Allow admins to configure the login scopes for OIDC login
Some OIDC implementations return a larger set of scopes than is necessary, so we allow admins to override.
parent
4a5626e64b
commit
c55ad59f1f
3 changed files with 35 additions and 4 deletions
|
@ -60,7 +60,9 @@ class OIDCLoginService(OAuthService):
|
|||
if self._mailing:
|
||||
default_scopes.append('email')
|
||||
|
||||
return self._oidc_config().get('scopes_supported', default_scopes)
|
||||
supported_scopes = self._oidc_config().get('scopes_supported', default_scopes)
|
||||
login_scopes = self.config.get('LOGIN_SCOPES') or supported_scopes
|
||||
return list(set(login_scopes) & set(supported_scopes))
|
||||
|
||||
def authorize_endpoint(self):
|
||||
return self._oidc_config().get('authorization_endpoint', '') + '?response_type=code&'
|
||||
|
@ -72,7 +74,7 @@ class OIDCLoginService(OAuthService):
|
|||
return self._oidc_config().get('userinfo_endpoint')
|
||||
|
||||
def validate(self):
|
||||
return bool(self.token_endpoint())
|
||||
return bool(self.get_login_scopes())
|
||||
|
||||
def validate_client_id_and_secret(self, http_client, app_config):
|
||||
# TODO: find a way to verify client secret too.
|
||||
|
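Review bot: `return list(set(login_scopes) & set(supported_scopes))` in the first hunk throws away the order the admin configured and makes the result depend on set iteration order, so the scope string sent to the authorize endpoint can differ from one process to the next under hash randomization; a filtering comprehension keeps the configured order stable: `return [scope for scope in login_scopes if scope in supported_scopes]`. The intersection also silently drops any configured scope the provider does not advertise in `scopes_supported` (presumably including `openid` if the provider's list omits it), and the new validate() only notices when nothing survives at all, so logging the dropped scopes would make a partial misconfiguration visible instead of a quiet login failure. In the second hunk validate() replaces the `token_endpoint()` check rather than adding to it, so a provider with no token endpoint now passes validation; `return bool(self.token_endpoint()) and bool(self.get_login_scopes())` keeps both checks. The function returning the scopes (presumably get_login_scopes, per the call in validate()) starts outside the hunk.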