[Bps-public-commit] rt-authen-oauth2 branch, auth0, created. 9ad80d9dbe1a882ef8ff3b9ebbb8cbec9cedba66

? sunnavy sunnavy at bestpractical.com
Thu Mar 22 12:55:56 EDT 2018


The branch, auth0 has been created
        at  9ad80d9dbe1a882ef8ff3b9ebbb8cbec9cedba66 (commit)

- Log -----------------------------------------------------------------
commit 08455513c9eb5b0d8e798d8bfcb4780e2583cf49
Author: Robert <rspier at pobox.com>
Date:   Sun Nov 19 17:48:05 2017 -0800

    Add IDP config for auth0

diff --git a/etc/OAuth2_Config.pm b/etc/OAuth2_Config.pm
index e8b7ad7..e234641 100644
--- a/etc/OAuth2_Config.pm
+++ b/etc/OAuth2_Config.pm
@@ -138,6 +138,28 @@ Set(%OAuthIDPs,
         'client_secret' => '',
         'state' => '',
     },
+    'auth0' => {
+        # You must Set($Auth0Host, "something.auth0.com");
+        'MetadataHandler' => 'RT::Authen::OAuth2::Google',
+        'MetadataMap' => {
+            EmailAddress => 'email',
+            RealName => 'name',
+            NickName => 'nickname',
+            Lang => 'not-provided',
+            Organization => 'not-provided',
+            VerifiedEmail => 'email_verified',
+        },
+        'LoginPageButton' => '/static/images/btn_auth0_signin.png',
+        'authorize_path' => '/authorize',
+        'site' => 'https://' . RT->Config->Get('Auth0Host'),
+        'name' => 'Auth0',
+        'protected_resource_path' => '/userinfo',
+        'scope' => 'openid profile email',
+        'access_token_path' => '/oauth/token',
+        'client_id' => '',
+        'client_secret' => '',
+        'state' => '',
+    },
     'instagram' => {
         'MetadataHandler' => 'RT::Authen::OAuth2::Unimplemented',
         'access_token_path' => '/oauth/access_token',
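Review bot: `'site' => 'https://' . RT->Config->Get('Auth0Host')` is evaluated when this config file is loaded, so if `$Auth0Host` has not been Set by that point the site silently becomes the bare string `https://` (plus an uninitialized-value warning) and the authorize, token and userinfo requests go to a malformed host instead of failing at startup; the comment on the preceding line tells the admin to set it but nothing enforces it. If, as I'd expect, the site config is loaded after plugin config files, confirm the load order before relying on this, and fail visibly: `'site' => 'https://' . (RT->Config->Get('Auth0Host') // die "Set(\$Auth0Host, ...) is required for the auth0 IDP")`. Reusing `RT::Authen::OAuth2::Google` as the MetadataHandler also deserves a one-line comment saying why it works for Auth0's `/userinfo` response (same JSON field shape). The `Set(%OAuthIDPs, ...)` call this entry belongs to starts before the hunk.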
diff --git a/static/images/btn_auth0_signin.png b/static/images/btn_auth0_signin.png
new file mode 100644
index 0000000..6616358
Binary files /dev/null and b/static/images/btn_auth0_signin.png differ

commit fc007efebfab78bbfb1b4a4d56aafb5113c5198e
Author: Robert <rspier at pobox.com>
Date:   Sun Nov 19 17:49:14 2017 -0800

    Add support for autocreating users on oauth2 login.

diff --git a/etc/OAuth2_Config.pm b/etc/OAuth2_Config.pm
index e234641..22e48c8 100644
--- a/etc/OAuth2_Config.pm
+++ b/etc/OAuth2_Config.pm
@@ -18,6 +18,35 @@ Set this to enable the OAuth2 button on the login page.
 
 Set($EnableOAuth2, 1);
 
+=over 4
+
+=item C<$OAuthCreateNewUser>
+
+Set this to enable auto-creating new users based on the OAuth2 data.
+
+    Set($OAuthCreateNewUser, 1);
+
+=back
+
+=cut
+
+Set($OAuthCreateNewUser, 0);
+
+
+=over 4
+
+=item C<$OAuthNewUserOptions>
+
+Set this to enable auto-creating new users based on the OAuth2 data.
+
+    Set($OAuthNewUserOptions, {
+            Privileged => 1,
+        },
+    );
+
+=back
+
+=cut
 
 =over 4
 
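Review bot: The POD for `$OAuthNewUserOptions` is a copy of the `$OAuthCreateNewUser` text ("Set this to enable auto-creating new users") and never says what the hash actually is, and unlike `$OAuthCreateNewUser` there is no `Set($OAuthNewUserOptions, ...)` default line after the `=cut`, so a reader has no way to tell what an unset value means. Suggested wording: "Extra arguments passed to RT::User->Create for accounts auto-created on OAuth2 login (only used when $OAuthCreateNewUser is enabled); when unset the login handler applies its own default." The example should also default to `Privileged => 0`, since the example is what admins copy and an auto-provisioned account should start unprivileged unless the site deliberately opts in. Adding an explicit `Set($OAuthNewUserOptions, { Privileged => 0 });` line would make the default visible in the config file rather than buried in code.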
diff --git a/lib/RT/Authen/OAuth2.pm b/lib/RT/Authen/OAuth2.pm
index d75124b..90f3dea 100644
--- a/lib/RT/Authen/OAuth2.pm
+++ b/lib/RT/Authen/OAuth2.pm
@@ -173,13 +173,37 @@ sub LogUserIn {
     RT::Logger->info("OAuth2 server return content didn't include email, aborting. Request from $ip") unless $email;
     return (0, $generic_error) unless $email;
 
+    if ( $idp_conf->{MetadataMap}->{VerifiedEmail} && !$metadata->{ $idp_conf->{MetadataMap}->{VerifiedEmail} } ) {
+      RT::Logger->info( "Email $email not verified." );
+      return ( 0, RT->SystemUser->loc( "Email [_1] not verified.", $email ) );
+    }
+
     my $user = RT::User->new( RT->SystemUser );
     $user->LoadByEmail($email);
 
-    # TODO future feature: auto-vivify a user based on config option, if email matches regex
+    # TODO future feature: add an option to auto-vivify only if email matches regex
     # TODO e.g., allow all people from mycompany.com to access RT automatically
 
     RT::Logger->info("OAuth2 user $email attempted login but no matching user found in RT. Request from $ip") unless $user->id;
+    if (RT->Config->Get('OAuthCreateNewUser') and not $user->id) {
+      my $additional = RT->Config->Get('OAuthNewUserOptions') || { Privileged => 1 };
+      my $newuser = RT::User->new( $RT::SystemUser );
+      my $name = $metadata->{ $idp_conf->{MetadataMap}->{RealName} };
+      RT::Logger->info("Attempting to create account for $name <$email>");
+      # TODO: Allow using 'nickname' as account name.  Requires
+      # testing for existence and fallback to email.
+      my ($id, $msg) = $newuser->Create(
+        %$additional,
+        Name         => $email,
+        RealName     => $name,
+        EmailAddress => $email,
+      );
+      unless ($id) {
+        RT::Logger->info("Error $msg creating account for $name <$email>");
+        return (0, $generic_error);
+      }
+      $user = $newuser;
+    }
     return(0, $generic_error) unless $user->id;
 
     RT::Logger->info("OAuth2 user $email is disabled in RT; aborting OAuth2 login. Request from $ip") if $user->PrincipalObj->Disabled;
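Review bot: When `$OAuthCreateNewUser` is on and `$OAuthNewUserOptions` is unset, the fallback `|| { Privileged => 1 }` means anyone who can authenticate to the configured IDP with a verified email — for a public IDP that is any account holder, and the TODO just above admits there is no domain/regex gate yet — receives a privileged RT user; the safe default is `my $additional = RT->Config->Get('OAuthNewUserOptions') || { Privileged => 0 };` with the account-creation log line raised from `info` to `warning` so provisioning is auditable. `$name` is also taken straight from the metadata and can be undef when the IDP omits the RealName field, which produces uninitialized-value warnings in both log lines and passes undef to Create; `my $name = $metadata->{ $idp_conf->{MetadataMap}->{RealName} } // $email;` covers that. Note that the new verified-email gate only fires when the IDP's MetadataMap defines `VerifiedEmail`; IDPs whose map lacks it skip the check entirely, which is worth a comment on the `if` (`# IDPs without a VerifiedEmail mapping are not checked; do not enable auto-creation for them`). LogUserIn starts and ends outside this hunk.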

commit 9ad80d9dbe1a882ef8ff3b9ebbb8cbec9cedba66
Author: Robert <rspier at pobox.com>
Date:   Wed Nov 22 22:49:29 2017 -0800

    Add logout support.

diff --git a/etc/OAuth2_Config.pm b/etc/OAuth2_Config.pm
index 22e48c8..fb2231d 100644
--- a/etc/OAuth2_Config.pm
+++ b/etc/OAuth2_Config.pm
@@ -181,6 +181,7 @@ Set(%OAuthIDPs,
         'LoginPageButton' => '/static/images/btn_auth0_signin.png',
         'authorize_path' => '/authorize',
         'site' => 'https://' . RT->Config->Get('Auth0Host'),
+        'logout_path' => '/v2/logout?returnTo=__NEXT__&client_id=' . RT->Config->Get('OAuthIDPSecrets')->{'auth0'}->{'client_id'},
         'name' => 'Auth0',
         'protected_resource_path' => '/userinfo',
         'scope' => 'openid profile email',
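Review bot: `RT->Config->Get('OAuthIDPSecrets')->{'auth0'}->{'client_id'}` is dereferenced at config-load time inside the unconditional `%OAuthIDPs` hash, so if `OAuthIDPSecrets` has not been set yet (likely, if the site config loads after plugin configs) RT dies with "Can't use an undefined value as a HASH reference" at startup — for every deployment, including ones that never select auth0. The value is also concatenated into the query string unescaped. Either resolve it lazily in LogoutURL or guard it here: `'logout_path' => '/v2/logout?returnTo=__NEXT__&client_id=' . uri_escape((RT->Config->Get('OAuthIDPSecrets') || {})->{auth0}{client_id} // ''),` (needs `use URI::Escape` in the config, or move the escaping into LogoutURL). As far as I recall Auth0 only honours `returnTo` when it is listed in the application's "Allowed Logout URLs", which deserves a comment next to this line so admins know why logout silently lands on the Auth0 page otherwise.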
diff --git a/html/Callbacks/OAuth/NoAuth/Logout.html/Default b/html/Callbacks/OAuth/NoAuth/Logout.html/Default
new file mode 100644
index 0000000..8a62ba8
--- /dev/null
+++ b/html/Callbacks/OAuth/NoAuth/Logout.html/Default
@@ -0,0 +1,10 @@
+<%ARGS>
+$URL => undef
+</%ARGS>
+<%INIT>
+# In RT 4.0, there are two Default callbacks. We want the one with $URL.
+return unless $URL;
+return unless RT->Config->Get('EnableOAuth2');
+
+$$URL = RT::Authen::OAuth2::LogoutURL( RT->Config->Get("WebURL") );
+</%INIT>
diff --git a/html/Callbacks/OAuth/NoAuth/Logout.html/ModifyLoginRedirect b/html/Callbacks/OAuth/NoAuth/Logout.html/ModifyLoginRedirect
new file mode 100644
index 0000000..cf051ec
--- /dev/null
+++ b/html/Callbacks/OAuth/NoAuth/Logout.html/ModifyLoginRedirect
@@ -0,0 +1,8 @@
+<%ARGS>
+$URL
+</%ARGS>
+<%INIT>
+return unless RT->Config->Get('EnableOAuth2');
+
+$$URL = RT::Authen::OAuth2::LogoutURL( RT->Config->Get("WebURL") );
+</%INIT>
diff --git a/lib/RT/Authen/OAuth2.pm b/lib/RT/Authen/OAuth2.pm
index 90f3dea..1eff7ab 100644
--- a/lib/RT/Authen/OAuth2.pm
+++ b/lib/RT/Authen/OAuth2.pm
@@ -9,6 +9,8 @@ use Net::OAuth2::Profile::WebServer;
 use RT::Authen::OAuth2::Unimplemented;
 use RT::Authen::OAuth2::Google;
 
+use URI::Escape;
+
 =head1 NAME
 
 RT-Authen-OAuth2 - External authentication for OAuth 2 sources, like Google, Twitter, GitHub, etc.
@@ -245,4 +247,29 @@ sub IDPLoginButtonImage {
     return RT->Config->Get('OAuthIDPs')->{$idp}->{LoginPageButton};
 }
 
+=item C<LogOutURL()>
+
+=over 4
+
+Returns the appropriate logout URL active OAuth 2 server.
+
+=back
+
+=cut
+
+sub LogoutURL {
+    my $next = shift;
+    my $idp = RT->Config->Get('OAuthIDP');
+    my $idp_config = RT->Config->Get('OAuthIDPs')->{$idp};
+
+    unless (exists $idp_config->{logout_path}) {
+      return $next;
+    }
+
+    my $url = $idp_config->{site} . $idp_config->{logout_path};
+    $next = uri_escape($next);
+    $url =~ s/__NEXT__/$next/;
+    return $url;
+}
+
 1;
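Review bot: The POD header `=item C<LogOutURL()>` names a sub that does not exist — the sub below is `LogoutURL` and takes an argument — and the `=item` sits outside its `=over`/`=back` pair rather than inside it (the existing `IDPLoginButtonImage` entry above presumably has the usual order), which podchecker will flag; the description "Returns the appropriate logout URL active OAuth 2 server" is also missing words. Suggested replacement: `=item C<LogoutURL($next)>` inside the `=over`, documented as "Returns the active IDP's logout URL with C<$next> (URI-escaped) substituted for the C<__NEXT__> placeholder in its C<logout_path>, or C<$next> unchanged when the IDP defines no C<logout_path>. C<$next> is embedded in the redirect, so pass only trusted values; the Logout callbacks pass C<WebURL>." Worth a comment on the `s/__NEXT__/$next/` line too: if a `logout_path` lacks the placeholder the return target is silently dropped, which is easy to miss when adding a new IDP.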
