openiddict / openiddict-core

Flexible and versatile OAuth 2.0/OpenID Connect stack for .NET
https://openiddict.com/
Apache License 2.0

Add Gitee to the list of supported providers #2092

Closed gehongyan closed 5 months ago

gehongyan commented 5 months ago

This pull request would like to add Gitee to the list of supported providers, which is also supported by AspNet.Security.OAuth.Providers - Gitee.

gehongyan commented 5 months ago

authorization_code and refresh_token authentication flows work.

[two screenshots of the authorization_code and refresh_token flows]


Docs:

Gitee OAuth: https://gitee.com/api/v8/oauth_doc#/
Get user info: https://gitee.com/api/v5/swagger#/getV5User
Get user emails: https://gitee.com/api/v5/swagger#/getV5Emails
Allowed scopes: (Translated by Google) [screenshot]


Question 1:

In Gitee OAuth, the email address of an authorized user is provided through a separate API. In the ticket creation process of aspnet-contrib (See here), another HTTP request is made to retrieve it. How can this be achieved in OpenIddict?

Question 2:

Gitee supports the password authentication flow. However, it requires that the scope in the request body must match the values just like those used in the authorization_code flow, such as user_info emails. It also disallows unlisted values like offline_access. During testing, I found that the scope in the request for the password mode is fixed as offline_access, and it cannot be configured via the Provider.Environment.Scope XML node or by using options.AddScopes(). This might be a non-standard process, but how can we configure or write code to meet Gitee's requirements?

kevinchalet commented 5 months ago

Thanks for your PR!

Question 1:

In Gitee OAuth, the email address of an authorized user is provided through a separate API. In the ticket creation process of aspnet-contrib (See here), another HTTP request is made to retrieve it. How can this be achieved in OpenIddict?

OpenIddict (deliberately) only supports a single userinfo request and retrieving additional information (e.g. the email or postal addresses of users) is something that must be done in your own code (for instance using the official SDK/REST API package provided by the vendor if one is available, or using an HttpClient).

Question 2:

Gitee supports the password authentication flow. However, it requires that the scope in the request body must match the values just like those used in the authorization_code flow, such as user_info emails. It also disallows unlisted values like offline_access. During testing, I found that the scope in the request for the password mode is fixed as offline_access, and it cannot be configured via the Provider.Environment.Scope XML node or by using options.AddScopes(). This might be a non-standard process, but how can we configure or write code to meet Gitee's requirements?

That scope is set here: https://github.com/openiddict/openiddict-core/blob/7cf4c28e40d34d98cd8d9377db92f71ef480d832/sandbox/OpenIddict.Sandbox.Console.Client/InteractiveService.cs#L240-L247

You should be able to remove/update that line to make the provider work (note that if you remove that line, no scope will be sent: the scopes attached to OpenIddictClientRegistration.Scopes or defined in the XML only apply to user-interactive/browser-based flows like the authorization code flow).
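The two points made above, as an added example that is not part of the pull request or of OpenIddict's own code: send Gitee the scopes it expects in the password flow instead of the sandbox's fixed offline_access, then fetch the e-mail addresses in application code. Assumed: OpenIddictClientService.AuthenticateWithPasswordAsync and PasswordAuthenticationRequest.Scopes with the shape used here, the registration name "Gitee", and that the emails endpoint behind the linked swagger page is GET https://gitee.com/api/v5/emails taking the token as an access_token query parameter.

```csharp
using System;
using System.Collections.Generic;
using System.Collections.Immutable;
using System.Linq;
using System.Net.Http;
using System.Net.Http.Json;
using System.Text.Json;
using System.Threading;
using System.Threading.Tasks;
using OpenIddict.Client;

// Shape of one element of the JSON array returned by Gitee's emails endpoint (assumed).
public sealed class GiteeEmailRecord
{
    public string? Email { get; set; }
    public string? State { get; set; }
}

public static class GiteePasswordFlow
{
    public static async Task<(string AccessToken, IReadOnlyList<string> Emails)> SignInAsync(
        OpenIddictClientService service, HttpClient http,
        string username, string password, CancellationToken ct)
    {
        // Gitee requires the same scopes as the authorization_code flow and rejects
        // unlisted values such as offline_access, so "user_info emails" is sent explicitly
        // instead of the value hard-coded in the console sandbox.
        var result = await service.AuthenticateWithPasswordAsync(new()
        {
            CancellationToken = ct,
            ProviderName = "Gitee",
            Username = username,
            Password = password,
            Scopes = ImmutableArray.Create("user_info", "emails")
        });

        // OpenIddict only performs the single userinfo request; the e-mail addresses
        // live behind a separate API, so this second call is made by the application.
        var url = "https://gitee.com/api/v5/emails?access_token="
                + Uri.EscapeDataString(result.AccessToken);
        var records = await http.GetFromJsonAsync<List<GiteeEmailRecord>>(
            url, new JsonSerializerOptions { PropertyNameCaseInsensitive = true }, ct)
            ?? new List<GiteeEmailRecord>();

        var emails = records.Where(r => !string.IsNullOrEmpty(r.Email))
                            .Select(r => r.Email!)
                            .ToList();
        return (result.AccessToken, emails);
    }
}
```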

gehongyan commented 5 months ago

Thanks for such a quick response!


... retrieving additional information is something that must be done in your own code ...

Got it. So I will ignore the emails.

You should be able to remove/update that line to make the provider work ...

Oh, thank you. I didn't notice that the scopes in the console sandbox are set from the user code. I'm not very familiar with OpenIddict. To make Gitee's password mode work in the sandbox code, should I add a prompt asking users if they want to input custom scope values to override the default ones? Or should I just ensure it works correctly in my local tests without changing the sandbox code?

kevinchalet commented 5 months ago

Got it. So I will ignore the emails.

👍🏻

Oh, thank you. I didn't notice that the scopes in the console sandbox are set from the user code. I'm not very familiar with OpenIddict.

No worries: the OpenIddict client and its web providers support a lot more features than what we had in the aspnet-contrib providers, so there's definitely a learning curve 😄

Or should I just ensure it works correctly in my local tests without changing the sandbox code?

That's the easiest option 👍🏻

kevinchalet commented 5 months ago

Awesome! (thanks for taking the time to post these screenshots, it's very useful to see what's returned 👍🏻)

gehongyan commented 5 months ago

password mode and refreshing now work.

[screenshot of the password and refresh flows]

Reposted the screenshot, hiding potential personal info leaks.

kevinchalet commented 5 months ago

Merged. Thanks for your contribution! 👏🏻

kevinchalet commented 5 months ago

Note: I updated https://github.com/openiddict/openiddict-core/issues/1801 to indicate that Gitee and Kook are now supported by OpenIddict 😃