Feature/ability to disable OIDC "profile" scope (#1207)

* PRFL-10747. Added ability to disable OIDC profile scope. * Added documentation to the appsettings. --------- Co-authored-by: Osipenko Maksim <MaViOsipenko@beeline.ru>
1 year ago · 13a3f3c034
3 changed files with 17 additions and 1 deletions
--- a/backend/src/Squidex/Config/Authentication/OidcServices.cs
+++ b/backend/src/Squidex/Config/Authentication/OidcServices.cs
@ -24,6 +24,12 @@ public static class OidcServices

            authBuilder.AddOpenIdConnect(Constants.ExternalScheme, displayName, options =>
            {
+                if (identityOptions.OidcDisableProfileScope)
+                {
+                    options.Scope.Clear();
+                    options.Scope.Add(OpenIddict.Abstractions.OpenIddictConstants.Scopes.OpenId);
+                }
+
                options.Events = new OidcHandler(identityOptions);
                options.Authority = identityOptions.OidcAuthority;
                options.Prompt = identityOptions.OidcPrompt;
--- a/backend/src/Squidex/Config/MyIdentityOptions.cs
+++ b/backend/src/Squidex/Config/MyIdentityOptions.cs
@ -61,6 +61,13 @@ public sealed class MyIdentityOptions

    public string[] OidcScopes { get; set; }

+    /// <summary>
+    /// <see cref="Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectOptions"/>
+    /// by default contains scopes "openid" and "profile".
+    /// When <see cref="OidcDisableProfileScope"/> is set to true scope "profile" will be removed.
+    /// </summary>
+    public bool OidcDisableProfileScope { get; set; }
+
    public bool OidcGetClaimsFromUserInfoEndpoint { get; set; }

    public bool OidcOverridePermissionsWithCustomClaimsOnLogin { get; set; }
--- a/backend/src/Squidex/appsettings.json
+++ b/backend/src/Squidex/appsettings.json
@ -687,7 +687,10 @@
        "oidcResponseType": "id_token", // or "code"
        "oidcGetClaimsFromUserInfoEndpoint": false,
        "oidcOverridePermissionsWithCustomClaimsOnLogin": false,
-        "oidcOnSignoutRedirectUrl": "",
+        "oidcOnSignoutRedirectUrl": "", 
+        // Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectOptions by default contains scopes "openid" and "profile".
+        // When oidcDisableProfileScope is set to true scope "profile" will be removed.
+        "oidcDisableProfileScope": true,

        // Lock new users automatically, the administrator must unlock them.
        "lockAutomatically": false,