feat: add Douyin OAuth provider (#753 )

feat: support "+" in syncer column name (#752 )
* feat: support + in syncer column name Signed-off-by: Yixiang Zhao <seriouszyx@foxmail.com> * feat: trim Signed-off-by: Yixiang Zhao <seriouszyx@foxmail.com>
2025-07-15 02:43:49 +08:00 · 2022-05-15 20:59:21 +08:00 · 2022-05-13 20:24:46 +08:00 · 2022-05-12 10:07:52 +08:00 · 2022-05-11 20:23:36 +08:00 · 2022-05-10 17:37:12 +08:00
303 changed files with 22127 additions and 3512 deletions
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@ -3,9 +3,33 @@ name: Build
 on: [push, pull_request]

 jobs:
+
+  go-tests:
+    name: Running Go tests
+    runs-on: ubuntu-latest
+    services:
+      mysql:
+          image: mysql:5.7
+          env:
+            MYSQL_DATABASE: casdoor
+            MYSQL_ROOT_PASSWORD: 123456
+          ports:
+              - 3306:3306
+          options: --health-cmd="mysqladmin ping" --health-interval=10s --health-timeout=5s --health-retries=3
+    steps:
+      - uses: actions/checkout@v2
+      - uses: actions/setup-go@v2
+        with:
+          go-version: '^1.16.5'
+      - name: Tests
+        run: |
+          go test -v $(go list ./...) -tags skipCi
+        working-directory: ./
+
  frontend:
    name: Front-end
    runs-on: ubuntu-latest
+    needs: [ go-tests ]
    steps:
      - uses: actions/checkout@v2
      - uses: actions/setup-node@v2
@ -14,10 +38,10 @@ jobs:
      - run: yarn install && CI=false yarn run build
        working-directory: ./web

-
  backend:
    name: Back-end
    runs-on: ubuntu-latest
+    needs: [ go-tests ]
    steps:
      - uses: actions/checkout@v2
      - uses: actions/setup-go@v2
@ -46,7 +70,7 @@ jobs:

      - name: Fetch Previous version
        id: get-previous-tag
-        uses: actions-ecosystem/action-get-latest-tag@v1
+        uses: actions-ecosystem/action-get-latest-tag@v1.6.0

      - name: Release
        run: yarn global add semantic-release@17.4.4 && semantic-release
@ -55,7 +79,7 @@ jobs:

      - name: Fetch Current version
        id: get-current-tag
-        uses: actions-ecosystem/action-get-latest-tag@v1
+        uses: actions-ecosystem/action-get-latest-tag@v1.6.0

      - name: Decide Should_Push Or Not
        id: should_push
@ -77,7 +101,7 @@ jobs:
              echo ::set-output name=push::'false'
              
          fi
-        
+
      - name: Log in to Docker Hub
        uses: docker/login-action@v1
        if: github.repository == 'casdoor/casdoor' && github.event_name == 'push' &&steps.should_push.outputs.push=='true'
@ -85,14 +109,14 @@ jobs:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_PASSWORD }}

-          
+
      - name: Push to Docker Hub
        uses: docker/build-push-action@v2
        if: github.repository == 'casdoor/casdoor' && github.event_name == 'push' && steps.should_push.outputs.push=='true'
        with:
          push: true
          tags: casbin/casdoor:${{steps.get-current-tag.outputs.tag }},casbin/casdoor:latest
-          
+
      - name: Push All In One Version to Docker Hub
        uses: docker/build-push-action@v2
        if: github.repository == 'casdoor/casdoor' && github.event_name == 'push' && steps.should_push.outputs.push=='true'
--- a/.github/workflows/sync.yml
+++ b/.github/workflows/sync.yml
@ -7,14 +7,14 @@ on:
 jobs:
  synchronize-with-crowdin:
    runs-on: ubuntu-latest
-    if: github.repository == 'casbin/casdoor' && github.event_name == 'push'
+    if: github.repository == 'casdoor/casdoor' && github.event_name == 'push'
    steps:

    - name: Checkout
      uses: actions/checkout@v2

    - name: crowdin action
-      uses: crowdin/github-action@1.2.0
+      uses: crowdin/github-action@1.4.8
      with:
        upload_translations: true

@ -32,4 +32,4 @@ jobs:
      env:
        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        CROWDIN_PROJECT_ID: '463556'
-        CROWDIN_PERSONAL_TOKEN: ${{ secrets.CROWDIN_PERSONAL_TOKEN }}
+        CROWDIN_PERSONAL_TOKEN: ${{ secrets.CROWDIN_PERSONAL_TOKEN }}
--- a/.gitignore
+++ b/.gitignore
@ -13,7 +13,8 @@
 *.out

 # Dependency directories (remove the comment below to include it)
-# vendor/
+vendor/
+bin/

 .idea/
 *.iml
--- a/.golangci.yml
+++ b/.golangci.yml
@ -0,0 +1,42 @@
+linters:
+  disable-all: true
+  enable:
+    - deadcode
+    - dupl
+    - errcheck
+    - goconst
+    - gocyclo
+    - gofmt
+    - goimports
+    - gosec
+    - gosimple
+    - govet
+    - ineffassign
+    - lll
+    - misspell
+    - nakedret
+    - prealloc
+    - staticcheck
+    - structcheck
+    - typecheck
+    - unconvert
+    - unparam
+    - unused
+    - varcheck
+    - revive
+    - exportloopref
+run:
+  deadline: 5m
+  skip-dirs:
+    - api
+  # skip-files:
+  #   - ".*_test\\.go$"
+  modules-download-mode: vendor
+# all available settings of specific linters
+linters-settings:
+  lll:
+    # max line length, lines longer will be reported. Default is 120.
+    # '\t' is counted as 1 character by default, and can be changed with the tab-width option
+    line-length: 150
+    # tab width in spaces. Default to 1.
+    tab-width: 1
--- a/15
+++ b/15
@ -1,18 +1,19 @@
 FROM golang:1.17.5 AS BACK
 WORKDIR /go/src/casdoor
 COPY . .
-RUN CGO_ENABLED=0 GOOS=linux GOARCH=amd64 GOPROXY=https://goproxy.cn,direct go build -ldflags="-w -s" -o server . \
-    && apt update && apt install wait-for-it && chmod +x /usr/bin/wait-for-it
+RUN ./build.sh && apt update && apt install wait-for-it && chmod +x /usr/bin/wait-for-it

 FROM node:16.13.0 AS FRONT
 WORKDIR /web
 COPY ./web .
-RUN yarn config set registry https://registry.npm.taobao.org
+RUN yarn config set registry https://registry.npmmirror.com
 RUN yarn install && yarn run build


 FROM debian:latest AS ALLINONE
-RUN apt update && apt install -y mariadb-server mariadb-client&&mkdir -p web/build && chmod 777 /tmp
+RUN apt update
+RUN apt install -y ca-certificates && update-ca-certificates
+RUN apt install -y mariadb-server mariadb-client && mkdir -p web/build && chmod 777 /tmp
 LABEL MAINTAINER="https://casdoor.org/"
 COPY --from=BACK /go/src/casdoor/ ./
 COPY --from=BACK /usr/bin/wait-for-it ./
@ -20,17 +21,17 @@ COPY --from=FRONT /web/build /web/build
 CMD chmod 777 /tmp && service mariadb start&&\
 if [ "${MYSQL_ROOT_PASSWORD}" = "" ] ;then MYSQL_ROOT_PASSWORD=123456 ; fi&&\
 mysqladmin -u root password ${MYSQL_ROOT_PASSWORD} &&\
-./wait-for-it localhost:3306 -- ./server
+./wait-for-it localhost:3306 -- ./server --createDatabase=true


 FROM alpine:latest
 RUN sed -i 's/https/http/' /etc/apk/repositories
 RUN apk add curl
+RUN apk add ca-certificates && update-ca-certificates
 LABEL MAINTAINER="https://casdoor.org/"

 COPY --from=BACK /go/src/casdoor/ ./
 COPY --from=BACK /usr/bin/wait-for-it ./
 RUN mkdir -p web/build && apk add --no-cache bash coreutils
 COPY --from=FRONT /web/build /web/build
-CMD ./wait-for-it db:3306 -- ./server
-
+CMD  ./server
--- a/113
+++ b/113
@ -0,0 +1,113 @@
+
+# Image URL to use all building/pushing image targets
+REGISTRY ?= casbin
+IMG ?= casdoor
+IMG_TAG ?=$(shell git --no-pager log -1 --format="%ad" --date=format:"%Y%m%d")-$(shell git describe --tags --always --dirty --abbrev=6)
+NAMESPACE ?= casdoor
+APP ?= casdoor
+HOST ?= test.com
+
+
+# Get the currently used golang install path (in GOPATH/bin, unless GOBIN is set)
+ifeq (,$(shell go env GOBIN))
+GOBIN=$(shell go env GOPATH)/bin
+else
+GOBIN=$(shell go env GOBIN)
+endif
+
+# Setting SHELL to bash allows bash commands to be executed by recipes.
+# This is a requirement for 'setup-envtest.sh' in the test target.
+# Options are set to exit when a recipe line exits non-zero or a piped command fails.
+SHELL = /usr/bin/env bash -o pipefail
+.SHELLFLAGS = -ec
+
+.PHONY: all
+all: docker-build docker-push deploy
+
+##@ General
+
+# The help target prints out all targets with their descriptions organized
+# beneath their categories. The categories are represented by '##@' and the
+# target descriptions by '##'. The awk commands is responsible for reading the
+# entire set of makefiles included in this invocation, looking for lines of the
+# file as xyz: ## something, and then pretty-format the target and help. Then,
+# if there's a line with ##@ something, that gets pretty-printed as a category.
+# More info on the usage of ANSI control characters for terminal formatting:
+# https://en.wikipedia.org/wiki/ANSI_escape_code#SGR_parameters
+# More info on the awk command:
+# http://linuxcommand.org/lc3_adv_awk.php
+
+.PHONY: help
+help: ## Display this help.
+	@awk 'BEGIN {FS = ":.*##"; printf "\nUsage:\n  make \033[36m<target>\033[0m\n"} /^[a-zA-Z_0-9-]+:.*?##/ { printf "  \033[36m%-15s\033[0m %s\n", $$1, $$2 } /^##@/ { printf "\n\033[1m%s\033[0m\n", substr($$0, 5) } ' $(MAKEFILE_LIST)
+
+##@ Development
+
+.PHONY: fmt
+fmt: ## Run go fmt against code.
+	go fmt ./...
+
+.PHONY: vet
+vet: ## Run go vet against code.
+	go vet ./...
+
+.PHONY: ut
+ut: ## UT test
+	go test -v -cover -coverprofile=coverage.out ./...
+	go tool cover -func=coverage.out
+
+##@ Build
+
+.PHONY: backend
+backend: fmt vet ## Build backend binary.
+	go build -o bin/manager main.go
+
+.PHONY: backend-vendor
+backend-vendor: vendor fmt vet ## Build backend binary with vendor.
+	go build -mod=vendor -o bin/manager main.go
+
+.PHONY: frontend
+frontend: ## Build backend binary.
+	cd web/ && yarn && yarn run build && cd -
+
+.PHONY: vendor
+vendor: ## Update vendor.
+	go mod vendor
+
+.PHONY: run
+run: fmt vet ## Run backend in local 
+	go run ./main.go
+
+.PHONY: docker-build
+docker-build: ## Build docker image with the manager.
+	docker build -t ${REGISTRY}/${IMG}:${IMG_TAG} .
+
+.PHONY: docker-push
+docker-push: ## Push docker image with the manager.
+	docker push ${REGISTRY}/${IMG}:${IMG_TAG}
+
+lint-install: ## Install golangci-lint
+	@# The following installs a specific version of golangci-lint, which is appropriate for a CI server to avoid different results from build to build
+	go get github.com/golangci/golangci-lint/cmd/golangci-lint@v1.40.1
+
+lint: ## Run golangci-lint
+	@echo "---lint---"
+	golangci-lint run --modules-download-mode=vendor ./...
+
+##@ Deployment
+
+.PHONY: deploy
+deploy:  ## Deploy controller to the K8s cluster specified in ~/.kube/config.
+	helm upgrade --install ${APP} manifests/casdoor --create-namespace --set ingress.enabled=true \
+	--set "ingress.hosts[0].host=${HOST},ingress.hosts[0].paths[0].path=/,ingress.hosts[0].paths[0].pathType=ImplementationSpecific" \
+	--set image.tag=${IMG_TAG} --set image.repository=${REGISTRY} --set image.name=${IMG} --version ${IMG_TAG} -n ${NAMESPACE}
+
+.PHONY: dry-run
+dry-run: ## Dry run for helm install
+	helm upgrade --install ${APP} manifests/casdoor --set ingress.enabled=true \
+	--set "ingress.hosts[0].host=${HOST},ingress.hosts[0].paths[0].path=/,ingress.hosts[0].paths[0].pathType=ImplementationSpecific" \
+	--set image.tag=${IMG_TAG} --set image.repository=${REGISTRY} --set image.name=${IMG} --version ${IMG_TAG} -n ${NAMESPACE} --dry-run
+
+.PHONY: undeploy
+undeploy: ## Undeploy controller from the K8s cluster specified in ~/.kube/config. Call with ignore-not-found=true to ignore resource not found errors during deletion.
+	helm delete ${APP} -n ${NAMESPACE}
--- a/README.md
+++ b/README.md
@ -7,10 +7,10 @@
  <a href="https://hub.docker.com/r/casbin/casdoor">
    <img alt="docker pull casbin/casdoor" src="https://img.shields.io/docker/pulls/casbin/casdoor.svg">
  </a>
-  <a href="https://github.com/casbin/casdoor/actions/workflows/build.yml">
+  <a href="https://github.com/casdoor/casdoor/actions/workflows/build.yml">
    <img alt="GitHub Workflow Status (branch)" src="https://github.com/casbin/jcasbin/workflows/build/badge.svg?style=flat-square">
  </a>
-  <a href="https://github.com/casbin/casdoor/releases/latest">
+  <a href="https://github.com/casdoor/casdoor/releases/latest">
    <img alt="GitHub Release" src="https://img.shields.io/github/v/release/casbin/casdoor.svg">
  </a>
  <a href="https://hub.docker.com/repository/docker/casbin/casdoor">
@ -19,43 +19,48 @@
 </p>

 <p align="center">
-  <a href="https://goreportcard.com/report/github.com/casbin/casdoor">
-    <img alt="Go Report Card" src="https://goreportcard.com/badge/github.com/casbin/casdoor?style=flat-square">
+  <a href="https://goreportcard.com/report/github.com/casdoor/casdoor">
+    <img alt="Go Report Card" src="https://goreportcard.com/badge/github.com/casdoor/casdoor?style=flat-square">
  </a>
-  <a href="https://github.com/casbin/casdoor/blob/master/LICENSE">
+  <a href="https://github.com/casdoor/casdoor/blob/master/LICENSE">
    <img src="https://img.shields.io/github/license/casbin/casdoor?style=flat-square" alt="license">
  </a>
-  <a href="https://github.com/casbin/casdoor/issues">
+  <a href="https://github.com/casdoor/casdoor/issues">
    <img alt="GitHub issues" src="https://img.shields.io/github/issues/casbin/casdoor?style=flat-square">
  </a>
  <a href="#">
    <img alt="GitHub stars" src="https://img.shields.io/github/stars/casbin/casdoor?style=flat-square">
  </a>
-  <a href="https://github.com/casbin/casdoor/network">
+  <a href="https://github.com/casdoor/casdoor/network">
    <img alt="GitHub forks" src="https://img.shields.io/github/forks/casbin/casdoor?style=flat-square">
  </a>
+  <a href="https://crowdin.com/project/casdoor-site">
+    <img alt="Crowdin" src="https://badges.crowdin.net/casdoor-site/localized.svg">
+  </a>
+  <a href="https://gitter.im/casbin/casdoor">
+    <img alt="Gitter" src="https://badges.gitter.im/casbin/casdoor.svg">
+  </a>
 </p>

