[Bps-public-commit] rt-authen-oauth2 branch, auth0, created. 73ccfc57ad44e09204f37274a70420f85beb3270
? sunnavy
sunnavy at bestpractical.com
Thu Mar 22 13:36:23 EDT 2018
The branch, auth0 has been created
at 73ccfc57ad44e09204f37274a70420f85beb3270 (commit)
- Log -----------------------------------------------------------------
commit 467f013baff7a74a1f91499925cb5e99f2e5c0dc
Author: Robert <rspier at pobox.com>
Date: Sun Nov 19 17:48:05 2017 -0800
Add IDP config for auth0
diff --git a/etc/OAuth2_Config.pm b/etc/OAuth2_Config.pm
index 0cc79fb..047291d 100644
--- a/etc/OAuth2_Config.pm
+++ b/etc/OAuth2_Config.pm
@@ -139,6 +139,28 @@ Set(%OAuthIDPs,
'client_secret' => '',
'state' => '',
},
+ 'auth0' => {
+ # You must Set($Auth0Host, "something.auth0.com");
+ 'MetadataHandler' => 'RT::Authen::OAuth2::Google',
+ 'MetadataMap' => {
+ EmailAddress => 'email',
+ RealName => 'name',
+ NickName => 'nickname',
+ Lang => 'not-provided',
+ Organization => 'not-provided',
+ VerifiedEmail => 'email_verified',
+ },
+ 'LoginPageButton' => '/static/images/btn_auth0_signin.png',
+ 'authorize_path' => '/authorize',
+ 'site' => 'https://' . RT->Config->Get('Auth0Host'),
+ 'name' => 'Auth0',
+ 'protected_resource_path' => '/userinfo',
+ 'scope' => 'openid profile email',
+ 'access_token_path' => '/oauth/token',
+ 'client_id' => '',
+ 'client_secret' => '',
+ 'state' => '',
+ },
'instagram' => {
'MetadataHandler' => 'RT::Authen::OAuth2::Unimplemented',
'access_token_path' => '/oauth/access_token',
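Review bot: The `'site' => 'https://' . RT->Config->Get('Auth0Host')` line is evaluated when this config file is loaded, so if `$Auth0Host` is not yet `Set` (or is set in a file loaded later) the entry silently becomes `site => 'https://'` with an uninitialized-value warning, and every authorize, token and userinfo request goes to a malformed URL. The comment above the entry says the host must be set but nothing enforces it; making the failure loud at load time is safer than a broken IDP, e.g. `'site' => 'https://' . (RT->Config->Get('Auth0Host') // die "Set(\$Auth0Host, ...) is required for the auth0 IDP"),` (assuming RT's config loader surfaces a `die` from this file as a load error — worth confirming). Separately, `'state' => ''` copies the existing entries above it in the same hash, so it is not new here, but an empty `state` means the callback has no CSRF binding; a one-line comment pointing that out would save the next admin from assuming it is handled.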
diff --git a/static/images/btn_auth0_signin.png b/static/images/btn_auth0_signin.png
new file mode 100644
index 0000000..6616358
Binary files /dev/null and b/static/images/btn_auth0_signin.png differ
commit 3aba95ff2d6a345e565a6813a574362892018ac3
Author: Robert <rspier at pobox.com>
Date: Sun Nov 19 17:49:14 2017 -0800
Add support for autocreating users on oauth2 login.
diff --git a/etc/OAuth2_Config.pm b/etc/OAuth2_Config.pm
index 047291d..1280312 100644
--- a/etc/OAuth2_Config.pm
+++ b/etc/OAuth2_Config.pm
@@ -18,6 +18,35 @@ Set this to enable the OAuth2 button on the login page.
Set($EnableOAuth2, 1);
+=over 4
+
+=item C<$OAuthCreateNewUser>
+
+Set this to enable auto-creating new users based on the OAuth2 data.
+
+ Set($OAuthCreateNewUser, 1);
+
+=back
+
+=cut
+
+Set($OAuthCreateNewUser, 0);
+
+
+=over 4
+
+=item C<$OAuthNewUserOptions>
+
+Set this to enable auto-creating new users based on the OAuth2 data.
+
+ Set($OAuthNewUserOptions, {
+ Privileged => 1,
+ },
+ );
+
+=back
+
+=cut
=over 4
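Review bot: The `$OAuthNewUserOptions` section reuses the `$OAuthCreateNewUser` sentence verbatim ("Set this to enable auto-creating new users based on the OAuth2 data."), so it never says what the option actually holds, and unlike the section above it there is no `Set($OAuthNewUserOptions, ...)` default, so the effective default (`{ Privileged => 1 }`, which lives only in the code) is invisible to someone reading the config file. I would replace the sentence with `Set this to a hashref of extra fields passed to RT::User->Create for accounts auto-created via OAuth2 (e.g. C<Privileged>, C<Lang>). If unset, the code falls back to C<{ Privileged => 1 }>, so auto-created users are privileged unless you set C<Privileged => 0> here.` and add an explicit `Set($OAuthNewUserOptions, { Privileged => 1 });` after the `=cut` so the default is declared where the admin looks, rather than implied.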
diff --git a/lib/RT/Authen/OAuth2.pm b/lib/RT/Authen/OAuth2.pm
index 46739ad..f80fb12 100644
--- a/lib/RT/Authen/OAuth2.pm
+++ b/lib/RT/Authen/OAuth2.pm
@@ -174,13 +174,35 @@ sub LogUserIn {
RT::Logger->info("OAuth2 server return content didn't include $loadcol, aborting. Request from $ip") unless $name;
return (0, $generic_error) unless $name;
+ if ( $idp_conf->{MetadataMap}->{VerifiedEmail} && !$metadata->{ $idp_conf->{MetadataMap}->{VerifiedEmail} } ) {
+ RT::Logger->info( "Email $name not verified." );
+ return ( 0, RT->SystemUser->loc( "Email [_1] not verified.", $name ) );
+ }
+
my $user = RT::User->new( RT->SystemUser );
$user->LoadByCol($loadcol, $name);
- # TODO future feature: auto-vivify a user based on config option, if email matches regex
+ # TODO future feature: add an option to auto-vivify only if email matches regex
# TODO e.g., allow all people from mycompany.com to access RT automatically
RT::Logger->info("OAuth2 user $name attempted login but no matching user found in RT. Request from $ip") unless $user->id;
+ if (RT->Config->Get('OAuthCreateNewUser') and not $user->id) {
+ my $additional = RT->Config->Get('OAuthNewUserOptions') || { Privileged => 1 };
+ my $newuser = RT::User->new( $RT::SystemUser );
+ RT::Logger->info("Attempting to create account for $name");
+ my ( $id, $msg ) = $newuser->Create(
+ %$additional,
+ Name => $name,
+ map { $_ => $metadata->{ $idp_conf->{MetadataMap}->{$_} } }
+ grep { $metadata->{ $idp_conf->{MetadataMap}->{$_} } }
+ qw(RealName NickName Organization Lang EmailAddress),
+ );
+ unless ($id) {
+ RT::Logger->info("Error $msg creating account for $name");
+ return (0, $generic_error);
+ }
+ $user = $newuser;
+ }
return(0, $generic_error) unless $user->id;
RT::Logger->info("OAuth2 user $name is disabled in RT; aborting OAuth2 login. Request from $ip") if $user->PrincipalObj->Disabled;
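Review bot: The fallback `|| { Privileged => 1 }` when `OAuthNewUserOptions` is unset means that enabling `$OAuthCreateNewUser` hands a privileged RT account to anyone the IDP will authenticate, since the regex/domain restriction the TODO mentions does not exist yet; least privilege argues for `my $additional = RT->Config->Get('OAuthNewUserOptions') || { Privileged => 0 };` and letting admins opt into privileged auto-creation explicitly. The new `VerifiedEmail` guard only runs when the IDP's `MetadataMap` defines that key, so for an IDP entry without one (I cannot see the other entries' maps from this hunk) accounts are created from an unverified email claim — a comment next to the guard saying so would help, or the create path could refuse when no `VerifiedEmail` mapping is configured. Minor style: the new code uses `$RT::SystemUser` while the line a few above uses `RT->SystemUser`; pick one. `LogUserIn` begins and ends outside this hunk.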
commit 73ccfc57ad44e09204f37274a70420f85beb3270
Author: Robert <rspier at pobox.com>
Date: Wed Nov 22 22:49:29 2017 -0800
Add logout support.
diff --git a/etc/OAuth2_Config.pm b/etc/OAuth2_Config.pm
index 1280312..33a8244 100644
--- a/etc/OAuth2_Config.pm
+++ b/etc/OAuth2_Config.pm
@@ -182,6 +182,7 @@ Set(%OAuthIDPs,
'LoginPageButton' => '/static/images/btn_auth0_signin.png',
'authorize_path' => '/authorize',
'site' => 'https://' . RT->Config->Get('Auth0Host'),
+ 'logout_path' => '/v2/logout?returnTo=__NEXT__&client_id=' . RT->Config->Get('OAuthIDPSecrets')->{'auth0'}->{'client_id'},
'name' => 'Auth0',
'protected_resource_path' => '/userinfo',
'scope' => 'openid profile email',
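Review bot: The `'logout_path'` value dereferences `RT->Config->Get('OAuthIDPSecrets')->{'auth0'}->{'client_id'}` at the moment this config file is loaded, so if the secrets hash has not been set yet this either dies under strict refs ("Can't use an undefined value as a HASH reference") or, if the key is merely missing, yields a logout URL with an empty `client_id=`; the order in which RT loads this file relative to the site config is not visible here, so this is an assumption to confirm. A load-time guard would be `'logout_path' => '/v2/logout?returnTo=__NEXT__&client_id=' . ((RT->Config->Get('OAuthIDPSecrets') || {})->{auth0}{client_id} // ''),`; a cleaner fix is a second placeholder (`__CLIENT_ID__`) that `LogoutURL` fills from the secrets at request time, the same way it already fills `__NEXT__`. The value is also concatenated unescaped; client IDs are normally URL-safe, but running it through `uri_escape` costs nothing.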
diff --git a/html/Callbacks/OAuth/NoAuth/Logout.html/Default b/html/Callbacks/OAuth/NoAuth/Logout.html/Default
new file mode 100644
index 0000000..8a62ba8
--- /dev/null
+++ b/html/Callbacks/OAuth/NoAuth/Logout.html/Default
@@ -0,0 +1,10 @@
+<%ARGS>
+$URL => undef
+</%ARGS>
+<%INIT>
+# In RT 4.0, there are two Default callbacks. We want the one with $URL.
+return unless $URL;
+return unless RT->Config->Get('EnableOAuth2');
+
+$$URL = RT::Authen::OAuth2::LogoutURL( RT->Config->Get("WebURL") );
+</%INIT>
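Review bot: This callback rewrites the logout destination for every session as long as `EnableOAuth2` is on, not just for sessions that were established through OAuth2, so a user who signed in with a local RT password (or any other auth method that coexists with this extension) is also bounced to the IDP's logout endpoint. I cannot see from this hunk what the OAuth2 login stores in the session, but if there is a marker for an OAuth2-authenticated session the redirect should be gated on it; at minimum add `# NOTE: redirects every logout to the IDP, including sessions not authenticated via OAuth2.` above the assignment so the behaviour is deliberate. The prior value of `$$URL` (RT's own post-logout target) is also discarded in favour of `WebURL`, which is fine if that was intended but deserves a comment.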
diff --git a/html/Callbacks/OAuth/NoAuth/Logout.html/ModifyLoginRedirect b/html/Callbacks/OAuth/NoAuth/Logout.html/ModifyLoginRedirect
new file mode 100644
index 0000000..cf051ec
--- /dev/null
+++ b/html/Callbacks/OAuth/NoAuth/Logout.html/ModifyLoginRedirect
@@ -0,0 +1,8 @@
+<%ARGS>
+$URL
+</%ARGS>
+<%INIT>
+return unless RT->Config->Get('EnableOAuth2');
+
+$$URL = RT::Authen::OAuth2::LogoutURL( RT->Config->Get("WebURL") );
+</%INIT>
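Review bot: This is a line-for-line copy of the `Default` callback minus its `return unless $URL` guard, so any future change (for example gating on how the session was authenticated) has to be made twice; the shared two lines could live in one helper in `RT::Authen::OAuth2` that both callbacks call, e.g. `RT::Authen::OAuth2::RewriteLogoutURL($URL)`. As in `Default`, the incoming `$$URL` is overwritten with `WebURL` rather than passed through as `$next`; if the core page can supply a better post-logout target, forwarding it (when absolute) would be the more useful behaviour, but I cannot tell from this hunk what the callers put there.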
diff --git a/lib/RT/Authen/OAuth2.pm b/lib/RT/Authen/OAuth2.pm
index f80fb12..e073e2d 100644
--- a/lib/RT/Authen/OAuth2.pm
+++ b/lib/RT/Authen/OAuth2.pm
@@ -9,6 +9,8 @@ use Net::OAuth2::Profile::WebServer;
use RT::Authen::OAuth2::Unimplemented;
use RT::Authen::OAuth2::Google;
+use URI::Escape;
+
=head1 NAME
RT-Authen-OAuth2 - External authentication for OAuth 2 sources, like Google, Twitter, GitHub, etc.
@@ -244,4 +246,29 @@ sub IDPLoginButtonImage {
return RT->Config->Get('OAuthIDPs')->{$idp}->{LoginPageButton};
}
+=item C<LogOutURL()>
+
+=over 4
+
+Returns the appropriate logout URL active OAuth 2 server.
+
+=back
+
+=cut
+
+sub LogoutURL {
+ my $next = shift;
+ my $idp = RT->Config->Get('OAuthIDP');
+ my $idp_config = RT->Config->Get('OAuthIDPs')->{$idp};
+
+ unless (exists $idp_config->{logout_path}) {
+ return $next;
+ }
+
+ my $url = $idp_config->{site} . $idp_config->{logout_path};
+ $next = uri_escape($next);
+ $url =~ s/__NEXT__/$next/;
+ return $url;
+}
+
1;
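Review bot: The POD heading says `=item C<LogOutURL()>` while the sub is named `LogoutURL` and takes an argument, and the description "Returns the appropriate logout URL active OAuth 2 server." is missing a word, so the docs would not match a grep for the function. I would change the heading to `=item C<LogoutURL($next)>` and the description to `Returns the active IDP's logout URL with C<__NEXT__> in its C<logout_path> replaced by the URI-escaped C<$next>; returns C<$next> unchanged when the IDP defines no C<logout_path>.` (the `=over 4`/`=back` wrapping the sentence also looks inverted relative to a normal item list, but I cannot see how the earlier items in this file are laid out). If `$next` can ever be undef, `uri_escape` will warn and `__NEXT__` becomes an empty returnTo, so `my $next = shift // '';` is a cheap hardening.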