Skip to content

Commit be1f4cf

Browse files
jackycutejackycute
authored
Merge pull request #1626 from joachimmathes/oauth2_authorization
2 parents ae38fd3 + 0ec949d commit be1f4cf

2 files changed

Lines changed: 16 additions & 1 deletion

File tree

lib/auth/oauth2/strategy.js

Lines changed: 13 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -4,6 +4,7 @@ const { Strategy, InternalOAuthError } = require('passport-oauth2')
44
const config = require('../../config')
55

66
function parseProfile (data) {
7+
const id = extractProfileAttribute(data, config.oauth2.userProfileIdAttr)
78
const username = extractProfileAttribute(data, config.oauth2.userProfileUsernameAttr)
89
const displayName = extractProfileAttribute(data, config.oauth2.userProfileDisplayNameAttr)
910
const email = extractProfileAttribute(data, config.oauth2.userProfileEmailAttr)
@@ -14,7 +15,7 @@ function parseProfile (data) {
1415
}
1516

1617
return {
17-
id: username,
18+
id: id || username,
1819
username: username,
1920
displayName: displayName,
2021
email: email,
@@ -41,6 +42,16 @@ function extractProfileAttribute (data, path) {
4142
return data
4243
}
4344

45+
function checkAuthorization (data, done) {
46+
const roles = extractProfileAttribute(data, config.oauth2.rolesClaim)
47+
48+
if (config.oauth2.accessRole && roles) {
49+
if (!roles.includes(config.oauth2.accessRole)) {
50+
return done('Permission denied', null)
51+
}
52+
}
53+
}
54+
4455
class OAuth2CustomStrategy extends Strategy {
4556
constructor (options, verify) {
4657
options.customHeaders = options.customHeaders || {}
@@ -59,6 +70,7 @@ class OAuth2CustomStrategy extends Strategy {
5970
let profile, json
6071
try {
6172
json = JSON.parse(body)
73+
checkAuthorization(json, done)
6274
profile = parseProfile(json)
6375
} catch (ex) {
6476
return done(new InternalOAuthError('Failed to parse user profile' + ex.toString()))

lib/config/environment.js

Lines changed: 3 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -98,6 +98,9 @@ module.exports = {
9898
userProfileURL: process.env.CMD_OAUTH2_USER_PROFILE_URL,
9999
scope: process.env.CMD_OAUTH2_SCOPE,
100100
state: process.env.CMD_OAUTH2_STATE,
101+
rolesClaim: process.env.CMD_OAUTH2_ROLES_CLAIM,
102+
accessRole: process.env.CMD_OAUTH2_ACCESS_ROLE,
103+
userProfileIdAttr: process.env.CMD_OAUTH2_USER_PROFILE_ID_ATTR,
101104
userProfileUsernameAttr: process.env.CMD_OAUTH2_USER_PROFILE_USERNAME_ATTR,
102105
userProfileDisplayNameAttr: process.env.CMD_OAUTH2_USER_PROFILE_DISPLAY_NAME_ATTR,
103106
userProfileEmailAttr: process.env.CMD_OAUTH2_USER_PROFILE_EMAIL_ATTR,

0 commit comments

Comments
 (0)