Hi Khushboo

Can you please review/test the patch?

On Fri, Aug 27, 2021 at 7:46 PM Nico Rikken <nico.rik...@alliander.com> wrote:

> In certain cases like with OpenID Connect, a different scope is needed. This patch adds an additional variable `OAUTH2_SCOPE` that can be used to configure the appropriate scope for the deployment. Already there are runtime checks to ensure that the email claim is included in the user profile, so there is no need for similar checks on the configuration. This commit does introduce a check in the oauth2.py if a value for OAUTH2_SCOPE is set, to prevent a breaking change.
>
> Related issue: https://redmine.postgresql.org/issues/6627
> OIDC docs: https://openid.net/specs/openid-connect-core-1_0.html#ScopeClaims
>
> I haven't yet tested this, as I'm still in the process of setting up a local development environment. I hope somebody else here can help me with the quality assurance.
>
> Signed-off-by: Nico Rikken <nico.rik...@alliander.com>
> ---
>  docs/en_US/oauth2.rst                                 | 1 +
>  web/config.py                                         | 3 +++
>  web/pgadmin/authenticate/oauth2.py                    | 6 +++++-
>  web/pgadmin/browser/tests/test_oauth2_with_mocking.py | 1 +
>  4 files changed, 10 insertions(+), 1 deletion(-)
>
> diff --git a/docs/en_US/oauth2.rst b/docs/en_US/oauth2.rst
> index 8947b509e..4cc2628f5 100644
> --- a/docs/en_US/oauth2.rst
> +++ b/docs/en_US/oauth2.rst
> @@ -30,6 +30,7 @@ and modify the values for the following parameters:
>      "OAUTH2_AUTHORIZATION_URL", "Endpoint for user authorization"
>      "OAUTH2_API_BASE_URL", "Oauth2 base URL endpoint to make requests
> simple, ex: *https://api.github.com/*";
>      "OAUTH2_USERINFO_ENDPOINT", "User Endpoint, ex: *user* (for github)
> and *useinfo* (for google)"
> +    "OAUTH2_SCOPE", "Oauth scope, ex: 'openid email profile'. Note that
> an 'email' claim is required in the resulting profile."
>      "OAUTH2_ICON", "The Font-awesome icon to be placed on the oauth2
> button,  ex: fa-github"
>      "OAUTH2_BUTTON_COLOR", "Oauth2 button color"
>      "OAUTH2_AUTO_CREATE_USER", "Set the value to *True* if you want to
> automatically
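Review bot: The new "OAUTH2_SCOPE" row in the docs table does not say what happens when the parameter is left out, even though the code change relies on a fallback; state the default in the row so an operator knows the behaviour without reading the source, e.g. `"OAUTH2_SCOPE", "Oauth scope, ex: 'openid email profile'. Defaults to 'email profile' when not set. Note that an 'email' claim is required in the resulting profile."`.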
> diff --git a/web/config.py b/web/config.py
> index d797e26f7..e932d17fc 100644
> --- a/web/config.py
> +++ b/web/config.py
> @@ -711,6 +711,9 @@ OAUTH2_CONFIG = [
>          # Name of the Endpoint, ex: user
>          'OAUTH2_USERINFO_ENDPOINT': None,
>          # Font-awesome icon, ex: fa-github
> +        'OAUTH2_SCOPE': None,
> +        # Oauth scope, ex: 'openid email profile'
> +        # Note that an 'email' claim is required in the resulting profile
>          'OAUTH2_ICON': None,
>          # UI button colour, ex: #0000ff
>          'OAUTH2_BUTTON_COLOR': None,
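Review bot: The three added lines are inserted in the wrong place: `'OAUTH2_SCOPE': None,` now sits directly under the existing `# Font-awesome icon, ex: fa-github` comment, while the two new scope comments end up above `'OAUTH2_ICON': None,`, so each comment now describes the wrong key. Move the block so the two scope comments are followed by `'OAUTH2_SCOPE': None,` and all three sit after `'OAUTH2_USERINFO_ENDPOINT': None,` and before the Font-awesome comment.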
> diff --git a/web/pgadmin/authenticate/oauth2.py
> b/web/pgadmin/authenticate/oauth2.py
> index 91903165a..5e60d35dd 100644
> --- a/web/pgadmin/authenticate/oauth2.py
> +++ b/web/pgadmin/authenticate/oauth2.py
> @@ -104,7 +104,11 @@ class OAuth2Authentication(BaseAuthentication):
>                  access_token_url=oauth2_config['OAUTH2_TOKEN_URL'],
>                  authorize_url=oauth2_config['OAUTH2_AUTHORIZATION_URL'],
>                  api_base_url=oauth2_config['OAUTH2_API_BASE_URL'],
> -                client_kwargs={'scope': 'email profile'}
> +                # Resort to previously hardcoded scope 'email profile' in
> case
> +                # no OAUTH2_SCOPE is provided. This prevents a breaking
> change.
> +                client_kwargs={'scope':
> +                               oauth2_config.get('OAUTH2_SCOPE',
> +                                                 'email profile')}
>              )
>
>      def get_source_name(self):
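Review bot: The fallback in `oauth2_config.get('OAUTH2_SCOPE', 'email profile')` only applies when the key is absent from the dict, but config.py in this same patch ships `'OAUTH2_SCOPE': None` in the OAUTH2_CONFIG template, so any deployment that copies the template without setting a scope will pass `scope=None` to the client and the "no breaking change" promise in the comment does not hold. Use `oauth2_config.get('OAUTH2_SCOPE') or 'email profile'` instead, which also handles an empty string, and reword the comment to "Fall back to the previously hardcoded scope 'email profile' when no OAUTH2_SCOPE is provided".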
> diff --git a/web/pgadmin/browser/tests/test_oauth2_with_mocking.py
> b/web/pgadmin/browser/tests/test_oauth2_with_mocking.py
> index b170720a8..71706ebe6 100644
> --- a/web/pgadmin/browser/tests/test_oauth2_with_mocking.py
> +++ b/web/pgadmin/browser/tests/test_oauth2_with_mocking.py
> @@ -58,6 +58,7 @@ class Oauth2LoginMockTestCase(BaseTestGenerator):
>                      'https://github.com/login/oauth/authorize',
>                  'OAUTH2_API_BASE_URL': 'https://api.github.com/',
>                  'OAUTH2_USERINFO_ENDPOINT': 'user',
> +                'OAUTH2_SCOPE': 'email profile',
>                  'OAUTH2_ICON': 'fa-github',
>                  'OAUTH2_BUTTON_COLOR': '#3253a8',
>              }
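Review bot: Setting `'OAUTH2_SCOPE': 'email profile'` in the mock config only reproduces the value that was previously hardcoded, so this test passes whether or not the new setting is actually read. Add one case with a non-default scope such as `'openid email profile'` and assert that it reaches the registered client's `client_kwargs`, and one case with OAUTH2_SCOPE omitted or `None` to cover the fallback path.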
> --
> 2.25.1
>
>
>
>

-- 
*Thanks & Regards*
*Akshay Joshi*
*pgAdmin Hacker | Principal Software Architect*
*EDB Postgres <http://edbpostgres.com>*

*Mobile: +91 976-788-8246*
