fix: facebook login exceptions (#508 )

* Fix the exception caused by "Username" being empty when logging in with facebook * fix: facebook login missing "Username" exception
fix: oidc jwks endpoint only return default cert (#506 )
2025-07-30 16:20:32 +08:00 · 2022-02-23 23:58:17 +08:00 · 2022-02-21 23:17:16 +08:00 · 2022-02-21 16:01:39 +08:00 · 2022-02-20 15:01:48 +08:00 · 2022-02-20 14:15:57 +08:00
58 changed files with 3334 additions and 162 deletions
--- a/.gitignore
+++ b/.gitignore
@@ -13,7 +13,8 @@
 *.out

 # Dependency directories (remove the comment below to include it)
-# vendor/
+vendor/
+bin/

 .idea/
 *.iml
--- a/.golangci.yml
+++ b/.golangci.yml
@@ -0,0 +1,42 @@
+linters:
+  disable-all: true
+  enable:
+    - deadcode
+    - dupl
+    - errcheck
+    - goconst
+    - gocyclo
+    - gofmt
+    - goimports
+    - gosec
+    - gosimple
+    - govet
+    - ineffassign
+    - lll
+    - misspell
+    - nakedret
+    - prealloc
+    - staticcheck
+    - structcheck
+    - typecheck
+    - unconvert
+    - unparam
+    - unused
+    - varcheck
+    - revive
+    - exportloopref
+run:
+  deadline: 5m
+  skip-dirs:
+    - api
+  # skip-files:
+  #   - ".*_test\\.go$"
+  modules-download-mode: vendor
+# all available settings of specific linters
+linters-settings:
+  lll:
+    # max line length, lines longer will be reported. Default is 120.
+    # '\t' is counted as 1 character by default, and can be changed with the tab-width option
+    line-length: 150
+    # tab width in spaces. Default to 1.
+    tab-width: 1
--- a/113
+++ b/113
@@ -0,0 +1,113 @@
+
+# Image URL to use all building/pushing image targets
+REGISTRY ?= casbin
+IMG ?= casdoor
+IMG_TAG ?=$(shell git --no-pager log -1 --format="%ad" --date=format:"%Y%m%d")-$(shell git describe --tags --always --dirty --abbrev=6)
+NAMESPACE ?= casdoor
+APP ?= casdoor
+HOST ?= test.com
+
+
+# Get the currently used golang install path (in GOPATH/bin, unless GOBIN is set)
+ifeq (,$(shell go env GOBIN))
+GOBIN=$(shell go env GOPATH)/bin
+else
+GOBIN=$(shell go env GOBIN)
+endif
+
+# Setting SHELL to bash allows bash commands to be executed by recipes.
+# This is a requirement for 'setup-envtest.sh' in the test target.
+# Options are set to exit when a recipe line exits non-zero or a piped command fails.
+SHELL = /usr/bin/env bash -o pipefail
+.SHELLFLAGS = -ec
+
+.PHONY: all
+all: docker-build docker-push deploy
+
+##@ General
+
+# The help target prints out all targets with their descriptions organized
+# beneath their categories. The categories are represented by '##@' and the
+# target descriptions by '##'. The awk commands is responsible for reading the
+# entire set of makefiles included in this invocation, looking for lines of the
+# file as xyz: ## something, and then pretty-format the target and help. Then,
+# if there's a line with ##@ something, that gets pretty-printed as a category.
+# More info on the usage of ANSI control characters for terminal formatting:
+# https://en.wikipedia.org/wiki/ANSI_escape_code#SGR_parameters
+# More info on the awk command:
+# http://linuxcommand.org/lc3_adv_awk.php
+
+.PHONY: help
+help: ## Display this help.
+	@awk 'BEGIN {FS = ":.*##"; printf "\nUsage:\n  make \033[36m<target>\033[0m\n"} /^[a-zA-Z_0-9-]+:.*?##/ { printf "  \033[36m%-15s\033[0m %s\n", $$1, $$2 } /^##@/ { printf "\n\033[1m%s\033[0m\n", substr($$0, 5) } ' $(MAKEFILE_LIST)
+
+##@ Development
+
+.PHONY: fmt
+fmt: ## Run go fmt against code.
+	go fmt ./...
+
+.PHONY: vet
+vet: ## Run go vet against code.
+	go vet ./...
+
+.PHONY: ut
+ut: ## UT test
+	go test -v -cover -coverprofile=coverage.out ./...
+	go tool cover -func=coverage.out
+
+##@ Build
+
+.PHONY: backend
+backend: fmt vet ## Build backend binary.
+	go build -o bin/manager main.go
+
+.PHONY: backend-vendor
+backend-vendor: vendor fmt vet ## Build backend binary with vendor.
+	go build -mod=vendor -o bin/manager main.go
+
+.PHONY: frontend
+frontend: ## Build backend binary.
+	cd web/ && yarn && yarn run build && cd -
+
+.PHONY: vendor
+vendor: ## Update vendor.
+	go mod vendor
+
+.PHONY: run
+run: fmt vet ## Run backend in local 
+	go run ./main.go
+
+.PHONY: docker-build
+docker-build: ## Build docker image with the manager.
+	docker build -t ${REGISTRY}/${IMG}:${IMG_TAG} .
+
+.PHONY: docker-push
+docker-push: ## Push docker image with the manager.
+	docker push ${REGISTRY}/${IMG}:${IMG_TAG}
+
+lint-install: ## Install golangci-lint
+	@# The following installs a specific version of golangci-lint, which is appropriate for a CI server to avoid different results from build to build
+	go get github.com/golangci/golangci-lint/cmd/golangci-lint@v1.40.1
+
+lint: ## Run golangci-lint
+	@echo "---lint---"
+	golangci-lint run --modules-download-mode=vendor ./...
+
+##@ Deployment
+
+.PHONY: deploy
+deploy:  ## Deploy controller to the K8s cluster specified in ~/.kube/config.
+	helm upgrade --install ${APP} manifests/casdoor --create-namespace --set ingress.enabled=true \
+	--set "ingress.hosts[0].host=${HOST},ingress.hosts[0].paths[0].path=/,ingress.hosts[0].paths[0].pathType=ImplementationSpecific" \
+	--set image.tag=${IMG_TAG} --set image.repository=${REGISTRY} --set image.name=${IMG} --version ${IMG_TAG} -n ${NAMESPACE}
+
+.PHONY: dry-run
+dry-run: ## Dry run for helm install
+	helm upgrade --install ${APP} manifests/casdoor --set ingress.enabled=true \
+	--set "ingress.hosts[0].host=${HOST},ingress.hosts[0].paths[0].path=/,ingress.hosts[0].paths[0].pathType=ImplementationSpecific" \
+	--set image.tag=${IMG_TAG} --set image.repository=${REGISTRY} --set image.name=${IMG} --version ${IMG_TAG} -n ${NAMESPACE} --dry-run
+
+.PHONY: undeploy
+undeploy: ## Undeploy controller from the K8s cluster specified in ~/.kube/config. Call with ignore-not-found=true to ignore resource not found errors during deletion.
+	helm delete ${APP} -n ${NAMESPACE}
--- a/README.md
+++ b/README.md
@@ -158,6 +158,19 @@ dataSourceName = root:123456@tcp(db:3306)/
 docker-compose up
 ```

+### K8S
+You could use helm to deploy casdoor in k8s. At first, you should modify the [configmap](./manifests/casdoor/templates/configmap.yaml) for your application.
+And then run bellow command to deploy it.
+
+```bash
+IMG_TAG=latest make deploy 
+```
+
+And undeploy it with:
+```bash
+make undeploy
+```
+
 That's it! Try to visit http://localhost:8000/. :small_airplane:

 ## Detailed documentation
--- a/authz/authz.go
+++ b/authz/authz.go
@@ -98,7 +98,7 @@ p, *, *, GET, /api/get-human-check, *, *
 p, *, *, POST, /api/reset-email-or-phone, *, *
 p, *, *, POST, /api/upload-resource, *, *
 p, *, *, GET, /.well-known/openid-configuration, *, *
-p, *, *, *, /api/certs, *, *
+p, *, *, *, /.well-known/jwks, *, *
 p, *, *, GET, /api/get-saml-login, *, *
 p, *, *, POST, /api/acs, *, *
 `
--- a/controllers/account.go
+++ b/controllers/account.go
@@ -18,9 +18,7 @@ import (
 	"encoding/json"
 	"fmt"
 	"strconv"
-	"strings"

-	"github.com/astaxie/beego"
 	"github.com/casdoor/casdoor/object"
 	"github.com/casdoor/casdoor/util"
 )
@@ -69,18 +67,6 @@ type Response struct {
 	Data2  interface{} `json:"data2"`
 }

-type Userinfo struct {
-	Sub         string `json:"sub"`
-	Iss         string `json:"iss"`
-	Aud         string `json:"aud"`
-	Name        string `json:"name,omitempty"`
-	DisplayName string `json:"preferred_username,omitempty"`
-	Email       string `json:"email,omitempty"`
-	Avatar      string `json:"picture,omitempty"`
-	Address     string `json:"address,omitempty"`
-	Phone       string `json:"phone,omitempty"`
-}
-
 type HumanCheck struct {
 	Type         string      `json:"type"`
 	AppKey       string      `json:"appKey"`
@@ -145,7 +131,12 @@ func (c *ApiController) Signup() {
 	id := util.GenerateId()
 	if application.GetSignupItemRule("ID") == "Incremental" {
 		lastUser := object.GetLastUser(form.Organization)
-		lastIdInt := util.ParseInt(lastUser.Id)
+
+		lastIdInt := -1
+		if lastUser != nil {
+			lastIdInt = util.ParseInt(lastUser.Id)
+		}
+
 		id = strconv.Itoa(lastIdInt + 1)
 	}

@@ -249,38 +240,18 @@ func (c *ApiController) GetAccount() {
 // @Title UserInfo
 // @Tag Account API
 // @Description return user information according to OIDC standards
-// @Success 200 {object} controllers.Userinfo The Response object
+// @Success 200 {object} object.Userinfo The Response object
 // @router /userinfo [get]
 func (c *ApiController) GetUserinfo() {
 	userId, ok := c.RequireSignedIn()
 	if !ok {
 		return
 	}
-	user := object.GetUser(userId)
-	if user == nil {
-		c.ResponseError(fmt.Sprintf("The user: %s doesn't exist", userId))
-		return
-	}
 	scope, aud := c.GetSessionOidc()
-	iss := beego.AppConfig.String("origin")
-	resp := Userinfo{
-		Sub: user.Id,
-		Iss: iss,
-		Aud: aud,
-	}
-	if strings.Contains(scope, "profile") {
-		resp.Name = user.Name
-		resp.DisplayName = user.DisplayName
-		resp.Avatar = user.Avatar
-	}
-	if strings.Contains(scope, "email") {
-		resp.Email = user.Email
-	}
-	if strings.Contains(scope, "address") {
-		resp.Address = user.Location
-	}
-	if strings.Contains(scope, "phone") {
-		resp.Phone = user.Phone
+	host := c.Ctx.Request.Host
