Add userinfo oauth endpoint (#32548)

This commit is contained in:
Emelia Smith 2024-10-30 15:38:10 +01:00 committed by GitHub
parent 0a599d08d8
commit e1b7382ea6
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
8 changed files with 112 additions and 12 deletions

View file

@ -0,0 +1,11 @@
# frozen_string_literal: true
class Oauth::UserinfoController < Api::BaseController
before_action -> { doorkeeper_authorize! :profile }, only: [:show]
before_action :require_user!
def show
@account = current_account
render json: @account, serializer: OauthUserinfoSerializer
end
end

View file

@ -26,6 +26,10 @@ class OauthMetadataPresenter < ActiveModelSerializers::Model
oauth_token_url oauth_token_url
end end
def userinfo_endpoint
oauth_userinfo_url
end
# As the api_v1_apps route doesn't technically conform to the specification # As the api_v1_apps route doesn't technically conform to the specification
# for OAuth 2.0 Dynamic Client Registration defined in RFC 7591 we use a # for OAuth 2.0 Dynamic Client Registration defined in RFC 7591 we use a
# non-standard property for now to indicate the mastodon specific registration # non-standard property for now to indicate the mastodon specific registration

View file

@ -2,7 +2,7 @@
class OauthMetadataSerializer < ActiveModel::Serializer class OauthMetadataSerializer < ActiveModel::Serializer
attributes :issuer, :authorization_endpoint, :token_endpoint, attributes :issuer, :authorization_endpoint, :token_endpoint,
:revocation_endpoint, :scopes_supported, :revocation_endpoint, :userinfo_endpoint, :scopes_supported,
:response_types_supported, :response_modes_supported, :response_types_supported, :response_modes_supported,
:grant_types_supported, :token_endpoint_auth_methods_supported, :grant_types_supported, :token_endpoint_auth_methods_supported,
:code_challenge_methods_supported, :code_challenge_methods_supported,

View file

@ -0,0 +1,31 @@
# frozen_string_literal: true
class OauthUserinfoSerializer < ActiveModel::Serializer
include RoutingHelper
attributes :iss, :sub, :name, :preferred_username, :profile, :picture
def iss
root_url
end
def sub
ActivityPub::TagManager.instance.uri_for(object)
end
def name
object.display_name
end
def preferred_username
object.username
end
def profile
ActivityPub::TagManager.instance.url_for(object)
end
def picture
full_asset_url(object.avatar_original_url)
end
end

View file

@ -23,6 +23,7 @@ Rails.application.config.middleware.insert_before 0, Rack::Cors do
methods: %i(post put delete get patch options) methods: %i(post put delete get patch options)
resource '/oauth/token', methods: [:post] resource '/oauth/token', methods: [:post]
resource '/oauth/revoke', methods: [:post] resource '/oauth/revoke', methods: [:post]
resource '/oauth/userinfo', methods: [:get, :post]
end end
end end
end end

View file

@ -64,6 +64,13 @@ Rails.application.routes.draw do
tokens: 'oauth/tokens' tokens: 'oauth/tokens'
end end
namespace :oauth do
# As this is borrowed from OpenID, the specification says we must also support
# POST for the userinfo endpoint:
# https://openid.net/specs/openid-connect-core-1_0.html#UserInfo
match 'userinfo', via: [:get, :post], to: 'userinfo#show', defaults: { format: 'json' }
end
scope path: '.well-known' do scope path: '.well-known' do
scope module: :well_known do scope module: :well_known do
get 'oauth-authorization-server', to: 'oauth_metadata#show', as: :oauth_metadata, defaults: { format: 'json' } get 'oauth-authorization-server', to: 'oauth_metadata#show', as: :oauth_metadata, defaults: { format: 'json' }