 ## Online demo

-Deployed site: https://door.casbin.com/
+Deployed site: https://door.casdoor.com/

 ## Quick Start
-
-Run your own casdoor program in a few minutes:smiley:
+Run your own casdoor program in a few minutes.

 ### Download

 There are two methods, get code via go subcommand `get`:

 ```shell
-go get github.com/casbin/casdoor
+go get github.com/casdoor/casdoor
 ```

  or `git`:

 ```bash
-git clone https://github.com/casbin/casdoor
+git clone https://github.com/casdoor/casdoor
 ```

 Finally, change directory:
@ -77,6 +82,14 @@ Edit `conf/app.conf`, modify `dataSourceName` to correct database info, which fo
 username:password@tcp(database_ip:database_port)/
 ```

+Then create an empty schema (database) named `casdoor` in your relational database. After the program runs for the first time, it will automatically create tables in this schema.
+
+You can also edit `main.go`, modify `false` to `true`. It will automatically create the schema (database) named `casdoor` in this database.
+
+```bash
+createDatabase := flag.Bool("createDatabase", false, "true if you need casdoor to create database")
+```
+
 #### Run

 Casdoor provides two run modes, the difference is binary size and user prompt.
@ -117,9 +130,26 @@ go build main.go && sudo ./main

 ### Docker

+Casdoor provide 2 kinds of image: 
+- casbin/casdoor-all-in-one, in which casdoor binary, a mysql database and all necessary configurations are packed up. This image is for new user to have a trial on casdoor quickly. **With this image you can start a casdoor immediately with one single command (or two) without any complex configuration**. **Note: we DO NOT recommend you to use this image in productive environment**
+
+- casbin/casdoor: normal & graceful casdoor image with only casdoor and environment installed. 
+
 This method requires [docker](https://docs.docker.com/get-docker/) and [docker-compose](https://docs.docker.com/compose/install/) to be installed first.

-#### Simple configuration
+### Start casdoor with casbin/casdoor-all-in-one
+if the image is not pulled, pull it from dockerhub
+```shell
+docker pull casbin/casdoor-all-in-one
+```
+Start it with
+```shell
+docker run -p 8000:8000 casbin/casdoor-all-in-one
+```
+Now you can visit http://localhost:8000 and have a try. Default account and password is 'admin' and '123'. Go for it!
+
+### Start casdoor with casbin/casdoor
+#### modify the configurations
 For the convenience of your first attempt, docker-compose.yml contains commands to start a database via docker.

 Thus edit `conf/app.conf` to point out the location of database(db:3306), modify `dataSourceName` to the fixed content:
@ -136,16 +166,21 @@ dataSourceName = root:123456@tcp(db:3306)/
 docker-compose up
 ```

-That's it! Try to visit http://localhost:8000/. :small_airplane:
-
-### Docker Hub
-
-This method requires [docker](https://docs.docker.com/get-docker/) and [docker-compose](https://docs.docker.com/compose/install/) to be installed first.
+### K8S
+You could use helm to deploy casdoor in k8s. At first, you should modify the [configmap](./manifests/casdoor/templates/configmap.yaml) for your application.
+And then run bellow command to deploy it.

 ```bash
-docker pull casbin/casdoor
+IMG_TAG=latest make deploy 
 ```

+And undeploy it with:
+```bash
+make undeploy
+```
+
+That's it! Try to visit http://localhost:8000/. :small_airplane:
+
 ## Detailed documentation

 We also provide a complete [document](https://casdoor.org/) as a reference.
@ -168,5 +203,5 @@ If you are contributing to casdoor, please note that we use [Crowdin](https://cr

 ## License

- [Apache-2.0](https://github.com/casbin/casdoor/blob/master/LICENSE)
+ [Apache-2.0](https://github.com/casdoor/casdoor/blob/master/LICENSE)

--- a/authz/authz.go
+++ b/authz/authz.go
@ -1,4 +1,4 @@
-// Copyright 2021 The casbin Authors. All Rights Reserved.
+// Copyright 2021 The Casdoor Authors. All Rights Reserved.
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
@ -15,11 +15,10 @@
 package authz

 import (
-	"github.com/astaxie/beego"
 	"github.com/casbin/casbin/v2"
 	"github.com/casbin/casbin/v2/model"
-	"github.com/casbin/casdoor/conf"
 	xormadapter "github.com/casbin/xorm-adapter/v2"
+	"github.com/casdoor/casdoor/conf"
 	stringadapter "github.com/qiangmzsx/string-adapter/v2"
 )

@ -28,7 +27,8 @@ var Enforcer *casbin.Enforcer
 func InitAuthz() {
 	var err error

-	a, err := xormadapter.NewAdapter(beego.AppConfig.String("driverName"), conf.GetBeegoConfDataSourceName()+beego.AppConfig.String("dbName"), true)
+	tableNamePrefix := conf.GetConfigString("tableNamePrefix")
+	a, err := xormadapter.NewAdapterWithTableName(conf.GetConfigString("driverName"), conf.GetBeegoConfDataSourceName()+conf.GetConfigString("dbName"), "casbin_rule", tableNamePrefix, true)
 	if err != nil {
 		panic(err)
 	}
@ -53,7 +53,7 @@ m = (r.subOwner == p.subOwner || p.subOwner == "*") && \
    (r.urlPath == p.urlPath || p.urlPath == "*") && \
    (r.objOwner == p.objOwner || p.objOwner == "*") && \
    (r.objName == p.objName || p.objName == "*") || \
-    (r.urlPath == "/api/update-user" && r.subOwner == r.objOwner && r.subName == r.objName)
+    (r.subOwner == r.objOwner && r.subName == r.objName)
 `

 	m, err := model.NewModelFromString(modelText)
@ -79,15 +79,19 @@ p, *, *, POST, /api/login, *, *
 p, *, *, GET, /api/get-app-login, *, *
 p, *, *, POST, /api/logout, *, *
 p, *, *, GET, /api/get-account, *, *
-p, *, *, POST, /api/login/oauth/access_token, *, *
+p, *, *, GET, /api/userinfo, *, *
+p, *, *, *, /api/login/oauth, *, *
 p, *, *, GET, /api/get-application, *, *
-p, *, *, GET, /api/get-users, *, *
+p, *, *, GET, /api/get-applications, *, *
 p, *, *, GET, /api/get-user, *, *
-p, *, *, GET, /api/get-organizations, *, *
 p, *, *, GET, /api/get-user-application, *, *
-p, *, *, GET, /api/get-default-providers, *, *
 p, *, *, GET, /api/get-resources, *, *
-p, *, *, POST, /api/upload-avatar, *, *
+p, *, *, GET, /api/get-product, *, *
+p, *, *, POST, /api/buy-product, *, *
+p, *, *, GET, /api/get-payment, *, *
+p, *, *, POST, /api/update-payment, *, *
+p, *, *, POST, /api/invoice-payment, *, *
+p, *, *, GET, /api/get-providers, *, *
 p, *, *, POST, /api/unlink, *, *
 p, *, *, POST, /api/set-password, *, *
 p, *, *, POST, /api/send-verification-code, *, *
@ -95,9 +99,11 @@ p, *, *, GET, /api/get-human-check, *, *
 p, *, *, POST, /api/reset-email-or-phone, *, *
 p, *, *, POST, /api/upload-resource, *, *
 p, *, *, GET, /.well-known/openid-configuration, *, *
-p, *, *, *, /api/certs, *, *
+p, *, *, *, /.well-known/jwks, *, *
 p, *, *, GET, /api/get-saml-login, *, *
 p, *, *, POST, /api/acs, *, *
+p, *, *, GET, /api/saml/metadata, *, *
+p, *, *, *, /cas, *, *
 `

 		sa := stringadapter.NewAdapter(ruleText)
--- a/build.sh
+++ b/build.sh
@ -0,0 +1,11 @@
+#!/bin/bash
+#try to connect to google to determine whether user need to use proxy
+curl www.google.com -o /dev/null --connect-timeout 5 2 > /dev/null
+if [ $? == 0 ]
+then
+    echo "Successfully connected to Google, no need to use Go proxy"
+    CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -ldflags="-w -s" -o server .
+else
+    echo "Google is blocked, Go proxy is enabled: GOPROXY=https://goproxy.cn,direct"
+    CGO_ENABLED=0 GOOS=linux GOARCH=amd64 GOPROXY=https://goproxy.cn,direct go build -ldflags="-w -s" -o server .
+fi
--- a/conf/app.conf
+++ b/conf/app.conf
@ -6,12 +6,14 @@ copyrequestbody = true
 driverName = mysql
 dataSourceName = root:123456@tcp(localhost:3306)/
 dbName = casdoor
+tableNamePrefix =
+showSql = false
 redisEndpoint =
 defaultStorageProvider = 
 isCloudIntranet = false
 authState = "casdoor"
-httpProxy = "127.0.0.1:10808"
+sock5Proxy = "127.0.0.1:10808"
 verificationCodeTimeout = 10
 initScore = 2000
 logPostOnly = true
-origin = "https://door.casbin.com"
+origin =
--- a/conf/conf.go
+++ b/conf/conf.go
@ -1,4 +1,4 @@
-// Copyright 2021 The casbin Authors. All Rights Reserved.
+// Copyright 2021 The Casdoor Authors. All Rights Reserved.
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
@ -15,14 +15,49 @@
 package conf

 import (
+	"fmt"
 	"os"
+	"strconv"
 	"strings"

 	"github.com/astaxie/beego"
 )

+func GetConfigString(key string) string {
+	if value, ok := os.LookupEnv(key); ok {
+		return value
+	}
+	return beego.AppConfig.String(key)
+}
+
+func GetConfigBool(key string) (bool, error) {
+	value := GetConfigString(key)
+	if value == "true" {
+		return true, nil
+	} else if value == "false" {
+		return false, nil
+	}
+	return false, fmt.Errorf("value %s cannot be converted into bool", value)
+}
+
+func GetConfigInt64(key string) (int64, error) {
+	value := GetConfigString(key)
+	num, err := strconv.ParseInt(value, 10, 64)
+	return num, err
+}
+
+func init() {
+	//this array contains the beego configuration items that may be modified via env
+	var presetConfigItems = []string{"httpport", "appname"}
+	for _, key := range presetConfigItems {
+		if value, ok := os.LookupEnv(key); ok {
+			beego.AppConfig.Set(key, value)
+		}
+	}
+}
+
 func GetBeegoConfDataSourceName() string {
-	dataSourceName := beego.AppConfig.String("dataSourceName")
+	dataSourceName := GetConfigString("dataSourceName")

 	runningInDocker := os.Getenv("RUNNING_IN_DOCKER")
 	if runningInDocker == "true" {
--- a/conf/conf_test.go
+++ b/conf/conf_test.go
@ -0,0 +1,98 @@
+// Copyright 2022 The Casdoor Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+package conf
+
+import (
+	"os"
+	"testing"
+
+	"github.com/astaxie/beego"
+	"github.com/stretchr/testify/assert"
+)
+
+func TestGetConfString(t *testing.T) {
+	scenarios := []struct {
+		description string
+		input       string
+		expected    interface{}
+	}{
+		{"Should be return casbin", "appname", "casbin"},
+		{"Should be return 8000", "httpport", "8000"},
+		{"Should be return  value", "key", "value"},
+	}
+
+	//do some set up job
+
+	os.Setenv("appname", "casbin")
+	os.Setenv("key", "value")
+
+	err := beego.LoadAppConfig("ini", "app.conf")
+	assert.Nil(t, err)
+
+	for _, scenery := range scenarios {
+		t.Run(scenery.description, func(t *testing.T) {
+			actual := GetConfigString(scenery.input)
+			assert.Equal(t, scenery.expected, actual)
+		})
+	}
+}
+
+func TestGetConfInt(t *testing.T) {
+	scenarios := []struct {
+		description string
+		input       string
+		expected    interface{}
+	}{
+		{"Should be return 8000", "httpport", 8001},
+		{"Should be return 8000", "verificationCodeTimeout", 10},
+	}
+
+	//do some set up job
+	os.Setenv("httpport", "8001")
+
+	err := beego.LoadAppConfig("ini", "app.conf")
+	assert.Nil(t, err)
+
+	for _, scenery := range scenarios {
+		t.Run(scenery.description, func(t *testing.T) {
+			actual, err := GetConfigInt64(scenery.input)
+			assert.Nil(t, err)
+			assert.Equal(t, scenery.expected, int(actual))
+		})
+	}
+}
+
+func TestGetConfBool(t *testing.T) {
+	scenarios := []struct {
+		description string
+		input       string
+		expected    interface{}
+	}{
+		{"Should be return false", "SessionOn", false},
+		{"Should be return false", "copyrequestbody", true},
+	}
+
+	//do some set up job
+	os.Setenv("SessionOn", "false")
+
+	err := beego.LoadAppConfig("ini", "app.conf")
+	assert.Nil(t, err)
+	for _, scenery := range scenarios {
+		t.Run(scenery.description, func(t *testing.T) {
+			actual, err := GetConfigBool(scenery.input)
+			assert.Nil(t, err)
+			assert.Equal(t, scenery.expected, actual)
+		})
+	}
+}
--- a/controllers/account.go
+++ b/controllers/account.go
@ -1,4 +1,4 @@
-// Copyright 2021 The casbin Authors. All Rights Reserved.
+// Copyright 2021 The Casdoor Authors. All Rights Reserved.
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
@ -18,14 +18,19 @@ import (
 	"encoding/json"
 	"fmt"
 	"strconv"
+	"strings"

-	"github.com/casbin/casdoor/object"
-	"github.com/casbin/casdoor/util"
+	"github.com/casdoor/casdoor/object"
+	"github.com/casdoor/casdoor/util"
 )

 const (
-	ResponseTypeLogin = "login"
-	ResponseTypeCode  = "code"
+	ResponseTypeLogin   = "login"
+	ResponseTypeCode    = "code"
+	ResponseTypeToken   = "token"
+	ResponseTypeIdToken = "id_token"
+	ResponseTypeSaml    = "saml"
+	ResponseTypeCas     = "cas"
 )

 type RequestForm struct {
@ -35,9 +40,12 @@ type RequestForm struct {
 	Username     string `json:"username"`
 	Password     string `json:"password"`
 	Name         string `json:"name"`
+	FirstName    string `json:"firstName"`
+	LastName     string `json:"lastName"`
 	Email        string `json:"email"`
 	Phone        string `json:"phone"`
 	Affiliation  string `json:"affiliation"`
+	IdCard       string `json:"idCard"`
 	Region       string `json:"region"`

 	Application string `json:"application"`
@ -54,6 +62,7 @@ type RequestForm struct {
 	AutoSignin bool `json:"autoSignin"`

 	RelayState   string `json:"relayState"`
+	SamlRequest  string `json:"samlRequest"`
 	SamlResponse string `json:"samlResponse"`
 }

@ -61,6 +70,7 @@ type Response struct {
 	Status string      `json:"status"`
 	Msg    string      `json:"msg"`
 	Sub    string      `json:"sub"`
+	Name   string      `json:"name"`
 	Data   interface{} `json:"data"`
 	Data2  interface{} `json:"data2"`
 }
@ -100,13 +110,13 @@ func (c *ApiController) Signup() {
 	}

 	organization := object.GetOrganization(fmt.Sprintf("%s/%s", "admin", form.Organization))
-	msg := object.CheckUserSignup(application, organization, form.Username, form.Password, form.Name, form.Email, form.Phone, form.Affiliation)
+	msg := object.CheckUserSignup(application, organization, form.Username, form.Password, form.Name, form.FirstName, form.LastName, form.Email, form.Phone, form.Affiliation)
 	if msg != "" {
 		c.ResponseError(msg)
 		return
 	}