+	resp, err := object.GetUserInfo(userId, scope, aud, host)
+	if err != nil {
+		c.ResponseError(err.Error())
 	}
 	c.Data["json"] = resp
 	c.ServeJSON()
--- a/controllers/auth.go
+++ b/controllers/auth.go
@@ -59,7 +59,7 @@ func (c *ApiController) HandleLoggedIn(application *object.Application, user *ob
 			c.ResponseError("Challenge method should be S256")
 			return
 		}
-		code := object.GetOAuthCode(userId, clientId, responseType, redirectUri, scope, state, nonce, codeChallenge)
+		code := object.GetOAuthCode(userId, clientId, responseType, redirectUri, scope, state, nonce, codeChallenge, c.Ctx.Request.Host)
 		resp = codeToResponse(code)

 		if application.EnableSigninSession || application.HasPromptPage() {
@@ -109,7 +109,7 @@ func (c *ApiController) GetApplicationLogin() {
 }

 func setHttpClient(idProvider idp.IdProvider, providerType string) {
-	if providerType == "GitHub" || providerType == "Google" || providerType == "Facebook" || providerType == "LinkedIn" {
+	if providerType == "GitHub" || providerType == "Google" || providerType == "Facebook" || providerType == "LinkedIn" || providerType == "Steam" {
 		idProvider.SetHttpClient(proxy.ProxyHttpClient)
 	} else {
 		idProvider.SetHttpClient(proxy.DefaultHttpClient)
@@ -221,7 +221,7 @@ func (c *ApiController) Login() {
 				clientSecret = provider.ClientSecret2
 			}

-			idProvider := idp.GetIdProvider(provider.Type, provider.SubType, clientId, clientSecret, provider.AppId, form.RedirectUri)
+			idProvider := idp.GetIdProvider(provider.Type, provider.SubType, clientId, clientSecret, provider.AppId, form.RedirectUri, provider.Domain)
 			if idProvider == nil {
 				c.ResponseError(fmt.Sprintf("The provider type: %s is not supported", provider.Type))
 				return
--- a/controllers/ldap.go
+++ b/controllers/ldap.go
@@ -170,6 +170,7 @@ func (c *ApiController) UpdateLdap() {
 		return
 	}

+	prevLdap := object.GetLdap(ldap.Id)
 	affected := object.UpdateLdap(&ldap)
 	resp := wrapActionResponse(affected)
 	if affected {
@@ -177,6 +178,8 @@ func (c *ApiController) UpdateLdap() {
 	}
 	if ldap.AutoSync != 0 {
 		object.GetLdapAutoSynchronizer().StartAutoSync(ldap.Id)
+	} else if ldap.AutoSync == 0 && prevLdap.AutoSync != 0{
+		object.GetLdapAutoSynchronizer().StopAutoSync(ldap.Id)
 	}

 	c.Data["json"] = resp
--- a/controllers/oidc_discovery.go
+++ b/controllers/oidc_discovery.go
@@ -25,10 +25,10 @@ func (c *RootController) GetOidcDiscovery() {
 	c.ServeJSON()
 }

-// @Title GetOidcCert
+// @Title GetJwks
 // @Tag OIDC API
-// @router /api/certs [get]
-func (c *RootController) GetOidcCert() {
+// @router /.well-known/jwks [get]
+func (c *RootController) GetJwks() {
 	jwks, err := object.GetJsonWebKeySet()
 	if err != nil {
 		c.ResponseError(err.Error())
--- a/controllers/token.go
+++ b/controllers/token.go
@@ -149,8 +149,9 @@ func (c *ApiController) GetOAuthCode() {
 		c.ResponseError("Challenge method should be S256")
 		return
 	}
+	host := c.Ctx.Request.Host

-	c.Data["json"] = object.GetOAuthCode(userId, clientId, responseType, redirectUri, scope, state, nonce, codeChallenge)
+	c.Data["json"] = object.GetOAuthCode(userId, clientId, responseType, redirectUri, scope, state, nonce, codeChallenge, host)
 	c.ServeJSON()
 }

@@ -195,7 +196,8 @@ func (c *ApiController) RefreshToken() {
 	scope := c.Input().Get("scope")
 	clientId := c.Input().Get("client_id")
 	clientSecret := c.Input().Get("client_secret")
+	host := c.Ctx.Request.Host

-	c.Data["json"] = object.RefreshToken(grantType, refreshToken, scope, clientId, clientSecret)
+	c.Data["json"] = object.RefreshToken(grantType, refreshToken, scope, clientId, clientSecret, host)
 	c.ServeJSON()
 }
--- a/go.mod
+++ b/go.mod
@@ -17,6 +17,7 @@ require (
 	github.com/golang-jwt/jwt/v4 v4.1.0
 	github.com/google/uuid v1.2.0
 	github.com/jinzhu/configor v1.2.1 // indirect
+	github.com/lestrrat-go/jwx v0.9.0
 	github.com/markbates/goth v1.68.1-0.20211006204042-9dc8905b41c8
 	github.com/qiangmzsx/string-adapter/v2 v2.1.0
 	github.com/qor/oss v0.0.0-20191031055114-aef9ba66bf76
@@ -25,7 +26,7 @@ require (
 	github.com/russellhaering/goxmldsig v1.1.1
 	github.com/satori/go.uuid v1.2.0 // indirect
 	github.com/smartystreets/goconvey v1.6.4 // indirect
-	github.com/stretchr/testify v1.6.1
+	github.com/stretchr/testify v1.7.0
 	github.com/tealeg/xlsx v1.0.5
 	github.com/thanhpk/randstr v1.0.4
 	golang.org/x/crypto v0.0.0-20211215153901-e495a2d5b3d3
--- a/go.sum
+++ b/go.sum
@@ -343,8 +343,9 @@ github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXf
 github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
 github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4=
 github.com/stretchr/testify v1.5.1/go.mod h1:5W2xD1RspED5o8YsWQXVCued0rvSQ+mT+I5cxcmMvtA=
-github.com/stretchr/testify v1.6.1 h1:hDPOHmpOpP40lSULcqw7IrRb/u7w6RpDC9399XyoNd0=
 github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
+github.com/stretchr/testify v1.7.0 h1:nwc3DEeHmmLAfoZucVR881uASk0Mfjw8xYJ99tb5CcY=
+github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/syndtr/goleveldb v0.0.0-20160425020131-cfa635847112/go.mod h1:Z4AUp2Km+PwemOoO/VB5AOx9XSsIItzFjoJlOSiYmn0=
 github.com/syndtr/goleveldb v0.0.0-20181127023241-353a9fca669c/go.mod h1:Z4AUp2Km+PwemOoO/VB5AOx9XSsIItzFjoJlOSiYmn0=
 github.com/syndtr/goleveldb v1.0.0 h1:fBdIW9lB4Iz0n9khmH8w27SJ3QEJ7+IgjPEwGSZiFdE=
--- a/idp/adfs.go
+++ b/idp/adfs.go
@@ -0,0 +1,136 @@
+// Copyright 2022 The Casdoor Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package idp
+
+import (
+	"bytes"
+	"crypto/tls"
+	"encoding/json"
+	"fmt"
+	"io"
+	"net/http"
+	"net/url"
+	"time"
+
+	"github.com/lestrrat-go/jwx/jwa"
+	"github.com/lestrrat-go/jwx/jwk"
+	"github.com/lestrrat-go/jwx/jwt"
+	"golang.org/x/oauth2"
+)
+
+type AdfsIdProvider struct {
+	Client *http.Client
+	Config *oauth2.Config
+	Host   string
+}
+
+func NewAdfsIdProvider(clientId string, clientSecret string, redirectUrl string, hostUrl string) *AdfsIdProvider {
+	idp := &AdfsIdProvider{}
+
+	config := idp.getConfig(hostUrl)
+	config.ClientID = clientId
+	config.ClientSecret = clientSecret
+	config.RedirectURL = redirectUrl
+	idp.Config = config
+	idp.Host = hostUrl
+	return idp
+}
+
+func (idp *AdfsIdProvider) SetHttpClient(client *http.Client) {
+	tr := &http.Transport{
+		TLSClientConfig: &tls.Config{
+			InsecureSkipVerify: true,
+		},
+	}
+	idp.Client = client
+	idp.Client.Transport = tr
+}
+
+func (idp *AdfsIdProvider) getConfig(hostUrl string) *oauth2.Config {
+	var endpoint = oauth2.Endpoint{
+		AuthURL:  fmt.Sprintf("%s/adfs/oauth2/authorize", hostUrl),
+		TokenURL: fmt.Sprintf("%s/adfs/oauth2/token", hostUrl),
+	}
+
+	var config = &oauth2.Config{
+		Endpoint: endpoint,
+	}
+
+	return config
+}
+
+type AdfsToken struct {
+	IdToken   string `json:"id_token"`
+	ExpiresIn int    `json:"expires_in"`
+	ErrMsg    string `json:"error_description"`
+}
+
+// get more detail via: https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/overview/ad-fs-openid-connect-oauth-flows-scenarios#request-an-access-token
+func (idp *AdfsIdProvider) GetToken(code string) (*oauth2.Token, error) {
+	payload := url.Values{}
+	payload.Set("code", code)
+	payload.Set("grant_type", "authorization_code")
+	payload.Set("client_id", idp.Config.ClientID)
+	payload.Set("redirect_uri", idp.Config.RedirectURL)
+	resp, err := idp.Client.PostForm(idp.Config.Endpoint.TokenURL, payload)
+	if err != nil {
+		return nil, err
+	}
+	data, err := io.ReadAll(resp.Body)
+	if err != nil {
+		return nil, err
+	}
+
+	pToken := &AdfsToken{}
+	err = json.Unmarshal(data, pToken)
+	if err != nil {
+		return nil, fmt.Errorf("fail to unmarshal token response: %s", err.Error())
+	}
+	if pToken.ErrMsg != "" {
+		return nil, fmt.Errorf("pToken.Errmsg = %s", pToken.ErrMsg)
+	}
+
+	token := &oauth2.Token{
+		AccessToken: pToken.IdToken,
+		Expiry:      time.Unix(time.Now().Unix()+int64(pToken.ExpiresIn), 0),
+	}
+	return token, nil
+}
+
+// Since the userinfo endpoint of ADFS only returns sub,
+// the id_token is used to resolve the userinfo
+func (idp *AdfsIdProvider) GetUserInfo(token *oauth2.Token) (*UserInfo, error) {
+	resp, err := idp.Client.Get(fmt.Sprintf("%s/adfs/discovery/keys", idp.Host))
+	if err != nil {
+		return nil, err
+	}
+	keyset, err := jwk.Parse(resp.Body)
+	if err != nil {
+		return nil, err
+	}
+	tokenSrc := []byte(token.AccessToken)
+	publicKey, _ := keyset.Keys[0].Materialize()
+	id_token, _ := jwt.Parse(bytes.NewReader(tokenSrc), jwt.WithVerify(jwa.RS256, publicKey))
+	sid, _ := id_token.Get("sid")
+	upn, _ := id_token.Get("upn")
+	name, _ := id_token.Get("unique_name")
+	userinfo := &UserInfo{
+		Id:          sid.(string),
+		Username:    name.(string),
+		DisplayName: name.(string),
+		Email:       upn.(string),
+	}
+	return userinfo, nil
+}
--- a/idp/facebook.go
+++ b/idp/facebook.go
@@ -122,9 +122,9 @@ func (idp *FacebookIdProvider) GetToken(code string) (*oauth2.Token, error) {
 //}

 type FacebookUserInfo struct {
-	Id         string `json:"id"`          // The app user's App-Scoped User ID. This ID is unique to the app and cannot be used by other apps.
