Re: [pgAdmin][PATCH] Add OAUTH2_SCOPE variable for scope configuration

Hi,

Note that this patch just includes the configurable Scope (which would be
helpful in OpenID connect), it does not include the proper OIDC
implementation.

Thanks,
Khushboo

On Tue, Aug 31, 2021 at 12:52 PM Khushboo Vashi <
khushboo(dot)vashi(at)enterprisedb(dot)com> wrote:

> Hi,
>
> The patch looks good to me.
> Please find the attached patch for the same.
>
> Thanks,
> Khushbo
>
> On Sun, Aug 29, 2021 at 7:46 PM Akshay Joshi <
> akshay(dot)joshi(at)enterprisedb(dot)com> wrote:
>
>> Hi Khushboo
>>
>> Can you please review/test the patch?
>>
>> On Fri, Aug 27, 2021 at 7:46 PM Nico Rikken <nico(dot)rikken(at)alliander(dot)com>
>> wrote:
>>
>>> In certain cases like with OpenID Connect, a different scope is needed.
>>> This
>>> patch adds an additional variable `OAUTH2_SCOPE` that can be used to
>>> configure
>>> the appropriate scope for the deployment. Already there are runtime
>>> checks to
>>> ensure that the email claim is included in the user profile, so there is
>>> no need
>>> for similar checks on the configuration. This commit does introduce a
>>> check in
>>> the oauth2.py if a value for OAUTH2_SCOPE is set, to prevent a breaking
>>> change.
>>>
>>> Related issue: https://redmine.postgresql.org/issues/6627
>>> OIDC docs:
>>> https://openid.net/specs/openid-connect-core-1_0.html#ScopeClaims
>>>
>>> I haven't yet tested this, as I'm still in the process of setting up a
>>> local
>>> development environment. I hope somebody else here can help me with the
>>> quality
>>> assurance.
>>>
>>> Signed-off-by: Nico Rikken <nico(dot)rikken(at)alliander(dot)com>
>>> ---
>>> docs/en_US/oauth2.rst | 1 +
>>> web/config.py | 3 +++
>>> web/pgadmin/authenticate/oauth2.py | 6 +++++-
>>> web/pgadmin/browser/tests/test_oauth2_with_mocking.py | 1 +
>>> 4 files changed, 10 insertions(+), 1 deletion(-)
>>>
>>> diff --git a/docs/en_US/oauth2.rst b/docs/en_US/oauth2.rst
>>> index 8947b509e..4cc2628f5 100644
>>> --- a/docs/en_US/oauth2.rst
>>> +++ b/docs/en_US/oauth2.rst
>>> @@ -30,6 +30,7 @@ and modify the values for the following parameters:
>>> "OAUTH2_AUTHORIZATION_URL", "Endpoint for user authorization"
>>> "OAUTH2_API_BASE_URL", "Oauth2 base URL endpoint to make requests
>>> simple, ex: *https://api.github.com/*"
>>> "OAUTH2_USERINFO_ENDPOINT", "User Endpoint, ex: *user* (for github)
>>> and *useinfo* (for google)"
>>> + "OAUTH2_SCOPE", "Oauth scope, ex: 'openid email profile'. Note that
>>> an 'email' claim is required in the resulting profile."
>>> "OAUTH2_ICON", "The Font-awesome icon to be placed on the oauth2
>>> button, ex: fa-github"
>>> "OAUTH2_BUTTON_COLOR", "Oauth2 button color"
>>> "OAUTH2_AUTO_CREATE_USER", "Set the value to *True* if you want to
>>> automatically
>>> diff --git a/web/config.py b/web/config.py
>>> index d797e26f7..e932d17fc 100644
>>> --- a/web/config.py
>>> +++ b/web/config.py
>>> @@ -711,6 +711,9 @@ OAUTH2_CONFIG = [
>>> # Name of the Endpoint, ex: user
>>> 'OAUTH2_USERINFO_ENDPOINT': None,
>>> # Font-awesome icon, ex: fa-github
>>> + 'OAUTH2_SCOPE': None,
>>> + # Oauth scope, ex: 'openid email profile'
>>> + # Note that an 'email' claim is required in the resulting
>>> profile
>>> 'OAUTH2_ICON': None,
>>> # UI button colour, ex: #0000ff
>>> 'OAUTH2_BUTTON_COLOR': None,
>>> diff --git a/web/pgadmin/authenticate/oauth2.py
>>> b/web/pgadmin/authenticate/oauth2.py
>>> index 91903165a..5e60d35dd 100644
>>> --- a/web/pgadmin/authenticate/oauth2.py
>>> +++ b/web/pgadmin/authenticate/oauth2.py
>>> @@ -104,7 +104,11 @@ class OAuth2Authentication(BaseAuthentication):
>>> access_token_url=oauth2_config['OAUTH2_TOKEN_URL'],
>>> authorize_url=oauth2_config['OAUTH2_AUTHORIZATION_URL'],
>>> api_base_url=oauth2_config['OAUTH2_API_BASE_URL'],
>>> - client_kwargs={'scope': 'email profile'}
>>> + # Resort to previously hardcoded scope 'email profile'
>>> in case
>>> + # no OAUTH2_SCOPE is provided. This prevents a breaking
>>> change.
>>> + client_kwargs={'scope':
>>> + oauth2_config.get('OAUTH2_SCOPE',
>>> + 'email profile')}
>>> )
>>>
>>> def get_source_name(self):
>>> diff --git a/web/pgadmin/browser/tests/test_oauth2_with_mocking.py
>>> b/web/pgadmin/browser/tests/test_oauth2_with_mocking.py
>>> index b170720a8..71706ebe6 100644
>>> --- a/web/pgadmin/browser/tests/test_oauth2_with_mocking.py
>>> +++ b/web/pgadmin/browser/tests/test_oauth2_with_mocking.py
>>> @@ -58,6 +58,7 @@ class Oauth2LoginMockTestCase(BaseTestGenerator):
>>> 'https://github.com/login/oauth/authorize',
>>> 'OAUTH2_API_BASE_URL': 'https://api.github.com/',
>>> 'OAUTH2_USERINFO_ENDPOINT': 'user',
>>> + 'OAUTH2_SCOPE': 'email profile',
>>> 'OAUTH2_ICON': 'fa-github',
>>> 'OAUTH2_BUTTON_COLOR': '#3253a8',
>>> }
>>> --
>>> 2.25.1
>>>
>>>
>>>
>>>
>>
>> --
>> *Thanks & Regards*
>> *Akshay Joshi*
>> *pgAdmin Hacker | Principal Software Architect*
>> *EDB Postgres <http://edbpostgres.com>*
>>
>> *Mobile: +91 976-788-8246*
>>
>