Quick Links

Re: [pgAdmin][PATCH] Add OAUTH2_SCOPE variable for scope configuration

From:	Khushboo Vashi <khushboo(dot)vashi(at)enterprisedb(dot)com>
To:	Akshay Joshi <akshay(dot)joshi(at)enterprisedb(dot)com>
Cc:	"pgadmin-hackers(at)lists(dot)postgresql(dot)org" <pgadmin-hackers(at)lists(dot)postgresql(dot)org>, Nico Rikken <nico(dot)rikken(at)alliander(dot)com>
Subject:	Re: [pgAdmin][PATCH] Add OAUTH2_SCOPE variable for scope configuration
Date:	2021-08-31 07:22:58
Message-ID:	CAFOhELciKSsxu7jAzG5k8m-QAUo5Cb8p4U5_cjr=ayNb29b1Jg@mail.gmail.com
Views:	Raw Message \| Whole Thread \| Download mbox \| Resend email
Thread:
Lists:	pgadmin-hackers

Hi,

The patch looks good to me.
Please find the attached patch for the same.

Thanks,
Khushbo

On Sun, Aug 29, 2021 at 7:46 PM Akshay Joshi <akshay(dot)joshi(at)enterprisedb(dot)com>
wrote:

> Hi Khushboo
>
> Can you please review/test the patch?
>
> On Fri, Aug 27, 2021 at 7:46 PM Nico Rikken <nico(dot)rikken(at)alliander(dot)com>
> wrote:
>
>> In certain cases like with OpenID Connect, a different scope is needed.
>> This
>> patch adds an additional variable `OAUTH2_SCOPE` that can be used to
>> configure
>> the appropriate scope for the deployment. Already there are runtime
>> checks to
>> ensure that the email claim is included in the user profile, so there is
>> no need
>> for similar checks on the configuration. This commit does introduce a
>> check in
>> the oauth2.py if a value for OAUTH2_SCOPE is set, to prevent a breaking
>> change.
>>
>> Related issue: https://redmine.postgresql.org/issues/6627
>> OIDC docs:
>> https://openid.net/specs/openid-connect-core-1_0.html#ScopeClaims
>>
>> I haven't yet tested this, as I'm still in the process of setting up a
>> local
>> development environment. I hope somebody else here can help me with the
>> quality
>> assurance.
>>
>> Signed-off-by: Nico Rikken <nico(dot)rikken(at)alliander(dot)com>
>> ---
>> docs/en_US/oauth2.rst | 1 +
>> web/config.py | 3 +++
>> web/pgadmin/authenticate/oauth2.py | 6 +++++-
>> web/pgadmin/browser/tests/test_oauth2_with_mocking.py | 1 +
>> 4 files changed, 10 insertions(+), 1 deletion(-)
>>
>> diff --git a/docs/en_US/oauth2.rst b/docs/en_US/oauth2.rst
>> index 8947b509e..4cc2628f5 100644
>> --- a/docs/en_US/oauth2.rst
>> +++ b/docs/en_US/oauth2.rst
>> @@ -30,6 +30,7 @@ and modify the values for the following parameters:
>> "OAUTH2_AUTHORIZATION_URL", "Endpoint for user authorization"
>> "OAUTH2_API_BASE_URL", "Oauth2 base URL endpoint to make requests
>> simple, ex: *https://api.github.com/*"
>> "OAUTH2_USERINFO_ENDPOINT", "User Endpoint, ex: *user* (for github)
>> and *useinfo* (for google)"
>> + "OAUTH2_SCOPE", "Oauth scope, ex: 'openid email profile'. Note that
>> an 'email' claim is required in the resulting profile."
>> "OAUTH2_ICON", "The Font-awesome icon to be placed on the oauth2
