[Bps-public-commit] rt-authen-oauth2 branch, auth0, created. 73ccfc57ad44e09204f37274a70420f85beb3270

? sunnavy sunnavy at bestpractical.com
Thu Mar 22 13:36:23 EDT 2018


The branch, auth0 has been created
        at  73ccfc57ad44e09204f37274a70420f85beb3270 (commit)

- Log -----------------------------------------------------------------
commit 467f013baff7a74a1f91499925cb5e99f2e5c0dc
Author: Robert <rspier at pobox.com>
Date:   Sun Nov 19 17:48:05 2017 -0800

    Add IDP config for auth0

diff --git a/etc/OAuth2_Config.pm b/etc/OAuth2_Config.pm
index 0cc79fb..047291d 100644
--- a/etc/OAuth2_Config.pm
+++ b/etc/OAuth2_Config.pm
@@ -139,6 +139,28 @@ Set(%OAuthIDPs,
         'client_secret' => '',
         'state' => '',
     },
+    'auth0' => {
+        # You must Set($Auth0Host, "something.auth0.com");
+        'MetadataHandler' => 'RT::Authen::OAuth2::Google',
+        'MetadataMap' => {
+            EmailAddress => 'email',
+            RealName => 'name',
+            NickName => 'nickname',
+            Lang => 'not-provided',
+            Organization => 'not-provided',
+            VerifiedEmail => 'email_verified',
+        },
+        'LoginPageButton' => '/static/images/btn_auth0_signin.png',
+        'authorize_path' => '/authorize',
+        'site' => 'https://' . RT->Config->Get('Auth0Host'),
+        'name' => 'Auth0',
+        'protected_resource_path' => '/userinfo',
+        'scope' => 'openid profile email',
+        'access_token_path' => '/oauth/token',
+        'client_id' => '',
+        'client_secret' => '',
+        'state' => '',
+    },
     'instagram' => {
         'MetadataHandler' => 'RT::Authen::OAuth2::Unimplemented',
         'access_token_path' => '/oauth/access_token',
diff --git a/static/images/btn_auth0_signin.png b/static/images/btn_auth0_signin.png
new file mode 100644
index 0000000..6616358
Binary files /dev/null and b/static/images/btn_auth0_signin.png differ

commit 3aba95ff2d6a345e565a6813a574362892018ac3
Author: Robert <rspier at pobox.com>
Date:   Sun Nov 19 17:49:14 2017 -0800

    Add support for autocreating users on oauth2 login.

diff --git a/etc/OAuth2_Config.pm b/etc/OAuth2_Config.pm
index 047291d..1280312 100644
--- a/etc/OAuth2_Config.pm
+++ b/etc/OAuth2_Config.pm
@@ -18,6 +18,35 @@ Set this to enable the OAuth2 button on the login page.
 
 Set($EnableOAuth2, 1);
 
+=over 4
+
+=item C<$OAuthCreateNewUser>
+
+Set this to enable auto-creating new users based on the OAuth2 data.
+
+    Set($OAuthCreateNewUser, 1);
+
+=back
+
+=cut
+
+Set($OAuthCreateNewUser, 0);
+
+
+=over 4
+
+=item C<$OAuthNewUserOptions>
+
+Set this to enable auto-creating new users based on the OAuth2 data.
+
+    Set($OAuthNewUserOptions, {
+            Privileged => 1,
+        },
+    );
+
+=back
+
+=cut
 
 =over 4
 
diff --git a/lib/RT/Authen/OAuth2.pm b/lib/RT/Authen/OAuth2.pm
index 46739ad..f80fb12 100644
--- a/lib/RT/Authen/OAuth2.pm
+++ b/lib/RT/Authen/OAuth2.pm
@@ -174,13 +174,35 @@ sub LogUserIn {
     RT::Logger->info("OAuth2 server return content didn't include $loadcol, aborting. Request from $ip") unless $name;
     return (0, $generic_error) unless $name;
 
+    if ( $idp_conf->{MetadataMap}->{VerifiedEmail} && !$metadata->{ $idp_conf->{MetadataMap}->{VerifiedEmail} } ) {
+      RT::Logger->info( "Email $name not verified." );
+      return ( 0, RT->SystemUser->loc( "Email [_1] not verified.", $name ) );
+    }
+
     my $user = RT::User->new( RT->SystemUser );
     $user->LoadByCol($loadcol, $name);
 
-    # TODO future feature: auto-vivify a user based on config option, if email matches regex
+    # TODO future feature: add an option to auto-vivify only if email matches regex
     # TODO e.g., allow all people from mycompany.com to access RT automatically
 
