providers/oauth2: fix incorrect scope permissions shown (#6696)

Signed-off-by: Jens Langhammer <jens@goauthentik.io>
This commit is contained in:
Jens L 2023-08-30 17:27:40 +02:00 committed by GitHub
parent bfd0fb66b3
commit 3afff1bae9
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
3 changed files with 10 additions and 4 deletions

View file

@ -375,7 +375,9 @@ class AuthorizationFlowInitView(PolicyAccessView):
):
self.request.session[SESSION_KEY_LAST_LOGIN_UID] = login_uid
return self.handle_no_permission()
scope_descriptions = UserInfoView().get_scope_descriptions(self.params.scope)
scope_descriptions = UserInfoView().get_scope_descriptions(
self.params.scope, self.params.provider
)
# Regardless, we start the planner and return to it
planner = FlowPlanner(self.provider.authorization_flow)
planner.allow_empty_flows = True

View file

@ -55,7 +55,7 @@ def validate_code(code: int, request: HttpRequest) -> Optional[HttpResponse]:
if not app:
return None
scope_descriptions = UserInfoView().get_scope_descriptions(token.scope)
scope_descriptions = UserInfoView().get_scope_descriptions(token.scope, token.provider)
planner = FlowPlanner(token.provider.authorization_flow)
planner.allow_empty_flows = True
try:

View file

@ -40,10 +40,14 @@ class UserInfoView(View):
token: Optional[RefreshToken]
def get_scope_descriptions(self, scopes: list[str]) -> list[PermissionDict]:
def get_scope_descriptions(
self, scopes: list[str], provider: OAuth2Provider
) -> list[PermissionDict]:
"""Get a list of all Scopes's descriptions"""
scope_descriptions = []
for scope in ScopeMapping.objects.filter(scope_name__in=scopes).order_by("scope_name"):
for scope in ScopeMapping.objects.filter(scope_name__in=scopes, provider=provider).order_by(
"scope_name"
):
scope_descriptions.append(PermissionDict(id=scope.scope_name, name=scope.description))
# GitHub Compatibility Scopes are handled differently, since they required custom paths
# Hence they don't exist as Scope objects