Improvement in Generic OAuth

GibbonEdu · Apr 30, 2024 · e45e4e7 · e45e4e7
1 parent d360b63
commit e45e4e7
Show file tree

Hide file tree

Showing 4 changed files with 41 additions and 12 deletions.
diff --git a/modules/System Admin/thirdPartySettings_ssoEdit.php b/modules/System Admin/thirdPartySettings_ssoEdit.php
@@ -139,6 +139,20 @@
         $row = $form->addRow()->addClass('settingActive');
             $row->addLabel('userEndpoint', __('API User Endpoint'));
             $row->addURL('userEndpoint')->required();
+
+        $row = $form->addRow()->addHeading('Additional Parameters', __('Additional Parameters'))
+                    ->addClass('settingActive')
+                    ->append(__('Some systems require additional parameters for a login request in order to read the user\'s basic profile.'));
+
+        $row = $form->addRow()->addClass('settingActive');
+            $row->addLabel('scopes', __('Scopes'))
+                ->description(__('Scope is a mechanism in OAuth 2.0 to limit an application\'s access to a user\'s account. An application can request one or more scopes. The standard scopes for an OpenID Connect compliant system are: openid profile email.'));
+            $row->addTextField('scopes');
+
+        $row = $form->addRow()->addClass('settingActive');
+            $row->addLabel('usernameAttribute', __('Username attribute'))
+                ->description(__('Name of the attribute containing usernames in the OAuth service.'));
+            $row->addTextField('usernameAttribute')->required();                       
     }
 
     $row = $form->addRow();

diff --git a/modules/System Admin/thirdPartySettings_ssoEditProcess.php b/modules/System Admin/thirdPartySettings_ssoEditProcess.php
@@ -47,14 +47,16 @@
     $values = json_decode($values, true) ?? [];
 
     $data = [
-        'enabled'           => $_POST['enabled'] ?? 'N',
-        'clientName'        => $_POST['clientName'] ?? '',
-        'clientID'          => $_POST['clientID'] ?? '',
-        'clientSecret'      => $_POST['clientSecret'] ?? '',
-        'developerKey'      => $_POST['developerKey'] ?? '',
-        'authorizeEndpoint' => $_POST['authorizeEndpoint'] ?? '',
-        'tokenEndpoint'     => $_POST['tokenEndpoint'] ?? '',
-        'userEndpoint'      => $_POST['userEndpoint'] ?? '',
+        'enabled'            => $_POST['enabled'] ?? 'N',
+        'clientName'         => $_POST['clientName'] ?? '',
+        'clientID'           => $_POST['clientID'] ?? '',
+        'clientSecret'       => $_POST['clientSecret'] ?? '',
+        'developerKey'       => $_POST['developerKey'] ?? '',
+        'authorizeEndpoint'  => $_POST['authorizeEndpoint'] ?? '',
+        'tokenEndpoint'      => $_POST['tokenEndpoint'] ?? '',
+        'userEndpoint'       => $_POST['userEndpoint'] ?? '',
+        'scopes'             => $_POST['scopes'] ?? '',
+        'usernameAttribute'      => $_POST['usernameAttribute'] ?? '',
     ];
 
     $calendarFeed = $_POST['calendarFeed'] ?? '';

diff --git a/src/Auth/Adapter/OAuthGenericAdapter.php b/src/Auth/Adapter/OAuthGenericAdapter.php
@@ -26,6 +26,7 @@
 use Gibbon\Auth\Adapter\AuthenticationAdapter;
 use Gibbon\Contracts\Services\Session;
 use Gibbon\Domain\User\UserGateway;
+use Gibbon\Domain\System\SettingGateway;
 use League\OAuth2\Client\Provider\Exception\IdentityProviderException;
 
 /**
@@ -96,17 +97,28 @@ public function login(array $input)
         $resourceOwner = $oauthProvider->getResourceOwner($accessToken);
 
         $user = $resourceOwner->toArray();
-        $email = $user['email'] ?? $user['emailAddress'] ?? $user['email-address'] ?? $user['email_address'];
-        $_POST['usernameOAuth'] = $email;
+        $settingGateway = $this->getContainer()->get(SettingGateway::class);
+
+        $ssoSettings = $settingGateway->getSettingByScope('System Admin', 'ssoOther');
+        $ssoSettings = json_decode($ssoSettings, true);
+
+        // If usernameAttribute is empty the Gibbon version less than v27
+        if (empty($ssoSettings['usernameAttribute'])) {
+            $usernameOAuth = $user['email'] ?? $user['emailAddress'] ?? $user['email-address'] ?? $user['email_address'];
+        } else {
+            $usernameOAuth = $user[$ssoSettings['usernameAttribute']];
+        }
+
+        $_POST['usernameOAuth'] = $usernameOAuth;
 
-        if (empty($email)) {
+        if (empty($usernameOAuth)) {
             $session->forget('genericAPIAccessToken');
             throw new Exception\OAuthLoginError;
         }
 
         // Get basic user data needed to verify login access
         $this->userGateway = $this->getContainer()->get(UserGateway::class);
-        $userData = $this->getUserData(['username' => $email]);
+        $userData = $this->getUserData(['username' => $usernameOAuth]);
 
         if (empty($userData)) {
             $session->forget('genericAPIAccessToken');

diff --git a/src/Services/AuthServiceProvider.php b/src/Services/AuthServiceProvider.php
@@ -203,6 +203,7 @@ public function register()
                     'urlAuthorize'              => $ssoSettings['authorizeEndpoint'],
                     'urlAccessToken'            => $ssoSettings['tokenEndpoint'],
                     'urlResourceOwnerDetails'   => $ssoSettings['userEndpoint'],
+                    'scopes'                    => $ssoSettings['scopes'] ?? 'openid profile offline_access email groups'
                 ]);
             } catch (\League\OAuth2\Client\Provider\Exception\IdentityProviderException $e) {
                 throw new OAuthLoginError($e->getMessage());