     RT::Logger->info("OAuth2 user $name attempted login but no matching user found in RT. Request from $ip") unless $user->id;
+    if (RT->Config->Get('OAuthCreateNewUser') and not $user->id) {
+      my $additional = RT->Config->Get('OAuthNewUserOptions') || { Privileged => 1 };
+      my $newuser = RT::User->new( $RT::SystemUser );
+      RT::Logger->info("Attempting to create account for $name");
+      my ( $id, $msg ) = $newuser->Create(
+        %$additional,
+        Name => $name,
+        map { $_ => $metadata->{ $idp_conf->{MetadataMap}->{$_} } }
+          grep { $metadata->{ $idp_conf->{MetadataMap}->{$_} } }
+          qw(RealName NickName Organization Lang EmailAddress),
+      );
+      unless ($id) {
+        RT::Logger->info("Error $msg creating account for $name");
+        return (0, $generic_error);
+      }
+      $user = $newuser;
+    }
     return(0, $generic_error) unless $user->id;
 
     RT::Logger->info("OAuth2 user $name is disabled in RT; aborting OAuth2 login. Request from $ip") if $user->PrincipalObj->Disabled;

commit 73ccfc57ad44e09204f37274a70420f85beb3270
Author: Robert <rspier at pobox.com>
Date:   Wed Nov 22 22:49:29 2017 -0800

    Add logout support.

diff --git a/etc/OAuth2_Config.pm b/etc/OAuth2_Config.pm
index 1280312..33a8244 100644
--- a/etc/OAuth2_Config.pm
+++ b/etc/OAuth2_Config.pm
@@ -182,6 +182,7 @@ Set(%OAuthIDPs,
         'LoginPageButton' => '/static/images/btn_auth0_signin.png',
         'authorize_path' => '/authorize',
         'site' => 'https://' . RT->Config->Get('Auth0Host'),
+        'logout_path' => '/v2/logout?returnTo=__NEXT__&client_id=' . RT->Config->Get('OAuthIDPSecrets')->{'auth0'}->{'client_id'},
         'name' => 'Auth0',
         'protected_resource_path' => '/userinfo',
         'scope' => 'openid profile email',
diff --git a/html/Callbacks/OAuth/NoAuth/Logout.html/Default b/html/Callbacks/OAuth/NoAuth/Logout.html/Default
new file mode 100644
index 0000000..8a62ba8
--- /dev/null
+++ b/html/Callbacks/OAuth/NoAuth/Logout.html/Default
@@ -0,0 +1,10 @@
+<%ARGS>
+$URL => undef
+</%ARGS>
+<%INIT>
+# In RT 4.0, there are two Default callbacks. We want the one with $URL.
+return unless $URL;
+return unless RT->Config->Get('EnableOAuth2');
+
+$$URL = RT::Authen::OAuth2::LogoutURL( RT->Config->Get("WebURL") );
+</%INIT>
diff --git a/html/Callbacks/OAuth/NoAuth/Logout.html/ModifyLoginRedirect b/html/Callbacks/OAuth/NoAuth/Logout.html/ModifyLoginRedirect
new file mode 100644
index 0000000..cf051ec
--- /dev/null
+++ b/html/Callbacks/OAuth/NoAuth/Logout.html/ModifyLoginRedirect
@@ -0,0 +1,8 @@
+<%ARGS>
+$URL
+</%ARGS>
+<%INIT>
+return unless RT->Config->Get('EnableOAuth2');
+
+$$URL = RT::Authen::OAuth2::LogoutURL( RT->Config->Get("WebURL") );
+</%INIT>
diff --git a/lib/RT/Authen/OAuth2.pm b/lib/RT/Authen/OAuth2.pm
index f80fb12..e073e2d 100644
--- a/lib/RT/Authen/OAuth2.pm
+++ b/lib/RT/Authen/OAuth2.pm
@@ -9,6 +9,8 @@ use Net::OAuth2::Profile::WebServer;
 use RT::Authen::OAuth2::Unimplemented;
 use RT::Authen::OAuth2::Google;
 
+use URI::Escape;
+
 =head1 NAME
 
 RT-Authen-OAuth2 - External authentication for OAuth 2 sources, like Google, Twitter, GitHub, etc.
@@ -244,4 +246,29 @@ sub IDPLoginButtonImage {
     return RT->Config->Get('OAuthIDPs')->{$idp}->{LoginPageButton};
 }
 
+=item C<LogOutURL()>
+
+=over 4
+
+Returns the appropriate logout URL active OAuth 2 server.
+
+=back
+
+=cut
+
+sub LogoutURL {
+    my $next = shift;
+    my $idp = RT->Config->Get('OAuthIDP');
+    my $idp_config = RT->Config->Get('OAuthIDPs')->{$idp};
+
+    unless (exists $idp_config->{logout_path}) {
+      return $next;
+    }
+
+    my $url = $idp_config->{site} . $idp_config->{logout_path};
+    $next = uri_escape($next);
+    $url =~ s/__NEXT__/$next/;
+    return $url;
+}
+
 1;

-----------------------------------------------------------------------


More information about the Bps-public-commit mailing list