-	Name       string `json:"name"`        // The person's full name.
-	NameFormat string `json:"name_format"` // The person's name formatted to correctly handle Chinese, Japanese, or Korean ordering.
+	Id         string   `json:"id"`          // The app user's App-Scoped User ID. This ID is unique to the app and cannot be used by other apps.
+	Name       string   `json:"name"`        // The person's full name.
+	NameFormat string   `json:"name_format"` // The person's name formatted to correctly handle Chinese, Japanese, or Korean ordering.
 	Picture    struct { // The person's profile picture.
 		Data struct { // This struct is different as https://developers.facebook.com/docs/graph-api/reference/user/picture/
 			Height       int    `json:"height"`
@@ -164,6 +164,7 @@ func (idp *FacebookIdProvider) GetUserInfo(token *oauth2.Token) (*UserInfo, erro

 	userInfo := UserInfo{
 		Id:          facebookUserInfo.Id,
+		Username:    facebookUserInfo.Name,
 		DisplayName: facebookUserInfo.Name,
 		Email:       facebookUserInfo.Email,
 		AvatarUrl:   facebookUserInfo.Picture.Data.Url,
--- a/idp/goth.go
+++ b/idp/goth.go
@@ -45,6 +45,7 @@ import (
 	"github.com/markbates/goth/providers/salesforce"
 	"github.com/markbates/goth/providers/shopify"
 	"github.com/markbates/goth/providers/slack"
+	"github.com/markbates/goth/providers/steam"
 	"github.com/markbates/goth/providers/tumblr"
 	"github.com/markbates/goth/providers/twitter"
 	"github.com/markbates/goth/providers/yahoo"
@@ -171,6 +172,11 @@ func NewGothIdProvider(providerType string, clientId string, clientSecret string
 			Provider: slack.New(clientId, clientSecret, redirectUrl),
 			Session:  &slack.Session{},
 		}
+	case "Steam":
+		idp = GothIdProvider{
+			Provider: steam.New(clientSecret, redirectUrl),
+			Session:  &steam.Session{},
+		}
 	case "Tumblr":
 		idp = GothIdProvider{
 			Provider: tumblr.New(clientId, clientSecret, redirectUrl),
@@ -209,10 +215,21 @@ func (idp *GothIdProvider) SetHttpClient(client *http.Client) {

 func (idp *GothIdProvider) GetToken(code string) (*oauth2.Token, error) {
 	var expireAt time.Time
-	//Need to construct variables supported by goth
-	//to call the function to obtain accessToken
-	value := url.Values{}
-	value.Add("code", code)
+	var value url.Values
+	var err error
+	if idp.Provider.Name() == "steam" {
+		value, err = url.ParseQuery(code)
+		returnUrl := reflect.ValueOf(idp.Session).Elem().FieldByName("CallbackURL")
+		returnUrl.Set(reflect.ValueOf(value.Get("openid.return_to")))
+		if err != nil {
+			return nil, err
+		}
+	} else {
+		//Need to construct variables supported by goth
+		//to call the function to obtain accessToken
+		value = url.Values{}
+		value.Add("code", code)
+	}
 	accessToken, err := idp.Session.Authorize(idp.Provider, value)
 	//Get ExpiresAt's value
 	valueOfExpire := reflect.ValueOf(idp.Session).Elem().FieldByName("ExpiresAt")
@@ -231,10 +248,10 @@ func (idp *GothIdProvider) GetUserInfo(token *oauth2.Token) (*UserInfo, error) {
 	if err != nil {
 		return nil, err
 	}
-	return getUser(gothUser), nil
+	return getUser(gothUser, idp.Provider.Name()), nil
 }

-func getUser(gothUser goth.User) *UserInfo {
+func getUser(gothUser goth.User, provider string) *UserInfo {
 	user := UserInfo{
 		Id:          gothUser.UserID,
 		Username:    gothUser.Name,
@@ -258,7 +275,10 @@ func getUser(gothUser goth.User) *UserInfo {
 			user.DisplayName = user.Username
 		}
 	}
-
+	if provider == "steam" {
+		user.Username = user.DisplayName
+		user.Email = ""
+	}
 	return &user
 }

--- a/idp/provider.go
+++ b/idp/provider.go
@@ -35,7 +35,7 @@ type IdProvider interface {
 	GetUserInfo(token *oauth2.Token) (*UserInfo, error)
 }

-func GetIdProvider(typ string, subType string, clientId string, clientSecret string, appId string, redirectUrl string) IdProvider {
+func GetIdProvider(typ string, subType string, clientId string, clientSecret string, appId string, redirectUrl string, hostUrl string) IdProvider {
 	if typ == "GitHub" {
 		return NewGithubIdProvider(clientId, clientSecret, redirectUrl)
 	} else if typ == "Google" {
@@ -66,6 +66,8 @@ func GetIdProvider(typ string, subType string, clientId string, clientSecret str
 		return NewLarkIdProvider(clientId, clientSecret, redirectUrl)
 	} else if typ == "GitLab" {
 		return NewGitlabIdProvider(clientId, clientSecret, redirectUrl)
+	} else if typ == "Adfs" {
+		return NewAdfsIdProvider(clientId, clientSecret, redirectUrl, hostUrl)
 	} else if typ == "Baidu" {
 		return NewBaiduIdProvider(clientId, clientSecret, redirectUrl)
 	} else if typ == "Infoflow" {
@@ -83,7 +85,7 @@ func GetIdProvider(typ string, subType string, clientId string, clientSecret str
 	return nil
 }

-var gothList = []string{"Apple", "AzureAd", "Slack"}
+var gothList = []string{"Apple", "AzureAd", "Slack", "Steam"}

 func isGothSupport(provider string) bool {
 	for _, value := range gothList {
--- a/main.go
+++ b/main.go
@@ -16,6 +16,7 @@ package main

 import (
 	"flag"
+	"fmt"

 	"github.com/astaxie/beego"
 	"github.com/astaxie/beego/logs"
@@ -65,8 +66,8 @@ func main() {
 	if err != nil {
 		panic(err)
 	}
+	port := beego.AppConfig.DefaultInt("httpport", 8000)
 	//logs.SetLevel(logs.LevelInformational)
 	logs.SetLogFuncCall(false)
-
-	beego.Run()
+	beego.Run(fmt.Sprintf(":%v", port))
 }
--- a/manifests/casdoor/.helmignore
+++ b/manifests/casdoor/.helmignore
@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
--- a/manifests/casdoor/Chart.yaml
+++ b/manifests/casdoor/Chart.yaml
@@ -0,0 +1,24 @@
+apiVersion: v2
+name: casdoor
+description: A Helm chart for Kubernetes
+
+# A chart can be either an 'application' or a 'library' chart.
+#
+# Application charts are a collection of templates that can be packaged into versioned archives
+# to be deployed.
+#
+# Library charts provide useful utilities or functions for the chart developer. They're included as
+# a dependency of application charts to inject those utilities and functions into the rendering
+# pipeline. Library charts do not define any templates and therefore cannot be deployed.
+type: application
+
+# This is the chart version. This version number should be incremented each time you make changes
+# to the chart and its templates, including the app version.
+# Versions are expected to follow Semantic Versioning (https://semver.org/)
+version: 0.1.0
+
+# This is the version number of the application being deployed. This version number should be
+# incremented each time you make changes to the application. Versions are not expected to
+# follow Semantic Versioning. They should reflect the version the application is using.
+# It is recommended to use it with quotes.
+appVersion: "1.16.0"
--- a/manifests/casdoor/templates/NOTES.txt
+++ b/manifests/casdoor/templates/NOTES.txt
@@ -0,0 +1,22 @@
+1. Get the application URL by running these commands:
+{{- if .Values.ingress.enabled }}
+{{- range $host := .Values.ingress.hosts }}
+  {{- range .paths }}
+  http{{ if $.Values.ingress.tls }}s{{ end }}://{{ $host.host }}{{ .path }}
+  {{- end }}
+{{- end }}
+{{- else if contains "NodePort" .Values.service.type }}
+  export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "casdoor.fullname" . }})
+  export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}")
+  echo http://$NODE_IP:$NODE_PORT
+{{- else if contains "LoadBalancer" .Values.service.type }}
+     NOTE: It may take a few minutes for the LoadBalancer IP to be available.
