From ca99280e5a935beb88196f5f97350152a378e987 Mon Sep 17 00:00:00 2001
From: FreddleSpl0it
Date: Fri, 20 Oct 2023 12:30:50 +0200
Subject: [PATCH] [Web] add configurable client scopes for generic-oidc
---
 data/web/inc/functions.inc.php | 9 +++++++--
 data/web/lang/lang.en-gb.json | 1 +
 .../templates/admin/tab-config-identity-provider.twig | 8 +++++++-
 3 files changed, 15 insertions(+), 3 deletions(-)
diff --git a/data/web/inc/functions.inc.php b/data/web/inc/functions.inc.php
index efa34ef2e..221ef5c71 100644
--- a/data/web/inc/functions.inc.php
+++ b/data/web/inc/functions.inc.php
@@ -2108,6 +2108,10 @@ function identity_provider($_action, $_data = null, $_extra = null) {
 $settings[$row["key"]] = $row["value"];
 }
 }
+ // return default client_scopes for generic-oidc if none is set
+ if ($settings["authsource"] == "generic-oidc" && empty($settings["client_scopes"])){
+ $settings["client_scopes"] = "openid profile email";
+ }
 if ($_extra['hide_sensitive']){
 $settings['client_secret'] = '';
 $settings['access_token'] = '';
@@ -2168,7 +2172,8 @@ function identity_provider($_action, $_data = null, $_extra = null) {
 $_data['authorize_url'] = (!empty($_data['authorize_url'])) ? $_data['authorize_url'] : null;
 $_data['token_url'] = (!empty($_data['token_url'])) ? $_data['token_url'] : null;
 $_data['userinfo_url'] = (!empty($_data['userinfo_url'])) ? $_data['userinfo_url'] : null;
- $required_settings = array('authsource', 'authorize_url', 'token_url', 'client_id', 'client_secret', 'redirect_url', 'userinfo_url');
+ $_data['client_scopes'] = (!empty($_data['client_scopes'])) ? $_data['client_scopes'] : "openid profile email";
+ $required_settings = array('authsource', 'authorize_url', 'token_url', 'client_id', 'client_secret', 'redirect_url', 'userinfo_url', 'client_scopes');
 }
 $pdo->beginTransaction();
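Review bot: The new guard `if ($settings["authsource"] == "generic-oidc" && empty($settings["client_scopes"])){` uses loose `==` and reads `$settings["authsource"]` unconditionally, so on an installation whose settings table has no `authsource` row PHP emits an undefined-index warning before the comparison even runs. Prefer `if (($settings["authsource"] ?? null) === "generic-oidc" && empty($settings["client_scopes"])) {`. The literal default `"openid profile email"` is also repeated in the next hunk of this file on the write path; a single named constant would keep the read-path and write-path defaults from drifting apart. identity_provider() starts and ends outside this hunk.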
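Review bot: `$_data['client_scopes']` is persisted exactly as submitted; the only check is the `!empty()` fallback, so stray whitespace, a comma-separated list, or a scope set that omits `openid` are all stored and later passed to the provider unchanged (third hunk of this file). Because OpenID Connect requires the `openid` scope for an ID token and userinfo to be returned, it is worth normalising the value before the required_settings check, e.g. `$_data['client_scopes'] = trim(preg_replace('/\s+/', ' ', (string)($_data['client_scopes'] ?? '')));` followed by `if ($_data['client_scopes'] === '') { $_data['client_scopes'] = "openid profile email"; }`, and then rejecting (or prepending `openid` to) a value that still lacks it. As far as this hunk shows `$_data` comes from the admin configuration form, so this is a configuration-robustness point rather than an injection risk. identity_provider() continues outside this hunk.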
@@ -2318,7 +2323,7 @@ function identity_provider($_action, $_data = null, $_extra = null) {
 'urlAuthorize' => $iam_settings['authorize_url'],
 'urlAccessToken' => $iam_settings['token_url'],
 'urlResourceOwnerDetails' => $iam_settings['userinfo_url'],
- 'scopes' => 'openid profile email'
+ 'scopes' => $iam_settings['client_scopes']
 ]);
 }
 }
diff --git a/data/web/lang/lang.en-gb.json b/data/web/lang/lang.en-gb.json
index d77de7373..869e69d16 100644
--- a/data/web/lang/lang.en-gb.json
+++ b/data/web/lang/lang.en-gb.json
@@ -217,6 +217,7 @@
 "iam_auth_flow_info": "In addition to the Authorization Code Flow (Standard Flow in Keycloak), which is used for Single-Sign On login, mailcow also supports Authentication Flow with direct Credentials. The Mailpassword Flow attempts to validate the user's credentials by using the Keycloak Admin REST API. mailcow retrieves the hashed password from the mailcow_password attribute, which is mapped in Keycloak.",
 "iam_client_id": "Client ID",
 "iam_client_secret": "Client Secret",
+ "iam_client_scopes": "Client Scopes",
 "iam_description": "Configure an external OIDC Provider for Authentication
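Review bot: `'scopes' => $iam_settings['client_scopes']` hands the provider a null scope for an installation configured before this change unless `$iam_settings` is loaded through the read path that now fills in the default (the hunk at line 2108 of this file); that cannot be confirmed from this hunk, so it is worth checking how `$iam_settings` is built here. A local fallback, `'scopes' => $iam_settings['client_scopes'] ?? 'openid profile email',`, would keep the authorize request valid either way. The provider constructed here previously received the scopes as one space-separated string, so the value's shape is unchanged; whether the library also accepts an array is outside the hunk. identity_provider() continues outside this hunk.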
User's mailboxes will be automatically created upon their first login, provided that an attribute mapping has been set.",
 "iam_extra_permission": "For the following settings to work, the mailcow client in Keycloak needs a Service account and the permission to view-users.",
 "iam_import_users": "Import Users",
diff --git a/data/web/templates/admin/tab-config-identity-provider.twig b/data/web/templates/admin/tab-config-identity-provider.twig
index 88ccc95ee..32c20feab 100644
--- a/data/web/templates/admin/tab-config-identity-provider.twig
+++ b/data/web/templates/admin/tab-config-identity-provider.twig
@@ -207,12 +207,18 @@ -
+
+
+ +
+ +
+