if available from oauth2 provider.
+; Update will be performed on each login.
+UPDATE_AVATAR = false
+; How to handle if an account / email already exists:
+; disabled = show an error
+; login = show an account linking login
+; auto = link directly with the account
+ACCOUNT_LINKING = disabled
+
 [service]
 ; Time limit to confirm account/email registration
 ACTIVE_CODE_LIVE_MINUTES = 180

docs/content/doc/advanced/config-cheat-sheet.en-us.md

@@ -429,6 +429,15 @@ relation to port exhaustion.
 - `BLACKLISTED_URIS`: **\<empty\>**: If non-empty, list of POSIX regex patterns matching
    OpenID URI's to block.
 
+## OAuth2 Client (`oauth2_client`)
+
+- `REGISTER_EMAIL_CONFIRM`: *[service]* **REGISTER\_EMAIL\_CONFIRM**: Set this to enable or disable email confirmation of OAuth2 auto-registration. (Overwrites the REGISTER\_EMAIL\_CONFIRM setting of the `[service]` section)
+- `OPENID_CONNECT_SCOPES`: **\<empty\>**: List of additional openid connect scopes. (`openid` is implicitly added)
+- `ENABLE_AUTO_REGISTRATION`: **false**: Enable this to allow auto-registration for oauth2 authentication.
+- `USERNAME`: **nickname**: The source of the username for new oauth2 accounts: userid, nickname, email (username part).
+- `UPDATE_AVATAR`: **false**: Set this to update user avatar if available from the oauth2 provider.
+- `ACCOUNT_LINKING`: **disabled**: How to handle if an account / email already exists: disabled / login / auto.
+
 ## Service (`service`)
 
 - `ACTIVE_CODE_LIVE_MINUTES`: **180**: Time limit (min) to confirm account/email registration.

models/migrations/migrations.go

@@ -302,6 +302,8 @@ var migrations = []Migration{
 	NewMigration("Remove invalid labels from comments", removeInvalidLabels),
 	// v177 -> v178
 	NewMigration("Delete orphaned IssueLabels", deleteOrphanedIssueLabels),
+	// v178 -> v179
+	NewMigration("Convert avatar url to text", convertAvatarURLToText),
 }
 
 // GetCurrentDBVersion returns the current db version

models/migrations/v178.go

@@ -0,0 +1,26 @@
+// Copyright 2021 The Gitea Authors. All rights reserved.
+// Use of this source code is governed by a MIT-style
+// license that can be found in the LICENSE file.
+
+package migrations
+
+import (
+	"xorm.io/xorm"
+	"xorm.io/xorm/schemas"
+)
+
+func convertAvatarURLToText(x *xorm.Engine) error {
+	dbType := x.Dialect().URI().DBType
+	if dbType == schemas.SQLITE { // For SQLITE, varchar or char will always be represented as TEXT
+		return nil
+	}
+
+	// Some oauth2 providers may give very long avatar urls (i.e. Google)
+	return modifyColumn(x, "external_login_user", &schemas.Column{
+		Name: "avatar_url",
+		SQLType: schemas.SQLType{
+			Name: schemas.Text,
+		},
+		Nullable: true,
+	})
+}

modules/auth/oauth2/oauth2.go

@@ -157,7 +157,11 @@ func createProvider(providerName, providerType, clientID, clientSecret, openIDCo
 				emailURL = customURLMapping.EmailURL
 			}
 		}
-		provider = github.NewCustomisedURL(clientID, clientSecret, callbackURL, authURL, tokenURL, profileURL, emailURL)
+		scopes := []string{}
+		if setting.OAuth2Client.EnableAutoRegistration {
+			scopes = append(scopes, "user:email")
+		}
+		provider = github.NewCustomisedURL(clientID, clientSecret, callbackURL, authURL, tokenURL, profileURL, emailURL, scopes...)
 	case "gitlab":
 		authURL := gitlab.AuthURL
 		tokenURL := gitlab.TokenURL
@@ -175,9 +179,13 @@ func createProvider(providerName, providerType, clientID, clientSecret, openIDCo
 		}
 		provider = gitlab.NewCustomisedURL(clientID, clientSecret, callbackURL, authURL, tokenURL, profileURL, "read_user")
 	case "gplus": // named gplus due to legacy gplus -> google migration (Google killed Google+). This ensures old connections still work
-		provider = google.New(clientID, clientSecret, callbackURL)
+		scopes := []string{"email"}
+		if setting.OAuth2Client.UpdateAvatar || setting.OAuth2Client.EnableAutoRegistration {
+			scopes = append(scopes, "profile")
+		}
+		provider = google.New(clientID, clientSecret, callbackURL, scopes...)
 	case "openidConnect":
-		if provider, err = openidConnect.New(clientID, clientSecret, callbackURL, openIDConnectAutoDiscoveryURL); err != nil {
+		if provider, err = openidConnect.New(clientID, clientSecret, callbackURL, openIDConnectAutoDiscoveryURL, setting.OAuth2Client.OpenIDConnectScopes...); err != nil {
 			log.Warn("Failed to create OpenID Connect Provider with name '%s' with url '%s': %v", providerName, openIDConnectAutoDiscoveryURL, err)
 		}
 	case "twitter":