+           You can watch the status of by running 'kubectl get --namespace {{ .Release.Namespace }} svc -w {{ include "casdoor.fullname" . }}'
+  export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ include "casdoor.fullname" . }} --template "{{"{{ range (index .status.loadBalancer.ingress 0) }}{{.}}{{ end }}"}}")
+  echo http://$SERVICE_IP:{{ .Values.service.port }}
+{{- else if contains "ClusterIP" .Values.service.type }}
+  export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ include "casdoor.name" . }},app.kubernetes.io/instance={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}")
+  export CONTAINER_PORT=$(kubectl get pod --namespace {{ .Release.Namespace }} $POD_NAME -o jsonpath="{.spec.containers[0].ports[0].containerPort}")
+  echo "Visit http://127.0.0.1:8080 to use your application"
+  kubectl --namespace {{ .Release.Namespace }} port-forward $POD_NAME 8080:$CONTAINER_PORT
+{{- end }}
--- a/manifests/casdoor/templates/_helpers.tpl
+++ b/manifests/casdoor/templates/_helpers.tpl
@@ -0,0 +1,62 @@
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "casdoor.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "casdoor.fullname" -}}
+{{- if .Values.fullnameOverride }}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- $name := default .Chart.Name .Values.nameOverride }}
+{{- if contains $name .Release.Name }}
+{{- .Release.Name | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "casdoor.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "casdoor.labels" -}}
+helm.sh/chart: {{ include "casdoor.chart" . }}
+{{ include "casdoor.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "casdoor.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "casdoor.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "casdoor.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create }}
+{{- default (include "casdoor.fullname" .) .Values.serviceAccount.name }}
+{{- else }}
+{{- default "default" .Values.serviceAccount.name }}
+{{- end }}
+{{- end }}
--- a/manifests/casdoor/templates/configmap.yaml
+++ b/manifests/casdoor/templates/configmap.yaml
@@ -0,0 +1,23 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: casdoor-config
+data:
+  app.conf: |
+    appname = casdoor
+    httpport = 80
+    runmode = dev
+    SessionOn = true
+    copyrequestbody = true
+    driverName = mysql
+    dataSourceName = root:123456@tcp(localhost:3306)/
+    dbName = casdoor
+    redisEndpoint =
+    defaultStorageProvider = 
+    isCloudIntranet = false
+    authState = "casdoor"
+    httpProxy = "127.0.0.1:10808"
+    verificationCodeTimeout = 10
+    initScore = 2000
+    logPostOnly = true
+    origin = "https://door.casbin.com"
--- a/manifests/casdoor/templates/deployment.yaml
+++ b/manifests/casdoor/templates/deployment.yaml
@@ -0,0 +1,75 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ include "casdoor.fullname" . }}
+  labels:
+    {{- include "casdoor.labels" . | nindent 4 }}
+spec:
+  {{- if not .Values.autoscaling.enabled }}
+  replicas: {{ .Values.replicaCount }}
+  {{- end }}
+  selector:
+    matchLabels:
+      {{- include "casdoor.selectorLabels" . | nindent 6 }}
+  template:
+    metadata:
+      {{- with .Values.podAnnotations }}
+      annotations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      labels:
+        {{- include "casdoor.selectorLabels" . | nindent 8 }}
+    spec:
+      {{- with .Values.imagePullSecrets }}
+      imagePullSecrets:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      serviceAccountName: {{ include "casdoor.serviceAccountName" . }}
+      securityContext:
+        {{- toYaml .Values.podSecurityContext | nindent 8 }}
+      containers:
+        - name: {{ .Chart.Name }}
+          securityContext:
+            {{- toYaml .Values.securityContext | nindent 12 }}
+          image: "{{ .Values.image.repository }}/{{ .Values.image.name }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
+          imagePullPolicy: {{ .Values.image.pullPolicy }}
+          # command: ["sleep", "100000000"]
+          ports:
+            - name: http
+              containerPort: 80
+              protocol: TCP
+          # livenessProbe:
+          #   httpGet:
+          #     path: /
+          #     port: http
+          # readinessProbe:
+          #   httpGet:
+          #     path: /
+          #     port: http
+          resources:
+            {{- toYaml .Values.resources | nindent 12 }}
+          volumeMounts:
+          - name: config-volume
+            mountPath: /conf
+      volumes:
+       - name: config-volume
+         projected:
+           defaultMode: 420
+           sources:
+           - configMap:
+               items:
+               - key: app.conf
+                 path: app.conf
+               name: casdoor-config
+      {{- with .Values.nodeSelector }}
+      nodeSelector:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.affinity }}
+      affinity:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.tolerations }}
+      tolerations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
--- a/manifests/casdoor/templates/hpa.yaml
+++ b/manifests/casdoor/templates/hpa.yaml
@@ -0,0 +1,28 @@
+{{- if .Values.autoscaling.enabled }}
+apiVersion: autoscaling/v2beta1
+kind: HorizontalPodAutoscaler
+metadata:
+  name: {{ include "casdoor.fullname" . }}
+  labels:
+    {{- include "casdoor.labels" . | nindent 4 }}
+spec:
+  scaleTargetRef:
+    apiVersion: apps/v1
+    kind: Deployment
+    name: {{ include "casdoor.fullname" . }}
+  minReplicas: {{ .Values.autoscaling.minReplicas }}
+  maxReplicas: {{ .Values.autoscaling.maxReplicas }}
+  metrics:
+    {{- if .Values.autoscaling.targetCPUUtilizationPercentage }}
+    - type: Resource
+      resource:
+        name: cpu
+        targetAverageUtilization: {{ .Values.autoscaling.targetCPUUtilizationPercentage }}
+    {{- end }}
+    {{- if .Values.autoscaling.targetMemoryUtilizationPercentage }}
+    - type: Resource
+      resource:
+        name: memory
+        targetAverageUtilization: {{ .Values.autoscaling.targetMemoryUtilizationPercentage }}
+    {{- end }}
+{{- end }}
--- a/manifests/casdoor/templates/ingress.yaml
+++ b/manifests/casdoor/templates/ingress.yaml
@@ -0,0 +1,61 @@
+{{- if .Values.ingress.enabled -}}
+{{- $fullName := include "casdoor.fullname" . -}}
+{{- $svcPort := .Values.service.port -}}
+{{- if and .Values.ingress.className (not (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion)) }}
+  {{- if not (hasKey .Values.ingress.annotations "kubernetes.io/ingress.class") }}
+  {{- $_ := set .Values.ingress.annotations "kubernetes.io/ingress.class" .Values.ingress.className}}
+  {{- end }}
+{{- end }}
+{{- if semverCompare ">=1.19-0" .Capabilities.KubeVersion.GitVersion -}}
+apiVersion: networking.k8s.io/v1
+{{- else if semverCompare ">=1.14-0" .Capabilities.KubeVersion.GitVersion -}}
+apiVersion: networking.k8s.io/v1beta1
+{{- else -}}
+apiVersion: extensions/v1beta1
+{{- end }}
+kind: Ingress
+metadata:
+  name: {{ $fullName }}
+  labels:
+    {{- include "casdoor.labels" . | nindent 4 }}
+  {{- with .Values.ingress.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+spec:
+  {{- if and .Values.ingress.className (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion) }}
+  ingressClassName: {{ .Values.ingress.className }}
+  {{- end }}
+  {{- if .Values.ingress.tls }}
+  tls:
+    {{- range .Values.ingress.tls }}
+    - hosts:
+        {{- range .hosts }}
+        - {{ . | quote }}
+        {{- end }}
+      secretName: {{ .secretName }}
+    {{- end }}
+  {{- end }}
+  rules:
+    {{- range .Values.ingress.hosts }}
+    - host: {{ .host | quote }}
+      http:
+        paths:
+          {{- range .paths }}
+          - path: {{ .path }}
+            {{- if and .pathType (semverCompare ">=1.18-0" $.Capabilities.KubeVersion.GitVersion) }}
+            pathType: {{ .pathType }}
+            {{- end }}
+            backend:
+              {{- if semverCompare ">=1.19-0" $.Capabilities.KubeVersion.GitVersion }}
+              service:
+                name: {{ $fullName }}
+                port:
+                  number: {{ $svcPort }}
+              {{- else }}
+              serviceName: {{ $fullName }}
+              servicePort: {{ $svcPort }}
+              {{- end }}
+          {{- end }}
+    {{- end }}
+{{- end }}
--- a/manifests/casdoor/templates/service.yaml
+++ b/manifests/casdoor/templates/service.yaml
@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ include "casdoor.fullname" . }}
+  labels:
+    {{- include "casdoor.labels" . | nindent 4 }}
+spec:
+  type: {{ .Values.service.type }}
+  ports:
+    - port: {{ .Values.service.port }}
+      targetPort: http
+      protocol: TCP
+      name: http
+  selector:
+    {{- include "casdoor.selectorLabels" . | nindent 4 }}
--- a/manifests/casdoor/templates/serviceaccount.yaml
+++ b/manifests/casdoor/templates/serviceaccount.yaml
@@ -0,0 +1,12 @@
+{{- if .Values.serviceAccount.create -}}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ include "casdoor.serviceAccountName" . }}
+  labels:
+    {{- include "casdoor.labels" . | nindent 4 }}
+  {{- with .Values.serviceAccount.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+{{- end }}
--- a/manifests/casdoor/templates/tests/test-connection.yaml
+++ b/manifests/casdoor/templates/tests/test-connection.yaml
@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: "{{ include "casdoor.fullname" . }}-test-connection"
+  labels:
+    {{- include "casdoor.labels" . | nindent 4 }}
+  annotations:
+    "helm.sh/hook": test
+spec:
+  containers:
+    - name: wget
+      image: busybox
+      command: ['wget']
+      args: ['{{ include "casdoor.fullname" . }}:{{ .Values.service.port }}']
+  restartPolicy: Never
--- a/manifests/casdoor/values.yaml
+++ b/manifests/casdoor/values.yaml
@@ -0,0 +1,83 @@
+# Default values for casdoor.
+# This is a YAML-formatted file.
+# Declare variables to be passed into your templates.
+
+replicaCount: 1
+
+image:
+  repository: casbin
+  name: casdoor-all-in-one
+  pullPolicy: IfNotPresent
+  # Overrides the image tag whose default is the chart appVersion.
+  tag: ""
+
+imagePullSecrets: []
+nameOverride: ""
+fullnameOverride: ""
+
+serviceAccount:
+  # Specifies whether a service account should be created
+  create: true
+  # Annotations to add to the service account
+  annotations: {}
+  # The name of the service account to use.
