authorMarcell Mars <ki.ber@kom.uni.st>2024-07-11 11:12:51 +0200
committerMarcell Mars <ki.ber@kom.uni.st>2024-08-09 14:58:15 +0200
commit4eb8d8c4960b7d26679be31824f91218eba1ed55 (patch)
treeb1ef1d2642976820bc7a911fa915bb9048719edd /modules
parentMerge pull request 'Update dependency vue to v3.4.37 (forgejo)' (#4893) from ... (diff)
OAuth2 provider: support for granular scopes
- `CheckOAuthAccessToken` returns both the user ID and the additional scopes
- `grantAdditionalScopes` returns an AccessTokenScope-ready string (grantScopes) compiled from the additional scopes requested by the client
- `userIDFromToken` sets the returned grantScopes (if any) instead of the default `all`
Diffstat (limited to 'modules')
-rw-r--r--modules/setting/oauth2.go34
1 files changed, 18 insertions, 16 deletions
diff --git a/modules/setting/oauth2.go b/modules/setting/oauth2.go
index 86617f7513..49288e2639 100644
--- a/modules/setting/oauth2.go
+++ b/modules/setting/oauth2.go
@@ -92,23 +92,25 @@ func parseScopes(sec ConfigSection, name string) []string {
}
var OAuth2 = struct {
- Enabled bool
- AccessTokenExpirationTime int64
- RefreshTokenExpirationTime int64
- InvalidateRefreshTokens bool
- JWTSigningAlgorithm string `ini:"JWT_SIGNING_ALGORITHM"`
- JWTSigningPrivateKeyFile string `ini:"JWT_SIGNING_PRIVATE_KEY_FILE"`
- MaxTokenLength int
- DefaultApplications []string
+ Enabled bool
+ AccessTokenExpirationTime int64
+ RefreshTokenExpirationTime int64
+ InvalidateRefreshTokens bool
+ JWTSigningAlgorithm string `ini:"JWT_SIGNING_ALGORITHM"`
+ JWTSigningPrivateKeyFile string `ini:"JWT_SIGNING_PRIVATE_KEY_FILE"`
+ MaxTokenLength int
+ DefaultApplications []string
+ EnableAdditionalGrantScopes bool
}{
- Enabled: true,
- AccessTokenExpirationTime: 3600,
- RefreshTokenExpirationTime: 730,
- InvalidateRefreshTokens: true,
- JWTSigningAlgorithm: "RS256",
- JWTSigningPrivateKeyFile: "jwt/private.pem",
- MaxTokenLength: math.MaxInt16,
- DefaultApplications: []string{"git-credential-oauth", "git-credential-manager", "tea"},
+ Enabled: true,
+ AccessTokenExpirationTime: 3600,
+ RefreshTokenExpirationTime: 730,
+ InvalidateRefreshTokens: true,
+ JWTSigningAlgorithm: "RS256",
+ JWTSigningPrivateKeyFile: "jwt/private.pem",
+ MaxTokenLength: math.MaxInt16,
+ DefaultApplications: []string{"git-credential-oauth", "git-credential-manager", "tea"},
+ EnableAdditionalGrantScopes: false,
}
func loadOAuth2From(rootCfg ConfigProvider) {
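Review bot: The new `EnableAdditionalGrantScopes` field in the `OAuth2` struct has no comment, although, going by the commit description, it appears to be the switch that decides whether an OAuth2 token is limited to the scopes the client requested or keeps the default `all`. Because it defaults to `false`, existing installations would keep issuing full-scope tokens after upgrading; that is the compatible choice, but it should be stated next to the field and in the sample configuration. I would add `// EnableAdditionalGrantScopes limits OAuth2 tokens to the scopes requested by the client; when false, tokens keep the default "all" scope.` directly above the field. The code that reads this flag is outside this hunk, so it is worth confirming that every path deriving a token's scope consults it.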