-	if application.IsSignupItemVisible("Email") && form.Email != "" {
+	if application.IsSignupItemVisible("Email") && application.GetSignupItemRule("Email") != "No verification" && form.Email != "" {
 		checkResult := object.CheckVerificationCode(form.Email, form.EmailCode)
 		if len(checkResult) != 0 {
 			c.ResponseError(fmt.Sprintf("Email: %s", checkResult))
@ -124,12 +134,15 @@ func (c *ApiController) Signup() {
 		}
 	}

-	userId := fmt.Sprintf("%s/%s", form.Organization, form.Username)
-
 	id := util.GenerateId()
 	if application.GetSignupItemRule("ID") == "Incremental" {
 		lastUser := object.GetLastUser(form.Organization)
-		lastIdInt := util.ParseInt(lastUser.Id)
+
+		lastIdInt := -1
+		if lastUser != nil {
+			lastIdInt = util.ParseInt(lastUser.Id)
+		}
+
 		id = strconv.Itoa(lastIdInt + 1)
 	}

@ -151,6 +164,7 @@ func (c *ApiController) Signup() {
 		Phone:             form.Phone,
 		Address:           []string{},
 		Affiliation:       form.Affiliation,
+		IdCard:            form.IdCard,
 		Region:            form.Region,
 		Score:             getInitScore(),
 		IsAdmin:           false,
@ -159,6 +173,22 @@ func (c *ApiController) Signup() {
 		IsDeleted:         false,
 		SignupApplication: application.Name,
 		Properties:        map[string]string{},
+		Karma:             0,
+	}
+
+	if len(organization.Tags) > 0 {
+		tokens := strings.Split(organization.Tags[0], "|")
+		if len(tokens) > 0 {
+			user.Tag = tokens[0]
+		}
+	}
+
+	if application.GetSignupItemRule("Display name") == "First, last" {
+		if form.FirstName != "" || form.LastName != "" {
+			user.DisplayName = fmt.Sprintf("%s %s", form.FirstName, form.LastName)
+			user.FirstName = form.FirstName
+			user.LastName = form.LastName
+		}
 	}

 	affected := object.AddUser(user)
@ -177,6 +207,12 @@ func (c *ApiController) Signup() {
 	object.DisableVerificationCode(form.Email)
 	object.DisableVerificationCode(checkPhone)

+	record := object.NewRecord(c.Ctx)
+	record.Organization = application.Organization
+	record.User = user.Name
+	util.SafeGoroutine(func() { object.AddRecord(record) })
+
+	userId := fmt.Sprintf("%s/%s", user.Owner, user.Name)
 	util.LogInfo(c.Ctx, "API: [%s] is signed up as new user", userId)

 	c.ResponseOk(userId)
@ -192,10 +228,15 @@ func (c *ApiController) Logout() {
 	user := c.GetSessionUsername()
 	util.LogInfo(c.Ctx, "API: [%s] logged out", user)

+	application := c.GetSessionApplication()
 	c.SetSessionUsername("")
 	c.SetSessionData(nil)

-	c.ResponseOk(user)
+	if application == nil || application.Name == "app-built-in" || application.HomepageUrl == "" {
+		c.ResponseOk(user)
+		return
+	}
+	c.ResponseOk(user, application.HomepageUrl)
 }

 // GetAccount
@ -220,6 +261,7 @@ func (c *ApiController) GetAccount() {
 	resp := Response{
 		Status: "ok",
 		Sub:    user.Id,
+		Name:   user.Name,
 		Data:   user,
 		Data2:  organization,
 	}
@ -227,6 +269,28 @@ func (c *ApiController) GetAccount() {
 	c.ServeJSON()
 }

+// UserInfo
+// @Title UserInfo
+// @Tag Account API
+// @Description return user information according to OIDC standards
+// @Success 200 {object} object.Userinfo The Response object
+// @router /userinfo [get]
+func (c *ApiController) GetUserinfo() {
+	userId, ok := c.RequireSignedIn()
+	if !ok {
+		return
+	}
+	scope, aud := c.GetSessionOidc()
+	host := c.Ctx.Request.Host
+	resp, err := object.GetUserInfo(userId, scope, aud, host)
+	if err != nil {
+		c.ResponseError(err.Error())
+		return
+	}
+	c.Data["json"] = resp
+	c.ServeJSON()
+}
+
 // GetHumanCheck ...
 // @Tag Login API
 // @Title GetHumancheck
--- a/controllers/application.go
+++ b/controllers/application.go
@ -1,4 +1,4 @@
-// Copyright 2021 The casbin Authors. All Rights Reserved.
+// Copyright 2021 The Casdoor Authors. All Rights Reserved.
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
@ -16,10 +16,11 @@ package controllers

 import (
 	"encoding/json"
+	"fmt"

 	"github.com/astaxie/beego/utils/pagination"
-	"github.com/casbin/casdoor/object"
-	"github.com/casbin/casdoor/util"
+	"github.com/casdoor/casdoor/object"
+	"github.com/casdoor/casdoor/util"
 )

 // GetApplications
@ -30,16 +31,30 @@ import (
 // @Success 200 {array} object.Application The Response object
 // @router /get-applications [get]
 func (c *ApiController) GetApplications() {
+	userId := c.GetSessionUsername()
 	owner := c.Input().Get("owner")
 	limit := c.Input().Get("pageSize")
 	page := c.Input().Get("p")
+	field := c.Input().Get("field")
+	value := c.Input().Get("value")
+	sortField := c.Input().Get("sortField")
+	sortOrder := c.Input().Get("sortOrder")
+	organization := c.Input().Get("organization")
+
 	if limit == "" || page == "" {
-		c.Data["json"] = object.GetApplications(owner)
+		var applications []*object.Application
+		if organization == "" {
+			applications = object.GetApplications(owner)
+		} else {
+			applications = object.GetApplicationsByOrganizationName(owner, organization)
+		}
+
+		c.Data["json"] = object.GetMaskedApplications(applications, userId)
 		c.ServeJSON()
 	} else {
 		limit := util.ParseInt(limit)
-		paginator := pagination.SetPaginator(c.Ctx, limit, int64(object.GetApplicationCount(owner)))
-		applications := object.GetPaginationApplications(owner, paginator.Offset(), limit)
+		paginator := pagination.SetPaginator(c.Ctx, limit, int64(object.GetApplicationCount(owner, field, value)))
+		applications := object.GetMaskedApplications(object.GetPaginationApplications(owner, paginator.Offset(), limit, field, value, sortField, sortOrder), userId)
 		c.ResponseOk(applications, paginator.Nums())
 	}
 }
@ -52,9 +67,10 @@ func (c *ApiController) GetApplications() {
 // @Success 200 {object} object.Application The Response object
 // @router /get-application [get]
 func (c *ApiController) GetApplication() {
+	userId := c.GetSessionUsername()
 	id := c.Input().Get("id")

-	c.Data["json"] = object.GetApplication(id)
+	c.Data["json"] = object.GetMaskedApplication(object.GetApplication(id), userId)
 	c.ServeJSON()
 }

@ -66,14 +82,15 @@ func (c *ApiController) GetApplication() {
 // @Success 200 {object} object.Application The Response object
 // @router /get-user-application [get]
 func (c *ApiController) GetUserApplication() {
+	userId := c.GetSessionUsername()
 	id := c.Input().Get("id")
 	user := object.GetUser(id)
 	if user == nil {
-		c.ResponseError("No such user.")
+		c.ResponseError(fmt.Sprintf("The user: %s doesn't exist", id))
 		return
 	}

-	c.Data["json"] = object.GetApplicationByUser(user)
+	c.Data["json"] = object.GetMaskedApplication(object.GetApplicationByUser(user), userId)
 	c.ServeJSON()
 }

--- a/controllers/auth.go
+++ b/controllers/auth.go
@ -1,4 +1,4 @@
-// Copyright 2021 The casbin Authors. All Rights Reserved.
+// Copyright 2021 The Casdoor Authors. All Rights Reserved.
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
@ -23,11 +23,11 @@ import (
 	"strings"
 	"time"

-	"github.com/astaxie/beego"
-	"github.com/casbin/casdoor/idp"
-	"github.com/casbin/casdoor/object"
-	"github.com/casbin/casdoor/proxy"
-	"github.com/casbin/casdoor/util"
+	"github.com/casdoor/casdoor/conf"
+	"github.com/casdoor/casdoor/idp"
+	"github.com/casdoor/casdoor/object"
+	"github.com/casdoor/casdoor/proxy"
+	"github.com/casdoor/casdoor/util"
 )

 func codeToResponse(code *object.Code) *Response {
@ -38,6 +38,14 @@ func codeToResponse(code *object.Code) *Response {
 	return &Response{Status: "ok", Msg: "", Data: code.Code}
 }

+func tokenToResponse(token *object.Token) *Response {
+	if token.AccessToken == "" {
+		return &Response{Status: "error", Msg: "fail to get accessToken", Data: token.AccessToken}
+	}
+	return &Response{Status: "ok", Msg: "", Data: token.AccessToken}
+
+}
+
 // HandleLoggedIn ...
 func (c *ApiController) HandleLoggedIn(application *object.Application, user *object.User, form *RequestForm) (resp *Response) {
 	userId := user.GetId()
@ -52,15 +60,55 @@ func (c *ApiController) HandleLoggedIn(application *object.Application, user *ob
 		scope := c.Input().Get("scope")
 		state := c.Input().Get("state")
 		nonce := c.Input().Get("nonce")
-		code := object.GetOAuthCode(userId, clientId, responseType, redirectUri, scope, state, nonce)
+		challengeMethod := c.Input().Get("code_challenge_method")
+		codeChallenge := c.Input().Get("code_challenge")
+
+		if challengeMethod != "S256" && challengeMethod != "null" && challengeMethod != "" {
+			c.ResponseError("Challenge method should be S256")
+			return
+		}
+		code := object.GetOAuthCode(userId, clientId, responseType, redirectUri, scope, state, nonce, codeChallenge, c.Ctx.Request.Host)
 		resp = codeToResponse(code)

-		if application.HasPromptPage() {
+		if application.EnableSigninSession || application.HasPromptPage() {
 			// The prompt page needs the user to be signed in
 			c.SetSessionUsername(userId)
 		}
+	} else if form.Type == ResponseTypeToken || form.Type == ResponseTypeIdToken { //implicit flow
+		if !object.IsGrantTypeValid(form.Type, application.GrantTypes) {
+			resp = &Response{Status: "error", Msg: fmt.Sprintf("error: grant_type: %s is not supported in this application", form.Type), Data: ""}
+		} else {
+			scope := c.Input().Get("scope")
+			token, _ := object.GetTokenByUser(application, user, scope, c.Ctx.Request.Host)
+			resp = tokenToResponse(token)
+		}
+
+	} else if form.Type == ResponseTypeSaml { // saml flow
+		res, redirectUrl, err := object.GetSamlResponse(application, user, form.SamlRequest, c.Ctx.Request.Host)
+		if err != nil {
+			c.ResponseError(err.Error(), nil)
+			return
+		}
+		resp = &Response{Status: "ok", Msg: "", Data: res, Data2: redirectUrl}
+	} else if form.Type == ResponseTypeCas {
+		//not oauth but CAS SSO protocol
+		service := c.Input().Get("service")
+		resp = wrapErrorResponse(nil)
+		if service != "" {
+			st, err := object.GenerateCasToken(userId, service)
+			if err != nil {
+				resp = wrapErrorResponse(err)
+			} else {
+				resp.Data = st
+			}
+		}
+		if application.EnableSigninSession || application.HasPromptPage() {
+			// The prompt page needs the user to be signed in
+			c.SetSessionUsername(userId)
+		}
+
 	} else {
-		resp = &Response{Status: "error", Msg: fmt.Sprintf("Unknown response type: %s", form.Type)}
+		resp = wrapErrorResponse(fmt.Errorf("Unknown response type: %s", form.Type))
 	}

 	// if user did not check auto signin
@ -85,7 +133,7 @@ func (c *ApiController) HandleLoggedIn(application *object.Application, user *ob
 // @Param   scope    query    string  true        "scope"
 // @Param   state    query    string  true        "state"
 // @Success 200 {object} controllers.api_controller.Response The Response object
-// @router /update-application [get]
+// @router /get-app-login [get]
 func (c *ApiController) GetApplicationLogin() {
 	clientId := c.Input().Get("clientId")
 	responseType := c.Input().Get("responseType")
@ -94,6 +142,7 @@ func (c *ApiController) GetApplicationLogin() {
 	state := c.Input().Get("state")

 	msg, application := object.CheckOAuthLogin(clientId, responseType, redirectUri, scope, state)
+	application = object.GetMaskedApplication(application, "")
 	if msg != "" {
 		c.ResponseError(msg, application)
 	} else {
@ -102,7 +151,7 @@ func (c *ApiController) GetApplicationLogin() {
 }

 func setHttpClient(idProvider idp.IdProvider, providerType string) {
-	if providerType == "GitHub" || providerType == "Google" || providerType == "Facebook" || providerType == "LinkedIn" {
+	if providerType == "GitHub" || providerType == "Google" || providerType == "Facebook" || providerType == "LinkedIn" || providerType == "Steam" {
 		idProvider.SetHttpClient(proxy.ProxyHttpClient)
 	} else {
 		idProvider.SetHttpClient(proxy.DefaultHttpClient)
@ -142,9 +191,16 @@ func (c *ApiController) Login() {
 			var verificationCodeType string
 			var checkResult string

+			if form.Name != "" {
+				user = object.GetUserByFields(form.Organization, form.Name)
+			}
+
 			// check result through Email or Phone
 			if strings.Contains(form.Username, "@") {
 				verificationCodeType = "email"
+				if user != nil && util.GetMaskedEmail(user.Email) == form.Username {
+					form.Username = user.Email
+				}
 				checkResult = object.CheckVerificationCode(form.Username, form.Code)
 			} else {
 				verificationCodeType = "phone"
@ -153,6 +209,9 @@ func (c *ApiController) Login() {
 					c.ResponseError(responseText)
 					return
 				}
+				if user != nil && util.GetMaskedPhone(user.Phone) == form.Username {
+					form.Username = user.Phone
+				}
 				checkPhone := fmt.Sprintf("+%s%s", form.PhonePrefix, form.Username)
 				checkResult = object.CheckVerificationCode(checkPhone, form.Code)
 			}
@ -167,7 +226,7 @@ func (c *ApiController) Login() {

 			user = object.GetUserByFields(form.Organization, form.Username)
 			if user == nil {
-				c.ResponseError("No such user.")
+				c.ResponseError(fmt.Sprintf("The user: %s/%s doesn't exist", form.Organization, form.Username))
 				return
 			}
 		} else {
@ -179,15 +238,25 @@ func (c *ApiController) Login() {
 			resp = &Response{Status: "error", Msg: msg}
 		} else {
 			application := object.GetApplication(fmt.Sprintf("admin/%s", form.Application))
+			if application == nil {
+				c.ResponseError(fmt.Sprintf("The application: %s does not exist", form.Application))
+				return
+			}
+
 			resp = c.HandleLoggedIn(application, user, &form)

 			record := object.NewRecord(c.Ctx)
 			record.Organization = application.Organization
 			record.User = user.Name
-			go object.AddRecord(record)
+			util.SafeGoroutine(func() {object.AddRecord(record)})
 		}
 	} else if form.Provider != "" {
 		application := object.GetApplication(fmt.Sprintf("admin/%s", form.Application))
+		if application == nil {
+			c.ResponseError(fmt.Sprintf("The application: %s does not exist", form.Application))
+			return
+		}
+
 		organization := object.GetOrganization(fmt.Sprintf("%s/%s", "admin", application.Organization))
 		provider := object.GetProvider(fmt.Sprintf("admin/%s", form.Provider))
 		providerItem := application.GetProviderItem(provider.Name)
@ -214,7 +283,7 @@ func (c *ApiController) Login() {
 				clientSecret = provider.ClientSecret2
 			}

