Quick Links

Re: [pgAdmin][PATCH] Add OAUTH2_SCOPE variable for scope configuration

From:	Akshay Joshi <akshay(dot)joshi(at)enterprisedb(dot)com>
To:	Khushboo Vashi <khushboo(dot)vashi(at)enterprisedb(dot)com>
Cc:	"pgadmin-hackers(at)lists(dot)postgresql(dot)org" <pgadmin-hackers(at)lists(dot)postgresql(dot)org>, Nico Rikken <nico(dot)rikken(at)alliander(dot)com>
Subject:	Re: [pgAdmin][PATCH] Add OAUTH2_SCOPE variable for scope configuration
Date:	2021-08-29 14:16:00
Message-ID:	CANxoLDfczVRQ4vYEham3Tab4x5MdvEwD+dL77fiyghCqDyVesA@mail.gmail.com
Views:	Raw Message \| Whole Thread \| Download mbox \| Resend email
Thread:
Lists:	pgadmin-hackers

Hi Khushboo

Can you please review/test the patch?

On Fri, Aug 27, 2021 at 7:46 PM Nico Rikken <nico(dot)rikken(at)alliander(dot)com>
wrote:

> In certain cases like with OpenID Connect, a different scope is needed.
> This
> patch adds an additional variable `OAUTH2_SCOPE` that can be used to
> configure
> the appropriate scope for the deployment. Already there are runtime checks
> to
> ensure that the email claim is included in the user profile, so there is
> no need
> for similar checks on the configuration. This commit does introduce a
> check in
> the oauth2.py if a value for OAUTH2_SCOPE is set, to prevent a breaking
> change.
>
> Related issue: https://redmine.postgresql.org/issues/6627
> OIDC docs:
> https://openid.net/specs/openid-connect-core-1_0.html#ScopeClaims
>
> I haven't yet tested this, as I'm still in the process of setting up a
> local
> development environment. I hope somebody else here can help me with the
> quality
> assurance.
>
> Signed-off-by: Nico Rikken <nico(dot)rikken(at)alliander(dot)com>
> ---
> docs/en_US/oauth2.rst | 1 +
> web/config.py | 3 +++
> web/pgadmin/authenticate/oauth2.py | 6 +++++-
> web/pgadmin/browser/tests/test_oauth2_with_mocking.py | 1 +
> 4 files changed, 10 insertions(+), 1 deletion(-)
>
> diff --git a/docs/en_US/oauth2.rst b/docs/en_US/oauth2.rst
> index 8947b509e..4cc2628f5 100644
> --- a/docs/en_US/oauth2.rst
> +++ b/docs/en_US/oauth2.rst
> @@ -30,6 +30,7 @@ and modify the values for the following parameters:
> "OAUTH2_AUTHORIZATION_URL", "Endpoint for user authorization"
> "OAUTH2_API_BASE_URL", "Oauth2 base URL endpoint to make requests
> simple, ex: *https://api.github.com/*"
> "OAUTH2_USERINFO_ENDPOINT", "User Endpoint, ex: *user* (for github)
> and *useinfo* (for google)"
> + "OAUTH2_SCOPE", "Oauth scope, ex: 'openid email profile'. Note that
> an 'email' claim is required in the resulting profile."
> "OAUTH2_ICON", "The Font-awesome icon to be placed on the oauth2
> button, ex: fa-github"
> "OAUTH2_BUTTON_COLOR", "Oauth2 button color"
> "OAUTH2_AUTO_CREATE_USER", "Set the value to *True* if you want to
> automatically
> diff --git a/web/config.py b/web/config.py
> index d797e26f7..e932d17fc 100644
> --- a/web/config.py
> +++ b/web/config.py
> @@ -711,6 +711,9 @@ OAUTH2_CONFIG = [
> # Name of the Endpoint, ex: user
> 'OAUTH2_USERINFO_ENDPOINT': None,
> # Font-awesome icon, ex: fa-github
> + 'OAUTH2_SCOPE': None,
> + # Oauth scope, ex: 'openid email profile'
> + # Note that an 'email' claim is required in the resulting profile
> 'OAUTH2_ICON': None,
> # UI button colour, ex: #0000ff
> 'OAUTH2_BUTTON_COLOR': None,
> diff --git a/web/pgadmin/authenticate/oauth2.py
> b/web/pgadmin/authenticate/oauth2.py
> index 91903165a..5e60d35dd 100644
> --- a/web/pgadmin/authenticate/oauth2.py
> +++ b/web/pgadmin/authenticate/oauth2.py
> @@ -104,7 +104,11 @@ class OAuth2Authentication(BaseAuthentication):
> access_token_url=oauth2_config['OAUTH2_TOKEN_URL'],
> authorize_url=oauth2_config['OAUTH2_AUTHORIZATION_URL'],
> api_base_url=oauth2_config['OAUTH2_API_BASE_URL'],
> - client_kwargs={'scope': 'email profile'}
> + # Resort to previously hardcoded scope 'email profile' in
> case
> + # no OAUTH2_SCOPE is provided. This prevents a breaking
> change.
> + client_kwargs={'scope':
> + oauth2_config.get('OAUTH2_SCOPE',
> + 'email profile')}
> )
>
> def get_source_name(self):
> diff --git a/web/pgadmin/browser/tests/test_oauth2_with_mocking.py
> b/web/pgadmin/browser/tests/test_oauth2_with_mocking.py
> index b170720a8..71706ebe6 100644
> --- a/web/pgadmin/browser/tests/test_oauth2_with_mocking.py
> +++ b/web/pgadmin/browser/tests/test_oauth2_with_mocking.py
> @@ -58,6 +58,7 @@ class Oauth2LoginMockTestCase(BaseTestGenerator):
> 'https://github.com/login/oauth/authorize',
> 'OAUTH2_API_BASE_URL': 'https://api.github.com/',
> 'OAUTH2_USERINFO_ENDPOINT': 'user',
> + 'OAUTH2_SCOPE': 'email profile',
> 'OAUTH2_ICON': 'fa-github',
> 'OAUTH2_BUTTON_COLOR': '#3253a8',
> }
> --
> 2.25.1
>
>
>
>

--
*Thanks & Regards*
*Akshay Joshi*
*pgAdmin Hacker | Principal Software Architect*
*EDB Postgres <http://edbpostgres.com>*

*Mobile: +91 976-788-8246*

In response to

[pgAdmin][PATCH] Add OAUTH2_SCOPE variable for scope configuration at 2021-08-27 14:16:25 from Nico Rikken

Responses

Re: [pgAdmin][PATCH] Add OAUTH2_SCOPE variable for scope configuration at 2021-08-31 07:22:58 from Khushboo Vashi

Browse pgadmin-hackers by date

	From	Date	Subject
Next Message	Nikhil Mohite	2021-08-30 04:30:27	[pgAdmin][RM-4815]: User can not paste the updated table header in safari 12 and 13 browsers
Previous Message	Nico Rikken	2021-08-27 14:16:25	[pgAdmin][PATCH] Add OAUTH2_SCOPE variable for scope configuration