+  # If not set and create is true, a name is generated using the fullname template
+  name: ""
+
+podAnnotations: {}
+
+podSecurityContext: {}
+  # fsGroup: 2000
+
+securityContext: {}
+  # capabilities:
+  #   drop:
+  #   - ALL
+  # readOnlyRootFilesystem: true
+  # runAsNonRoot: true
+  # runAsUser: 1000
+
+service:
+  type: ClusterIP
+  port: 80
+
+ingress:
+  enabled: false
+  className: ""
+  annotations: {}
+    # kubernetes.io/ingress.class: nginx
+    # kubernetes.io/tls-acme: "true"
+  hosts:
+    - host: chart-example.local
+      paths:
+        - path: /
+          pathType: ImplementationSpecific
+  tls: []
+  #  - secretName: chart-example-tls
+  #    hosts:
+  #      - chart-example.local
+
+resources: {}
+  # We usually recommend not to specify default resources and to leave this as a conscious
+  # choice for the user. This also increases chances charts run on environments with little
+  # resources, such as Minikube. If you do want to specify resources, uncomment the following
+  # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
+  # limits:
+  #   cpu: 100m
+  #   memory: 128Mi
+  # requests:
+  #   cpu: 100m
+  #   memory: 128Mi
+
+autoscaling:
+  enabled: false
+  minReplicas: 1
+  maxReplicas: 100
+  targetCPUUtilizationPercentage: 80
+  # targetMemoryUtilizationPercentage: 80
+
+nodeSelector: {}
+
+tolerations: []
+
+affinity: {}
--- a/object/ldap.go
+++ b/object/ldap.go
@@ -162,7 +162,7 @@ func (l *ldapConn) GetLdapUsers(baseDn string) ([]ldapUser, error) {
 	searchReq := goldap.NewSearchRequest(baseDn,
 		goldap.ScopeWholeSubtree, goldap.NeverDerefAliases, 0, 0, false,
 		SearchFilter, SearchAttributes, nil)
-	searchResult, err := l.Conn.Search(searchReq)
+	searchResult, err := l.Conn.SearchWithPaging(searchReq, 100)
 	if err != nil {
 		return nil, err
 	}
--- a/object/ldap_autosync.go
+++ b/object/ldap_autosync.go
@@ -65,6 +65,13 @@ func (l *LdapAutoSynchronizer) syncRoutine(ldap *Ldap, stopChan chan struct{}) {
 	ticker := time.NewTicker(time.Duration(ldap.AutoSync) * time.Minute)
 	defer ticker.Stop()
 	for {
+		select {
+		case <-stopChan:
+			logs.Info(fmt.Sprintf("autoSync goroutine for %s stopped", ldap.Id))
+			return
+		case <-ticker.C:
+		}
+
 		UpdateLdapSyncTime(ldap.Id)
 		//fetch all users
 		conn, err := GetLdapConn(ldap.Host, ldap.Port, ldap.Admin, ldap.Passwd)
@@ -84,12 +91,6 @@ func (l *LdapAutoSynchronizer) syncRoutine(ldap *Ldap, stopChan chan struct{}) {
 		} else {
 			logs.Info(fmt.Sprintf("ldap autosync success, %d new users, %d existing users", len(users)-len(*existed), len(*existed)))
 		}
-		select {
-		case <-stopChan:
-			logs.Info(fmt.Sprintf("autoSync goroutine for %s stopped", ldap.Id))
-			return
-		case <-ticker.C:
-		}
 	}

 }
--- a/object/oidc_discovery.go
+++ b/object/oidc_discovery.go
@@ -69,11 +69,11 @@ func GetOidcDiscovery(host string) OidcDiscovery {
 	// https://accounts.google.com/.well-known/openid-configuration
 	// https://access.line.me/.well-known/openid-configuration
 	oidcDiscovery := OidcDiscovery{
-		Issuer:                                 originFrontend,
+		Issuer:                                 originBackend,
 		AuthorizationEndpoint:                  fmt.Sprintf("%s/login/oauth/authorize", originFrontend),
 		TokenEndpoint:                          fmt.Sprintf("%s/api/login/oauth/access_token", originBackend),
 		UserinfoEndpoint:                       fmt.Sprintf("%s/api/userinfo", originBackend),
-		JwksUri:                                fmt.Sprintf("%s/api/certs", originBackend),
+		JwksUri:                                fmt.Sprintf("%s/.well-known/jwks", originBackend),
 		ResponseTypesSupported:                 []string{"id_token"},
 		ResponseModesSupported:                 []string{"login", "code", "link"},
 		GrantTypesSupported:                    []string{"password", "authorization_code"},
@@ -89,21 +89,22 @@ func GetOidcDiscovery(host string) OidcDiscovery {
 }

 func GetJsonWebKeySet() (jose.JSONWebKeySet, error) {
-	cert := GetDefaultCert()
-
+	certs := GetCerts("admin")
+	jwks := jose.JSONWebKeySet{}
 	//follows the protocol rfc 7517(draft)
 	//link here: https://self-issued.info/docs/draft-ietf-jose-json-web-key.html
 	//or https://datatracker.ietf.org/doc/html/draft-ietf-jose-json-web-key
-	certPemBlock := []byte(cert.PublicKey)
-	certDerBlock, _ := pem.Decode(certPemBlock)
-	x509Cert, _ := x509.ParseCertificate(certDerBlock.Bytes)
+	for _, cert := range certs {
+		certPemBlock := []byte(cert.PublicKey)
+		certDerBlock, _ := pem.Decode(certPemBlock)
+		x509Cert, _ := x509.ParseCertificate(certDerBlock.Bytes)

-	var jwk jose.JSONWebKey
-	jwk.Key = x509Cert.PublicKey
-	jwk.Certificates = []*x509.Certificate{x509Cert}
-	jwk.KeyID = cert.Name
+		var jwk jose.JSONWebKey
+		jwk.Key = x509Cert.PublicKey
+		jwk.Certificates = []*x509.Certificate{x509Cert}
+		jwk.KeyID = cert.Name
+		jwks.Keys = append(jwks.Keys, jwk)
+	}

-	var jwks jose.JSONWebKeySet
-	jwks.Keys = []jose.JSONWebKey{jwk}
 	return jwks, nil
 }
--- a/object/token.go
+++ b/object/token.go
@@ -204,7 +204,7 @@ func CheckOAuthLogin(clientId string, responseType string, redirectUri string, s
 	return "", application
 }

-func GetOAuthCode(userId string, clientId string, responseType string, redirectUri string, scope string, state string, nonce string, challenge string) *Code {
+func GetOAuthCode(userId string, clientId string, responseType string, redirectUri string, scope string, state string, nonce string, challenge string, host string) *Code {
 	user := GetUser(userId)
 	if user == nil {
 		return &Code{
@@ -227,7 +227,7 @@ func GetOAuthCode(userId string, clientId string, responseType string, redirectU
 		}
 	}

-	accessToken, refreshToken, err := generateJwtToken(application, user, nonce, scope)
+	accessToken, refreshToken, err := generateJwtToken(application, user, nonce, scope, host)
 	if err != nil {
 		panic(err)
 	}
@@ -361,7 +361,7 @@ func GetOAuthToken(grantType string, clientId string, clientSecret string, code
 	return tokenWrapper
 }

-func RefreshToken(grantType string, refreshToken string, scope string, clientId string, clientSecret string) *TokenWrapper {
+func RefreshToken(grantType string, refreshToken string, scope string, clientId string, clientSecret string, host string) *TokenWrapper {
 	// check parameters
 	if grantType != "refresh_token" {
 		return &TokenWrapper{
@@ -420,7 +420,7 @@ func RefreshToken(grantType string, refreshToken string, scope string, clientId
 			Scope:       "",
 		}
 	}
-	newAccessToken, newRefreshToken, err := generateJwtToken(application, user, "", scope)
+	newAccessToken, newRefreshToken, err := generateJwtToken(application, user, "", scope, host)
 	if err != nil {
 		panic(err)
 	}
--- a/object/token_jwt.go
+++ b/object/token_jwt.go
@@ -61,12 +61,17 @@ func getShortClaims(claims Claims) ClaimsShort {
 	return res
 }

-func generateJwtToken(application *Application, user *User, nonce string, scope string) (string, string, error) {
+func generateJwtToken(application *Application, user *User, nonce string, scope string, host string) (string, string, error) {
 	nowTime := time.Now()
 	expireTime := nowTime.Add(time.Duration(application.ExpireInHours) * time.Hour)
 	refreshExpireTime := nowTime.Add(time.Duration(application.RefreshExpireInHours) * time.Hour)

 	user.Password = ""
+	origin := beego.AppConfig.String("origin")
+	_, originBackend := getOriginFromHost(host)
+	if origin != "" {
+		originBackend = origin
+	}

 	claims := Claims{
 		User:  user,
@@ -75,7 +80,7 @@ func generateJwtToken(application *Application, user *User, nonce string, scope
 		Tag:   user.Tag,
 		Scope: scope,
 		RegisteredClaims: jwt.RegisteredClaims{
-			Issuer:    beego.AppConfig.String("origin"),
+			Issuer:    originBackend,
 			Subject:   user.Id,
 			Audience:  []string{application.ClientId},
 			ExpiresAt: jwt.NewNumericDate(expireTime),
--- a/object/user.go
+++ b/object/user.go
@@ -18,6 +18,7 @@ import (
 	"fmt"
 	"strings"

+	"github.com/astaxie/beego"
 	"github.com/casdoor/casdoor/util"
 	"xorm.io/core"
 )
@@ -79,16 +80,30 @@ type User struct {
 	Wecom    string `xorm:"wecom varchar(100)" json:"wecom"`
 	Lark     string `xorm:"lark varchar(100)" json:"lark"`
 	Gitlab   string `xorm:"gitlab varchar(100)" json:"gitlab"`
+	Adfs     string `xorm:"adfs varchar(100)" json:"adfs"`
 	Baidu    string `xorm:"baidu varchar(100)" json:"baidu"`
 	Infoflow string `xorm:"infoflow varchar(100)" json:"infoflow"`
 	Apple    string `xorm:"apple varchar(100)" json:"apple"`
 	AzureAD  string `xorm:"azuread varchar(100)" json:"azuread"`
 	Slack    string `xorm:"slack varchar(100)" json:"slack"`
+	Steam    string `xorm:"steam varchar(100)" json:"steam"`

 	Ldap       string            `xorm:"ldap varchar(100)" json:"ldap"`
 	Properties map[string]string `json:"properties"`
 }

+type Userinfo struct {
+	Sub         string `json:"sub"`
+	Iss         string `json:"iss"`
+	Aud         string `json:"aud"`
+	Name        string `json:"name,omitempty"`
+	DisplayName string `json:"preferred_username,omitempty"`
+	Email       string `json:"email,omitempty"`
+	Avatar      string `json:"picture,omitempty"`
+	Address     string `json:"address,omitempty"`
+	Phone       string `json:"phone,omitempty"`
+}
+
 func GetGlobalUserCount(field, value string) int {
 	session := GetSession("", -1, -1, field, value, "", "")
 	count, err := session.Count(&User{})
@@ -401,6 +416,39 @@ func DeleteUser(user *User) bool {
 	return affected != 0
 }

+func GetUserInfo(userId string, scope string, aud string, host string) (*Userinfo, error) {
+	user := GetUser(userId)
+	if user == nil {
+		return nil, fmt.Errorf("the user: %s doesn't exist", userId)