-			idProvider := idp.GetIdProvider(provider.Type, clientId, clientSecret, form.RedirectUri)
+			idProvider := idp.GetIdProvider(provider.Type, provider.SubType, clientId, clientSecret, provider.AppId, form.RedirectUri, provider.Domain, provider.CustomAuthUrl, provider.CustomTokenUrl, provider.CustomUserInfoUrl)
 			if idProvider == nil {
 				c.ResponseError(fmt.Sprintf("The provider type: %s is not supported", provider.Type))
 				return
@ -222,8 +291,8 @@ func (c *ApiController) Login() {

 			setHttpClient(idProvider, provider.Type)

-			if form.State != beego.AppConfig.String("authState") && form.State != application.Name {
-				c.ResponseError(fmt.Sprintf("state expected: \"%s\", but got: \"%s\"", beego.AppConfig.String("authState"), form.State))
+			if form.State != conf.GetConfigString("authState") && form.State != application.Name {
+				c.ResponseError(fmt.Sprintf("state expected: \"%s\", but got: \"%s\"", conf.GetConfigString("authState"), form.State))
 				return
 			}

@ -272,7 +341,7 @@ func (c *ApiController) Login() {
 				record := object.NewRecord(c.Ctx)
 				record.Organization = application.Organization
 				record.User = user.Name
-				go object.AddRecord(record)
+				util.SafeGoroutine(func() {object.AddRecord(record)})
 			} else if provider.Category == "OAuth" {
 				// Sign up via OAuth
 				if !application.EnableSignUp {
@ -321,7 +390,7 @@ func (c *ApiController) Login() {
 				record := object.NewRecord(c.Ctx)
 				record.Organization = application.Organization
 				record.User = user.Name
-				go object.AddRecord(record)
+				util.SafeGoroutine(func() {object.AddRecord(record)})
 			} else if provider.Category == "SAML" {
 				resp = &Response{Status: "error", Msg: "The account does not exist"}
 			}
@ -358,6 +427,11 @@ func (c *ApiController) Login() {
 		if c.GetSessionUsername() != "" {
 			// user already signed in to Casdoor, so let the user click the avatar button to do the quick sign-in
 			application := object.GetApplication(fmt.Sprintf("admin/%s", form.Application))
+			if application == nil {
+				c.ResponseError(fmt.Sprintf("The application: %s does not exist", form.Application))
+				return
+			}
+
 			user := c.getCurrentUser()
 			resp = c.HandleLoggedIn(application, user, &form)
 		} else {
--- a/controllers/base.go
+++ b/controllers/base.go
@ -1,4 +1,4 @@
-// Copyright 2021 The casbin Authors. All Rights Reserved.
+// Copyright 2021 The Casdoor Authors. All Rights Reserved.
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
@ -15,10 +15,12 @@
 package controllers

 import (
+	"strings"
 	"time"

 	"github.com/astaxie/beego"
-	"github.com/casbin/casdoor/util"
+	"github.com/casdoor/casdoor/object"
+	"github.com/casdoor/casdoor/util"
 )

 // controller for handlers under /api uri
@ -35,6 +37,21 @@ type SessionData struct {
 	ExpireTime int64
 }

+func (c *ApiController) IsGlobalAdmin() bool {
+	username := c.GetSessionUsername()
+	if strings.HasPrefix(username, "app/") {
+		// e.g., "app/app-casnode"
+		return true
+	}
+
+	user := object.GetUser(username)
+	if user == nil {
+		return false
+	}
+
+	return user.Owner == "built-in" || user.IsGlobalAdmin
+}
+
 // GetSessionUsername ...
 func (c *ApiController) GetSessionUsername() string {
 	// check if user session expired
@ -55,6 +72,37 @@ func (c *ApiController) GetSessionUsername() string {
 	return user.(string)
 }

+func (c *ApiController) GetSessionApplication() *object.Application {
+	clientId := c.GetSession("aud")
+	if clientId == nil {
+		return nil
+	}
+	application := object.GetApplicationByClientId(clientId.(string))
+	return application
+}
+
+func (c *ApiController) GetSessionOidc() (string, string) {
+	sessionData := c.GetSessionData()
+	if sessionData != nil &&
+		sessionData.ExpireTime != 0 &&
+		sessionData.ExpireTime < time.Now().Unix() {
+		c.SetSessionUsername("")
+		c.SetSessionData(nil)
+		return "", ""
+	}
+	scopeValue := c.GetSession("scope")
+	audValue := c.GetSession("aud")
+	var scope, aud string
+	var ok bool
+	if scope, ok = scopeValue.(string); !ok {
+		scope = ""
+	}
+	if aud, ok = audValue.(string); !ok {
+		aud = ""
+	}
+	return scope, aud
+}
+
 // SetSessionUsername ...
 func (c *ApiController) SetSessionUsername(user string) {
 	c.SetSession("username", user)
@ -93,3 +141,11 @@ func wrapActionResponse(affected bool) *Response {
 		return &Response{Status: "ok", Msg: "", Data: "Unaffected"}
 	}
 }
+
+func wrapErrorResponse(err error) *Response {
+	if err == nil {
+		return &Response{Status: "ok", Msg: ""}
+	} else {
+		return &Response{Status: "error", Msg: err.Error()}
+	}
+}
--- a/controllers/cas.go
+++ b/controllers/cas.go
@ -0,0 +1,271 @@
+// Copyright 2022 The Casdoor Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package controllers
+
+import (
+	"encoding/xml"
+	"fmt"
+	"net/http"
+	"net/url"
+	"strings"
+
+	"github.com/casdoor/casdoor/object"
+)
+
+const (
+	InvalidRequest           string = "INVALID_REQUEST"
+	InvalidTicketSpec        string = "INVALID_TICKET_SPEC"
+	UnauthorizedServiceProxy string = "UNAUTHORIZED_SERVICE_PROXY"
+	InvalidProxyCallback     string = "INVALID_PROXY_CALLBACK"
+	InvalidTicket            string = "INVALID_TICKET"
+	InvalidService           string = "INVALID_SERVICE"
+	InteralError             string = "INTERNAL_ERROR"
+	UnauthorizedService      string = "UNAUTHORIZED_SERVICE"
+)
+
+func (c *RootController) CasValidate() {
+	ticket := c.Input().Get("ticket")
+	service := c.Input().Get("service")
+	c.Ctx.Output.Header("Content-Type", "text/html; charset=utf-8")
+	if service == "" || ticket == "" {
+		c.Ctx.Output.Body([]byte("no\n"))
+		return
+	}
+	if ok, response, issuedService, _ := object.GetCasTokenByTicket(ticket); ok {
+		//check whether service is the one for which we previously issued token
+		if issuedService == service {
+			c.Ctx.Output.Body([]byte(fmt.Sprintf("yes\n%s\n", response.User)))
+			return
+		}
+
+	}
+	//token not found
+	c.Ctx.Output.Body([]byte("no\n"))
+}
+
+func (c *RootController) CasServiceValidate() {
+	ticket := c.Input().Get("ticket")
+	format := c.Input().Get("format")
+	if !strings.HasPrefix(ticket, "ST") {
+		c.sendCasAuthenticationResponseErr(InvalidTicket, fmt.Sprintf("Ticket %s not recognized", ticket), format)
+	}
+	c.CasP3ServiceAndProxyValidate()
+}
+
+func (c *RootController) CasProxyValidate() {
+	ticket := c.Input().Get("ticket")
+	format := c.Input().Get("format")
+	if !strings.HasPrefix(ticket, "PT") {
+		c.sendCasAuthenticationResponseErr(InvalidTicket, fmt.Sprintf("Ticket %s not recognized", ticket), format)
+	}
+	c.CasP3ServiceAndProxyValidate()
+}
+
+func (c *RootController) CasP3ServiceAndProxyValidate() {
+	ticket := c.Input().Get("ticket")
+	format := c.Input().Get("format")
+	service := c.Input().Get("service")
+	pgtUrl := c.Input().Get("pgtUrl")
+
+	serviceResponse := object.CasServiceResponse{
+		Xmlns: "http://www.yale.edu/tp/cas",
+	}
+
+	//check whether all required parameters are met
+	if service == "" || ticket == "" {
+		c.sendCasAuthenticationResponseErr(InvalidRequest, "service and ticket must exist", format)
+		return
+	}
+	ok, response, issuedService, userId := object.GetCasTokenByTicket(ticket)
+	//find the token
+	if ok {
+		//check whether service is the one for which we previously issued token
+		if strings.HasPrefix(service, issuedService) {
+			serviceResponse.Success = response
+		} else {
+			//service not match
+			c.sendCasAuthenticationResponseErr(InvalidService, fmt.Sprintf("service %s and %s does not match", service, issuedService), format)
+			return
+		}
+	} else {
+		//token not found
+		c.sendCasAuthenticationResponseErr(InvalidTicket, fmt.Sprintf("Ticket %s not recognized", ticket), format)
+		return
+	}
+
+	if pgtUrl != "" && serviceResponse.Failure == nil {
+		//that means we are in proxy web flow
+		pgt := object.StoreCasTokenForPgt(serviceResponse.Success, service, userId)
+		pgtiou := serviceResponse.Success.ProxyGrantingTicket
+		//todo: check whether it is https
+		pgtUrlObj, err := url.Parse(pgtUrl)
+		if pgtUrlObj.Scheme != "https" {
+			c.sendCasAuthenticationResponseErr(InvalidProxyCallback, "callback is not https", format)
+			return
+		}
+		//make a request to pgturl passing pgt and pgtiou
+		if err != nil {
+			c.sendCasAuthenticationResponseErr(InteralError, err.Error(), format)
+			return
+		}
+		param := pgtUrlObj.Query()
+		param.Add("pgtId", pgt)
+		param.Add("pgtIou", pgtiou)
+		pgtUrlObj.RawQuery = param.Encode()
+
+		request, err := http.NewRequest("GET", pgtUrlObj.String(), nil)
+		if err != nil {
+			c.sendCasAuthenticationResponseErr(InteralError, err.Error(), format)
+			return
+		}
+
+		resp, err := http.DefaultClient.Do(request)
+		if err != nil || !(resp.StatusCode >= 200 && resp.StatusCode < 400) {
+			//failed to send request
+			c.sendCasAuthenticationResponseErr(InvalidProxyCallback, err.Error(), format)
+			return
+		}
+	}
+	// everything is ok, send the response
+	if format == "json" {
+		c.Data["json"] = serviceResponse
+		c.ServeJSON()
+	} else {
+		c.Data["xml"] = serviceResponse
+		c.ServeXML()
+	}
+}
+
+func (c *RootController) CasProxy() {
+	pgt := c.Input().Get("pgt")
+	targetService := c.Input().Get("targetService")
+	format := c.Input().Get("format")
+	if pgt == "" || targetService == "" {
+		c.sendCasProxyResponseErr(InvalidRequest, "pgt and targetService must exist", format)
+		return
+	}
+
+	ok, authenticationSuccess, issuedService, userId := object.GetCasTokenByPgt(pgt)
+	if !ok {
+		c.sendCasProxyResponseErr(UnauthorizedService, "service not authorized", format)
+		return
+	}
+
+	newAuthenticationSuccess := authenticationSuccess.DeepCopy()
+	if newAuthenticationSuccess.Proxies == nil {
+		newAuthenticationSuccess.Proxies = &object.CasProxies{}
+	}
+	newAuthenticationSuccess.Proxies.Proxies = append(newAuthenticationSuccess.Proxies.Proxies, issuedService)
+	proxyTicket := object.StoreCasTokenForProxyTicket(&newAuthenticationSuccess, targetService, userId)
+
+	serviceResponse := object.CasServiceResponse{
+		Xmlns: "http://www.yale.edu/tp/cas",
+		ProxySuccess: &object.CasProxySuccess{
+			ProxyTicket: proxyTicket,
+		},
+	}
+
+	if format == "json" {
+		c.Data["json"] = serviceResponse
+		c.ServeJSON()
+	} else {
+		c.Data["xml"] = serviceResponse
+		c.ServeXML()
+	}
+
+}
+
+func (c *RootController) SamlValidate() {
+	c.Ctx.Output.Header("Content-Type", "text/xml; charset=utf-8")
+	target := c.Input().Get("TARGET")
+	body := c.Ctx.Input.RequestBody
+	envelopRequest := struct {
+		XMLName xml.Name `xml:"Envelope"`
+		Body    struct {
+			XMLName xml.Name `xml:"Body"`
+			Content string   `xml:",innerxml"`
+		}
+	}{}
+
+	err := xml.Unmarshal(body, &envelopRequest)
+	if err != nil {
+		c.ResponseError(err.Error())
+		return
+	}
+
+	response, service, err := object.GetValidationBySaml(envelopRequest.Body.Content, c.Ctx.Request.Host)
+	if err != nil {
+		c.ResponseError(err.Error())
+		return
+	}
+
+	if !strings.HasPrefix(target, service) {
+		c.ResponseError(fmt.Sprintf("service %s and %s do not match", target, service))
+		return
+	}
+
+	envelopReponse := struct {
+		XMLName xml.Name `xml:"SOAP-ENV:Envelope"`
+		Xmlns   string   `xml:"xmlns:SOAP-ENV"`
+		Body    struct {
+			XMLName xml.Name `xml:"SOAP-ENV:Body"`
+			Content string   `xml:",innerxml"`
+		}
+	}{}
+	envelopReponse.Xmlns = "http://schemas.xmlsoap.org/soap/envelope/"
+	envelopReponse.Body.Content = response
+
+	data, err := xml.Marshal(envelopReponse)
+	if err != nil {
+		c.ResponseError(err.Error())
+		return
+	}
+	c.Ctx.Output.Body([]byte(data))
+}
+
+func (c *RootController) sendCasProxyResponseErr(code, msg, format string) {
+	serviceResponse := object.CasServiceResponse{
+		Xmlns: "http://www.yale.edu/tp/cas",
+		ProxyFailure: &object.CasProxyFailure{
+			Code:    code,
+			Message: msg,
+		},
+	}
+	if format == "json" {
+		c.Data["json"] = serviceResponse
+		c.ServeJSON()
+	} else {
+		c.Data["xml"] = serviceResponse
+		c.ServeXML()
+	}
+}
+
+func (c *RootController) sendCasAuthenticationResponseErr(code, msg, format string) {
+	serviceResponse := object.CasServiceResponse{
+		Xmlns: "http://www.yale.edu/tp/cas",
+		Failure: &object.CasAuthenticationFailure{
+			Code:    code,
+			Message: msg,
+		},
+	}
+
+	if format == "json" {
+		c.Data["json"] = serviceResponse
+		c.ServeJSON()
+	} else {
+		c.Data["xml"] = serviceResponse
+		c.ServeXML()
+	}
+}
--- a/controllers/cert.go
+++ b/controllers/cert.go
@ -0,0 +1,116 @@
+// Copyright 2021 The Casdoor Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package controllers
+
+import (
+	"encoding/json"
+
+	"github.com/astaxie/beego/utils/pagination"
+	"github.com/casdoor/casdoor/object"
+	"github.com/casdoor/casdoor/util"
+)
+
+// GetCerts
+// @Title GetCerts
+// @Tag Cert API
+// @Description get certs
+// @Param   owner     query    string  true        "The owner of certs"
+// @Success 200 {array} object.Cert The Response object
+// @router /get-certs [get]
+func (c *ApiController) GetCerts() {
+	owner := c.Input().Get("owner")
+	limit := c.Input().Get("pageSize")
+	page := c.Input().Get("p")
+	field := c.Input().Get("field")
+	value := c.Input().Get("value")
+	sortField := c.Input().Get("sortField")
+	sortOrder := c.Input().Get("sortOrder")
+	if limit == "" || page == "" {
+		c.Data["json"] = object.GetMaskedCerts(object.GetCerts(owner))
+		c.ServeJSON()
+	} else {
+		limit := util.ParseInt(limit)
+		paginator := pagination.SetPaginator(c.Ctx, limit, int64(object.GetCertCount(owner, field, value)))
+		certs := object.GetMaskedCerts(object.GetPaginationCerts(owner, paginator.Offset(), limit, field, value, sortField, sortOrder))
+		c.ResponseOk(certs, paginator.Nums())
+	}
+}
+
+// @Title GetCert
+// @Tag Cert API
+// @Description get cert
+// @Param   id    query    string  true        "The id of the cert"
+// @Success 200 {object} object.Cert The Response object
+// @router /get-cert [get]
+func (c *ApiController) GetCert() {
+	id := c.Input().Get("id")
+
+	c.Data["json"] = object.GetMaskedCert(object.GetCert(id))
+	c.ServeJSON()
+}
+
+// @Title UpdateCert
+// @Tag Cert API
+// @Description update cert
+// @Param   id    query    string  true        "The id of the cert"
+// @Param   body    body   object.Cert  true        "The details of the cert"
+// @Success 200 {object} controllers.Response The Response object
+// @router /update-cert [post]
+func (c *ApiController) UpdateCert() {
+	id := c.Input().Get("id")
+
+	var cert object.Cert
+	err := json.Unmarshal(c.Ctx.Input.RequestBody, &cert)
+	if err != nil {
+		panic(err)
+	}
+
+	c.Data["json"] = wrapActionResponse(object.UpdateCert(id, &cert))
+	c.ServeJSON()
+}
+
+// @Title AddCert
+// @Tag Cert API
+// @Description add cert
+// @Param   body    body   object.Cert  true        "The details of the cert"
+// @Success 200 {object} controllers.Response The Response object
+// @router /add-cert [post]
+func (c *ApiController) AddCert() {
+	var cert object.Cert
+	err := json.Unmarshal(c.Ctx.Input.RequestBody, &cert)
+	if err != nil {
+		panic(err)
+	}
+
+	c.Data["json"] = wrapActionResponse(object.AddCert(&cert))
+	c.ServeJSON()
+}
+
+// @Title DeleteCert
+// @Tag Cert API
+// @Description delete cert
+// @Param   body    body   object.Cert  true        "The details of the cert"
+// @Success 200 {object} controllers.Response The Response object
+// @router /delete-cert [post]
+func (c *ApiController) DeleteCert() {
+	var cert object.Cert
+	err := json.Unmarshal(c.Ctx.Input.RequestBody, &cert)
+	if err != nil {
+		panic(err)
+	}
+
+	c.Data["json"] = wrapActionResponse(object.DeleteCert(&cert))
+	c.ServeJSON()
+}
--- a/controllers/ldap.go
+++ b/controllers/ldap.go
@ -1,4 +1,4 @@
-// Copyright 2021 The casbin Authors. All Rights Reserved.
+// Copyright 2021 The Casdoor Authors. All Rights Reserved.
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
@ -17,8 +17,8 @@ package controllers
 import (
 	"encoding/json"

