Refactor OpenIDConnect to support SSH/FullName sync (#34978)

* Fix #26585 * Fix #28327 * Fix #34932
2025-08-05 00:58:19 +00:00 · 2025-07-11 02:35:59 +08:00
parent 6ab6d4e17f
commit a5a3d9b101
27 changed files with 459 additions and 206 deletions
--- a/services/auth/source/oauth2/providers.go
+++ b/services/auth/source/oauth2/providers.go
@@ -27,6 +27,7 @@ type Provider interface {
 	DisplayName() string
 	IconHTML(size int) template.HTML
 	CustomURLSettings() *CustomURLSettings
+	SupportSSHPublicKey() bool
 }

 // GothProviderCreator provides a function to create a goth.Provider
--- a/services/auth/source/oauth2/providers_base.go
+++ b/services/auth/source/oauth2/providers_base.go
@@ -14,6 +14,13 @@ import (
 type BaseProvider struct {
 	name        string
 	displayName string
+
+	// TODO: maybe some providers also support SSH public keys, then they can set this to true
+	supportSSHPublicKey bool
+}
+
+func (b *BaseProvider) SupportSSHPublicKey() bool {
+	return b.supportSSHPublicKey
 }

 // Name provides the technical name for this provider
--- a/services/auth/source/oauth2/providers_openid.go
+++ b/services/auth/source/oauth2/providers_openid.go
@@ -17,6 +17,10 @@ import (
 // OpenIDProvider is a GothProvider for OpenID
 type OpenIDProvider struct{}

+func (o *OpenIDProvider) SupportSSHPublicKey() bool {
+	return true
+}
+
 // Name provides the technical name for this provider
 func (o *OpenIDProvider) Name() string {
 	return "openidConnect"
--- a/services/auth/source/oauth2/source.go
+++ b/services/auth/source/oauth2/source.go
@@ -27,6 +27,9 @@ type Source struct {
 	GroupTeamMap        string
 	GroupTeamMapRemoval bool
 	RestrictedGroup     string
+
+	SSHPublicKeyClaimName string
+	FullNameClaimName     string
 }

 // FromDB fills up an OAuth2Config from serialized format.
--- a/services/externalaccount/link.go
+++ b/services/externalaccount/link.go
@@ -1,30 +0,0 @@
-// Copyright 2021 The Gitea Authors. All rights reserved.
-// SPDX-License-Identifier: MIT
-
-package externalaccount
-
-import (
-	"context"
-	"errors"
-
-	user_model "code.gitea.io/gitea/models/user"
-
-	"github.com/markbates/goth"
-)
-
-// Store represents a thing that stores things
-type Store interface {
-	Get(any) any
-	Set(any, any) error
-	Release() error
-}
-
-// LinkAccountFromStore links the provided user with a stored external user
-func LinkAccountFromStore(ctx context.Context, store Store, user *user_model.User) error {
-	gothUser := store.Get("linkAccountGothUser")
-	if gothUser == nil {
-		return errors.New("not in LinkAccount session")
-	}
-
-	return LinkAccountToUser(ctx, user, gothUser.(goth.User))
-}
--- a/services/externalaccount/user.go
+++ b/services/externalaccount/user.go
@@ -8,7 +8,6 @@ import (
 	"strconv"
 	"strings"

-	"code.gitea.io/gitea/models/auth"
 	issues_model "code.gitea.io/gitea/models/issues"
 	repo_model "code.gitea.io/gitea/models/repo"
 	user_model "code.gitea.io/gitea/models/user"
@@ -17,15 +16,11 @@ import (
 	"github.com/markbates/goth"
 )

-func toExternalLoginUser(ctx context.Context, user *user_model.User, gothUser goth.User) (*user_model.ExternalLoginUser, error) {
-	authSource, err := auth.GetActiveOAuth2SourceByName(ctx, gothUser.Provider)
-	if err != nil {
-		return nil, err
-	}
+func toExternalLoginUser(authSourceID int64, user *user_model.User, gothUser goth.User) *user_model.ExternalLoginUser {
 	return &user_model.ExternalLoginUser{
 		ExternalID:        gothUser.UserID,
 		UserID:            user.ID,
-		LoginSourceID:     authSource.ID,
+		LoginSourceID:     authSourceID,
 		RawData:           gothUser.RawData,
 		Provider:          gothUser.Provider,
 		Email:             gothUser.Email,
@@ -40,15 +35,12 @@ func toExternalLoginUser(ctx context.Context, user *user_model.User, gothUser go
 		AccessTokenSecret: gothUser.AccessTokenSecret,
 		RefreshToken:      gothUser.RefreshToken,
 		ExpiresAt:         gothUser.ExpiresAt,
-	}, nil
+	}
 }