+	}
+	origin := beego.AppConfig.String("origin")
+	_, originBackend := getOriginFromHost(host)
+	if origin != "" {
+		originBackend = origin
+	}
+
+	resp := Userinfo{
+		Sub: user.Id,
+		Iss: originBackend,
+		Aud: aud,
+	}
+	if strings.Contains(scope, "profile") {
+		resp.Name = user.Name
+		resp.DisplayName = user.DisplayName
+		resp.Avatar = user.Avatar
+	}
+	if strings.Contains(scope, "email") {
+		resp.Email = user.Email
+	}
+	if strings.Contains(scope, "address") {
+		resp.Address = user.Location
+	}
+	if strings.Contains(scope, "phone") {
+		resp.Phone = user.Phone
+	}
+	return &resp, nil
+}
+
 func LinkUserAccount(user *User, field string, value string) bool {
 	return SetUserField(user, field, value)
 }
--- a/routers/router.go
+++ b/routers/router.go
@@ -159,5 +159,5 @@ func initAPI() {
 	beego.Router("/api/send-sms", &controllers.ApiController{}, "POST:SendSms")

 	beego.Router("/.well-known/openid-configuration", &controllers.RootController{}, "GET:GetOidcDiscovery")
-	beego.Router("/api/certs", &controllers.RootController{}, "*:GetOidcCert")
+	beego.Router("/.well-known/jwks", &controllers.RootController{}, "*:GetJwks")
 }
--- a/swagger/swagger.json
+++ b/swagger/swagger.json
--- a/swagger/swagger.yml
+++ b/swagger/swagger.yml
--- a/util/string.go
+++ b/util/string.go
@@ -49,11 +49,11 @@ func ParseBool(s string) bool {
 func BoolToString(b bool) string {
 	if b {
 		return "1"
-	} else {
-		return "0"
 	}
+	return "0"
 }

+//CamelToSnakeCase This function transform camelcase in snakecase LoremIpsum in lorem_ipsum
 func CamelToSnakeCase(camel string) string {
 	var buf bytes.Buffer
 	for _, c := range camel {
@@ -63,11 +63,11 @@ func CamelToSnakeCase(camel string) string {
 				buf.WriteRune('_')
 			}
 			buf.WriteRune(c - 'A' + 'a')
-		} else {
-			buf.WriteRune(c)
+			continue
 		}
+		buf.WriteRune(c)
 	}
-	return buf.String()
+	return strings.ReplaceAll(buf.String(), " ", "")
 }

 func GetOwnerAndNameFromId(id string) (string, string) {
@@ -124,7 +124,7 @@ func GetMinLenStr(strs ...string) string {
 	i := 0
 	for j, str := range strs {
 		l := len(str)
-		if l > m {
+		if l < m {
 			m = l
 			i = j
 		}
@@ -148,23 +148,7 @@ func WriteStringToPath(s string, path string) {
 	}
 }

-func ReadBytesFromPath(path string) []byte {
-	data, err := os.ReadFile(path)
-	if err != nil {
-		panic(err)
-	}
-
-	return data
-}
-
-func WriteBytesToPath(b []byte, path string) {
-	err := os.WriteFile(path, b, 0644)
-	if err != nil {
-		panic(err)
-	}
-}
-
-// SnakeString XxYy to xx_yy
+// SnakeString transform XxYy to xx_yy
 func SnakeString(s string) string {
 	data := make([]byte, 0, len(s)*2)
 	j := false
@@ -179,7 +163,8 @@ func SnakeString(s string) string {
 		}
 		data = append(data, d)
 	}
-	return strings.ToLower(string(data[:]))
+	result := strings.ToLower(string(data[:]))
+	return strings.ReplaceAll(result, " ", "")
 }

 func IsChinese(str string) bool {
--- a/util/string_test.go
+++ b/util/string_test.go
@@ -0,0 +1,247 @@
+// Copyright 2021 The casbin Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package util
+
+import (
+	"github.com/google/uuid"
+	"github.com/stretchr/testify/assert"
+	"testing"
+)
+
+func TestParseInt(t *testing.T) {
+	scenarios := []struct {
+		description string
+		input       string
+		expected    interface{}
+	}{
+		{"Should be return zero when value is empty", "", 0},
+		{"Should be return 0", "0", 0},
+		{"Should be return 5", "5", 5},
+		{"Should be return 10", "10", 10},
+		{"Should be return -1", "-1", -1},
+		{"Should be return -5", "-5", -5},
+		{"Should be return -10", "-10", -10},
+		{"Should be return -10", "string", "panic"},
+	}
+	for _, scenery := range scenarios {
+		t.Run(scenery.description, func(t *testing.T) {
+			if scenery.expected == "panic" {
+				defer func() {
+					if r := recover(); r == nil {
+						t.Error("function should panic")
+					}
+				}()
+				ParseInt(scenery.input)
+
+			} else {
+				actual := ParseInt(scenery.input)
+				assert.Equal(t, scenery.expected, actual, "The returned value not is expected")
+			}
+		})
+	}
+}
+
+func TestParseBool(t *testing.T) {
+	scenarios := []struct {
+		description string
+		input       string
+		expected    interface{}
+	}{
+		{"Should be return false", "0", false},
+		{"Should be return true", "5", true},
+		{"Should be return true", "10", true},
+		{"Should be return true", "-1", true},
+		{"Should be return false", "", false},
+	}
+	for _, scenery := range scenarios {
+		t.Run(scenery.description, func(t *testing.T) {
+			actual := ParseBool(scenery.input)
+			assert.Equal(t, scenery.expected, actual, "The returned value not is expected")
+		})
+	}
+}
+
+func TestBoolToString(t *testing.T) {
+	scenarios := []struct {
+		description string
+		input       bool
+		expected    interface{}
+	}{
+		{"Should be return 1", true, "1"},
+		{"Should be return 0", false, "0"},
+	}
+	for _, scenery := range scenarios {
+		t.Run(scenery.description, func(t *testing.T) {
+			actual := BoolToString(scenery.input)
+			assert.Equal(t, scenery.expected, actual, "The returned value not is expected")
+		})
+	}
+}
+
+func TestCamelToSnakeCase(t *testing.T) {
+	scenarios := []struct {
+		description string
+		input       string
+		expected    interface{}
+	}{
+		{"Should be return casdor_is_the_best", "CasdoorIsTheBest", "casdoor_is_the_best"},
+		{"Should be return lorem_ipsum", "Lorem Ipsum", "lorem_ipsum"},
+		{"Should be return Lorem Ipsum", "lorem Ipsum", "lorem_ipsum"},
+		{"Should be return lorem_ipsum", "lorem ipsum", "loremipsum"},
+	}
+	for _, scenery := range scenarios {
+		t.Run(scenery.description, func(t *testing.T) {
+			actual := CamelToSnakeCase(scenery.input)
+			assert.Equal(t, scenery.expected, actual, "The returned value not is expected")
+		})
+	}
+}
+
+func TestGenerateId(t *testing.T) {
+	scenarios := []struct {
+		description string
+		input       string
+		expected    interface{}
+	}{
+		{"Scenery one", GenerateId(), nil},
+		{"Scenery two", GenerateId(), nil},
+		{"Scenery three", "00000000-0000-0000-0000-000000000000", nil},
+	}
+	for _, scenery := range scenarios {
+		t.Run(scenery.description, func(t *testing.T) {
+			_, err := uuid.Parse(scenery.input)
+			assert.Equal(t, scenery.expected, err, "Should be return empty")
+		})
+	}
+
+	_, SceneryTree := uuid.Parse("00000000-0000-0000-0000-00000000000S")
+	assert.Equal(t, "invalid UUID format", SceneryTree.Error(), "Errou")
+
+	_, SceneryFor := uuid.Parse("00000000-0000-0000-0000-000000000000S")
+	assert.Equal(t, "invalid UUID length: 37", SceneryFor.Error(), "Errou")
+}
+
+func TestGetId(t *testing.T) {
+	scenarios := []struct {
+		description string
+		input       string
+		expected    interface{}
+	}{
+		{"Scenery one", "casdoor", "admin/casdoor"},
+		{"Scenery two", "casbin", "admin/casbin"},
+		{"Scenery three", "lorem ipsum", "admin/lorem ipsum"},
+	}
+	for _, scenery := range scenarios {
+		t.Run(scenery.description, func(t *testing.T) {
+			actual := GetId(scenery.input)
+			assert.Equal(t, scenery.expected, actual, "This not is a valid MD5")
+		})
+	}
+}
+
+func TestGetMd5Hash(t *testing.T) {
+	scenarios := []struct {
+		description string
+		input       string
+		expected    interface{}
+	}{
+		{"Scenery one", "casdoor", "0b874f488b4705693a60256b8f3a32da"},
+		{"Scenery two", "casbin", "59c5a967f086f65366a80dbdd1205a6c"},
+		{"Scenery three", "lorem ipsum", "80a751fde577028640c419000e33eba6"},
+	}
+	for _, scenery := range scenarios {
+		t.Run(scenery.description, func(t *testing.T) {
+			actual := GetMd5Hash(scenery.input)
+			assert.Equal(t, scenery.expected, actual, "This not is a valid MD5")
+		})
+	}
+}
+
+func TestIsStrsEmpty(t *testing.T) {
+	scenarios := []struct {
+		description string
+		input       []string
+		expected    interface{}
+	}{
+		{"Should be return true if one is empty", []string{"", "lorem", "ipsum"}, true},
+		{"Should be return true if is empty", []string{""}, true},
+		{"Should be return false all is a valid string", []string{"lorem", "ipsum"}, false},
+		{"Should be return false is function called with empty parameters", []string{}, false},
+	}
+	for _, scenery := range scenarios {
+		t.Run(scenery.description, func(t *testing.T) {
+			actual := IsStrsEmpty(scenery.input...)
+			assert.Equal(t, scenery.expected, actual, "The returned value not is expected")
+		})
+	}
+}
+
+func TestGetMaxLenStr(t *testing.T) {
+	scenarios := []struct {
+		description string
+		input       []string
+		expected    interface{}
+	}{
+		{"Should be return casdoor", []string{"", "casdoor", "casbin"}, "casdoor"},
+		{"Should be return casdoor_jdk", []string{"", "casdoor", "casbin", "casdoor_jdk"}, "casdoor_jdk"},
+		{"Should be return empty string", []string{""}, ""},
+	}
+	for _, scenery := range scenarios {
+		t.Run(scenery.description, func(t *testing.T) {
+			actual := GetMaxLenStr(scenery.input...)
+			assert.Equal(t, scenery.expected, actual, "The returned value not is expected")
+		})
+	}
+}
+
+func TestGetMinLenStr(t *testing.T) {
+	scenarios := []struct {
+		description string
+		input       []string
+		expected    interface{}
+	}{
+		{"Should be return casbin", []string{"casdoor", "casbin"}, "casbin"},
+		{"Should be return casbin", []string{"casdoor", "casbin", "casdoor_jdk"}, "casbin"},
+		{"Should be return empty string", []string{"a", "", "casbin"}, ""},
+		{"Should be return a", []string{"a", "casdoor", "casbin"}, "a"},
+		{"Should be return a", []string{"casdoor", "a", "casbin"}, "a"},
+		{"Should be return a", []string{"casbin", "casdoor", "a"}, "a"},
+	}
+	for _, scenery := range scenarios {
+		t.Run(scenery.description, func(t *testing.T) {
+			actual := GetMinLenStr(scenery.input...)