-	"github.com/casbin/casdoor/object"
-	"github.com/casbin/casdoor/util"
+	"github.com/casdoor/casdoor/object"
+	"github.com/casdoor/casdoor/util"
 )

 type LdapServer struct {
@ -170,6 +170,7 @@ func (c *ApiController) UpdateLdap() {
 		return
 	}

+	prevLdap := object.GetLdap(ldap.Id)
 	affected := object.UpdateLdap(&ldap)
 	resp := wrapActionResponse(affected)
 	if affected {
@ -177,6 +178,8 @@ func (c *ApiController) UpdateLdap() {
 	}
 	if ldap.AutoSync != 0 {
 		object.GetLdapAutoSynchronizer().StartAutoSync(ldap.Id)
+	} else if ldap.AutoSync == 0 && prevLdap.AutoSync != 0 {
+		object.GetLdapAutoSynchronizer().StopAutoSync(ldap.Id)
 	}

 	c.Data["json"] = resp
@ -212,7 +215,7 @@ func (c *ApiController) SyncLdapUsers() {

 	object.UpdateLdapSyncTime(ldapId)

-	exist, failed := object.SyncLdapUsers(owner, users)
+	exist, failed := object.SyncLdapUsers(owner, users, ldapId)
 	c.Data["json"] = &Response{Status: "ok", Data: &LdapSyncResp{
 		Exist:  *exist,
 		Failed: *failed,
--- a/controllers/link.go
+++ b/controllers/link.go
@ -1,4 +1,4 @@
-// Copyright 2021 The casbin Authors. All Rights Reserved.
+// Copyright 2021 The Casdoor Authors. All Rights Reserved.
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
@ -17,7 +17,7 @@ package controllers
 import (
 	"encoding/json"

-	"github.com/casbin/casdoor/object"
+	"github.com/casdoor/casdoor/object"
 )

 type LinkForm struct {
--- a/controllers/oidc_discovery.go
+++ b/controllers/oidc_discovery.go
@ -1,4 +1,4 @@
-// Copyright 2021 The casbin Authors. All Rights Reserved.
+// Copyright 2021 The Casdoor Authors. All Rights Reserved.
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
@ -14,21 +14,22 @@

 package controllers

-import "github.com/casbin/casdoor/object"
+import "github.com/casdoor/casdoor/object"

 // @Title GetOidcDiscovery
 // @Tag OIDC API
 // @router /.well-known/openid-configuration [get]
 func (c *RootController) GetOidcDiscovery() {
-	c.Data["json"] = object.GetOidcDiscovery()
+	host := c.Ctx.Request.Host
+	c.Data["json"] = object.GetOidcDiscovery(host)
 	c.ServeJSON()
 }

-// @Title GetOidcCert
+// @Title GetJwks
 // @Tag OIDC API
-// @router /api/certs [get]
-func (c *RootController) GetOidcCert() {
-	jwks, err := object.GetJSONWebKeySet()
+// @router /.well-known/jwks [get]
+func (c *RootController) GetJwks() {
+	jwks, err := object.GetJsonWebKeySet()
 	if err != nil {
 		c.ResponseError(err.Error())
 		return
--- a/controllers/organization.go
+++ b/controllers/organization.go
@ -1,4 +1,4 @@
-// Copyright 2021 The casbin Authors. All Rights Reserved.
+// Copyright 2021 The Casdoor Authors. All Rights Reserved.
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
@ -18,8 +18,8 @@ import (
 	"encoding/json"

 	"github.com/astaxie/beego/utils/pagination"
-	"github.com/casbin/casdoor/object"
-	"github.com/casbin/casdoor/util"
+	"github.com/casdoor/casdoor/object"
+	"github.com/casdoor/casdoor/util"
 )

 // GetOrganizations ...
@ -33,13 +33,17 @@ func (c *ApiController) GetOrganizations() {
 	owner := c.Input().Get("owner")
 	limit := c.Input().Get("pageSize")
 	page := c.Input().Get("p")
+	field := c.Input().Get("field")
+	value := c.Input().Get("value")
+	sortField := c.Input().Get("sortField")
+	sortOrder := c.Input().Get("sortOrder")
 	if limit == "" || page == "" {
 		c.Data["json"] = object.GetMaskedOrganizations(object.GetOrganizations(owner))
 		c.ServeJSON()
 	} else {
 		limit := util.ParseInt(limit)
-		paginator := pagination.SetPaginator(c.Ctx, limit, int64(object.GetOrganizationCount(owner)))
-		organizations := object.GetMaskedOrganizations(object.GetPaginationOrganizations(owner, paginator.Offset(), limit))
+		paginator := pagination.SetPaginator(c.Ctx, limit, int64(object.GetOrganizationCount(owner, field, value)))
+		organizations := object.GetMaskedOrganizations(object.GetPaginationOrganizations(owner, paginator.Offset(), limit, field, value, sortField, sortOrder))
 		c.ResponseOk(organizations, paginator.Nums())
 	}
 }
--- a/controllers/payment.go
+++ b/controllers/payment.go
@ -0,0 +1,177 @@
+// Copyright 2022 The Casdoor Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package controllers
+
+import (
+	"encoding/json"
+	"fmt"
+
+	"github.com/astaxie/beego/utils/pagination"
+	"github.com/casdoor/casdoor/object"
+	"github.com/casdoor/casdoor/util"
+)
+
+// GetPayments
+// @Title GetPayments
+// @Tag Payment API
+// @Description get payments
+// @Param   owner     query    string  true        "The owner of payments"
+// @Success 200 {array} object.Payment The Response object
+// @router /get-payments [get]
+func (c *ApiController) GetPayments() {
+	owner := c.Input().Get("owner")
+	limit := c.Input().Get("pageSize")
+	page := c.Input().Get("p")
+	field := c.Input().Get("field")
+	value := c.Input().Get("value")
+	sortField := c.Input().Get("sortField")
+	sortOrder := c.Input().Get("sortOrder")
+	if limit == "" || page == "" {
+		c.Data["json"] = object.GetPayments(owner)
+		c.ServeJSON()
+	} else {
+		limit := util.ParseInt(limit)
+		paginator := pagination.SetPaginator(c.Ctx, limit, int64(object.GetPaymentCount(owner, field, value)))
+		payments := object.GetPaginationPayments(owner, paginator.Offset(), limit, field, value, sortField, sortOrder)
+		c.ResponseOk(payments, paginator.Nums())
+	}
+}
+
+// GetUserPayments
+// @Title GetUserPayments
+// @Tag Payment API
+// @Description get payments for a user
+// @Param   owner     query    string  true        "The owner of payments"
+// @Param   organization    query   string  true   "The organization of the user"
+// @Param   user    query   string  true           "The username of the user"
+// @Success 200 {array} object.Payment The Response object
+// @router /get-user-payments [get]
+func (c *ApiController) GetUserPayments() {
+	owner := c.Input().Get("owner")
+	organization := c.Input().Get("organization")
+	user := c.Input().Get("user")
+
+	payments := object.GetUserPayments(owner, organization, user)
+	c.ResponseOk(payments)
+}
+
+// @Title GetPayment
+// @Tag Payment API
+// @Description get payment
+// @Param   id    query    string  true        "The id of the payment"
+// @Success 200 {object} object.Payment The Response object
+// @router /get-payment [get]
+func (c *ApiController) GetPayment() {
+	id := c.Input().Get("id")
+
+	c.Data["json"] = object.GetPayment(id)
+	c.ServeJSON()
+}
+
+// @Title UpdatePayment
+// @Tag Payment API
+// @Description update payment
+// @Param   id    query    string  true        "The id of the payment"
+// @Param   body    body   object.Payment  true        "The details of the payment"
+// @Success 200 {object} controllers.Response The Response object
+// @router /update-payment [post]
+func (c *ApiController) UpdatePayment() {
+	id := c.Input().Get("id")
+
+	var payment object.Payment
+	err := json.Unmarshal(c.Ctx.Input.RequestBody, &payment)
+	if err != nil {
+		panic(err)
+	}
+
+	c.Data["json"] = wrapActionResponse(object.UpdatePayment(id, &payment))
+	c.ServeJSON()
+}
+
+// @Title AddPayment
+// @Tag Payment API
+// @Description add payment
+// @Param   body    body   object.Payment  true        "The details of the payment"
+// @Success 200 {object} controllers.Response The Response object
+// @router /add-payment [post]
+func (c *ApiController) AddPayment() {
+	var payment object.Payment
+	err := json.Unmarshal(c.Ctx.Input.RequestBody, &payment)
+	if err != nil {
+		panic(err)
+	}
+
+	c.Data["json"] = wrapActionResponse(object.AddPayment(&payment))
+	c.ServeJSON()
+}
+
+// @Title DeletePayment
+// @Tag Payment API
+// @Description delete payment
+// @Param   body    body   object.Payment  true        "The details of the payment"
+// @Success 200 {object} controllers.Response The Response object
+// @router /delete-payment [post]
+func (c *ApiController) DeletePayment() {
+	var payment object.Payment
+	err := json.Unmarshal(c.Ctx.Input.RequestBody, &payment)
+	if err != nil {
+		panic(err)
+	}
+
+	c.Data["json"] = wrapActionResponse(object.DeletePayment(&payment))
+	c.ServeJSON()
+}
+
+// @Title NotifyPayment
+// @Tag Payment API
+// @Description notify payment
+// @Param   body    body   object.Payment  true        "The details of the payment"
+// @Success 200 {object} controllers.Response The Response object
+// @router /notify-payment [post]
+func (c *ApiController) NotifyPayment() {
+	owner := c.Ctx.Input.Param(":owner")
+	providerName := c.Ctx.Input.Param(":provider")
+	productName := c.Ctx.Input.Param(":product")
+	paymentName := c.Ctx.Input.Param(":payment")
+
+	body := c.Ctx.Input.RequestBody
+
+	ok := object.NotifyPayment(c.Ctx.Request, body, owner, providerName, productName, paymentName)
+	if ok {
+		_, err := c.Ctx.ResponseWriter.Write([]byte("success"))
+		if err != nil {
+			panic(err)
+		}
+	} else {
+		panic(fmt.Errorf("NotifyPayment() failed: %v", ok))
+	}
+}
+
+// @Title InvoicePayment
+// @Tag Payment API
+// @Description invoice payment
+// @Param   id    query    string  true        "The id of the payment"
+// @Success 200 {object} controllers.Response The Response object
+// @router /invoice-payment [post]
+func (c *ApiController) InvoicePayment() {
+	id := c.Input().Get("id")
+
+	payment := object.GetPayment(id)
+	invoiceUrl, err := object.InvoicePayment(payment)
+	if err != nil {
+		c.ResponseError(err.Error())
+	}
+	c.ResponseOk(invoiceUrl)
+}
--- a/controllers/permission.go
+++ b/controllers/permission.go
@ -0,0 +1,116 @@
+// Copyright 2021 The Casdoor Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package controllers
+
+import (
+	"encoding/json"
+
+	"github.com/astaxie/beego/utils/pagination"
+	"github.com/casdoor/casdoor/object"
+	"github.com/casdoor/casdoor/util"
+)
+
+// GetPermissions
+// @Title GetPermissions
+// @Tag Permission API
+// @Description get permissions
+// @Param   owner     query    string  true        "The owner of permissions"
+// @Success 200 {array} object.Permission The Response object
+// @router /get-permissions [get]
+func (c *ApiController) GetPermissions() {
+	owner := c.Input().Get("owner")
+	limit := c.Input().Get("pageSize")
+	page := c.Input().Get("p")
+	field := c.Input().Get("field")
+	value := c.Input().Get("value")
+	sortField := c.Input().Get("sortField")
+	sortOrder := c.Input().Get("sortOrder")
+	if limit == "" || page == "" {
+		c.Data["json"] = object.GetPermissions(owner)
+		c.ServeJSON()
+	} else {
+		limit := util.ParseInt(limit)
+		paginator := pagination.SetPaginator(c.Ctx, limit, int64(object.GetPermissionCount(owner, field, value)))
+		permissions := object.GetPaginationPermissions(owner, paginator.Offset(), limit, field, value, sortField, sortOrder)
+		c.ResponseOk(permissions, paginator.Nums())
+	}
+}
+
+// @Title GetPermission
+// @Tag Permission API
+// @Description get permission
+// @Param   id    query    string  true        "The id of the permission"
+// @Success 200 {object} object.Permission The Response object
+// @router /get-permission [get]
+func (c *ApiController) GetPermission() {
+	id := c.Input().Get("id")
+
+	c.Data["json"] = object.GetPermission(id)
+	c.ServeJSON()
+}
+
+// @Title UpdatePermission
+// @Tag Permission API
+// @Description update permission
+// @Param   id    query    string  true        "The id of the permission"
+// @Param   body    body   object.Permission  true        "The details of the permission"
+// @Success 200 {object} controllers.Response The Response object
+// @router /update-permission [post]
+func (c *ApiController) UpdatePermission() {
+	id := c.Input().Get("id")
+
+	var permission object.Permission
+	err := json.Unmarshal(c.Ctx.Input.RequestBody, &permission)
+	if err != nil {
+		panic(err)
+	}
+
+	c.Data["json"] = wrapActionResponse(object.UpdatePermission(id, &permission))
+	c.ServeJSON()
+}
+
+// @Title AddPermission
+// @Tag Permission API
+// @Description add permission
+// @Param   body    body   object.Permission  true        "The details of the permission"
+// @Success 200 {object} controllers.Response The Response object
+// @router /add-permission [post]
+func (c *ApiController) AddPermission() {
+	var permission object.Permission
+	err := json.Unmarshal(c.Ctx.Input.RequestBody, &permission)
+	if err != nil {
+		panic(err)
+	}
+
+	c.Data["json"] = wrapActionResponse(object.AddPermission(&permission))
+	c.ServeJSON()
+}
+
+// @Title DeletePermission
+// @Tag Permission API
+// @Description delete permission
+// @Param   body    body   object.Permission  true        "The details of the permission"
+// @Success 200 {object} controllers.Response The Response object
+// @router /delete-permission [post]
+func (c *ApiController) DeletePermission() {
+	var permission object.Permission
+	err := json.Unmarshal(c.Ctx.Input.RequestBody, &permission)
+	if err != nil {
+		panic(err)
+	}
+
+	c.Data["json"] = wrapActionResponse(object.DeletePermission(&permission))
+	c.ServeJSON()
+}
--- a/controllers/product.go
+++ b/controllers/product.go
@ -0,0 +1,150 @@
+// Copyright 2022 The Casdoor Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package controllers
+
+import (
+	"encoding/json"
+	"fmt"
+
+	"github.com/astaxie/beego/utils/pagination"
+	"github.com/casdoor/casdoor/object"
+	"github.com/casdoor/casdoor/util"
+)
+
+// GetProducts
+// @Title GetProducts
+// @Tag Product API
+// @Description get products
+// @Param   owner     query    string  true        "The owner of products"
+// @Success 200 {array} object.Product The Response object
+// @router /get-products [get]
+func (c *ApiController) GetProducts() {
+	owner := c.Input().Get("owner")
+	limit := c.Input().Get("pageSize")
+	page := c.Input().Get("p")
+	field := c.Input().Get("field")
+	value := c.Input().Get("value")
+	sortField := c.Input().Get("sortField")
+	sortOrder := c.Input().Get("sortOrder")
+	if limit == "" || page == "" {
+		c.Data["json"] = object.GetProducts(owner)
+		c.ServeJSON()
+	} else {
+		limit := util.ParseInt(limit)
+		paginator := pagination.SetPaginator(c.Ctx, limit, int64(object.GetProductCount(owner, field, value)))
+		products := object.GetPaginationProducts(owner, paginator.Offset(), limit, field, value, sortField, sortOrder)
+		c.ResponseOk(products, paginator.Nums())
+	}
+}
+
+// @Title GetProduct
+// @Tag Product API
+// @Description get product
+// @Param   id    query    string  true        "The id of the product"
+// @Success 200 {object} object.Product The Response object
+// @router /get-product [get]
+func (c *ApiController) GetProduct() {
+	id := c.Input().Get("id")
+
+	c.Data["json"] = object.GetProduct(id)
+	c.ServeJSON()
+}
+
+// @Title UpdateProduct
+// @Tag Product API
+// @Description update product
+// @Param   id    query    string  true        "The id of the product"
+// @Param   body    body   object.Product  true        "The details of the product"
+// @Success 200 {object} controllers.Response The Response object
+// @router /update-product [post]
+func (c *ApiController) UpdateProduct() {
+	id := c.Input().Get("id")
+
+	var product object.Product
+	err := json.Unmarshal(c.Ctx.Input.RequestBody, &product)
+	if err != nil {
+		panic(err)
+	}
+
+	c.Data["json"] = wrapActionResponse(object.UpdateProduct(id, &product))
+	c.ServeJSON()
+}
+
+// @Title AddProduct
+// @Tag Product API
+// @Description add product
+// @Param   body    body   object.Product  true        "The details of the product"
+// @Success 200 {object} controllers.Response The Response object
+// @router /add-product [post]
+func (c *ApiController) AddProduct() {
+	var product object.Product
+	err := json.Unmarshal(c.Ctx.Input.RequestBody, &product)
+	if err != nil {
+		panic(err)
+	}
+
+	c.Data["json"] = wrapActionResponse(object.AddProduct(&product))
+	c.ServeJSON()
+}
+
+// @Title DeleteProduct
+// @Tag Product API
+// @Description delete product
+// @Param   body    body   object.Product  true        "The details of the product"
+// @Success 200 {object} controllers.Response The Response object
+// @router /delete-product [post]
+func (c *ApiController) DeleteProduct() {
+	var product object.Product
+	err := json.Unmarshal(c.Ctx.Input.RequestBody, &product)
+	if err != nil {
+		panic(err)
+	}
+
+	c.Data["json"] = wrapActionResponse(object.DeleteProduct(&product))
+	c.ServeJSON()
+}
+
+// @Title BuyProduct
+// @Tag Product API
+// @Description buy product
+// @Param   id    query    string  true            "The id of the product"
+// @Param   providerName    query    string  true  "The name of the provider"
+// @Success 200 {object} controllers.Response The Response object
+// @router /buy-product [post]
+func (c *ApiController) BuyProduct() {
+	id := c.Input().Get("id")
+	providerName := c.Input().Get("providerName")
+	host := c.Ctx.Request.Host
+
+	userId := c.GetSessionUsername()
+	if userId == "" {
+		c.ResponseError("Please login first")
+		return
+	}
+
+	user := object.GetUser(userId)
+	if user == nil {
+		c.ResponseError(fmt.Sprintf("The user: %s doesn't exist", userId))
+		return
+	}
+
+	payUrl, err := object.BuyProduct(id, providerName, user, host)
+	if err != nil {
+		c.ResponseError(err.Error())
+		return
+	}
+
+	c.ResponseOk(payUrl)
+}
--- a/controllers/provider.go
+++ b/controllers/provider.go
@ -1,4 +1,4 @@
-// Copyright 2021 The casbin Authors. All Rights Reserved.
+// Copyright 2021 The Casdoor Authors. All Rights Reserved.
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
@ -16,10 +16,9 @@ package controllers

