Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Oauth2 granular scopes #32180

Open
wants to merge 2 commits into
base: main
Choose a base branch
from
Open

Oauth2 granular scopes #32180

wants to merge 2 commits into from
+520 −15

Conversation

marcellmars
Copy link

@marcellmars marcellmars commented Oct 2, 2024
edited
Loading

Enhancing Gitea OAuth2 Provider with Granular Scopes for Resource Access

This PR was initiated following my personal research to find the lightest possible Single Sign-On solution for self-hosted setups. The existing solutions often seemed too enterprise-oriented, involving many moving parts and services, demanding significant resources while promising planetary-scale capabilities. Others were adequate in supporting basic OAuth2 flows but lacked proper user management features, such as a change password UI.

Gitea hits the sweet spot for me, provided it supports more granular access permissions for resources under users who accept the OAuth2 application.

This PR aims to introduce this capability as nonintrusively and simply as possible. It acknowledges that the default scope is all and begins to process only additional scopes typical for OIDC/OAuth2: openid, profile, email, and groups. These then should be the ones already established with personal tokens.

Personal tokens define scopes around specific resources: user info, repositories, issues, packages, organizations, notifications, miscellaneous, admin, and activitypub, with access delineated by read and/or write permissions.

The initial case I wanted to address was to have Gitea act as an OAuth2 Identity Provider. To achieve that, with this PR, I would only add public-only and have no access to any API endpoint. The rest of the scopes should be provided as it is now, combining the existing Gitea OAuth2 scopes: openid, profile, email, and groups.

Another example: if a third party wanted to interact solely with Issues, it would need to add read:issue/write:issue to manage Issues.

Another scenario could involve adding read:user and public-only, preventing the third party from accessing anything the user has kept private.

My approach is based on my understanding of how scopes can be utilized, supported by examples like Sample Use Cases: Scopes and Claims on auth0.com.

I added an additional check to CheckOAuthAccessToken that returns AccessTokenScopeAll if no additional scopes or AccessTokenScope with whatever requested instead. That AccessTokenScope is then assigned to store.GetData()["ApiTokenScope"] in userIDFromToken to be checked against the accepted/stored grant scopes. The main difference is the opportunity to reduce the permissions from all, as is currently the case, to what is provided by the additional scopes described above.

The intent of this PR is to ensure that if nothing is added, or if scopes are added to openid, profile, email, groups but not in AccessTokenScope, everything continues to work as it currently does.

@GiteaBot GiteaBot added the lgtm/need 2 This PR needs two approvals by maintainers to be considered for merging. label Oct 2, 2024
@pull-request-size pull-request-size bot added the size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files. label Oct 2, 2024
@github-actions github-actions bot added modifies/translation modifies/api This PR adds API routes or modifies them modifies/go Pull requests that update Go code modifies/templates This PR modifies the template files labels Oct 2, 2024
@marcellmars marcellmars mentioned this pull request Oct 2, 2024
Closed
@marcellmars marcellmars force-pushed the oauth2-granular-scopes branch 2 times, most recently from b024305 to d4591b4 Compare October 2, 2024 10:55
@marcellmars marcellmars marked this pull request as draft October 2, 2024 11:17
@marcellmars marcellmars force-pushed the oauth2-granular-scopes branch 5 times, most recently from 603dba5 to 6bcde48 Compare October 2, 2024 18:14
lunny
lunny reviewed Oct 8, 2024
View reviewed changes
modules/setting/oauth2.go Outdated Show resolved Hide resolved
@techknowlogick
Copy link
Member

Apologies if this is out of scope, but it might be useful to give a description next to the used scopes as a plain language would likely lower any chance at additional scopes are accepted mistakenly (def out of scope for this PR is including a warning if admin scope is requested)

@marcellmars
Copy link
Author

Apologies if this is out of scope, but it might be useful to give a description next to the used scopes as a plain language would likely lower any chance at additional scopes are accepted mistakenly (def out of scope for this PR is including a warning if admin scope is requested)

are you thinking of adding plain language descriptions as code comments, or user interface changes that would warn users while they approve the required scopes?

currently, users are warned in the web ui about full access to all resources. are you suggesting we provide a clearer explanation of what happens when someone grants more limited or restrictive access?

@pull-request-size pull-request-size bot added size/XL Denotes a PR that changes 500-999 lines, ignoring generated files. and removed size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files. labels Oct 10, 2024
@pull-request-size pull-request-size bot added size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files. and removed size/XL Denotes a PR that changes 500-999 lines, ignoring generated files. labels Oct 13, 2024
@pull-request-size pull-request-size bot added size/XL Denotes a PR that changes 500-999 lines, ignoring generated files. and removed size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files. labels Oct 17, 2024
@github-actions github-actions bot removed modifies/translation modifies/api This PR adds API routes or modifies them labels Oct 17, 2024
@marcellmars marcellmars force-pushed the oauth2-granular-scopes branch 2 times, most recently from 0374545 to c0a2316 Compare October 17, 2024 18:11
@marcellmars marcellmars force-pushed the oauth2-granular-scopes branch 5 times, most recently from e1f2e13 to e79101d Compare October 18, 2024 07:00
@marcellmars marcellmars marked this pull request as ready for review October 18, 2024 08:04
@marcellmars
oauth2 additional scopes
5d05df4
@marcellmars
no setting requirement for additional grant scopes
87a15b3 
- the logic introduced with this PR will be applied by default, even though it
introduces breaking changes if anyone relied on the previous behavior
regarding personal access tokens or full access for OAuth2 third parties.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@lunny lunny Awaiting requested review from lunny

Assignees
No one assigned
Labels
lgtm/need 2 This PR needs two approvals by maintainers to be considered for merging. modifies/go Pull requests that update Go code modifies/templates This PR modifies the template files modifies/translation size/XL Denotes a PR that changes 500-999 lines, ignoring generated files.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@marcellmars @techknowlogick @lunny @GiteaBot