1
1
mirror of https://github.com/go-gitea/gitea synced 2024-12-22 08:34:26 +00:00
gitea/services
Marcell Mars a3881ffa3d
Enhancing Gitea OAuth2 Provider with Granular Scopes for Resource Access (#32573)
Resolve #31609

This PR was initiated following my personal research to find the
lightest possible Single Sign-On solution for self-hosted setups. The
existing solutions often seemed too enterprise-oriented, involving many
moving parts and services, demanding significant resources while
promising planetary-scale capabilities. Others were adequate in
supporting basic OAuth2 flows but lacked proper user management
features, such as a change password UI.

Gitea hits the sweet spot for me, provided it supports more granular
access permissions for resources under users who accept the OAuth2
application.

This PR aims to introduce granularity in handling user resources as
nonintrusively and simply as possible. It allows third parties to inform
users about their intent to not ask for the full access and instead
request a specific, reduced scope. If the provided scopes are **only**
the typical ones for OIDC/OAuth2—`openid`, `profile`, `email`, and
`groups`—everything remains unchanged (currently full access to user's
resources). Additionally, this PR supports processing scopes already
introduced with [personal
tokens](https://docs.gitea.com/development/oauth2-provider#scopes) (e.g.
`read:user`, `write:issue`, `read:group`, `write:repository`...)

Personal tokens define scopes around specific resources: user info,
repositories, issues, packages, organizations, notifications,
miscellaneous, admin, and activitypub, with access delineated by read
and/or write permissions.

The initial case I wanted to address was to have Gitea act as an OAuth2
Identity Provider. To achieve that, with this PR, I would only add
`openid public-only` to provide access token to the third party to
authenticate the Gitea's user but no further access to the API and users
resources.

Another example: if a third party wanted to interact solely with Issues,
it would need to add `read:user` (for authorization) and
`read:issue`/`write:issue` to manage Issues.

My approach is based on my understanding of how scopes can be utilized,
supported by examples like [Sample Use Cases: Scopes and
Claims](https://auth0.com/docs/get-started/apis/scopes/sample-use-cases-scopes-and-claims)
on auth0.com.

I renamed `CheckOAuthAccessToken` to `GetOAuthAccessTokenScopeAndUserID`
so now it returns AccessTokenScope and user's ID. In the case of
additional scopes in `userIDFromToken` the default `all` would be
reduced to whatever was asked via those scopes. The main difference is
the opportunity to reduce the permissions from `all`, as is currently
the case, to what is provided by the additional scopes described above.

Screenshots:

![Screenshot_20241121_121405](https://github.com/user-attachments/assets/29deaed7-4333-4b02-8898-b822e6f2463e)

![Screenshot_20241121_120211](https://github.com/user-attachments/assets/7a4a4ef7-409c-4116-9d5f-2fe00eb37167)

![Screenshot_20241121_120119](https://github.com/user-attachments/assets/aa52c1a2-212d-4e64-bcdf-7122cee49eb6)

![Screenshot_20241121_120018](https://github.com/user-attachments/assets/9eac318c-e381-4ea9-9e2c-3a3f60319e47)
---------

Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
2024-11-22 12:06:41 +08:00
..
actions allow the actions user to login via the jwt token (#32527) 2024-11-20 15:24:09 +00:00
agit Add reviewers selection to new pull request (#32403) 2024-11-09 04:48:31 +00:00
asymkey Fix some pending problems (#29985) 2024-03-22 19:17:30 +08:00
attachment Include file extension checks in attachment API (#32151) 2024-11-06 21:34:32 +00:00
auth Enhancing Gitea OAuth2 Provider with Granular Scopes for Resource Access (#32573) 2024-11-22 12:06:41 +08:00
automerge Add new event commit status creation and webhook implementation (#27151) 2024-11-07 06:41:49 +00:00
context Remove unnecessary code (#32560) 2024-11-19 16:21:13 +00:00
contexttest Check if reverse proxy is correctly configured (#30890) 2024-05-10 20:07:01 +08:00
convert Fix milestone deadline and date related problems (#32339) 2024-11-05 07:46:40 +00:00
cron Support repo license (#24872) 2024-10-01 15:25:08 -04:00
doctor Add a doctor check to disable the "Actions" unit for mirrors (#32424) 2024-11-10 23:37:24 +00:00
externalaccount allow synchronizing user status from OAuth2 login providers (#31572) 2024-07-16 20:33:16 +02:00
feed Move AddCollabrator and CreateRepositoryByExample to service layer (#32419) 2024-11-07 11:28:11 +08:00
forms Refactor push mirror find and add check for updating push mirror (#32539) 2024-11-18 05:59:04 +00:00
gitdiff Reduce integration test overhead (#32475) 2024-11-14 19:28:46 +00:00
indexer Update issue indexer after merging a PR (#30715) 2024-05-08 14:45:15 +00:00
issue Add reviewers selection to new pull request (#32403) 2024-11-09 04:48:31 +00:00
lfs Fix LFS route mock, realm, middleware names (#32488) 2024-11-13 16:58:09 +08:00
mailer Add reviewers selection to new pull request (#32403) 2024-11-09 04:48:31 +00:00
markup Enable more revive linter rules (#30608) 2024-04-22 11:48:42 +00:00
migrations Support migrating GitHub/GitLab PR draft status (#32242) 2024-10-13 22:58:13 +03:00
mirror Refactor push mirror find and add check for updating push mirror (#32539) 2024-11-18 05:59:04 +00:00
notify Add new event commit status creation and webhook implementation (#27151) 2024-11-07 06:41:49 +00:00
oauth2_provider Enhancing Gitea OAuth2 Provider with Granular Scopes for Resource Access (#32573) 2024-11-22 12:06:41 +08:00
org Update misspell to 0.5.1 and add misspellings.csv (#30573) 2024-04-27 08:03:49 +00:00
packages Fix missing signature key error when pulling Docker images with SERVE_DIRECT enabled (#32365) 2024-10-31 15:28:25 +00:00
projects Add issue comment when moving issues from one column to another of the project (#29311) 2024-08-09 01:29:02 +00:00
pull Add reviewers selection to new pull request (#32403) 2024-11-09 04:48:31 +00:00
release Trim title before insert/update to database to match the size requirements of database (#32498) 2024-11-14 07:19:14 +00:00
repository disable gravatar in test (#32529) 2024-11-21 04:30:48 +00:00
secrets Refactor deletion (#28610) 2023-12-25 21:25:29 +01:00
task Fix "force private" logic (#31012) 2024-05-20 00:56:45 +00:00
uinotification Penultimate round of db.DefaultContext refactor (#27414) 2023-10-11 04:24:07 +00:00
user Add warn log when deleting inactive users (#32318) 2024-10-23 09:28:28 +08:00
webhook Only provide the commit summary for Discord webhook push events (#32432) 2024-11-07 19:56:53 +00:00
webtheme Initial support for colorblindness-friendly themes (#30625) 2024-04-24 00:18:41 +08:00
wiki Use global lock instead of NewExclusivePool to allow distributed lock between multiple Gitea instances (#31813) 2024-09-06 10:12:41 +00:00