[PR #4955] [MERGED] OIDC userinfo endpoint support #6429

Closed
opened 2026-02-05 10:32:01 +03:00 by OVERLORD · 0 comments
Owner

📋 Pull Request Information

Original PR: https://github.com/BookStackApp/BookStack/pull/4955
Author: @ssddanbrown
Created: 4/16/2024
Status: Merged
Merged: 4/19/2024
Merged by: @ssddanbrown

Base: development ← Head: oidc_userinfo


📝 Commits (10+)

  • c76d12d Oidc: Properly query the UserInfo Endpoint
  • dc6013f Merge branch 'development' into lukeshu/oidc-development
  • d640411 OIDC: Cleaned up provider settings, added extra validation
  • 9183e7f OIDC Userinfo: Labelled changes to be made during review
  • a71c8c6 OIDC: Extracted user detail handling to own OidcUserDetails class
  • 7d7cd32 OIDC Userinfo: Added userinfo data validation, separated from id token
  • fa543bb OIDC Userinfo: Started writing tests to cover userinfo calling
  • b18cee3 OIDC Userinfo: Added JWT signed response support
  • 0958909 OIDC Userinfo: Added additional tests to cover jwks usage
  • 8b14a70 OIDC Userinfo: Fixed issues with validation logic from changes

📊 Changes

11 files changed (+580 additions, -230 deletions)


📝 .env.example.complete (+1 -0)
📝 app/Access/Oidc/OidcIdToken.php (+4 -142)
app/Access/Oidc/OidcJwtWithClaims.php (+174 -0)
📝 app/Access/Oidc/OidcProviderSettings.php (+19 -7)
📝 app/Access/Oidc/OidcService.php (+55 -76)
app/Access/Oidc/OidcUserDetails.php (+75 -0)
app/Access/Oidc/OidcUserinfoResponse.php (+67 -0)
app/Access/Oidc/ProvidesClaims.php (+17 -0)
📝 app/Config/oidc.php (+1 -0)
📝 tests/Auth/OidcTest.php (+166 -4)
📝 tests/Unit/OidcIdTokenTest.php (+1 -1)

📄 Description

Review and continuation of #4726.
Main functional change is to only call endpoint if missing data from ID token.
Reviewed original PR against spec, and app logic, in 9183e7f2fe.
Other OIDC code clean-up/improvements done while in this area.

Todo

  • Confirm if we'd need to support application/jwt (signed/encrypted) based responses.
  • Check and update existing testing.
  • Test cases for:
    • Ensuring discovery endpoints are https.
    • Ensuring userinfo endpoint only called if missing info.
    • Userinfo data fetched and used if expected claims missing.
    • Ensuring userinfo endpoint response is "application/json".
    • Ensuring userinfo sub claim is verified against token.
    • Ensure response validation is performed (5.3.4).
    • Name parsing from userinfo.
    • Group parsing (including nested) from userinfo.
    • Userinfo JWT use
    • Userinfo JWT validation
  • Test against real identity provider.

Doc Updates

  • Update OIDC docs to include OIDC_USERINFO_ENDPOINT option.
  • Update OIDC docs to expand non-encryption & algorithm limitations to also cover userinfo JWKs response data.
  • Update advisory to mention endpoint may now be called where not called before (in limited cases where all expected details were not coming back, check if relevant).
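The relying-party logic the description and todo items outline (contact the userinfo endpoint only when the ID token lacks a needed claim, accept only an application/json body, reject a response whose sub differs from the ID token, and read a possibly nested groups claim) as an added Python example; it is not BookStack's PHP implementation. `fetch` stands in for the HTTP call, the dotted `groups_claim` path is an assumed convention, and the sample claims are constructed.

```python
import json

class UserinfoError(Exception):
    """The userinfo response failed a relying-party check and must not be used."""

def needs_userinfo(id_claims, wanted):
    # Only contact the endpoint when the ID token lacks a claim we need.
    return any(not id_claims.get(name) for name in wanted)

def nested_claim(claims, path):
    # Resolve a dotted path such as "realm.groups" (assumed convention for nested claims).
    node = claims
    for part in path.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node

def validate_userinfo(id_claims, content_type, body):
    media = content_type.split(";", 1)[0].strip().lower()
    if media != "application/json":
        # A signed application/jwt response needs JWS verification first; not handled here.
        raise UserinfoError(f"unexpected userinfo content type: {media}")
    try:
        claims = json.loads(body)
    except ValueError as exc:
        raise UserinfoError("userinfo body is not valid JSON") from exc
    if not isinstance(claims, dict):
        raise UserinfoError("userinfo body is not a JSON object")
    # OIDC Core 5.3.2: userinfo sub MUST match the ID token sub, else discard the response.
    if claims.get("sub") != id_claims.get("sub"):
        raise UserinfoError("userinfo sub does not match ID token sub")
    return claims

def resolve_user_details(id_claims, fetch, wanted=("sub", "email", "name"), groups_claim="groups"):
    # fetch() stands in for the HTTP call and returns (content_type, body) from the userinfo endpoint.
    claims = dict(id_claims)
    called = needs_userinfo(claims, wanted)
    if called:
        for key, value in validate_userinfo(claims, *fetch()).items():
            if not claims.get(key):  # ID token values win; userinfo only fills gaps
                claims[key] = value
    return {"called_userinfo": called, "claims": claims, "groups": list(nested_claim(claims, groups_claim) or [])}

# Constructed sample: ID token without email/name; provider returns nested groups.
SAMPLE_ID_CLAIMS = {"sub": "user-123", "iss": "https://idp.example", "aud": "bookstack"}
SAMPLE_USERINFO = ("application/json; charset=utf-8", json.dumps({"sub": "user-123",
    "email": "alice@example.com", "name": "Alice", "realm": {"groups": ["editors", "viewers"]}}).encode())
```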

🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.

OVERLORD added the pull-request label 2026-02-05 10:32:01 +03:00
Reference: starred/BookStack#6429