add `username` to OIDC introspection response (#31688)

This field is specified as optional here:
https://datatracker.ietf.org/doc/html/rfc7662#section-2.2

It's used by some OIDC integrations, e.g.
https://emersion.fr/blog/2022/irc-and-oauth2/

Co-authored-by: Giteabot <teabot@gitea.io>
This commit is contained in:
Shivaram Lingamneni 2024-07-25 14:36:05 +02:00 committed by GitHub
parent bae87dfb09
commit ecc8f2b047
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
2 changed files with 10 additions and 4 deletions

View File

@ -353,8 +353,9 @@ func IntrospectOAuth(ctx *context.Context) {
} }
var response struct { var response struct {
Active bool `json:"active"` Active bool `json:"active"`
Scope string `json:"scope,omitempty"` Scope string `json:"scope,omitempty"`
Username string `json:"username,omitempty"`
jwt.RegisteredClaims jwt.RegisteredClaims
} }
@ -371,6 +372,9 @@ func IntrospectOAuth(ctx *context.Context) {
response.Audience = []string{app.ClientID} response.Audience = []string{app.ClientID}
response.Subject = fmt.Sprint(grant.UserID) response.Subject = fmt.Sprint(grant.UserID)
} }
if user, err := user_model.GetUserByID(ctx, grant.UserID); err == nil {
response.Username = user.Name
}
} }
} }

View File

@ -450,12 +450,14 @@ func TestOAuthIntrospection(t *testing.T) {
req.Header.Add("Authorization", "Basic ZGE3ZGEzYmEtOWExMy00MTY3LTg1NmYtMzg5OWRlMGIwMTM4OjRNSzhOYTZSNTVzbWRDWTBXdUNDdW1aNmhqUlBuR1k1c2FXVlJISGpKaUE9") req.Header.Add("Authorization", "Basic ZGE3ZGEzYmEtOWExMy00MTY3LTg1NmYtMzg5OWRlMGIwMTM4OjRNSzhOYTZSNTVzbWRDWTBXdUNDdW1aNmhqUlBuR1k1c2FXVlJISGpKaUE9")
resp = MakeRequest(t, req, http.StatusOK) resp = MakeRequest(t, req, http.StatusOK)
type introspectResponse struct { type introspectResponse struct {
Active bool `json:"active"` Active bool `json:"active"`
Scope string `json:"scope,omitempty"` Scope string `json:"scope,omitempty"`
Username string `json:"username"`
} }
introspectParsed := new(introspectResponse) introspectParsed := new(introspectResponse)
assert.NoError(t, json.Unmarshal(resp.Body.Bytes(), introspectParsed)) assert.NoError(t, json.Unmarshal(resp.Body.Bytes(), introspectParsed))
assert.True(t, introspectParsed.Active) assert.True(t, introspectParsed.Active)
assert.Equal(t, "user1", introspectParsed.Username)
// successful request with a valid client_id/client_secret, but an invalid token // successful request with a valid client_id/client_secret, but an invalid token
req = NewRequestWithValues(t, "POST", "/login/oauth/introspect", map[string]string{ req = NewRequestWithValues(t, "POST", "/login/oauth/introspect", map[string]string{