
[Web] add configurable client scopes for generic-oidc

This commit is contained in:
FreddleSpl0it 2023-10-20 12:30:50 +02:00 committed by DerLinkman
parent ba32f1131e
commit eb9e3b8391
No known key found for this signature in database
GPG Key ID: F109FD97469550A2
3 changed files with 15 additions and 3 deletions


@ -2108,6 +2108,10 @@ function identity_provider($_action, $_data = null, $_extra = null) {
$settings[$row["key"]] = $row["value"];
}
}
// return default client_scopes for generic-oidc if none is set
if ($settings["authsource"] == "generic-oidc" && empty($settings["client_scopes"])){
$settings["client_scopes"] = "openid profile email";
}
if ($_extra['hide_sensitive']){
$settings['client_secret'] = '';
$settings['access_token'] = '';
@ -2168,7 +2172,8 @@ function identity_provider($_action, $_data = null, $_extra = null) {
$_data['authorize_url'] = (!empty($_data['authorize_url'])) ? $_data['authorize_url'] : null;
$_data['token_url'] = (!empty($_data['token_url'])) ? $_data['token_url'] : null;
$_data['userinfo_url'] = (!empty($_data['userinfo_url'])) ? $_data['userinfo_url'] : null;
$required_settings = array('authsource', 'authorize_url', 'token_url', 'client_id', 'client_secret', 'redirect_url', 'userinfo_url');
$_data['client_scopes'] = (!empty($_data['client_scopes'])) ? $_data['client_scopes'] : "openid profile email";
$required_settings = array('authsource', 'authorize_url', 'token_url', 'client_id', 'client_secret', 'redirect_url', 'userinfo_url', 'client_scopes');
}
$pdo->beginTransaction();
@ -2318,7 +2323,7 @@ function identity_provider($_action, $_data = null, $_extra = null) {
'urlAuthorize' => $iam_settings['authorize_url'],
'urlAccessToken' => $iam_settings['token_url'],
'urlResourceOwnerDetails' => $iam_settings['userinfo_url'],
'scopes' => 'openid profile email'
'scopes' => $iam_settings['client_scopes']
]);
}
}
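Review bot: The new `client_scopes` value is taken as free text in the save branch (`$_data['client_scopes'] = (!empty($_data['client_scopes'])) ? $_data['client_scopes'] : "openid profile email";`) and later handed to the provider unchanged as `'scopes' => $iam_settings['client_scopes']` in the third hunk, so nothing guarantees it is a well-formed space-separated scope list or that it still contains `openid`, which an OpenID Connect request needs. I would normalise and check it before it is added to `$required_settings`: `$_data['client_scopes'] = implode(' ', array_unique(preg_split('/\s+/', trim((string) $_data['client_scopes']), -1, PREG_SPLIT_NO_EMPTY)));` followed by `if (!in_array('openid', explode(' ', $_data['client_scopes']), true)) { /* reject through the same error path the required-settings check uses */ }`. The default string `"openid profile email"` now appears in both PHP hunks and as the template placeholder; a single constant would keep the three from drifting apart. In the first hunk `$settings["authsource"] == "generic-oidc"` is a loose comparison where `===` is the safer choice. identity_provider starts and ends outside these hunks.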


@ -217,6 +217,7 @@
"iam_auth_flow_info": "In addition to the Authorization Code Flow (Standard Flow in Keycloak), which is used for Single-Sign On login, mailcow also supports Authentication Flow with direct Credentials. The Mailpassword Flow attempts to validate the user's credentials by using the Keycloak Admin REST API. mailcow retrieves the hashed password from the <code>mailcow_password</code> attribute, which is mapped in Keycloak.",
"iam_client_id": "Client ID",
"iam_client_secret": "Client Secret",
"iam_client_scopes": "Client Scopes",
"iam_description": "Configure an external OIDC Provider for Authentication<br>User's mailboxes will be automatically created upon their first login, provided that an attribute mapping has been set.",
"iam_extra_permission": "For the following settings to work, the mailcow client in Keycloak needs a <code>Service account</code> and the permission to <code>view-users</code>.",
"iam_import_users": "Import Users",


@ -207,12 +207,18 @@
</div>
</div>
</div>
<div class="row mb-4">
<div class="row mb-2">
<label class="control-label col-md-3 text-sm-end" for="iam_redirect_url">{{ lang.admin.iam_redirect_url }}:</label>
<div class="col-12 col-md-9 col-lg-4">
<input type="text" class="form-control" id="iam_redirect_url" name="redirect_url" value="{{ iam_settings.redirect_url }}" required>
</div>
</div>
<div class="row mb-4">
<label class="control-label col-md-3 text-sm-end" for="iam_client_scopes">{{ lang.admin.iam_client_scopes }}:</label>
<div class="col-12 col-md-9 col-lg-4">
<input type="text" placeholder="openid profile email" class="form-control" id="iam_client_scopes" name="client_scopes" value="{{ iam_settings.client_scopes }}">
</div>
</div>
<div class="row mb-2">
<label class="control-label col-md-3 text-sm-end">{{ lang.admin.iam_mapping }}:</label>
<div class="col-12 col-md-9 col-lg-4">