feat(oidc): support for all in-spec attributes and scopes

Author: scottmckendry

frontend/src/lib/i18n/locales/en.json

@@ -79,5 +79,9 @@
     "profileScopeName": "Profile",
     "profileScopeDescription": "Allows the app to access your profile information.",
     "groupsScopeName": "Groups",
-    "groupsScopeDescription": "Allows the app to access your group information."
+    "groupsScopeDescription": "Allows the app to access your group information.",
+    "phoneScopeName": "Phone",
+    "phoneScopeDescription": "Allows the app to access your phone number.",
+    "addressScopeName": "Address",
+    "addressScopeDescription": "Allows the app to access your address."
 }

frontend/src/pages/authorize-page.tsx

@@ -17,7 +17,7 @@ import { toast } from "sonner";
 import { useOIDCParams } from "@/lib/hooks/oidc";
 import { useTranslation } from "react-i18next";
 import { TFunction } from "i18next";
-import { Mail, Shield, User, Users } from "lucide-react";
+import { Mail, MapPin, Phone, Shield, User, Users } from "lucide-react";
 import {
   Tooltip,
   TooltipContent,
@@ -61,6 +61,18 @@ const createScopeMap = (t: TFunction<"translation", undefined>): Scope[] => {
       description: t("groupsScopeDescription"),
       icon: <Users {...scopeMapIconProps} />,
     },
+    {
+      id: "phone",
+      name: t("phoneScopeName"),
+      description: t("phoneScopeDescription"),
+      icon: <Phone {...scopeMapIconProps} />,
+    },
+    {
+      id: "address",
+      name: t("addressScopeName"),
+      description: t("addressScopeDescription"),
+      icon: <MapPin {...scopeMapIconProps} />,
+    },
   ];
 };
 

internal/assets/migrations/000008_oidc_userinfo_profile.down.sql

@@ -0,0 +1,14 @@
+ALTER TABLE "oidc_userinfo" DROP COLUMN "given_name";
+ALTER TABLE "oidc_userinfo" DROP COLUMN "family_name";
+ALTER TABLE "oidc_userinfo" DROP COLUMN "middle_name";
+ALTER TABLE "oidc_userinfo" DROP COLUMN "nickname";
+ALTER TABLE "oidc_userinfo" DROP COLUMN "profile";
+ALTER TABLE "oidc_userinfo" DROP COLUMN "picture";
+ALTER TABLE "oidc_userinfo" DROP COLUMN "website";
+ALTER TABLE "oidc_userinfo" DROP COLUMN "gender";
+ALTER TABLE "oidc_userinfo" DROP COLUMN "birthdate";
+ALTER TABLE "oidc_userinfo" DROP COLUMN "zoneinfo";
+ALTER TABLE "oidc_userinfo" DROP COLUMN "locale";
+ALTER TABLE "oidc_userinfo" DROP COLUMN "phone_number";
+ALTER TABLE "oidc_userinfo" DROP COLUMN "phone_number_verified";
+ALTER TABLE "oidc_userinfo" DROP COLUMN "address";

internal/assets/migrations/000008_oidc_userinfo_profile.up.sql

@@ -0,0 +1,14 @@
+ALTER TABLE "oidc_userinfo" ADD COLUMN "given_name"             TEXT    NOT NULL DEFAULT "";
+ALTER TABLE "oidc_userinfo" ADD COLUMN "family_name"            TEXT    NOT NULL DEFAULT "";
+ALTER TABLE "oidc_userinfo" ADD COLUMN "middle_name"            TEXT    NOT NULL DEFAULT "";
+ALTER TABLE "oidc_userinfo" ADD COLUMN "nickname"               TEXT    NOT NULL DEFAULT "";
+ALTER TABLE "oidc_userinfo" ADD COLUMN "profile"                TEXT    NOT NULL DEFAULT "";
+ALTER TABLE "oidc_userinfo" ADD COLUMN "picture"                TEXT    NOT NULL DEFAULT "";
+ALTER TABLE "oidc_userinfo" ADD COLUMN "website"                TEXT    NOT NULL DEFAULT "";
+ALTER TABLE "oidc_userinfo" ADD COLUMN "gender"                 TEXT    NOT NULL DEFAULT "";
+ALTER TABLE "oidc_userinfo" ADD COLUMN "birthdate"              TEXT    NOT NULL DEFAULT "";
+ALTER TABLE "oidc_userinfo" ADD COLUMN "zoneinfo"               TEXT    NOT NULL DEFAULT "";
+ALTER TABLE "oidc_userinfo" ADD COLUMN "locale"                 TEXT    NOT NULL DEFAULT "";
+ALTER TABLE "oidc_userinfo" ADD COLUMN "phone_number"           TEXT    NOT NULL DEFAULT "";
+ALTER TABLE "oidc_userinfo" ADD COLUMN "phone_number_verified"  INTEGER NOT NULL DEFAULT 0;
+ALTER TABLE "oidc_userinfo" ADD COLUMN "address"                TEXT    NOT NULL DEFAULT "{}";

