Add support for oauth scopes

As defined in RFC6749: * https://www.rfc-editor.org/rfc/rfc6749#section-4.1.1 * https://www.rfc-editor.org/rfc/rfc6749#section-3.3 Scopes can be configured per-provider in engelsystem config.
2022-05-01 00:01:14 +02:00 · 2022-05-01 00:01:14 +02:00 · 6917f7805b
parent 44821019b6
commit 6917f7805b
3 changed files with 12 additions and 2 deletions
--- a/config/config.default.php
+++ b/config/config.default.php
@ -88,6 +88,8 @@ return [
            'url_token' => '[generated by provider]',
            // User info URL which provides userdata
            'url_info' => '[generated by provider]',
+            // OAuth Scopes
+            // 'scope' => ['openid'],
            // Info unique user id field
            'id' => 'uuid',
            // The following fields are used for registration
--- a/src/Controllers/OAuthController.php
+++ b/src/Controllers/OAuthController.php
@ -88,6 +88,7 @@ class OAuthController extends BaseController
    {
        $providerName = $request->getAttribute('provider');
        $provider = $this->getProvider($providerName);
+        $config = $this->config->get('oauth')[$providerName];

        // Handle OAuth error response according to https://www.rfc-editor.org/rfc/rfc6749#section-4.1.2.1
        if ($request->has('error')) {
@ -95,7 +96,13 @@ class OAuthController extends BaseController
        }

        if (!$request->has('code')) {
-            $authorizationUrl = $provider->getAuthorizationUrl();
+            $authorizationUrl = $provider->getAuthorizationUrl(
+                [
+                    // Leauge separates scopes by comma, which is wrong, so we do it
+                    // here properly by spaces. See https://www.rfc-editor.org/rfc/rfc6749#section-3.3
+                    'scope' => join(' ', $config['scope'] ?? [])
+                ]
+            );
            $this->session->set('oauth2_state', $provider->getState());

            return $this->redirector->to($authorizationUrl);
@ -178,7 +185,6 @@ class OAuthController extends BaseController
            $this->addNotification('oauth.connected');
        }

-        $config = $this->config->get('oauth')[$providerName];
        $resourceData = $resourceOwner->toArray();
        if (!empty($config['nested_info'])) {
            $resourceData = Arr::dot($resourceData);
--- a/tests/Unit/Controllers/OAuthControllerTest.php
+++ b/tests/Unit/Controllers/OAuthControllerTest.php
@ -76,6 +76,7 @@ class OAuthControllerTest extends TestCase
            'first_name'    => 'given-name',
            'last_name'     => 'last-name',
            'url'           => 'http://localhost/',
+            'scope'         => ['foo', 'bar'],
        ],
    ];

@ -197,6 +198,7 @@ class OAuthControllerTest extends TestCase
                $this->assertStringStartsWith('http://localhost/auth', $url);
                $this->assertStringContainsString('testsystem', $url);
                $this->assertStringContainsString('code', $url);
+                $this->assertStringContainsString('scope=foo%20bar', $url);
                return new Response();
            });