From f8f864c5b9a8e4298849e04369c9f8d8700f6ad6 Mon Sep 17 00:00:00 2001
From: DacongDA
Date: Sun, 11 May 2025 09:51:51 +0800
Subject: [PATCH] feat: add logged-in IDP provider info to access token (#3776)
---
 controllers/auth.go | 2 +-
 object/token_jwt.go | 17 ++++++++++++-----
 object/token_oauth.go | 14 +++++++-------
 object/token_standard_jwt.go | 2 ++
 routers/static_filter.go | 2 +-
 web/src/ApplicationEditPage.js | 1 +
 6 files changed, 24 insertions(+), 14 deletions(-)
diff --git a/controllers/auth.go b/controllers/auth.go
index 86297411..7e377668 100644
--- a/controllers/auth.go
+++ b/controllers/auth.go
@@ -147,7 +147,7 @@ func (c *ApiController) HandleLoggedIn(application *object.Application, user *ob
 c.ResponseError(c.T("auth:Challenge method should be S256"))
 return
 }
- code, err := object.GetOAuthCode(userId, clientId, responseType, redirectUri, scope, state, nonce, codeChallenge, c.Ctx.Request.Host, c.GetAcceptLanguage())
+ code, err := object.GetOAuthCode(userId, clientId, form.Provider, responseType, redirectUri, scope, state, nonce, codeChallenge, c.Ctx.Request.Host, c.GetAcceptLanguage())
 if err != nil {
 c.ResponseError(err.Error(), nil)
 return
diff --git a/object/token_jwt.go b/object/token_jwt.go
index ef8706d7..e8fcd36f 100644
--- a/object/token_jwt.go
+++ b/object/token_jwt.go
@@ -31,7 +31,8 @@ type Claims struct {
 Tag string `json:"tag"`
 Scope string `json:"scope,omitempty"`
 // the `azp` (Authorized Party) claim. Optional. See https://openid.net/specs/openid-connect-core-1_0.html#IDToken
- Azp string `json:"azp,omitempty"`
+ Azp string `json:"azp,omitempty"`
+ Provider string `json:"provider,omitempty"`
 jwt.RegisteredClaims
 }
@@ -140,6 +141,7 @@ type ClaimsShort struct {
 Nonce string `json:"nonce,omitempty"`
 Scope string `json:"scope,omitempty"`
 Azp string `json:"azp,omitempty"`
+ Provider string `json:"provider,omitempty"`
 jwt.RegisteredClaims
 } 
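Review bot: The value that ends up in the signed `provider` claim is `form.Provider`, a field of the client-submitted login form, and nothing in this hunk ties it to the identity provider that actually authenticated the user. If an earlier step of the flow has not already verified that the session was established through that provider, a request could name an arbitrary provider (for instance on a password login) and relying parties reading the claim would trust it because the token is signed. The safer source is the provider resolved server-side during authentication, or at minimum a check that `form.Provider` names a provider enabled for this application before it is handed to `object.GetOAuthCode`. HandleLoggedIn starts and ends outside the hunk, so such a check may already exist; it is just not visible here.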
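Review bot: The new `Provider` field on `Claims` has no comment, while the neighbouring `Azp` field explains which claim it carries and links the spec, so a reader of a token will not know what `provider` contains or when it is absent. The call sites changed in object/token_oauth.go pass `""` for the password, client-credentials, refresh and WeChat flows, so the claim is only populated on the authorization-code path and is omitted otherwise via `omitempty`. Suggested comment above the field: `// Provider is the name of the identity provider the user signed in through; omitted when the token was not issued from an IdP login (password, client credentials, refresh).` The same field is repeated on ClaimsShort in this file, and on ClaimsWithoutThirdIdp and ClaimsStandard later in the patch, each without a comment.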
@@ -159,6 +161,7 @@ type ClaimsWithoutThirdIdp struct {
 Tag string `json:"tag"`
 Scope string `json:"scope,omitempty"`
 Azp string `json:"azp,omitempty"`
+ Provider string `json:"provider,omitempty"`
 jwt.RegisteredClaims
 }
@@ -274,6 +277,7 @@ func getShortClaims(claims Claims) ClaimsShort {
 Scope: claims.Scope,
 RegisteredClaims: claims.RegisteredClaims,
 Azp: claims.Azp,
+ Provider: claims.Provider,
 }
 return res
 }
@@ -287,6 +291,7 @@ func getClaimsWithoutThirdIdp(claims Claims) ClaimsWithoutThirdIdp {
 Scope: claims.Scope,
 RegisteredClaims: claims.RegisteredClaims,
 Azp: claims.Azp,
+ Provider: claims.Provider,
 }
 return res
 }
@@ -308,6 +313,7 @@ func getClaimsCustom(claims Claims, tokenField []string) jwt.MapClaims {
 res["tag"] = claims.Tag
 res["scope"] = claims.Scope
 res["azp"] = claims.Azp
+ res["provider"] = claims.Provider
 for _, field := range tokenField {
 userField := userValue.FieldByName(field)
@@ -342,7 +348,7 @@ func refineUser(user *User) *User {
 return user
 }
-func generateJwtToken(application *Application, user *User, nonce string, scope string, host string) (string, string, string, error) {
+func generateJwtToken(application *Application, user *User, provider string, nonce string, scope string, host string) (string, string, string, error) {
 nowTime := time.Now()
 expireTime := nowTime.Add(time.Duration(application.ExpireInHours) * time.Hour)
 refreshExpireTime := nowTime.Add(time.Duration(application.RefreshExpireInHours) * time.Hour)
@@ -362,9 +368,10 @@ func generateJwtToken(application *Application, user *User, nonce string, scope
 TokenType: "access-token",
 Nonce: nonce,
 // FIXME: A workaround for custom claim by reusing `tag` in user info
- Tag: user.Tag,
- Scope: scope,
- Azp: application.ClientId,
+ Tag: user.Tag,
+ Scope: scope,
+ Azp: application.ClientId,
+ Provider: provider,
 RegisteredClaims: jwt.RegisteredClaims{
 Issuer: originBackend,
 Subject: user.Id,
diff --git a/object/token_oauth.go b/object/token_oauth.go
index babfb90d..1315c1f6 100644 
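Review bot: `Provider` is also added to `ClaimsWithoutThirdIdp`, a token format whose name says it omits third-party IdP details, and to `ClaimsStandard` in object/token_standard_jwt.go, which otherwise carries OIDC-registered claims such as `azp` and `address` and blanks fields like `Phone`; `provider` is not a registered OIDC claim, and it is not clear from the diff whether exposing the IdP name in those two formats is intended. If every format is meant to carry the claim, a one-line comment on each field saying so would stop the next reader from removing it as a mistake; if not, the two `Provider: claims.Provider` lines in `getClaimsWithoutThirdIdp` and `getStandardClaims` should be dropped.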
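Review bot: `generateJwtToken` now takes four consecutive `string` parameters (`provider`, `nonce`, `scope`, `host`), and the updated call sites in object/token_oauth.go pass literal `""` for two or three of them in a row, so a swapped `provider`/`nonce` argument would compile silently; the function also has no doc comment explaining the new parameter. At minimum add a comment above the signature such as `// generateJwtToken issues the access and refresh tokens for user; provider is the name of the IdP used to log in and may be empty when no IdP was involved.` An options struct for the optional string inputs would remove the positional ambiguity, but that is a larger refactor than this change. The function body continues past the end of this hunk.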
--- a/object/token_oauth.go
+++ b/object/token_oauth.go
@@ -136,7 +136,7 @@ func CheckOAuthLogin(clientId string, responseType string, redirectUri string, s
 return "", application, nil
 }
-func GetOAuthCode(userId string, clientId string, responseType string, redirectUri string, scope string, state string, nonce string, challenge string, host string, lang string) (*Code, error) {
+func GetOAuthCode(userId string, clientId string, provider string, responseType string, redirectUri string, scope string, state string, nonce string, challenge string, host string, lang string) (*Code, error) {
 user, err := GetUser(userId)
 if err != nil {
 return nil, err
@@ -171,7 +171,7 @@ func GetOAuthCode(userId string, clientId string, responseType string, redirectU
 if err != nil {
 return nil, err
 }
- accessToken, refreshToken, tokenName, err := generateJwtToken(application, user, nonce, scope, host)
+ accessToken, refreshToken, tokenName, err := generateJwtToken(application, user, provider, nonce, scope, host)
 if err != nil {
 return nil, err
 }
@@ -379,7 +379,7 @@ func RefreshToken(grantType string, refreshToken string, scope string, clientId
 return nil, err
 }
- newAccessToken, newRefreshToken, tokenName, err := generateJwtToken(application, user, "", scope, host)
+ newAccessToken, newRefreshToken, tokenName, err := generateJwtToken(application, user, "", "", scope, host)
 if err != nil {
 return &TokenError{
 Error: EndpointError,
@@ -558,7 +558,7 @@ func GetPasswordToken(application *Application, username string, password string
 return nil, nil, err
 }
- accessToken, refreshToken, tokenName, err := generateJwtToken(application, user, "", scope, host)
+ accessToken, refreshToken, tokenName, err := generateJwtToken(application, user, "", "", scope, host)
 if err != nil {
 return nil, &TokenError{
 Error: EndpointError, 
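Review bot: `RefreshToken` passes `""` as the provider, so an access token obtained through the authorization-code path carries `provider` while the access token minted on refresh does not, and a relying party that keys behaviour on the claim sees it vanish after the first refresh. If the claim is meant to be stable for the session, the `Provider` value from the parsed refresh-token claims should be passed in place of the first `""` on the changed line; that presumes the refresh token carries the claim, which is built outside the visible hunks and should be confirmed. The literal `""` in GetPasswordToken, GetClientCredentialsToken and GetWechatMiniProgramToken looks intentional, since no IdP is involved in those flows.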
@@ -604,7 +604,7 @@ func GetClientCredentialsToken(application *Application, clientSecret string, sc
 Type: "application",
 }
- accessToken, _, tokenName, err := generateJwtToken(application, nullUser, "", scope, host)
+ accessToken, _, tokenName, err := generateJwtToken(application, nullUser, "", "", scope, host)
 if err != nil {
 return nil, &TokenError{
 Error: EndpointError,
@@ -668,7 +668,7 @@ func GetTokenByUser(application *Application, user *User, scope string, nonce st
 return nil, err
 }
- accessToken, refreshToken, tokenName, err := generateJwtToken(application, user, nonce, scope, host)
+ accessToken, refreshToken, tokenName, err := generateJwtToken(application, user, "", nonce, scope, host)
 if err != nil {
 return nil, err
 }
@@ -775,7 +775,7 @@ func GetWechatMiniProgramToken(application *Application, code string, host strin
 return nil, nil, err
 }
- accessToken, refreshToken, tokenName, err := generateJwtToken(application, user, "", "", host)
+ accessToken, refreshToken, tokenName, err := generateJwtToken(application, user, "", "", "", host)
 if err != nil {
 return nil, &TokenError{
 Error: EndpointError,
diff --git a/object/token_standard_jwt.go b/object/token_standard_jwt.go
index 3a292aa7..4f470ba9 100644
--- a/object/token_standard_jwt.go
+++ b/object/token_standard_jwt.go
@@ -33,6 +33,7 @@ type ClaimsStandard struct {
 Scope string `json:"scope,omitempty"`
 Address OIDCAddress `json:"address,omitempty"`
 Azp string `json:"azp,omitempty"`
+ Provider string `json:"provider,omitempty"`
 jwt.RegisteredClaims
 }
@@ -54,6 +55,7 @@ func getStandardClaims(claims Claims) ClaimsStandard {
 Scope: claims.Scope,
 RegisteredClaims: claims.RegisteredClaims,
 Azp: claims.Azp,
+ Provider: claims.Provider,
 }
 res.Phone = ""
diff --git a/routers/static_filter.go b/routers/static_filter.go
index 2eb24eeb..d8e978e4 100644
--- a/routers/static_filter.go
+++ b/routers/static_filter.go 
@@ -89,7 +89,7 @@ func fastAutoSignin(ctx *context.Context) (string, error) {
 return "", nil
 }
- code, err := object.GetOAuthCode(userId, clientId, responseType, redirectUri, scope, state, nonce, codeChallenge, ctx.Request.Host, getAcceptLanguage(ctx))
+ code, err := object.GetOAuthCode(userId, clientId, "", responseType, redirectUri, scope, state, nonce, codeChallenge, ctx.Request.Host, getAcceptLanguage(ctx))
 if err != nil {
 return "", err
 } else if code.Message != "" {
diff --git a/web/src/ApplicationEditPage.js b/web/src/ApplicationEditPage.js
index e2abb3e0..09fcc864 100644
--- a/web/src/ApplicationEditPage.js
+++ b/web/src/ApplicationEditPage.js
@@ -454,6 +454,7 @@ class ApplicationEditPage extends React.Component {