modules/setting/oauth2_client.go

@@ -0,0 +1,90 @@
+// Copyright 2021 The Gitea Authors. All rights reserved.
+// Use of this source code is governed by a MIT-style
+// license that can be found in the LICENSE file.
+
+package setting
+
+import (
+	"code.gitea.io/gitea/modules/log"
+
+	"gopkg.in/ini.v1"
+)
+
+// OAuth2UsernameType is enum describing the way gitea 'name' should be generated from oauth2 data
+type OAuth2UsernameType string
+
+const (
+	// OAuth2UsernameUserid oauth2 userid field will be used as gitea name
+	OAuth2UsernameUserid OAuth2UsernameType = "userid"
+	// OAuth2UsernameNickname oauth2 nickname field will be used as gitea name
+	OAuth2UsernameNickname OAuth2UsernameType = "nickname"
+	// OAuth2UsernameEmail username of oauth2 email filed will be used as gitea name
+	OAuth2UsernameEmail OAuth2UsernameType = "email"
+)
+
+func (username OAuth2UsernameType) isValid() bool {
+	switch username {
+	case OAuth2UsernameUserid, OAuth2UsernameNickname, OAuth2UsernameEmail:
+		return true
+	}
+	return false
+}
+
+// OAuth2AccountLinkingType is enum describing behaviour of linking with existing account
+type OAuth2AccountLinkingType string
+
+const (
+	// OAuth2AccountLinkingDisabled error will be displayed if account exist
+	OAuth2AccountLinkingDisabled OAuth2AccountLinkingType = "disabled"
+	// OAuth2AccountLinkingLogin account linking login will be displayed if account exist
+	OAuth2AccountLinkingLogin OAuth2AccountLinkingType = "login"
+	// OAuth2AccountLinkingAuto account will be automatically linked if account exist
+	OAuth2AccountLinkingAuto OAuth2AccountLinkingType = "auto"
+)
+
+func (accountLinking OAuth2AccountLinkingType) isValid() bool {
+	switch accountLinking {
+	case OAuth2AccountLinkingDisabled, OAuth2AccountLinkingLogin, OAuth2AccountLinkingAuto:
+		return true
+	}
+	return false
+}
+
+// OAuth2Client settings
+var OAuth2Client struct {
+	RegisterEmailConfirm   bool
+	OpenIDConnectScopes    []string
+	EnableAutoRegistration bool
+	Username               OAuth2UsernameType
+	UpdateAvatar           bool
+	AccountLinking         OAuth2AccountLinkingType
+}
+
+func newOAuth2Client() {
+	sec := Cfg.Section("oauth2_client")
+	OAuth2Client.RegisterEmailConfirm = sec.Key("REGISTER_EMAIL_CONFIRM").MustBool(Service.RegisterEmailConfirm)
+	OAuth2Client.OpenIDConnectScopes = parseScopes(sec, "OPENID_CONNECT_SCOPES")
+	OAuth2Client.EnableAutoRegistration = sec.Key("ENABLE_AUTO_REGISTRATION").MustBool()
+	OAuth2Client.Username = OAuth2UsernameType(sec.Key("USERNAME").MustString(string(OAuth2UsernameNickname)))
+	if !OAuth2Client.Username.isValid() {
+		log.Warn("Username setting is not valid: '%s', will fallback to '%s'", OAuth2Client.Username, OAuth2UsernameNickname)
+		OAuth2Client.Username = OAuth2UsernameNickname
+	}
+	OAuth2Client.UpdateAvatar = sec.Key("UPDATE_AVATAR").MustBool()
+	OAuth2Client.AccountLinking = OAuth2AccountLinkingType(sec.Key("ACCOUNT_LINKING").MustString(string(OAuth2AccountLinkingDisabled)))
+	if !OAuth2Client.AccountLinking.isValid() {
+		log.Warn("Account linking setting is not valid: '%s', will fallback to '%s'", OAuth2Client.AccountLinking, OAuth2AccountLinkingDisabled)
+		OAuth2Client.AccountLinking = OAuth2AccountLinkingDisabled
+	}
+}
+
+func parseScopes(sec *ini.Section, name string) []string {
+	parts := sec.Key(name).Strings(" ")
+	scopes := make([]string, 0, len(parts))
+	for _, scope := range parts {
+		if scope != "" {
+			scopes = append(scopes, scope)
+		}
+	}
+	return scopes
+}

modules/setting/setting.go

@@ -1168,6 +1168,7 @@ func MakeManifestData(appName string, appURL string, absoluteAssetURL string) []
 func NewServices() {
 	InitDBConfig()
 	newService()
+	newOAuth2Client()
 	NewLogServices(false)
 	newCacheService()
 	newSessionService()