 import (
 	"encoding/json"
-
 	"github.com/astaxie/beego/utils/pagination"
-	"github.com/casbin/casdoor/object"
-	"github.com/casbin/casdoor/util"
+	"github.com/casdoor/casdoor/object"
+	"github.com/casdoor/casdoor/util"
 )

 // GetProviders
@ -33,13 +32,17 @@ func (c *ApiController) GetProviders() {
 	owner := c.Input().Get("owner")
 	limit := c.Input().Get("pageSize")
 	page := c.Input().Get("p")
+	field := c.Input().Get("field")
+	value := c.Input().Get("value")
+	sortField := c.Input().Get("sortField")
+	sortOrder := c.Input().Get("sortOrder")
 	if limit == "" || page == "" {
 		c.Data["json"] = object.GetMaskedProviders(object.GetProviders(owner))
 		c.ServeJSON()
 	} else {
 		limit := util.ParseInt(limit)
-		paginator := pagination.SetPaginator(c.Ctx, limit, int64(object.GetProviderCount(owner)))
-		providers := object.GetMaskedProviders(object.GetPaginationProviders(owner, paginator.Offset(), limit))
+		paginator := pagination.SetPaginator(c.Ctx, limit, int64(object.GetProviderCount(owner, field, value)))
+		providers := object.GetMaskedProviders(object.GetPaginationProviders(owner, paginator.Offset(), limit, field, value, sortField, sortOrder))
 		c.ResponseOk(providers, paginator.Nums())
 	}
 }
--- a/controllers/record.go
+++ b/controllers/record.go
@ -1,4 +1,4 @@
-// Copyright 2021 The casbin Authors. All Rights Reserved.
+// Copyright 2021 The Casdoor Authors. All Rights Reserved.
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
@ -16,8 +16,8 @@ package controllers

 import (
 	"github.com/astaxie/beego/utils/pagination"
-	"github.com/casbin/casdoor/object"
-	"github.com/casbin/casdoor/util"
+	"github.com/casdoor/casdoor/object"
+	"github.com/casdoor/casdoor/util"
 )

 // GetRecords
@ -31,13 +31,17 @@ import (
 func (c *ApiController) GetRecords() {
 	limit := c.Input().Get("pageSize")
 	page := c.Input().Get("p")
+	field := c.Input().Get("field")
+	value := c.Input().Get("value")
+	sortField := c.Input().Get("sortField")
+	sortOrder := c.Input().Get("sortOrder")
 	if limit == "" || page == "" {
 		c.Data["json"] = object.GetRecords()
 		c.ServeJSON()
 	} else {
 		limit := util.ParseInt(limit)
-		paginator := pagination.SetPaginator(c.Ctx, limit, int64(object.GetRecordCount()))
-		records := object.GetPaginationRecords(paginator.Offset(), limit)
+		paginator := pagination.SetPaginator(c.Ctx, limit, int64(object.GetRecordCount(field, value)))
+		records := object.GetPaginationRecords(paginator.Offset(), limit, field, value, sortField, sortOrder)
 		c.ResponseOk(records, paginator.Nums())
 	}
 }
--- a/controllers/resource.go
+++ b/controllers/resource.go
@ -1,4 +1,4 @@
-// Copyright 2021 The casbin Authors. All Rights Reserved.
+// Copyright 2021 The Casdoor Authors. All Rights Reserved.
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
@ -23,8 +23,8 @@ import (
 	"path/filepath"

 	"github.com/astaxie/beego/utils/pagination"
-	"github.com/casbin/casdoor/object"
-	"github.com/casbin/casdoor/util"
+	"github.com/casdoor/casdoor/object"
+	"github.com/casdoor/casdoor/util"
 )

 // @router /get-resources [get]
@ -35,13 +35,17 @@ func (c *ApiController) GetResources() {
 	user := c.Input().Get("user")
 	limit := c.Input().Get("pageSize")
 	page := c.Input().Get("p")
+	field := c.Input().Get("field")
+	value := c.Input().Get("value")
+	sortField := c.Input().Get("sortField")
+	sortOrder := c.Input().Get("sortOrder")
 	if limit == "" || page == "" {
 		c.Data["json"] = object.GetResources(owner, user)
 		c.ServeJSON()
 	} else {
 		limit := util.ParseInt(limit)
-		paginator := pagination.SetPaginator(c.Ctx, limit, int64(object.GetResourceCount(owner, user)))
-		resources := object.GetPaginationResources(owner, user, paginator.Offset(), limit)
+		paginator := pagination.SetPaginator(c.Ctx, limit, int64(object.GetResourceCount(owner, user, field, value)))
+		resources := object.GetPaginationResources(owner, user, paginator.Offset(), limit, field, value, sortField, sortOrder)
 		c.ResponseOk(resources, paginator.Nums())
 	}
 }
@ -198,7 +202,7 @@ func (c *ApiController) UploadResource() {
 		}

 		user.Avatar = fileUrl
-		object.UpdateUser(user.GetId(), user, []string{"avatar"})
+		object.UpdateUser(user.GetId(), user, []string{"avatar"}, false)
 	case "termsOfUse":
 		applicationId := fmt.Sprintf("admin/%s", parent)
 		app := object.GetApplication(applicationId)
--- a/controllers/role.go
+++ b/controllers/role.go
@ -0,0 +1,116 @@
+// Copyright 2021 The Casdoor Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package controllers
+
+import (
+	"encoding/json"
+
+	"github.com/astaxie/beego/utils/pagination"
+	"github.com/casdoor/casdoor/object"
+	"github.com/casdoor/casdoor/util"
+)
+
+// GetRoles
+// @Title GetRoles
+// @Tag Role API
+// @Description get roles
+// @Param   owner     query    string  true        "The owner of roles"
+// @Success 200 {array} object.Role The Response object
+// @router /get-roles [get]
+func (c *ApiController) GetRoles() {
+	owner := c.Input().Get("owner")
+	limit := c.Input().Get("pageSize")
+	page := c.Input().Get("p")
+	field := c.Input().Get("field")
+	value := c.Input().Get("value")
+	sortField := c.Input().Get("sortField")
+	sortOrder := c.Input().Get("sortOrder")
+	if limit == "" || page == "" {
+		c.Data["json"] = object.GetRoles(owner)
+		c.ServeJSON()
+	} else {
+		limit := util.ParseInt(limit)
+		paginator := pagination.SetPaginator(c.Ctx, limit, int64(object.GetRoleCount(owner, field, value)))
+		roles := object.GetPaginationRoles(owner, paginator.Offset(), limit, field, value, sortField, sortOrder)
+		c.ResponseOk(roles, paginator.Nums())
+	}
+}
+
+// @Title GetRole
+// @Tag Role API
+// @Description get role
+// @Param   id    query    string  true        "The id of the role"
+// @Success 200 {object} object.Role The Response object
+// @router /get-role [get]
+func (c *ApiController) GetRole() {
+	id := c.Input().Get("id")
+
+	c.Data["json"] = object.GetRole(id)
+	c.ServeJSON()
+}
+
+// @Title UpdateRole
+// @Tag Role API
+// @Description update role
+// @Param   id    query    string  true        "The id of the role"
+// @Param   body    body   object.Role  true        "The details of the role"
+// @Success 200 {object} controllers.Response The Response object
+// @router /update-role [post]
+func (c *ApiController) UpdateRole() {
+	id := c.Input().Get("id")
+
+	var role object.Role
+	err := json.Unmarshal(c.Ctx.Input.RequestBody, &role)
+	if err != nil {
+		panic(err)
+	}
+
+	c.Data["json"] = wrapActionResponse(object.UpdateRole(id, &role))
+	c.ServeJSON()
+}
+
+// @Title AddRole
+// @Tag Role API
+// @Description add role
+// @Param   body    body   object.Role  true        "The details of the role"
+// @Success 200 {object} controllers.Response The Response object
+// @router /add-role [post]
+func (c *ApiController) AddRole() {
+	var role object.Role
+	err := json.Unmarshal(c.Ctx.Input.RequestBody, &role)
+	if err != nil {
+		panic(err)
+	}
+
+	c.Data["json"] = wrapActionResponse(object.AddRole(&role))
+	c.ServeJSON()
+}
+
+// @Title DeleteRole
+// @Tag Role API
+// @Description delete role
+// @Param   body    body   object.Role  true        "The details of the role"
+// @Success 200 {object} controllers.Response The Response object
+// @router /delete-role [post]
+func (c *ApiController) DeleteRole() {
+	var role object.Role
+	err := json.Unmarshal(c.Ctx.Input.RequestBody, &role)
+	if err != nil {
+		panic(err)
+	}
+
+	c.Data["json"] = wrapActionResponse(object.DeleteRole(&role))
+	c.ServeJSON()
+}
--- a/controllers/saml.go
+++ b/controllers/saml.go
@ -0,0 +1,33 @@
+// Copyright 2022 The Casdoor Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package controllers
+
+import (
+	"fmt"
+
+	"github.com/casdoor/casdoor/object"
+)
+
+func (c *ApiController) GetSamlMeta() {
+	host := c.Ctx.Request.Host
+	paramApp := c.Input().Get("application")
+	application := object.GetApplication(paramApp)
+	if application == nil {
+		c.ResponseError(fmt.Sprintf("err: application %s not found", paramApp))
+	}
+	metadata, _ := object.GetSamlMeta(application, host)
+	c.Data["xml"] = metadata
+	c.ServeXML()
+}
--- a/controllers/service.go
+++ b/controllers/service.go
@ -1,4 +1,4 @@
-// Copyright 2021 The casbin Authors. All Rights Reserved.
+// Copyright 2021 The Casdoor Authors. All Rights Reserved.
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
@ -21,8 +21,8 @@ import (
 	"encoding/json"
 	"fmt"

-	"github.com/casbin/casdoor/object"
-	"github.com/casbin/casdoor/util"
+	"github.com/casdoor/casdoor/object"
+	"github.com/casdoor/casdoor/util"
 )