 // LinkAccountToUser link the gothUser to the user
-func LinkAccountToUser(ctx context.Context, user *user_model.User, gothUser goth.User) error {
-	externalLoginUser, err := toExternalLoginUser(ctx, user, gothUser)
-	if err != nil {
-		return err
-	}
+func LinkAccountToUser(ctx context.Context, authSourceID int64, user *user_model.User, gothUser goth.User) error {
+	externalLoginUser := toExternalLoginUser(authSourceID, user, gothUser)

 	if err := user_model.LinkExternalToUser(ctx, user, externalLoginUser); err != nil {
 		return err
@@ -72,12 +64,8 @@ func LinkAccountToUser(ctx context.Context, user *user_model.User, gothUser goth
 }

 // EnsureLinkExternalToUser link the gothUser to the user
-func EnsureLinkExternalToUser(ctx context.Context, user *user_model.User, gothUser goth.User) error {
-	externalLoginUser, err := toExternalLoginUser(ctx, user, gothUser)
-	if err != nil {
-		return err
-	}
-
+func EnsureLinkExternalToUser(ctx context.Context, authSourceID int64, user *user_model.User, gothUser goth.User) error {
+	externalLoginUser := toExternalLoginUser(authSourceID, user, gothUser)
 	return user_model.EnsureLinkExternalToUser(ctx, externalLoginUser)
 }

--- a/services/forms/auth_form.go
+++ b/services/forms/auth_form.go
@@ -18,45 +18,54 @@ type AuthenticationForm struct {
 	Type            int    `binding:"Range(2,7)"`
 	Name            string `binding:"Required;MaxSize(30)"`
 	TwoFactorPolicy string
+	IsActive        bool
+	IsSyncEnabled   bool

-	Host                          string
-	Port                          int
-	BindDN                        string
-	BindPassword                  string
-	UserBase                      string
-	UserDN                        string
-	AttributeUsername             string
-	AttributeName                 string
-	AttributeSurname              string
-	AttributeMail                 string
-	AttributeSSHPublicKey         string
-	AttributeAvatar               string
-	AttributesInBind              bool
-	UsePagedSearch                bool
-	SearchPageSize                int
-	Filter                        string
-	AdminFilter                   string
-	GroupsEnabled                 bool
-	GroupDN                       string
-	GroupFilter                   string
-	GroupMemberUID                string
-	UserUID                       string
-	RestrictedFilter              string
-	AllowDeactivateAll            bool
-	IsActive                      bool
-	IsSyncEnabled                 bool
-	SMTPAuth                      string
-	SMTPHost                      string
-	SMTPPort                      int
-	AllowedDomains                string
-	SecurityProtocol              int `binding:"Range(0,2)"`
-	TLS                           bool
-	SkipVerify                    bool
-	HeloHostname                  string
-	DisableHelo                   bool
-	ForceSMTPS                    bool
-	PAMServiceName                string
-	PAMEmailDomain                string
+	// LDAP
+	Host                  string
+	Port                  int
+	BindDN                string
+	BindPassword          string
+	UserBase              string
+	UserDN                string
+	AttributeUsername     string
+	AttributeName         string
+	AttributeSurname      string
+	AttributeMail         string
+	AttributeSSHPublicKey string
+	AttributeAvatar       string
+	AttributesInBind      bool
+	UsePagedSearch        bool
+	SearchPageSize        int
+	Filter                string
+	AdminFilter           string
+	GroupsEnabled         bool
+	GroupDN               string
+	GroupFilter           string
+	GroupMemberUID        string
+	UserUID               string
+	RestrictedFilter      string
+	AllowDeactivateAll    bool
+	GroupTeamMap          string `binding:"ValidGroupTeamMap"`
+	GroupTeamMapRemoval   bool
+
+	// SMTP
+	SMTPAuth         string
+	SMTPHost         string
+	SMTPPort         int
+	AllowedDomains   string
+	SecurityProtocol int `binding:"Range(0,2)"`
+	TLS              bool
+	SkipVerify       bool
+	HeloHostname     string
+	DisableHelo      bool
+	ForceSMTPS       bool
+
+	// PAM
+	PAMServiceName string
+	PAMEmailDomain string
+
+	// Oauth2 & OIDC
 	Oauth2Provider                string
 	Oauth2Key                     string
 	Oauth2Secret                  string
@@ -76,13 +85,15 @@ type AuthenticationForm struct {
 	Oauth2RestrictedGroup         string
 	Oauth2GroupTeamMap            string `binding:"ValidGroupTeamMap"`
 	Oauth2GroupTeamMapRemoval     bool
-	SSPIAutoCreateUsers           bool
-	SSPIAutoActivateUsers         bool
-	SSPIStripDomainNames          bool
-	SSPISeparatorReplacement      string `binding:"AlphaDashDot;MaxSize(5)"`
-	SSPIDefaultLanguage           string
-	GroupTeamMap                  string `binding:"ValidGroupTeamMap"`
-	GroupTeamMapRemoval           bool
+	Oauth2SSHPublicKeyClaimName   string
+	Oauth2FullNameClaimName       string
+
+	// SSPI
+	SSPIAutoCreateUsers      bool
+	SSPIAutoActivateUsers    bool
+	SSPIStripDomainNames     bool
+	SSPISeparatorReplacement string `binding:"AlphaDashDot;MaxSize(5)"`
+	SSPIDefaultLanguage      string
 }

 // Validate validates fields