View file

@ -0,0 +1,51 @@
# frozen_string_literal: true
require 'rails_helper'
RSpec.describe 'Oauth Userinfo Endpoint' do
include RoutingHelper
let(:user) { Fabricate(:user) }
let(:account) { user.account }
let(:token) { Fabricate(:accessible_access_token, resource_owner_id: user.id, scopes: scopes) }
let(:scopes) { 'profile' }
let(:headers) { { 'Authorization' => "Bearer #{token.token}" } }
shared_examples 'returns successfully' do
it 'returns http success' do
subject
expect(response).to have_http_status(:success)
expect(response.content_type).to start_with('application/json')
expect(response.parsed_body).to include({
iss: root_url,
sub: account_url(account),
name: account.display_name,
preferred_username: account.username,
profile: short_account_url(account),
picture: full_asset_url(account.avatar_original_url),
})
end
end
describe 'GET /oauth/userinfo' do
subject do
get '/oauth/userinfo', headers: headers
end
it_behaves_like 'forbidden for wrong scope', 'read:accounts'
it_behaves_like 'returns successfully'
end
# As this is borrowed from OpenID, the specification says we must also support
# POST for the userinfo endpoint:
# https://openid.net/specs/openid-connect-core-1_0.html#UserInfo
describe 'POST /oauth/userinfo' do
subject do
post '/oauth/userinfo', headers: headers
end
it_behaves_like 'forbidden for wrong scope', 'read:accounts'
it_behaves_like 'returns successfully'
end
end

View file

@ -3,12 +3,6 @@
require 'rails_helper' require 'rails_helper'
RSpec.describe 'The /.well-known/oauth-authorization-server request' do RSpec.describe 'The /.well-known/oauth-authorization-server request' do
let(:protocol) { ENV.fetch('LOCAL_HTTPS', true) ? :https : :http }
before do
host! Rails.configuration.x.local_domain
end
it 'returns http success with valid JSON response' do it 'returns http success with valid JSON response' do
get '/.well-known/oauth-authorization-server' get '/.well-known/oauth-authorization-server'
@ -22,11 +16,12 @@ RSpec.describe 'The /.well-known/oauth-authorization-server request' do
grant_types_supported << 'refresh_token' if Doorkeeper.configuration.refresh_token_enabled? grant_types_supported << 'refresh_token' if Doorkeeper.configuration.refresh_token_enabled?
expect(response.parsed_body).to include( expect(response.parsed_body).to include(
issuer: root_url(protocol: protocol), issuer: root_url,
service_documentation: 'https://docs.joinmastodon.org/', service_documentation: 'https://docs.joinmastodon.org/',
authorization_endpoint: oauth_authorization_url(protocol: protocol), authorization_endpoint: oauth_authorization_url,
token_endpoint: oauth_token_url(protocol: protocol), token_endpoint: oauth_token_url,
revocation_endpoint: oauth_revoke_url(protocol: protocol), userinfo_endpoint: oauth_userinfo_url,
revocation_endpoint: oauth_revoke_url,
scopes_supported: Doorkeeper.configuration.scopes.map(&:to_s), scopes_supported: Doorkeeper.configuration.scopes.map(&:to_s),
response_types_supported: Doorkeeper.configuration.authorization_response_types, response_types_supported: Doorkeeper.configuration.authorization_response_types,
response_modes_supported: Doorkeeper.configuration.authorization_response_flows.flat_map(&:response_mode_matches).uniq, response_modes_supported: Doorkeeper.configuration.authorization_response_flows.flat_map(&:response_mode_matches).uniq,
@ -34,7 +29,7 @@ RSpec.describe 'The /.well-known/oauth-authorization-server request' do
grant_types_supported: grant_types_supported, grant_types_supported: grant_types_supported,
code_challenge_methods_supported: ['S256'], code_challenge_methods_supported: ['S256'],
# non-standard extension: # non-standard extension:
app_registration_endpoint: api_v1_apps_url(protocol: protocol) app_registration_endpoint: api_v1_apps_url
) )
end end
end end