internal/bootstrap/app_bootstrap.go

@@ -59,7 +59,7 @@ func (app *BootstrapApp) Setup() error {
 	}
 
 	// Parse users
-	users, err := utils.GetUsers(app.config.Auth.Users, app.config.Auth.UsersFile)
+	users, err := utils.GetUsers(app.config.Auth.Users, app.config.Auth.UsersFile, app.config.Auth.UserAttributes)
 
 	if err != nil {
 		return err

internal/config/config.go

@@ -113,15 +113,44 @@ type ServerConfig struct {
 }
 
 type AuthConfig struct {
-	IP                 IPConfig `description:"IP whitelisting config options." yaml:"ip"`
-	Users              []string `description:"Comma-separated list of users (username:hashed_password)." yaml:"users"`
-	UsersFile          string   `description:"Path to the users file." yaml:"usersFile"`
-	SecureCookie       bool     `description:"Enable secure cookies." yaml:"secureCookie"`
-	SessionExpiry      int      `description:"Session expiry time in seconds." yaml:"sessionExpiry"`
-	SessionMaxLifetime int      `description:"Maximum session lifetime in seconds." yaml:"sessionMaxLifetime"`
-	LoginTimeout       int      `description:"Login timeout in seconds." yaml:"loginTimeout"`
-	LoginMaxRetries    int      `description:"Maximum login retries." yaml:"loginMaxRetries"`
-	TrustedProxies     []string `description:"Comma-separated list of trusted proxy addresses." yaml:"trustedProxies"`
+	IP                 IPConfig                  `description:"IP whitelisting config options." yaml:"ip"`
+	Users              []string                  `description:"Comma-separated list of users (username:hashed_password)." yaml:"users"`
+	UserAttributes     map[string]UserAttributes `description:"Map of per-user OIDC attributes (username -> attributes)." yaml:"userAttributes"`
+	UsersFile          string                    `description:"Path to the users file." yaml:"usersFile"`
+	SecureCookie       bool                      `description:"Enable secure cookies." yaml:"secureCookie"`
+	SessionExpiry      int                       `description:"Session expiry time in seconds." yaml:"sessionExpiry"`
+	SessionMaxLifetime int                       `description:"Maximum session lifetime in seconds." yaml:"sessionMaxLifetime"`
+	LoginTimeout       int                       `description:"Login timeout in seconds." yaml:"loginTimeout"`
+	LoginMaxRetries    int                       `description:"Maximum login retries." yaml:"loginMaxRetries"`
+	TrustedProxies     []string                  `description:"Comma-separated list of trusted proxy addresses." yaml:"trustedProxies"`
+}
+
+type UserAttributes struct {
+	Name                string       `description:"Full name of the user." yaml:"name"`
+	GivenName           string       `description:"Given (first) name of the user." yaml:"givenName"`
+	FamilyName          string       `description:"Family (last) name of the user." yaml:"familyName"`
+	MiddleName          string       `description:"Middle name of the user." yaml:"middleName"`
+	Nickname            string       `description:"Nickname of the user." yaml:"nickname"`
+	Profile             string       `description:"URL of the user's profile page." yaml:"profile"`
+	Picture             string       `description:"URL of the user's profile picture." yaml:"picture"`
+	Website             string       `description:"URL of the user's website." yaml:"website"`
+	Email               string       `description:"Email address of the user." yaml:"email"`
+	Gender              string       `description:"Gender of the user." yaml:"gender"`
+	Birthdate           string       `description:"Birthdate of the user (YYYY-MM-DD)." yaml:"birthdate"`
+	Zoneinfo            string       `description:"Time zone of the user (e.g. Europe/Athens)." yaml:"zoneinfo"`
+	Locale              string       `description:"Locale of the user (e.g. en-US)." yaml:"locale"`
+	PhoneNumber         string       `description:"Phone number of the user." yaml:"phoneNumber"`
+	PhoneNumberVerified bool         `description:"Whether the phone number has been verified." yaml:"phoneNumberVerified"`
+	Address             AddressClaim `description:"Address of the user." yaml:"address"`
+}
+
+type AddressClaim struct {
+	Formatted     string `description:"Full mailing address, formatted for display." yaml:"formatted" json:"formatted,omitempty"`
+	StreetAddress string `description:"Street address." yaml:"streetAddress" json:"street_address,omitempty"`
+	Locality      string `description:"City or locality." yaml:"locality" json:"locality,omitempty"`
+	Region        string `description:"State, province, or region." yaml:"region" json:"region,omitempty"`
+	PostalCode    string `description:"Zip or postal code." yaml:"postalCode" json:"postal_code,omitempty"`
+	Country       string `description:"Country." yaml:"country" json:"country,omitempty"`
 }
 
