Re: [pgAdmin][PATCH] Add OAUTH2_SCOPE variable for scope configuration

Khushboo Vashi Tue, 31 Aug 2021 00:23:24 -0700

Hi,

The patch looks good to me.
Please find the attached patch for the same.


Thanks,
Khushbo

On Sun, Aug 29, 2021 at 7:46 PM Akshay Joshi <akshay.jo...@enterprisedb.com>
wrote:

> Hi Khushboo
>
> Can you please review/test the patch?
>
> On Fri, Aug 27, 2021 at 7:46 PM Nico Rikken <nico.rik...@alliander.com>
> wrote:
>
>> In certain cases like with OpenID Connect, a different scope is needed.
>> This
>> patch adds an additional variable `OAUTH2_SCOPE` that can be used to
>> configure
>> the appropriate scope for the deployment. Already there are runtime
>> checks to
>> ensure that the email claim is included in the user profile, so there is
>> no need
>> for similar checks on the configuration. This commit does introduce a
>> check in
>> the oauth2.py if a value for OAUTH2_SCOPE is set, to prevent a breaking
>> change.
>>
>> Related issue: https://redmine.postgresql.org/issues/6627
>> OIDC docs:
>> https://openid.net/specs/openid-connect-core-1_0.html#ScopeClaims
>>
>> I haven't yet tested this, as I'm still in the process of setting up a
>> local
>> development environment. I hope somebody else here can help me with the
>> quality
>> assurance.
>>
>> Signed-off-by: Nico Rikken <nico.rik...@alliander.com>
>> ---
>>  docs/en_US/oauth2.rst                                 | 1 +
>>  web/config.py                                         | 3 +++
>>  web/pgadmin/authenticate/oauth2.py                    | 6 +++++-
>>  web/pgadmin/browser/tests/test_oauth2_with_mocking.py | 1 +
>>  4 files changed, 10 insertions(+), 1 deletion(-)
>>
>> diff --git a/docs/en_US/oauth2.rst b/docs/en_US/oauth2.rst
>> index 8947b509e..4cc2628f5 100644
>> --- a/docs/en_US/oauth2.rst
>> +++ b/docs/en_US/oauth2.rst
>> @@ -30,6 +30,7 @@ and modify the values for the following parameters:
>>      "OAUTH2_AUTHORIZATION_URL", "Endpoint for user authorization"
>>      "OAUTH2_API_BASE_URL", "Oauth2 base URL endpoint to make requests
>> simple, ex: *https://api.github.com/*";
>>      "OAUTH2_USERINFO_ENDPOINT", "User Endpoint, ex: *user* (for github)
>> and *useinfo* (for google)"
>> +    "OAUTH2_SCOPE", "Oauth scope, ex: 'openid email profile'. Note that
>> an 'email' claim is required in the resulting profile."
>>      "OAUTH2_ICON", "The Font-awesome icon to be placed on the oauth2
>> button,  ex: fa-github"
>>      "OAUTH2_BUTTON_COLOR", "Oauth2 button color"
>>      "OAUTH2_AUTO_CREATE_USER", "Set the value to *True* if you want to
>> automatically
>> diff --git a/web/config.py b/web/config.py
>> index d797e26f7..e932d17fc 100644
>> --- a/web/config.py
>> +++ b/web/config.py
>> @@ -711,6 +711,9 @@ OAUTH2_CONFIG = [
>>          # Name of the Endpoint, ex: user
>>          'OAUTH2_USERINFO_ENDPOINT': None,
>>          # Font-awesome icon, ex: fa-github
>> +        'OAUTH2_SCOPE': None,
>> +        # Oauth scope, ex: 'openid email profile'
>> +        # Note that an 'email' claim is required in the resulting profile
>>          'OAUTH2_ICON': None,
>>          # UI button colour, ex: #0000ff
>>          'OAUTH2_BUTTON_COLOR': None,
>> diff --git a/web/pgadmin/authenticate/oauth2.py
>> b/web/pgadmin/authenticate/oauth2.py
>> index 91903165a..5e60d35dd 100644
>> --- a/web/pgadmin/authenticate/oauth2.py
>> +++ b/web/pgadmin/authenticate/oauth2.py
>> @@ -104,7 +104,11 @@ class OAuth2Authentication(BaseAuthentication):
>>                  access_token_url=oauth2_config['OAUTH2_TOKEN_URL'],
>>                  authorize_url=oauth2_config['OAUTH2_AUTHORIZATION_URL'],
>>                  api_base_url=oauth2_config['OAUTH2_API_BASE_URL'],
>> -                client_kwargs={'scope': 'email profile'}
>> +                # Resort to previously hardcoded scope 'email profile'
>> in case
>> +                # no OAUTH2_SCOPE is provided. This prevents a breaking
>> change.
>> +                client_kwargs={'scope':
>> +                               oauth2_config.get('OAUTH2_SCOPE',
>> +                                                 'email profile')}
>>              )
>>
>>      def get_source_name(self):
>> diff --git a/web/pgadmin/browser/tests/test_oauth2_with_mocking.py
>> b/web/pgadmin/browser/tests/test_oauth2_with_mocking.py
>> index b170720a8..71706ebe6 100644
>> --- a/web/pgadmin/browser/tests/test_oauth2_with_mocking.py
>> +++ b/web/pgadmin/browser/tests/test_oauth2_with_mocking.py
>> @@ -58,6 +58,7 @@ class Oauth2LoginMockTestCase(BaseTestGenerator):
>>                      'https://github.com/login/oauth/authorize',
>>                  'OAUTH2_API_BASE_URL': 'https://api.github.com/',
>>                  'OAUTH2_USERINFO_ENDPOINT': 'user',
>> +                'OAUTH2_SCOPE': 'email profile',
>>                  'OAUTH2_ICON': 'fa-github',
>>                  'OAUTH2_BUTTON_COLOR': '#3253a8',
>>              }
>> --
>> 2.25.1
>>
>>
>>
>>
>
> --
> *Thanks & Regards*
> *Akshay Joshi*
> *pgAdmin Hacker | Principal Software Architect*
> *EDB Postgres <http://edbpostgres.com>*
>
> *Mobile: +91 976-788-8246*
>

RM_6627.patch
Description: Binary data

Re: [pgAdmin][PATCH] Add OAUTH2_SCOPE variable for scope configuration

Reply via email to