 // SendEmail
--- a/controllers/syncer.go
+++ b/controllers/syncer.go
@ -1,4 +1,4 @@
-// Copyright 2021 The casbin Authors. All Rights Reserved.
+// Copyright 2021 The Casdoor Authors. All Rights Reserved.
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
@ -16,10 +16,9 @@ package controllers

 import (
 	"encoding/json"
-
 	"github.com/astaxie/beego/utils/pagination"
-	"github.com/casbin/casdoor/object"
-	"github.com/casbin/casdoor/util"
+	"github.com/casdoor/casdoor/object"
+	"github.com/casdoor/casdoor/util"
 )

 // GetSyncers
@ -33,13 +32,17 @@ func (c *ApiController) GetSyncers() {
 	owner := c.Input().Get("owner")
 	limit := c.Input().Get("pageSize")
 	page := c.Input().Get("p")
+	field := c.Input().Get("field")
+	value := c.Input().Get("value")
+	sortField := c.Input().Get("sortField")
+	sortOrder := c.Input().Get("sortOrder")
 	if limit == "" || page == "" {
 		c.Data["json"] = object.GetSyncers(owner)
 		c.ServeJSON()
 	} else {
 		limit := util.ParseInt(limit)
-		paginator := pagination.SetPaginator(c.Ctx, limit, int64(object.GetSyncerCount(owner)))
-		syncers := object.GetPaginationSyncers(owner, paginator.Offset(), limit)
+		paginator := pagination.SetPaginator(c.Ctx, limit, int64(object.GetSyncerCount(owner, field, value)))
+		syncers := object.GetPaginationSyncers(owner, paginator.Offset(), limit, field, value, sortField, sortOrder)
 		c.ResponseOk(syncers, paginator.Nums())
 	}
 }
@ -110,3 +113,18 @@ func (c *ApiController) DeleteSyncer() {
 	c.Data["json"] = wrapActionResponse(object.DeleteSyncer(&syncer))
 	c.ServeJSON()
 }
+
+// @Title RunSyncer
+// @Tag Syncer API
+// @Description run syncer
+// @Param   body    body   object.Syncer  true        "The details of the syncer"
+// @Success 200 {object} controllers.Response The Response object
+// @router /run-syncer [get]
+func (c *ApiController) RunSyncer() {
+	id := c.Input().Get("id")
+	syncer := object.GetSyncer(id)
+
+	object.RunSyncer(syncer)
+
+	c.ResponseOk()
+}
--- a/controllers/token.go
+++ b/controllers/token.go
@ -1,4 +1,4 @@
-// Copyright 2021 The casbin Authors. All Rights Reserved.
+// Copyright 2021 The Casdoor Authors. All Rights Reserved.
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
@ -16,10 +16,11 @@ package controllers

 import (
 	"encoding/json"
+	"net/http"

 	"github.com/astaxie/beego/utils/pagination"
-	"github.com/casbin/casdoor/object"
-	"github.com/casbin/casdoor/util"
+	"github.com/casdoor/casdoor/object"
+	"github.com/casdoor/casdoor/util"
 )

 // GetTokens
@ -35,13 +36,17 @@ func (c *ApiController) GetTokens() {
 	owner := c.Input().Get("owner")
 	limit := c.Input().Get("pageSize")
 	page := c.Input().Get("p")
+	field := c.Input().Get("field")
+	value := c.Input().Get("value")
+	sortField := c.Input().Get("sortField")
+	sortOrder := c.Input().Get("sortOrder")
 	if limit == "" || page == "" {
 		c.Data["json"] = object.GetTokens(owner)
 		c.ServeJSON()
 	} else {
 		limit := util.ParseInt(limit)
-		paginator := pagination.SetPaginator(c.Ctx, limit, int64(object.GetTokenCount(owner)))
-		tokens := object.GetPaginationTokens(owner, paginator.Offset(), limit)
+		paginator := pagination.SetPaginator(c.Ctx, limit, int64(object.GetTokenCount(owner, field, value)))
+		tokens := object.GetPaginationTokens(owner, paginator.Offset(), limit, field, value, sortField, sortOrder)
 		c.ResponseOk(tokens, paginator.Nums())
 	}
 }
@ -138,7 +143,16 @@ func (c *ApiController) GetOAuthCode() {
 	state := c.Input().Get("state")
 	nonce := c.Input().Get("nonce")

-	c.Data["json"] = object.GetOAuthCode(userId, clientId, responseType, redirectUri, scope, state, nonce)
+	challengeMethod := c.Input().Get("code_challenge_method")
+	codeChallenge := c.Input().Get("code_challenge")
+
+	if challengeMethod != "S256" && challengeMethod != "null" && challengeMethod != "" {
+		c.ResponseError("Challenge method should be S256")
+		return
+	}
+	host := c.Ctx.Request.Host
+
+	c.Data["json"] = object.GetOAuthCode(userId, clientId, responseType, redirectUri, scope, state, nonce, codeChallenge, host)
 	c.ServeJSON()
 }

@ -157,23 +171,47 @@ func (c *ApiController) GetOAuthToken() {
 	clientId := c.Input().Get("client_id")
 	clientSecret := c.Input().Get("client_secret")
 	code := c.Input().Get("code")
+	verifier := c.Input().Get("code_verifier")
+	scope := c.Input().Get("scope")
+	username := c.Input().Get("username")
+	password := c.Input().Get("password")
+	tag := c.Input().Get("tag")
+	avatar := c.Input().Get("avatar")

 	if clientId == "" && clientSecret == "" {
 		clientId, clientSecret, _ = c.Ctx.Request.BasicAuth()
 	}
+	if clientId == "" {
+		// If clientID is empty, try to read data from RequestBody
+		var tokenRequest TokenRequest
+		if err := json.Unmarshal(c.Ctx.Input.RequestBody, &tokenRequest); err == nil {
+			clientId = tokenRequest.ClientId
+			clientSecret = tokenRequest.ClientSecret
+			grantType = tokenRequest.GrantType
+			code = tokenRequest.Code
+			verifier = tokenRequest.Verifier
+			scope = tokenRequest.Scope
+			username = tokenRequest.Username
+			password = tokenRequest.Password
+			tag = tokenRequest.Tag
+			avatar = tokenRequest.Avatar
+		}
+	}
+	host := c.Ctx.Request.Host

-	c.Data["json"] = object.GetOAuthToken(grantType, clientId, clientSecret, code)
+	c.Data["json"] = object.GetOAuthToken(grantType, clientId, clientSecret, code, verifier, scope, username, password, host, tag, avatar)
 	c.ServeJSON()
 }

 // RefreshToken
 // @Title RefreshToken
+// @Tag Token API
 // @Description refresh OAuth access token
 // @Param   grant_type     query    string  true        "OAuth grant type"
 // @Param	refresh_token	query	string	true		"OAuth refresh token"
 // @Param   scope     query    string  true        "OAuth scope"
 // @Param   client_id     query    string  true        "OAuth client id"
-// @Param   client_secret     query    string  true        "OAuth client secret"
+// @Param   client_secret     query    string  false        "OAuth client secret"
 // @Success 200 {object} object.TokenWrapper The Response object
 // @router /login/oauth/refresh_token [post]
 func (c *ApiController) RefreshToken() {
@ -182,7 +220,102 @@ func (c *ApiController) RefreshToken() {
 	scope := c.Input().Get("scope")
 	clientId := c.Input().Get("client_id")
 	clientSecret := c.Input().Get("client_secret")
+	host := c.Ctx.Request.Host

-	c.Data["json"] = object.RefreshToken(grantType, refreshToken, scope, clientId, clientSecret)
+	if clientId == "" {
+		// If clientID is empty, try to read data from RequestBody
+		var tokenRequest TokenRequest
+		if err := json.Unmarshal(c.Ctx.Input.RequestBody, &tokenRequest); err == nil {
+			clientId = tokenRequest.ClientId
+			clientSecret = tokenRequest.ClientSecret
+			grantType = tokenRequest.GrantType
+			scope = tokenRequest.Scope
+			refreshToken = tokenRequest.RefreshToken
+		}
+	}
+
+	c.Data["json"] = object.RefreshToken(grantType, refreshToken, scope, clientId, clientSecret, host)
+	c.ServeJSON()
+}
+
+// TokenLogout
+// @Title TokenLogout
+// @Tag Token API
+// @Description delete token by AccessToken
+// @Param   id_token_hint     query    string  true        "id_token_hint"
+// @Param   post_logout_redirect_uri    query    string  false      "post_logout_redirect_uri"
+// @Param   state     query    string  true        "state"
+// @Success 200 {object} controllers.Response The Response object
+// @router /login/oauth/logout [get]
+func (c *ApiController) TokenLogout() {
+	token := c.Input().Get("id_token_hint")
+	flag, application := object.DeleteTokenByAceessToken(token)
+	redirectUri := c.Input().Get("post_logout_redirect_uri")
+	state := c.Input().Get("state")
+	if application != nil && object.CheckRedirectUriValid(application, redirectUri) {
+		c.Ctx.Redirect(http.StatusFound, redirectUri+"?state="+state)
+		return
+	}
+	c.Data["json"] = wrapActionResponse(flag)
+	c.ServeJSON()
+}
+
+// IntrospectToken
+// @Title IntrospectToken
+// @Description The introspection endpoint is an OAuth 2.0 endpoint that takes a
+//  parameter representing an OAuth 2.0 token and returns a JSON document
+//  representing the meta information surrounding the
+//  token, including whether this token is currently active.
+//  This endpoint only support Basic Authorization.
+// @Param token formData string true "access_token's value or refresh_token's value"
+// @Param token_type_hint formData string true "the token type access_token or refresh_token"
+// @Success 200 {object} object.IntrospectionResponse The Response object
+// @router /login/oauth/introspect [post]
+func (c *ApiController) IntrospectToken() {
+	tokenValue := c.Input().Get("token")
+	clientId, clientSecret, ok := c.Ctx.Request.BasicAuth()
+	if !ok {
+		clientId = c.Input().Get("client_id")
+		clientSecret = c.Input().Get("client_secret")
+		if clientId == "" || clientSecret == "" {
+			c.ResponseError("empty clientId or clientSecret")
+			return
+		}
+	}
+	application := object.GetApplicationByClientId(clientId)
+	if application == nil || application.ClientSecret != clientSecret {
+		c.ResponseError("invalid application or wrong clientSecret")
+		return
+	}
+	token := object.GetTokenByTokenAndApplication(tokenValue, application.Name)
+	if token == nil {
+		c.Data["json"] = &object.IntrospectionResponse{Active: false}
+		c.ServeJSON()
+		return
+	}
+	jwtToken, err := object.ParseJwtTokenByApplication(tokenValue, application)
+	if err != nil || jwtToken.Valid() != nil {
+		// and token revoked case. but we not implement
+		// TODO: 2022-03-03 add token revoked check, when we implemented the Token Revocation(rfc7009) Specs.
+		// refs: https://tools.ietf.org/html/rfc7009
+		c.Data["json"] = &object.IntrospectionResponse{Active: false}
+		c.ServeJSON()
+		return
+	}
+
+	c.Data["json"] = &object.IntrospectionResponse{
+		Active:    true,
+		Scope:     jwtToken.Scope,
+		ClientId:  clientId,
+		Username:  token.User,
+		TokenType: token.TokenType,
+		Exp:       jwtToken.ExpiresAt.Unix(),
+		Iat:       jwtToken.IssuedAt.Unix(),
+		Nbf:       jwtToken.NotBefore.Unix(),
+		Sub:       jwtToken.Subject,
+		Aud:       jwtToken.Audience,
+		Iss:       jwtToken.Issuer,
+		Jti:       jwtToken.Id,
+	}
 	c.ServeJSON()
 }
--- a/controllers/types.go
+++ b/controllers/types.go
@ -0,0 +1,29 @@
+// Copyright 2022 The Casdoor Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package controllers
+
+type TokenRequest struct {
+	GrantType    string `json:"grant_type"`
+	Code         string `json:"code"`
+	ClientId     string `json:"client_id"`
+	ClientSecret string `json:"client_secret"`
+	Verifier     string `json:"code_verifier"`
+	Scope        string `json:"scope"`
+	Username     string `json:"username"`
+	Password     string `json:"password"`
+	Tag          string `json:"tag"`
+	Avatar       string `json:"avatar"`
+	RefreshToken string `json:"refresh_token"`
+}
--- a/controllers/user.go
+++ b/controllers/user.go
@ -1,4 +1,4 @@
-// Copyright 2021 The casbin Authors. All Rights Reserved.
+// Copyright 2021 The Casdoor Authors. All Rights Reserved.
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
@ -20,8 +20,8 @@ import (
 	"strings"

 	"github.com/astaxie/beego/utils/pagination"
-	"github.com/casbin/casdoor/object"
-	"github.com/casbin/casdoor/util"
+	"github.com/casdoor/casdoor/object"
+	"github.com/casdoor/casdoor/util"
 )

 // GetGlobalUsers
@ -33,13 +33,18 @@ import (
 func (c *ApiController) GetGlobalUsers() {
 	limit := c.Input().Get("pageSize")
 	page := c.Input().Get("p")
+	field := c.Input().Get("field")
+	value := c.Input().Get("value")
+	sortField := c.Input().Get("sortField")
+	sortOrder := c.Input().Get("sortOrder")
 	if limit == "" || page == "" {
 		c.Data["json"] = object.GetMaskedUsers(object.GetGlobalUsers())
 		c.ServeJSON()
 	} else {
 		limit := util.ParseInt(limit)
-		paginator := pagination.SetPaginator(c.Ctx, limit, int64(object.GetGlobalUserCount()))
-		users := object.GetPaginationGlobalUsers(paginator.Offset(), limit)
+		paginator := pagination.SetPaginator(c.Ctx, limit, int64(object.GetGlobalUserCount(field, value)))
+		users := object.GetPaginationGlobalUsers(paginator.Offset(), limit, field, value, sortField, sortOrder)
+		users = object.GetMaskedUsers(users)
 		c.ResponseOk(users, paginator.Nums())
 	}
 }
@ -55,13 +60,18 @@ func (c *ApiController) GetUsers() {
 	owner := c.Input().Get("owner")
 	limit := c.Input().Get("pageSize")
 	page := c.Input().Get("p")
+	field := c.Input().Get("field")
+	value := c.Input().Get("value")
+	sortField := c.Input().Get("sortField")
+	sortOrder := c.Input().Get("sortOrder")
 	if limit == "" || page == "" {
 		c.Data["json"] = object.GetMaskedUsers(object.GetUsers(owner))
 		c.ServeJSON()
 	} else {
 		limit := util.ParseInt(limit)
-		paginator := pagination.SetPaginator(c.Ctx, limit, int64(object.GetUserCount(owner)))
-		users := object.GetPaginationUsers(owner, paginator.Offset(), limit)
+		paginator := pagination.SetPaginator(c.Ctx, limit, int64(object.GetUserCount(owner, field, value)))
+		users := object.GetPaginationUsers(owner, paginator.Offset(), limit, field, value, sortField, sortOrder)
+		users = object.GetMaskedUsers(users)
 		c.ResponseOk(users, paginator.Nums())
 	}
 }
@ -77,6 +87,17 @@ func (c *ApiController) GetUser() {
 	id := c.Input().Get("id")
 	owner := c.Input().Get("owner")
 	email := c.Input().Get("email")
+	userOwner, _ := util.GetOwnerAndNameFromId(id)
+	organization := object.GetOrganization(fmt.Sprintf("%s/%s", "admin", userOwner))
+
+	if !organization.IsProfilePublic {
+		requestUserId := c.GetSessionUsername()
+		hasPermission, err := object.CheckUserPermission(requestUserId, id, false)
+		if !hasPermission {
+			c.ResponseError(err.Error())
+			return
+		}
+	}

 	var user *object.User
 	if email == "" {
@ -101,6 +122,10 @@ func (c *ApiController) UpdateUser() {
 	id := c.Input().Get("id")
 	columnsStr := c.Input().Get("columns")

