
- Fix: OAuth2 Requested Scopes are wrong / cannot be configured.

Thanks to DominikPf and xet7 !

Closes #2412
Lauri Ojansivu 6 éve
szülő
commit
634df8f6f2

+ 2 - 0
Dockerfile

@@ -40,6 +40,8 @@ ENV BUILD_DEPS="apt-utils bsdtar gnupg gosu wget curl bzip2 build-essential pyth
     OAUTH2_ID_MAP="" \
     OAUTH2_USERNAME_MAP="" \
     OAUTH2_FULLNAME_MAP="" \
+    OAUTH2_ID_TOKEN_WHITELIST_FIELDS=[] \
+    OAUTH2_REQUEST_PERMISSIONS=['openid','profiles','email'] \
     OAUTH2_EMAIL_MAP="" \
     LDAP_ENABLE=false \
     LDAP_PORT=389 \
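Review bot: The scope list on the added `OAUTH2_REQUEST_PERMISSIONS` line says `'profiles'`, while every other file in this commit and the fallback in server/authentication.js use `'profile'`; `profile` is the standard OpenID Connect scope, so an identity provider that does not recognise `profiles` may drop or reject it and the name/picture claims would not be released. Change the line to `OAUTH2_REQUEST_PERMISSIONS=['openid','profile','email'] \`. Note also that a Dockerfile `ENV` value is a literal string, so this list reaches the application as the text `['openid','profiles','email']` rather than an array, and because it is always non-empty the `|| [...]` default added in server/authentication.js is never used inside the image.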

+ 4 - 0
docker-compose.yml

@@ -324,6 +324,10 @@ services:
       #- OAUTH2_USERINFO_ENDPOINT=/oauth/userinfo
       # OAuth2 Token Endpoint.
       #- OAUTH2_TOKEN_ENDPOINT=/oauth/token
+      # OAUTH2 ID Token Whitelist Fields.
+      #- OAUTH2_ID_TOKEN_WHITELIST_FIELDS=[]
+      # OAUTH2 Request Permissions.
+      #- OAUTH2_REQUEST_PERMISSIONS=['openid','profile','email']
       # OAuth2 ID Mapping
       #- OAUTH2_ID_MAP=
       # OAuth2 Username Mapping

+ 4 - 0
releases/virtualbox/start-wekan.sh

@@ -81,6 +81,10 @@
         #export OAUTH2_AUTH_ENDPOINT=/oauth2/v2.0/authorize
         #export OAUTH2_USERINFO_ENDPOINT=https://graph.microsoft.com/oidc/userinfo
         #export OAUTH2_TOKEN_ENDPOINT=/oauth2/v2.0/token
+        # OAUTH2 ID Token Whitelist Fields.
+        #export OAUTH2_ID_TOKEN_WHITELIST_FIELDS=[]
+        # OAUTH2 Request Permissions.
+        #export OAUTH2_REQUEST_PERMISSIONS=['openid','profile','email']
         # The claim name you want to map to the unique ID field:
         #export OAUTH2_ID_MAP=email
         # The claim name you want to map to the username field:

+ 2 - 2
server/authentication.js

@@ -76,8 +76,8 @@ Meteor.startup(() => {
             authorizationEndpoint: process.env.OAUTH2_AUTH_ENDPOINT,
             userinfoEndpoint: process.env.OAUTH2_USERINFO_ENDPOINT,
             tokenEndpoint: process.env.OAUTH2_TOKEN_ENDPOINT,
-            idTokenWhitelistFields: [],
-            requestPermissions: ['openid'],
+            idTokenWhitelistFields: process.env.OAUTH2_ID_TOKEN_WHITELIST_FIELDS || [],
+            requestPermissions: process.env.OAUTH2_REQUEST_PERMISSIONS || ['openid','profile','email'],
           },
         }
       );
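Review bot: The two new lines assign `process.env.*` values directly to `idTokenWhitelistFields` and `requestPermissions`, but environment variables are always strings, so when either variable is set the option becomes a string such as `'[]'` or `"['openid','profile','email']"` instead of an array. A string `'[]'` has `length` 2 and is truthy, so any length or iteration check in the consuming OIDC package will behave differently from the previous `[]` default, and a scope string containing brackets and quotes would be sent to the authorization endpoint verbatim; I have not verified how the package consumes these fields, so the exact failure mode should be confirmed. The values should be parsed into arrays, and the same literal-array examples appear in docker-compose.yml, releases/virtualbox/start-wekan.sh, start-wekan.bat, start-wekan.sh and the snap help text, so whichever input format is accepted should be documented consistently there. The enclosing `Meteor.startup` callback starts and ends outside this hunk.
```javascript
// Env vars are strings; accept "openid,profile,email" as well as the
// "['openid','profile','email']" form shown in the example configs.
function envList(value, fallback) {
  if (!value) return fallback;
  return value.replace(/[\[\]'"\s]/g, '').split(',').filter(Boolean);
}
// … unchanged: other ServiceConfiguration fields …
            idTokenWhitelistFields: envList(process.env.OAUTH2_ID_TOKEN_WHITELIST_FIELDS, []),
            requestPermissions: envList(process.env.OAUTH2_REQUEST_PERMISSIONS, ['openid','profile','email']),
```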

+ 0 - 0
snap-src/bin/config


+ 12 - 0
snap-src/bin/wekan-help

@@ -130,6 +130,18 @@ echo -e "\t$ snap set $SNAP_NAME oauth2-token-endpoint='/oauth/token'"
 echo -e "\t-Disable the OAuth2 Token Endpoint of Wekan:"
 echo -e "\t$ snap set $SNAP_NAME oauth2-token-endpoint=''"
 echo -e "\n"
+echo -e "OAuth2 ID Token Whitelist Fields."
+echo -e "To enable the OAuth2 ID Token Whitelist Fields of Wekan:"
+echo -e "\t$ snap set $SNAP_NAME oauth2-id-token-whitelist-fields='[]'"
+echo -e "\t-Disable the OAuth2 ID Token Whitelist Fields of Wekan:"
+echo -e "\t$ snap set $SNAP_NAME oauth2-id-token-whitelist-fields=''"
+echo -e "\n"
+echo -e "OAuth2 Request Permissions."
+echo -e "To enable the OAuth2 Request Permissions of Wekan:"
+echo -e "\t$ snap set $SNAP_NAME oauth2-request-permissions=\"['openid','profile','email']\""
+echo -e "\t-Disable the OAuth2 Request Permissions of Wekan:"
+echo -e "\t$ snap set $SNAP_NAME oauth2-request-permissions=''"
+echo -e "\n"
 echo -e "OAuth2 ID Mapping."
 echo -e "To enable the OAuth2 ID Mapping of Wekan:"
 echo -e "\t$ snap set $SNAP_NAME oauth2-id-map='username.uid'"

+ 19 - 0
start-wekan.bat

@@ -91,6 +91,25 @@ REM # OAuth2 Token Endpoint. Example: /oauth/token
 REM # example: OAUTH2_TOKEN_ENDPOINT=/oauth/token
 REM SET OAUTH2_TOKEN_ENDPOINT=
 
+
+REM # OAUTH2 ID Token Whitelist Fields.
+REM SET OAUTH2_ID_TOKEN_WHITELIST_FIELDS=[]
+
+REM # OAUTH2 Request Permissions.
+REM SET OAUTH2_REQUEST_PERMISSIONS=['openid','profile','email']
+
+REM # OAuth2 ID Mapping
+REM SET OAUTH2_ID_MAP=
+
+REM # OAuth2 Username Mapping
+REM SET OAUTH2_USERNAME_MAP=
+
+REM # OAuth2 Fullname Mapping
+REM SET OAUTH2_FULLNAME_MAP=
+
+REM # OAuth2 Email Mapping
+REM SET OAUTH2_EMAIL_MAP=
+
 REM ------------------------------------------------------------
 
 REM # LDAP_ENABLE : Enable or not the connection by the LDAP

+ 4 - 0
start-wekan.sh

@@ -141,6 +141,10 @@ function wekan_repo_check(){
       #export OAUTH2_USERINFO_ENDPOINT=/oauth/userinfo
       # OAuth2 Token Endpoint.
       #export OAUTH2_TOKEN_ENDPOINT=/oauth/token
+      # OAUTH2 ID Token Whitelist Fields.
+      #export OAUTH2_ID_TOKEN_WHITELIST_FIELDS=[]
+      # OAUTH2 Request Permissions.
+      #export OAUTH2_REQUEST_PERMISSIONS=['openid','profile','email']
       # OAuth2 ID Mapping
       #export OAUTH2_ID_MAP=
       # OAuth2 Username Mapping