+			assert.Equal(t, scenery.expected, actual, "The returned value not is expected")
+		})
+	}
+}
+
+func TestSnakeString(t *testing.T) {
+	scenarios := []struct {
+		description string
+		input       string
+		expected    interface{}
+	}{
+		{"Should be return casdor_is_the_best", "CasdoorIsTheBest", "casdoor_is_the_best"},
+		{"Should be return lorem_ipsum", "Lorem Ipsum", "lorem_ipsum"},
+		{"Should be return lorem_ipsum", "lorem Ipsum", "lorem_ipsum"},
+		{"Should be return loremipsum", "lorem ipsum", "loremipsum"},
+	}
+	for _, scenery := range scenarios {
+		t.Run(scenery.description, func(t *testing.T) {
+			actual := SnakeString(scenery.input)
+			assert.Equal(t, scenery.expected, actual, "The returned value not is expected")
+		})
+	}
+}
--- a/web/src/LdapSyncPage.js
+++ b/web/src/LdapSyncPage.js
@@ -26,7 +26,7 @@ class LdapSyncPage extends React.Component {
      ldap: null,
      users: [],
      existUuids: [],
-      selectedUsers: []
+      selectedUsers: [],
    };
  }

@@ -212,7 +212,7 @@ class LdapSyncPage extends React.Component {
    return (
      <div>
        <Table rowSelection={rowSelection} columns={columns} dataSource={users} rowKey="uuid" bordered
-               pagination={{pageSize: 100}}
+               pagination={{defaultPageSize: 10, showQuickJumper: true, showSizeChanger: true}}
               title={() => (
                 <div>
                   <span>{this.state.ldap?.serverName}</span>
--- a/web/src/ProviderEditPage.js
+++ b/web/src/ProviderEditPage.js
@@ -293,6 +293,20 @@ class ProviderEditPage extends React.Component {
            </React.Fragment>
          )
        }
+        {
+          this.state.provider.type !== "Adfs" ? null : (
+            <Row style={{marginTop: '20px'}} >
+            <Col style={{marginTop: '5px'}} span={2}>
+              {Setting.getLabel(i18next.t("provider:Domain"), i18next.t("provider:Domain - Tooltip"))} :
+            </Col>
+            <Col span={22} >
+              <Input value={this.state.provider.domain} onChange={e => {
+                this.updateProviderField('domain', e.target.value);
+              }} />
+            </Col>
+          </Row>
+          )
+        }
        {this.state.provider.category === "Storage" ? (
          <div>
            <Row style={{marginTop: '20px'}} >
--- a/web/src/ResourceListPage.js
+++ b/web/src/ResourceListPage.js
@@ -74,7 +74,7 @@ class ResourceListPage extends BaseListPage {

  renderUpload() {
    return (
-      <Upload maxCount={1} accept="image/*,video/*,audio/*,.pdf" showUploadList={false}
+      <Upload maxCount={1} accept="image/*,video/*,audio/*,.pdf,.doc,.docx" showUploadList={false}
              beforeUpload={file => {return false}} onChange={info => {this.handleUpload(info)}}>
        <Button icon={<UploadOutlined />} loading={this.state.uploading} type="primary" size="small">
          {i18next.t("resource:Upload a file...")}
--- a/web/src/Setting.js
+++ b/web/src/Setting.js
@@ -398,11 +398,13 @@ export function getProviderTypeOptions(category) {
        {id: 'WeCom', name: 'WeCom'},
        {id: 'Lark', name: 'Lark'},
        {id: 'GitLab', name: 'GitLab'},
+        {id: 'Adfs', name: 'Adfs'},
        {id: 'Baidu', name: 'Baidu'},
        {id: 'Infoflow', name: 'Infoflow'},
        {id: 'Apple', name: 'Apple'},
        {id: 'AzureAD', name: 'AzureAD'},
        {id: 'Slack', name: 'Slack'},
+        {id: 'Steam', name: 'Steam'},
      ]
    );
  } else if (category === "Email") {
--- a/web/src/SignupTable.js
+++ b/web/src/SignupTable.js
@@ -170,7 +170,7 @@ class SignupTable extends React.Component {
          } if (record.name === "Display name") {
            options = [
              {id: 'None', name: 'None'},
-              {id: 'Personal', name: 'Personal'},
+              {id: 'Real name', name: 'Real name'},
            ];
          }

--- a/web/src/auth/AdfsLoginButton.js
+++ b/web/src/auth/AdfsLoginButton.js
@@ -0,0 +1,32 @@
+// Copyright 2022 The Casdoor Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+import {createButton} from "react-social-login-buttons";
+import {StaticBaseUrl} from "../Setting";
+
+function Icon({ width = 24, height = 24, color }) {
+    return <img src={`${StaticBaseUrl}/buttons/adfs.svg`} alt="Sign in with ADFS" style={{width: 24, height: 24}} />;
+}
+
+const config = {
+    text: "Sign in with ADFS",
+    icon: Icon,
+    iconFormat: name => `fa fa-${name}`,
+    style: {background: "#ffffff", color: "#000000"},
+    activeStyle: {background: "#ededee"},
+};
+
+const AdfsLoginButton = createButton(config);
+
+export default AdfsLoginButton;
--- a/web/src/auth/AuthCallback.js
+++ b/web/src/auth/AuthCallback.js
@@ -69,6 +69,7 @@ class AuthCallback extends React.Component {

  UNSAFE_componentWillMount() {
    const params = new URLSearchParams(this.props.location.search);
+    let isSteam = params.get("openid.mode")
    let code = params.get("code");
    // WeCom returns "auth_code=xxx" instead of "code=xxx"
    if (code === null) {
@@ -78,6 +79,10 @@ class AuthCallback extends React.Component {
    if (code === null) {
      code = params.get("authCode")
    }
+    //Steam don't use code, so we should use all params as code.
+    if (isSteam !== null && code === null) {
+      code = this.props.location.search
+    }

    const innerParams = this.getInnerParams();
    const applicationName = innerParams.get("application");
--- a/web/src/auth/LoginPage.js
+++ b/web/src/auth/LoginPage.js
@@ -34,11 +34,13 @@ import LinkedInLoginButton from "./LinkedInLoginButton";
 import WeComLoginButton from "./WeComLoginButton";
 import LarkLoginButton from "./LarkLoginButton";
 import GitLabLoginButton from "./GitLabLoginButton";
+import AdfsLoginButton from "./AdfsLoginButton";
 import BaiduLoginButton from "./BaiduLoginButton";
 import InfoflowLoginButton from "./InfoflowLoginButton";
 import AppleLoginButton from "./AppleLoginButton"
 import AzureADLoginButton from "./AzureADLoginButton";
 import SlackLoginButton from "./SlackLoginButton";
+import SteamLoginButton from "./SteamLoginButton";
 import CustomGithubCorner from "../CustomGithubCorner";
 import {CountDownInput} from "../common/CountDownInput";

@@ -187,6 +189,8 @@ class LoginPage extends React.Component {
      return <LarkLoginButton text={text} align={"center"} />
    } else if (type === "GitLab") {
      return <GitLabLoginButton text={text} align={"center"} />
+    } else if (type === "Adfs") {
+      return <AdfsLoginButton text={text} align={"center"} />
    } else if (type === "Baidu") {
      return <BaiduLoginButton text={text} align={"center"} />
    } else if (type === "Infoflow") {
@@ -197,6 +201,8 @@ class LoginPage extends React.Component {
      return <AzureADLoginButton text={text} align={"center"} />
    } else if (type === "Slack") {
      return <SlackLoginButton text={text} align={"center"} />
+    } else if (type === "Steam") {
+      return <SteamLoginButton text={text} align={"center"} />
    }

    return text;
--- a/web/src/auth/Provider.js
+++ b/web/src/auth/Provider.js
@@ -70,6 +70,10 @@ const authInfo = {
    scope: "read_user+profile",
    endpoint: "https://gitlab.com/oauth/authorize",
  },
+  Adfs: {
+    scope: "openid",
+    endpoint: "http://example.com",
+  },
  Baidu: {
    scope: "basic",
    endpoint: "http://openapi.baidu.com/oauth/2.0/authorize",
@@ -89,6 +93,9 @@ const authInfo = {
    scope: "users:read",
    endpoint: "https://slack.com/oauth/authorize",
  },
+  Steam: {
+    endpoint: "https://steamcommunity.com/openid/login",
+  },
 };

 const otherProviderInfo = {
@@ -264,6 +271,8 @@ export function getAuthUrl(application, provider, method) {
    return `${endpoint}?app_id=${provider.clientId}&redirect_uri=${redirectUri}&state=${state}`;
  } else if (provider.type === "GitLab") {
    return `${endpoint}?client_id=${provider.clientId}&redirect_uri=${redirectUri}&state=${state}&response_type=code&scope=${scope}`;
+  } else if (provider.type === "Adfs") {
+    return `${provider.domain}/adfs/oauth2/authorize?client_id=${provider.clientId}&redirect_uri=${redirectUri}&state=${state}&response_type=code&nonce=casdoor&scope=openid`;
  } else if (provider.type === "Baidu") {
    return `${endpoint}?client_id=${provider.clientId}&redirect_uri=${redirectUri}&state=${state}&response_type=code&scope=${scope}&display=popup`;
  } else if (provider.type === "Infoflow"){
@@ -274,5 +283,7 @@ export function getAuthUrl(application, provider, method) {
    return `${endpoint}?client_id=${provider.clientId}&redirect_uri=${redirectUri}&state=${state}&response_type=code&scope=${scope}&resource=https://graph.windows.net/`;
  } else if (provider.type === "Slack") {
    return `${endpoint}?client_id=${provider.clientId}&redirect_uri=${redirectUri}&state=${state}&response_type=code&scope=${scope}`;
+  } else if (provider.type === "Steam") {
+    return `${endpoint}?openid.claimed_id=http://specs.openid.net/auth/2.0/identifier_select&openid.identity=http://specs.openid.net/auth/2.0/identifier_select&openid.mode=checkid_setup&openid.ns=http://specs.openid.net/auth/2.0&openid.realm=${window.location.origin}&openid.return_to=${redirectUri}?state=${state}`;
  } 
 }
--- a/web/src/auth/SignupPage.js
+++ b/web/src/auth/SignupPage.js
@@ -196,11 +196,11 @@ class SignupPage extends React.Component {
        <Form.Item
          name="name"
          key="name"
-          label={signupItem.rule === "Personal" ? i18next.t("general:Personal name") : i18next.t("general:Display name")}
+          label={signupItem.rule === "Real name" ? i18next.t("general:Real name") : i18next.t("general:Display name")}
          rules={[
            {
              required: required,
-              message: signupItem.rule === "Personal" ? i18next.t("signup:Please input your personal name!") : i18next.t("signup:Please input your display name!"),