 type IPConfig struct {
@@ -228,6 +257,7 @@ type User struct {
 	Username   string
 	Password   string
 	TotpSecret string
+	Attributes UserAttributes
 }
 
 type LdapUser struct {
@@ -254,6 +284,7 @@ type UserContext struct {
 	OAuthName   string
 	OAuthSub    string
 	LdapGroups  string
+	Attributes  UserAttributes
 }
 
 // API responses and queries

internal/controller/user_controller.go

@@ -4,13 +4,14 @@ import (
 	"fmt"
 	"time"
 
+	"github.com/gin-gonic/gin"
+	"github.com/pquerna/otp/totp"
+
+	"github.com/steveiliop56/tinyauth/internal/config"
 	"github.com/steveiliop56/tinyauth/internal/repository"
 	"github.com/steveiliop56/tinyauth/internal/service"
 	"github.com/steveiliop56/tinyauth/internal/utils"
 	"github.com/steveiliop56/tinyauth/internal/utils/tlog"
-
-	"github.com/gin-gonic/gin"
-	"github.com/pquerna/otp/totp"
 )
 
 type LoginRequest struct {
@@ -105,16 +106,32 @@ func (controller *UserController) loginHandler(c *gin.Context) {
 
 	controller.auth.RecordLoginAttempt(req.Username, true)
 
+	var localUser *config.User
 	if userSearch.Type == "local" {
 		user := controller.auth.GetLocalUser(userSearch.Username)
+		localUser = &user
+	}
+
+	if userSearch.Type == "local" && localUser != nil {
+		user := *localUser
 
 		if user.TotpSecret != "" {
 			tlog.App.Debug().Str("username", req.Username).Msg("User has TOTP enabled, requiring TOTP verification")
 
+			name := user.Attributes.Name
+			if name == "" {
+				name = utils.Capitalize(user.Username)
+			}
+
+			email := user.Attributes.Email
+			if email == "" {
+				email = utils.CompileUserEmail(user.Username, controller.config.CookieDomain)
+			}
+
 			err := controller.auth.CreateSessionCookie(c, &repository.Session{
 				Username:    user.Username,
-				Name:        utils.Capitalize(user.Username),
-				Email:       utils.CompileUserEmail(user.Username, controller.config.CookieDomain),
+				Name:        name,
+				Email:       email,
 				Provider:    "local",
 				TotpPending: true,
 			})
@@ -144,6 +161,15 @@ func (controller *UserController) loginHandler(c *gin.Context) {
 		Provider: "local",
 	}
 
+	if userSearch.Type == "local" && localUser != nil {
+		if localUser.Attributes.Name != "" {
+			sessionCookie.Name = localUser.Attributes.Name
+		}
+		if localUser.Attributes.Email != "" {
+			sessionCookie.Email = localUser.Attributes.Email
+		}
+	}
+
 	if userSearch.Type == "ldap" {
 		sessionCookie.Provider = "ldap"
 	}
@@ -258,6 +284,13 @@ func (controller *UserController) totpHandler(c *gin.Context) {
 		Provider: "local",
 	}
 