>> button, ex: fa-github"
>> "OAUTH2_BUTTON_COLOR", "Oauth2 button color"
>> "OAUTH2_AUTO_CREATE_USER", "Set the value to *True* if you want to
>> automatically
>> diff --git a/web/config.py b/web/config.py
>> index d797e26f7..e932d17fc 100644
>> --- a/web/config.py
>> +++ b/web/config.py
>> @@ -711,6 +711,9 @@ OAUTH2_CONFIG = [
>> # Name of the Endpoint, ex: user
>> 'OAUTH2_USERINFO_ENDPOINT': None,
>> # Font-awesome icon, ex: fa-github
>> + 'OAUTH2_SCOPE': None,
>> + # Oauth scope, ex: 'openid email profile'
>> + # Note that an 'email' claim is required in the resulting profile
>> 'OAUTH2_ICON': None,
>> # UI button colour, ex: #0000ff
>> 'OAUTH2_BUTTON_COLOR': None,
>> diff --git a/web/pgadmin/authenticate/oauth2.py
>> b/web/pgadmin/authenticate/oauth2.py
>> index 91903165a..5e60d35dd 100644
>> --- a/web/pgadmin/authenticate/oauth2.py
>> +++ b/web/pgadmin/authenticate/oauth2.py
>> @@ -104,7 +104,11 @@ class OAuth2Authentication(BaseAuthentication):
>> access_token_url=oauth2_config['OAUTH2_TOKEN_URL'],
>> authorize_url=oauth2_config['OAUTH2_AUTHORIZATION_URL'],
>> api_base_url=oauth2_config['OAUTH2_API_BASE_URL'],
>> - client_kwargs={'scope': 'email profile'}
>> + # Resort to previously hardcoded scope 'email profile'
>> in case
>> + # no OAUTH2_SCOPE is provided. This prevents a breaking
>> change.
>> + client_kwargs={'scope':
>> + oauth2_config.get('OAUTH2_SCOPE',
>> + 'email profile')}
>> )
>>
>> def get_source_name(self):
>> diff --git a/web/pgadmin/browser/tests/test_oauth2_with_mocking.py
>> b/web/pgadmin/browser/tests/test_oauth2_with_mocking.py
>> index b170720a8..71706ebe6 100644
>> --- a/web/pgadmin/browser/tests/test_oauth2_with_mocking.py
>> +++ b/web/pgadmin/browser/tests/test_oauth2_with_mocking.py
>> @@ -58,6 +58,7 @@ class Oauth2LoginMockTestCase(BaseTestGenerator):
>> 'https://github.com/login/oauth/authorize',
>> 'OAUTH2_API_BASE_URL': 'https://api.github.com/',
>> 'OAUTH2_USERINFO_ENDPOINT': 'user',
>> + 'OAUTH2_SCOPE': 'email profile',
>> 'OAUTH2_ICON': 'fa-github',
>> 'OAUTH2_BUTTON_COLOR': '#3253a8',
>> }
>> --
>> 2.25.1
>>
>>
>>
>>
>
> --
> *Thanks & Regards*
> *Akshay Joshi*
> *pgAdmin Hacker | Principal Software Architect*
> *EDB Postgres <http://edbpostgres.com>*
>
> *Mobile: +91 976-788-8246*
>

Attachment	Content-Type	Size
RM_6627.patch	application/octet-stream	2.7 KB

In response to

Re: [pgAdmin][PATCH] Add OAUTH2_SCOPE variable for scope configuration at 2021-08-29 14:16:00 from Akshay Joshi

Responses

Re: [pgAdmin][PATCH] Add OAUTH2_SCOPE variable for scope configuration at 2021-08-31 07:30:56 from Khushboo Vashi

Browse pgadmin-hackers by date

	From	Date	Subject
Next Message	Khushboo Vashi	2021-08-31 07:30:56	Re: [pgAdmin][PATCH] Add OAUTH2_SCOPE variable for scope configuration
Previous Message	Ashesh Vashi	2021-08-30 12:52:52	Re: Patch: Two-factor Authentication (RM #6543)