From ecc8f2b047be405f39d81ae17280e478116845e3 Mon Sep 17 00:00:00 2001
From: Shivaram Lingamneni
Date: Thu, 25 Jul 2024 14:36:05 +0200
Subject: [PATCH] add `username` to OIDC introspection response (#31688)

This field is specified as optional here:
https://datatracker.ietf.org/doc/html/rfc7662#section-2.2
It's used by some OIDC integrations, e.g.
https://emersion.fr/blog/2022/irc-and-oauth2/

Co-authored-by: Giteabot
---
 routers/web/auth/oauth.go       | 8 ++++++--
 tests/integration/oauth_test.go | 6 ++++--
 2 files changed, 10 insertions(+), 4 deletions(-)

diff --git a/routers/web/auth/oauth.go b/routers/web/auth/oauth.go
index 204248d63f..7988dc96a4 100644
--- a/routers/web/auth/oauth.go
+++ b/routers/web/auth/oauth.go
@@ -353,8 +353,9 @@ func IntrospectOAuth(ctx *context.Context) {
 
 	}
 	var response struct {
-		Active bool   `json:"active"`
-		Scope  string `json:"scope,omitempty"`
+		Active   bool   `json:"active"`
+		Scope    string `json:"scope,omitempty"`
+		Username string `json:"username,omitempty"`
 		jwt.RegisteredClaims
 	}
 
@@ -371,6 +372,9 @@ func IntrospectOAuth(ctx *context.Context) {
 				response.Audience = []string{app.ClientID}
 				response.Subject = fmt.Sprint(grant.UserID)
 			}
+			if user, err := user_model.GetUserByID(ctx, grant.UserID); err == nil {
+				response.Username = user.Name
+			}
 		}
 	}
 
diff --git a/tests/integration/oauth_test.go b/tests/integration/oauth_test.go
index c3f0abbe1d..b1acf90d14 100644
--- a/tests/integration/oauth_test.go
+++ b/tests/integration/oauth_test.go
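Review bot: The added `if user, err := user_model.GetUserByID(ctx, grant.UserID); err == nil { ... }` block in the second hunk (@@ -371) sits after the closing brace of the branch that sets `response.Active = true`, so `username` is populated whenever the grant resolves even when the application lookup fails and `active` stays false; RFC 7662 §2.2 says the server should not include additional information about an inactive token, and this reveals which account a dead grant belonged to. Move the three added lines up inside that branch, directly after `response.Subject = fmt.Sprint(grant.UserID)`, so the field is only ever set on an active response. The lookup error is also dropped silently, which makes a database failure indistinguishable from a missing user; if the file already imports the `log` package, something like `if err != nil && !user_model.IsErrUserNotExist(err) { log.Error("GetUserByID: %v", err) }` keeps the best-effort behaviour while recording the unexpected case. The enclosing `if err == nil` chain starts outside the hunk, so the exact nesting should be confirmed in the file.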
@@ -450,12 +450,14 @@ func TestOAuthIntrospection(t *testing.T) {
 	req.Header.Add("Authorization", "Basic ZGE3ZGEzYmEtOWExMy00MTY3LTg1NmYtMzg5OWRlMGIwMTM4OjRNSzhOYTZSNTVzbWRDWTBXdUNDdW1aNmhqUlBuR1k1c2FXVlJISGpKaUE9")
 	resp = MakeRequest(t, req, http.StatusOK)
 	type introspectResponse struct {
-		Active bool   `json:"active"`
-		Scope  string `json:"scope,omitempty"`
+		Active   bool   `json:"active"`
+		Scope    string `json:"scope,omitempty"`
+		Username string `json:"username"`
 	}
 	introspectParsed := new(introspectResponse)
 	assert.NoError(t, json.Unmarshal(resp.Body.Bytes(), introspectParsed))
 	assert.True(t, introspectParsed.Active)
+	assert.Equal(t, "user1", introspectParsed.Username)
 
 	// successful request with a valid client_id/client_secret, but an invalid token
 	req = NewRequestWithValues(t, "POST", "/login/oauth/introspect", map[string]string{
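Review bot: The new `assert.Equal(t, "user1", introspectParsed.Username)` pins the field only for the active token; the invalid-token request introduced by the `// successful request with a valid client_id/client_secret, but an invalid token` comment at the end of the hunk should also check that no identity leaks, e.g. `assert.Empty(t, introspectParsed.Username)` next to whatever assertion that case already makes on `Active`. Without it the handler-side property that an inactive response carries no `username` is untested, and the tag here is `json:"username"` without `omitempty` precisely so an unexpected value would decode and be visible. The rest of TestOAuthIntrospection, including the invalid-token assertions, lies outside the hunk.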