+	if user.Attributes.Name != "" {
+		sessionCookie.Name = user.Attributes.Name
+	}
+	if user.Attributes.Email != "" {
+		sessionCookie.Email = user.Attributes.Email
+	}
+
 	tlog.App.Trace().Interface("session_cookie", sessionCookie).Msg("Creating session cookie")
 
 	err = controller.auth.CreateSessionCookie(c, &sessionCookie)

internal/controller/well_known_controller.go

@@ -59,7 +59,7 @@ func (controller *WellKnownController) OpenIDConnectConfiguration(c *gin.Context
 		SubjectTypesSupported:             []string{"pairwise"},
 		IDTokenSigningAlgValuesSupported:  []string{"RS256"},
 		TokenEndpointAuthMethodsSupported: []string{"client_secret_basic", "client_secret_post"},
-		ClaimsSupported:                   []string{"sub", "updated_at", "name", "preferred_username", "email", "email_verified", "groups"},
+		ClaimsSupported:                   []string{"sub", "updated_at", "name", "preferred_username", "email", "email_verified", "groups", "phone_number", "phone_number_verified", "address", "given_name", "family_name", "middle_name", "nickname", "profile", "picture", "website", "gender", "birthdate", "zoneinfo", "locale"},
 		ServiceDocumentation:              "https://tinyauth.app/docs/guides/oidc",
 	})
 }

internal/controller/well_known_controller_test.go

@@ -67,7 +67,7 @@ func TestWellKnownController(t *testing.T) {
 					SubjectTypesSupported:             []string{"pairwise"},
 					IDTokenSigningAlgValuesSupported:  []string{"RS256"},
 					TokenEndpointAuthMethodsSupported: []string{"client_secret_basic", "client_secret_post"},
-					ClaimsSupported:                   []string{"sub", "updated_at", "name", "preferred_username", "email", "email_verified", "groups"},
+					ClaimsSupported:                   []string{"sub", "updated_at", "name", "preferred_username", "email", "email_verified", "groups", "phone_number", "phone_number_verified", "address", "given_name", "family_name", "middle_name", "nickname", "profile", "picture", "website", "gender", "birthdate", "zoneinfo", "locale"},
 					ServiceDocumentation:              "https://tinyauth.app/docs/guides/oidc",
 				}
 

internal/middleware/context_middleware.go

@@ -99,6 +99,7 @@ func (m *ContextMiddleware) Middleware() gin.HandlerFunc {
 			}
 
 			var ldapGroups []string
+			var localAttributes config.UserAttributes
 
 			if cookie.Provider == "ldap" {
 				ldapUser, err := m.auth.GetLdapUser(userSearch.Username)
@@ -112,6 +113,11 @@ func (m *ContextMiddleware) Middleware() gin.HandlerFunc {
 				ldapGroups = ldapUser.Groups
 			}
 
+			if cookie.Provider == "local" {
+				localUser := m.auth.GetLocalUser(cookie.Username)
+				localAttributes = localUser.Attributes
+			}
+
 			m.auth.RefreshSessionCookie(c)
 			c.Set("context", &config.UserContext{
 				Username:   cookie.Username,
@@ -120,6 +126,7 @@ func (m *ContextMiddleware) Middleware() gin.HandlerFunc {
 				Provider:   cookie.Provider,
 				IsLoggedIn: true,
 				LdapGroups: strings.Join(ldapGroups, ","),
+				Attributes: localAttributes,
 			})
 			c.Next()
 			return
@@ -202,13 +209,23 @@ func (m *ContextMiddleware) Middleware() gin.HandlerFunc {
 				return
 			}
 
+			name := utils.Capitalize(user.Username)
+			if user.Attributes.Name != "" {
+				name = user.Attributes.Name
+			}
+			email := utils.CompileUserEmail(user.Username, m.config.CookieDomain)
+			if user.Attributes.Email != "" {
+				email = user.Attributes.Email
+			}
+
 			c.Set("context", &config.UserContext{
 				Username:    user.Username,
-				Name:        utils.Capitalize(user.Username),
-				Email:       utils.CompileUserEmail(user.Username, m.config.CookieDomain),
+				Name:        name,
+				Email:       email,
 				Provider:    "local",
 				IsLoggedIn:  true,
 				IsBasicAuth: true,
+				Attributes:  user.Attributes,
 			})
 			c.Next()
 			return