+              message: signupItem.rule === "Real name" ? i18next.t("signup:Please input your real name!") : i18next.t("signup:Please input your display name!"),
              whitespace: true,
            },
          ]}
--- a/web/src/auth/SteamLoginButton.js
+++ b/web/src/auth/SteamLoginButton.js
@@ -0,0 +1,32 @@
+// Copyright 2022 The casbin Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+import {createButton} from "react-social-login-buttons";
+import {StaticBaseUrl} from "../Setting";
+
+function Icon({ width = 24, height = 24, color }) {
+    return <img src={`${StaticBaseUrl}/buttons/steam.svg`} alt="Sign in with Steam" style={{width: 24, height: 24}} />;
+}
+
+const config = {
+    text: "Sign in with Steam",
+    icon: Icon,
+    iconFormat: name => `fa fa-${name}`,
+    style: {background: "#ffffff", color: "#000000"},
+    activeStyle: {background: "#ededee"},
+};
+
+const SteamLoginButton = createButton(config);
+
+export default SteamLoginButton;
--- a/web/src/locales/de/data.json
+++ b/web/src/locales/de/data.json
@@ -137,7 +137,7 @@
    "Password type - Tooltip": "The form in which the password is stored in the database",
    "Payments": "Payments",
    "Permissions": "Berechtigungen",
-    "Personal name": "Persönlicher Name",
+    "Real name": "Persönlicher Name",
    "Phone": "Telefon",
    "Phone - Tooltip": "Phone",
    "Phone prefix": "Telefonpräfix",
@@ -381,7 +381,7 @@
    "Please input your address!": "Bitte geben Sie Ihre Adresse ein!",
    "Please input your affiliation!": "Bitte geben Sie Ihre Zugehörigkeit ein!",
    "Please input your display name!": "Bitte geben Sie Ihren Anzeigenamen ein!",
-    "Please input your personal name!": "Bitte geben Sie Ihren persönlichen Namen ein!",
+    "Please input your real name!": "Bitte geben Sie Ihren persönlichen Namen ein!",
    "Please input your phone number!": "Bitte geben Sie Ihre Telefonnummer ein!",
    "Please select your country/region!": "Bitte wählen Sie Ihr Land/Ihre Region!",
    "Terms of Use": "Nutzungsbedingungen",
--- a/web/src/locales/en/data.json
+++ b/web/src/locales/en/data.json
@@ -137,7 +137,7 @@
    "Password type - Tooltip": "Password type - Tooltip",
    "Payments": "Payments",
    "Permissions": "Permissions",
-    "Personal name": "Personal name",
+    "Real name": "Real name",
    "Phone": "Phone",
    "Phone - Tooltip": "Phone - Tooltip",
    "Phone prefix": "Phone prefix",
@@ -381,7 +381,7 @@
    "Please input your address!": "Please input your address!",
    "Please input your affiliation!": "Please input your affiliation!",
    "Please input your display name!": "Please input your display name!",
-    "Please input your personal name!": "Please input your personal name!",
+    "Please input your real name!": "Please input your real name!",
    "Please input your phone number!": "Please input your phone number!",
    "Please select your country/region!": "Please select your country/region!",
    "Terms of Use": "Terms of Use",
--- a/web/src/locales/fr/data.json
+++ b/web/src/locales/fr/data.json
@@ -137,7 +137,7 @@
    "Password type - Tooltip": "The form in which the password is stored in the database",
    "Payments": "Payments",
    "Permissions": "Permissions",
-    "Personal name": "Nom personnel",
+    "Real name": "Nom personnel",
    "Phone": "Téléphone",
    "Phone - Tooltip": "Phone",
    "Phone prefix": "Préfixe du téléphone",
@@ -381,7 +381,7 @@
    "Please input your address!": "Veuillez saisir votre adresse !",
    "Please input your affiliation!": "Veuillez entrer votre affiliation !",
    "Please input your display name!": "Veuillez entrer votre nom d'affichage !",
-    "Please input your personal name!": "Veuillez entrer votre nom personnel !",
+    "Please input your real name!": "Veuillez entrer votre nom personnel !",
    "Please input your phone number!": "Veuillez entrer votre numéro de téléphone!",
    "Please select your country/region!": "Veuillez sélectionner votre pays/région!",
    "Terms of Use": "Conditions d'utilisation",
--- a/web/src/locales/ja/data.json
+++ b/web/src/locales/ja/data.json
@@ -137,7 +137,7 @@
    "Password type - Tooltip": "The form in which the password is stored in the database",
    "Payments": "Payments",
    "Permissions": "アクセス許可",
-    "Personal name": "個人名",
+    "Real name": "個人名",
    "Phone": "電話番号",
    "Phone - Tooltip": "Phone",
    "Phone prefix": "電話プレフィクス",
@@ -381,7 +381,7 @@
    "Please input your address!": "住所を入力してください！",
    "Please input your affiliation!": "所属を入力してください！",
    "Please input your display name!": "表示名を入力してください。",
-    "Please input your personal name!": "個人名を入力してください！",
+    "Please input your real name!": "個人名を入力してください！",
    "Please input your phone number!": "電話番号を入力してください！",
    "Please select your country/region!": "あなたの国/地域を選択してください！",
    "Terms of Use": "利用規約",
--- a/web/src/locales/ko/data.json
+++ b/web/src/locales/ko/data.json
@@ -137,7 +137,7 @@
    "Password type - Tooltip": "The form in which the password is stored in the database",
    "Payments": "Payments",
    "Permissions": "Permissions",
-    "Personal name": "Personal name",
+    "Real name": "Real name",
    "Phone": "Phone",
    "Phone - Tooltip": "Phone",
    "Phone prefix": "Phone prefix",
@@ -381,7 +381,7 @@
    "Please input your address!": "Please input your address!",
    "Please input your affiliation!": "Please input your affiliation!",
    "Please input your display name!": "Please input your display name!",
-    "Please input your personal name!": "Please input your personal name!",
+    "Please input your real name!": "Please input your real name!",
    "Please input your phone number!": "Please input your phone number!",
    "Please select your country/region!": "Please select your country/region!",
    "Terms of Use": "Terms of Use",
--- a/web/src/locales/ru/data.json
+++ b/web/src/locales/ru/data.json
@@ -137,7 +137,7 @@
    "Password type - Tooltip": "The form in which the password is stored in the database",
    "Payments": "Payments",
    "Permissions": "Права доступа",
-    "Personal name": "Личное имя",
+    "Real name": "Личное имя",
    "Phone": "Телефон",
    "Phone - Tooltip": "Phone",
    "Phone prefix": "Префикс телефона",
@@ -381,7 +381,7 @@
    "Please input your address!": "Пожалуйста, введите ваш адрес!",
    "Please input your affiliation!": "Пожалуйста, введите вашу партнерство!",
    "Please input your display name!": "Пожалуйста, введите ваше отображаемое имя!",
-    "Please input your personal name!": "Пожалуйста, введите ваше личное имя!",
+    "Please input your real name!": "Пожалуйста, введите ваше личное имя!",
    "Please input your phone number!": "Пожалуйста, введите ваш номер телефона!",
    "Please select your country/region!": "Пожалуйста, выберите вашу страну/регион!",
    "Terms of Use": "Условия использования",
--- a/web/src/locales/zh/data.json
+++ b/web/src/locales/zh/data.json
@@ -137,7 +137,7 @@
    "Password type - Tooltip": "密码在数据库中存储的形式",
    "Payments": "付款",
    "Permissions": "权限",
-    "Personal name": "姓名",
+    "Real name": "姓名",
    "Phone": "手机号",
    "Phone - Tooltip": "手机号",
    "Phone prefix": "手机号前缀",
@@ -381,7 +381,7 @@
    "Please input your address!": "请输入您的地址！",
    "Please input your affiliation!": "请输入您所在的工作单位！",
    "Please input your display name!": "请输入您的显示名称！",
-    "Please input your personal name!": "请输入您的姓名！",
+    "Please input your real name!": "请输入您的姓名！",
    "Please input your phone number!": "请输入您的手机号码！",
    "Please select your country/region!": "请选择您的国家/地区",
    "Terms of Use": "《用户协议》",
Author	SHA1	Message	Date
Jerry	e738c42bd8	fix: facebook login exceptions (#508 ) * Fix the exception caused by "Username" being empty when logging in with facebook * fix: facebook login missing "Username" exception	2022-02-23 23:58:17 +08:00
Steve0x2a	cbc8c58e85	fix: oidc jwks endpoint only return default cert (#506 ) Signed-off-by: Steve0x2a <stevesough@gmail.com>	2022-02-21 23:17:16 +08:00
Gucheng Wang	07c90e048f	Update personal name.	2022-02-21 16:01:39 +08:00
Steve0x2a	a33076ada4	feat: add AD-FS support (#505 ) Signed-off-by: Steve0x2a <stevesough@gmail.com>	2022-02-20 15:01:48 +08:00
Ghost Lee	9cabc4035f	fix: docker-compose.yml has duplicated label (#502 ) the casdoor service config in docker-compose.yml has duplicated restart label	2022-02-20 14:15:57 +08:00
Steve0x2a	274096fe9d	fix: empty iss return (#503 ) Signed-off-by: Steve0x2a <stevesough@gmail.com>	2022-02-18 12:36:11 +08:00
Steve0x2a	661abd6b6e	feat: add steam support (#497 ) * feat: add steam support Signed-off-by: 0x2a <stevesough@gmail.com> * fix: wrong name Signed-off-by: Steve0x2a <stevesough@gmail.com>	2022-02-16 19:57:46 +08:00
Yixiang Zhao	4122c94205	feat: add pagination for LdapSyncPage and fix the bug Ldap auto-sync cannot disable (#496 ) * feat: add pagination for LdapSyncPage Signed-off-by: Yixiang Zhao <seriouszyx@foxmail.com> * fix: Ldap auto sync cannot disable Signed-off-by: Yixiang Zhao <seriouszyx@foxmail.com>	2022-02-15 23:03:53 +08:00
Rafael Firmino	68ef5f8311	test: add tests in strings manipulation (#477 ) * test: add tests in strings manipulation Add tests improving functions like BoolToString, CamelToSnakeCase, GetMinLenStr and SnakeString * Add copyrig * test: fix tests description * test: add tests for function manupulate string	2022-02-15 21:56:59 +08:00
大雄	e35b058ab4	feat: add helm manifest for k8s and makefile (#444 ) Signed-off-by: henrywangx <henrywangx@gmail.com> Co-authored-by: xiong wang <xiong.wang@inceptio.ai>	2022-02-15 21:47:13 +08:00
Gucheng Wang	7d1f368bc2	Support docx file upload.	2022-02-15 21:21:07 +08:00
Gucheng Wang	0bd86baf4d	Fix crash in incremental ID.	2022-02-14 22:58:26 +08:00