+	if id == "" {
+		id = c.GetSessionUsername()
+	}
+
 	var user object.User
 	err := json.Unmarshal(c.Ctx.Input.RequestBody, &user)
 	if err != nil {
@ -117,7 +142,8 @@ func (c *ApiController) UpdateUser() {
 		columns = strings.Split(columnsStr, ",")
 	}

-	affected := object.UpdateUser(id, &user, columns)
+	isGlobalAdmin := c.IsGlobalAdmin()
+	affected := object.UpdateUser(id, &user, columns, isGlobalAdmin)
 	if affected {
 		object.UpdateUserToOriginalDatabase(&user)
 	}
@ -179,19 +205,23 @@ func (c *ApiController) GetEmailAndPhone() {

 	user := object.GetUserByFields(form.Organization, form.Username)
 	if user == nil {
-		c.ResponseError("No such user.")
+		c.ResponseError(fmt.Sprintf("The user: %s/%s doesn't exist", form.Organization, form.Username))
 		return
 	}

-	respUser := object.User{Email: user.Email, Phone: user.Phone, Name: user.Name}
+	respUser := object.User{Name: user.Name}
 	var contentType string
 	switch form.Username {
 	case user.Email:
 		contentType = "email"
+		respUser.Email = user.Email
 	case user.Phone:
 		contentType = "phone"
+		respUser.Phone = user.Phone
 	case user.Name:
 		contentType = "username"
+		respUser.Email = util.GetMaskedEmail(user.Email)
+		respUser.Phone = util.GetMaskedPhone(user.Phone)
 	}

 	c.ResponseOk(respUser, contentType)
@ -214,38 +244,16 @@ func (c *ApiController) SetPassword() {
 	newPassword := c.Ctx.Request.Form.Get("newPassword")

 	requestUserId := c.GetSessionUsername()
-	if requestUserId == "" {
-		c.ResponseError("Please login first.")
-		return
-	}
-	requestUser := object.GetUser(requestUserId)
-	if requestUser == nil {
-		c.ResponseError("Session outdated. Please login again.")
-		return
-	}
-
 	userId := fmt.Sprintf("%s/%s", userOwner, userName)
-	targetUser := object.GetUser(userId)
-	if targetUser == nil {
-		c.ResponseError(fmt.Sprintf("The user: %s doesn't exist", userId))
-		return
-	}
-
-	hasPermission := false
-
-	if requestUser.IsGlobalAdmin {
-		hasPermission = true
-	} else if requestUserId == userId {
-		hasPermission = true
-	} else if targetUser.Owner == requestUser.Owner && requestUser.IsAdmin {
-		hasPermission = true
-	}

+	hasPermission, err := object.CheckUserPermission(requestUserId, userId, true)
 	if !hasPermission {
-		c.ResponseError("You don't have the permission to do this.")
+		c.ResponseError(err.Error())
 		return
 	}

+	targetUser := object.GetUser(userId)
+
 	if oldPassword != "" {
 		msg := object.CheckPassword(targetUser, oldPassword)
 		if msg != "" {
@ -264,8 +272,6 @@ func (c *ApiController) SetPassword() {
 		return
 	}

-	c.SetSessionUsername("")
-
 	targetUser.Password = newPassword
 	object.SetUserField(targetUser, "password", targetUser.Password)
 	c.Data["json"] = Response{Status: "ok"}
@ -322,7 +328,7 @@ func (c *ApiController) GetUserCount() {

 	count := 0
 	if isOnline == "" {
-		count = object.GetUserCount(owner)
+		count = object.GetUserCount(owner, "", "")
 	} else {
 		count = object.GetOnlineUserCount(owner, util.ParseInt(isOnline))
 	}
--- a/controllers/user_upload.go
+++ b/controllers/user_upload.go
@ -0,0 +1,60 @@
+// Copyright 2021 The Casdoor Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package controllers
+
+import (
+	"fmt"
+	"io"
+	"mime/multipart"
+	"os"
+
+	"github.com/casdoor/casdoor/object"
+	"github.com/casdoor/casdoor/util"
+)
+
+func saveFile(path string, file *multipart.File) {
+	f, err := os.Create(path)
+	if err != nil {
+		panic(err)
+	}
+	defer f.Close()
+
+	_, err = io.Copy(f, *file)
+	if err != nil {
+		panic(err)
+	}
+}
+
+func (c *ApiController) UploadUsers() {
+	userId := c.GetSessionUsername()
+	owner, user := util.GetOwnerAndNameFromId(userId)
+
+	file, header, err := c.Ctx.Request.FormFile("file")
+	if err != nil {
+		panic(err)
+	}
+	fileId := fmt.Sprintf("%s_%s_%s", owner, user, util.RemoveExt(header.Filename))
+
+	path := util.GetUploadXlsxPath(fileId)
+	util.EnsureFileFolderExists(path)
+	saveFile(path, &file)
+
+	affected := object.UploadUsers(owner, fileId)
+	if affected {
+		c.ResponseOk()
+	} else {
+		c.ResponseError("Failed to import users")
+	}
+}
--- a/controllers/util.go
+++ b/controllers/util.go
@ -1,4 +1,4 @@
-// Copyright 2021 The casbin Authors. All Rights Reserved.
+// Copyright 2021 The Casdoor Authors. All Rights Reserved.
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
@ -18,9 +18,9 @@ import (
 	"fmt"
 	"strconv"

-	"github.com/astaxie/beego"
-	"github.com/casbin/casdoor/object"
-	"github.com/casbin/casdoor/util"
+	"github.com/casdoor/casdoor/conf"
+	"github.com/casdoor/casdoor/object"
+	"github.com/casdoor/casdoor/util"
 )

 // ResponseOk ...
@ -62,7 +62,7 @@ func (c *ApiController) RequireSignedIn() (string, bool) {
 }

 func getInitScore() int {
-	score, err := strconv.Atoi(beego.AppConfig.String("initScore"))
+	score, err := strconv.Atoi(conf.GetConfigString("initScore"))
 	if err != nil {
 		panic(err)
 	}
--- a/controllers/verification.go
+++ b/controllers/verification.go
@ -1,4 +1,4 @@
-// Copyright 2021 The casbin Authors. All Rights Reserved.
+// Copyright 2021 The Casdoor Authors. All Rights Reserved.
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
@ -19,8 +19,8 @@ import (
 	"fmt"
 	"strings"

-	"github.com/casbin/casdoor/object"
-	"github.com/casbin/casdoor/util"
+	"github.com/casdoor/casdoor/object"
+	"github.com/casdoor/casdoor/util"
 )

 func (c *ApiController) getCurrentUser() *object.User {
@ -68,15 +68,22 @@ func (c *ApiController) SendVerificationCode() {
 	organization := object.GetOrganization(orgId)
 	application := object.GetApplicationByOrganizationName(organization.Name)

-	if checkUser == "true" && user == nil &&
-		object.GetUserByFields(organization.Name, dest) == nil {
-		c.ResponseError("No such user.")
+	if checkUser == "true" && user == nil && object.GetUserByFields(organization.Name, dest) == nil {
+		c.ResponseError("Please login first")
 		return
 	}

-	sendResp := errors.New("Invalid dest type.")
+	sendResp := errors.New("Invalid dest type")
+
+	if user == nil && checkUser != "" && checkUser != "true" {
+		_, name := util.GetOwnerAndNameFromId(orgId)
+		user = object.GetUser(fmt.Sprintf("%s/%s", name, checkUser))
+	}
 	switch destType {
 	case "email":
+		if user != nil && util.GetMaskedEmail(user.Email) == dest {
+			dest = user.Email
+		}
 		if !util.IsEmailValid(dest) {
 			c.ResponseError("Invalid Email address")
 			return
@ -85,6 +92,9 @@ func (c *ApiController) SendVerificationCode() {
 		provider := application.GetEmailProvider()
 		sendResp = object.SendVerificationCodeToEmail(organization, user, provider, remoteAddr, dest)
 	case "phone":
+		if user != nil && util.GetMaskedPhone(user.Phone) == dest {
+			dest = user.Phone
+		}
 		if !util.IsPhoneCnValid(dest) {
 			c.ResponseError("Invalid phone number")
 			return
@ -121,7 +131,7 @@ func (c *ApiController) ResetEmailOrPhone() {

 	user := object.GetUser(userId)
 	if user == nil {
-		c.ResponseError("No such user.")
+		c.ResponseError(fmt.Sprintf("The user: %s doesn't exist", userId))
 		return
 	}

--- a/controllers/webhook.go
+++ b/controllers/webhook.go
@ -1,4 +1,4 @@
-// Copyright 2021 The casbin Authors. All Rights Reserved.
+// Copyright 2021 The Casdoor Authors. All Rights Reserved.
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
@ -18,8 +18,8 @@ import (
 	"encoding/json"

 	"github.com/astaxie/beego/utils/pagination"
-	"github.com/casbin/casdoor/object"
-	"github.com/casbin/casdoor/util"
+	"github.com/casdoor/casdoor/object"
+	"github.com/casdoor/casdoor/util"
 )

 // GetWebhooks
@ -33,13 +33,17 @@ func (c *ApiController) GetWebhooks() {
 	owner := c.Input().Get("owner")
 	limit := c.Input().Get("pageSize")
 	page := c.Input().Get("p")
+	field := c.Input().Get("field")
+	value := c.Input().Get("value")
+	sortField := c.Input().Get("sortField")
+	sortOrder := c.Input().Get("sortOrder")
 	if limit == "" || page == "" {
 		c.Data["json"] = object.GetWebhooks(owner)
 		c.ServeJSON()
 	} else {
 		limit := util.ParseInt(limit)
-		paginator := pagination.SetPaginator(c.Ctx, limit, int64(object.GetWebhookCount(owner)))
-		webhooks := object.GetPaginationWebhooks(owner, paginator.Offset(), limit)
+		paginator := pagination.SetPaginator(c.Ctx, limit, int64(object.GetWebhookCount(owner, field, value)))
+		webhooks := object.GetPaginationWebhooks(owner, paginator.Offset(), limit, field, value, sortField, sortOrder)
 		c.ResponseOk(webhooks, paginator.Nums())
 	}
 }
--- a/cred/argon2id.go
+++ b/cred/argon2id.go
@ -0,0 +1,38 @@
+// Copyright 2022 The Casdoor Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package cred
+
+import "github.com/alexedwards/argon2id"
+
+type Argon2idCredManager struct{}
+
+func NewArgon2idCredManager() *Argon2idCredManager {
+	cm := &Argon2idCredManager{}
+	return cm
+}
+
+func (cm *Argon2idCredManager) GetHashedPassword(password string, userSalt string, organizationSalt string) string {
+
+	hash, err := argon2id.CreateHash(password, argon2id.DefaultParams)
+	if err != nil {
+		return ""
+	}
+	return hash
+}
+
+func (cm *Argon2idCredManager) IsPasswordCorrect(plainPwd string, hashedPwd string, userSalt string, organizationSalt string) bool {
+	match, _ := argon2id.ComparePasswordAndHash(plainPwd, hashedPwd)
+	return match
+}
--- a/cred/manager.go
+++ b/cred/manager.go
@ -1,4 +1,4 @@
-// Copyright 2021 The casbin Authors. All Rights Reserved.
+// Copyright 2021 The Casdoor Authors. All Rights Reserved.
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
@ -28,6 +28,10 @@ func GetCredManager(passwordType string) CredManager {
 		return NewMd5UserSaltCredManager()
 	} else if passwordType == "bcrypt" {
 		return NewBcryptCredManager()
+	} else if passwordType == "pbkdf2-salt" {
+		return NewPbkdf2SaltCredManager()
+	} else if passwordType == "argon2id" {
+		return NewArgon2idCredManager()
 	}
 	return nil
 }
--- a/cred/md5-user-salt.go
+++ b/cred/md5-user-salt.go
@ -1,4 +1,4 @@
-// Copyright 2021 The casbin Authors. All Rights Reserved.
+// Copyright 2021 The Casdoor Authors. All Rights Reserved.
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
@ -32,8 +32,8 @@ func getMd5HexDigest(s string) string {
 	return res
 }

-func NewMd5UserSaltCredManager() *Sha256SaltCredManager {
-	cm := &Sha256SaltCredManager{}
+func NewMd5UserSaltCredManager() *Md5UserSaltCredManager {
+	cm := &Md5UserSaltCredManager{}
 	return cm
 }

--- a/cred/pbkdf2-salt.go
+++ b/cred/pbkdf2-salt.go
@ -0,0 +1,39 @@
+// Copyright 2022 The Casdoor Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package cred
+
+import (
+	"crypto/sha256"
+	"encoding/base64"
+	"golang.org/x/crypto/pbkdf2"
+)
+
+type Pbkdf2SaltCredManager struct{}
+
+func NewPbkdf2SaltCredManager() *Pbkdf2SaltCredManager {
+	cm := &Pbkdf2SaltCredManager{}
+	return cm
+}
+
+func (cm *Pbkdf2SaltCredManager) GetHashedPassword(password string, userSalt string, organizationSalt string) string {
+	// https://www.keycloak.org/docs/latest/server_admin/index.html#password-database-compromised
+	decodedSalt, _ := base64.StdEncoding.DecodeString(userSalt)
+	res := pbkdf2.Key([]byte(password), decodedSalt, 27500, 64, sha256.New)
+	return base64.StdEncoding.EncodeToString(res)
+}
+
+func (cm *Pbkdf2SaltCredManager) IsPasswordCorrect(plainPwd string, hashedPwd string, userSalt string, organizationSalt string) bool {
+	return hashedPwd == cm.GetHashedPassword(plainPwd, userSalt, organizationSalt)
+}
--- a/cred/plain.go
+++ b/cred/plain.go
@ -1,4 +1,4 @@
-// Copyright 2021 The casbin Authors. All Rights Reserved.
+// Copyright 2021 The Casdoor Authors. All Rights Reserved.
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
--- a/cred/sha256-salt.go
+++ b/cred/sha256-salt.go
@ -1,4 +1,4 @@
-// Copyright 2021 The casbin Authors. All Rights Reserved.
+// Copyright 2021 The Casdoor Authors. All Rights Reserved.
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
--- a/cred/sha256-salt_test.go
+++ b/cred/sha256-salt_test.go
@ -1,4 +1,4 @@
-// Copyright 2021 The casbin Authors. All Rights Reserved.
+// Copyright 2021 The Casdoor Authors. All Rights Reserved.
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
--- a/docker-compose.yml
+++ b/docker-compose.yml
@ -1,20 +1,25 @@
 version: '3.1'
 services:
  casdoor:
+    restart: always
    build:
      context: ./
      dockerfile: Dockerfile
+    entrypoint: /bin/sh -c './server --createDatabase=true'
    ports:
      - "8000:8000"
    depends_on:
      - db
    environment:
      RUNNING_IN_DOCKER: "true"
+    extra_hosts:
+      - "host.docker.internal:host-gateway"
    volumes:
      - ./conf:/conf/
  db:
    restart: always
    image: mysql:8.0.25
+    platform: linux/amd64
    ports:
      - "3306:3306"
    environment:
--- a/go.mod
+++ b/go.mod
@ -1,39 +1,45 @@
-module github.com/casbin/casdoor
+module github.com/casdoor/casdoor

 go 1.16

 require (
-	github.com/aliyun/aliyun-oss-go-sdk v2.1.6+incompatible // indirect
+	github.com/RobotsAndPencils/go-saml v0.0.0-20170520135329-fb13cb52a46b
+	github.com/alexedwards/argon2id v0.0.0-20211130144151-3585854a6387
 	github.com/astaxie/beego v1.12.3
-	github.com/aws/aws-sdk-go v1.37.30
-	github.com/baiyubin/aliyun-sts-go-sdk v0.0.0-20180326062324-cfa1a18b161f // indirect
+	github.com/aws/aws-sdk-go v1.44.4
+	github.com/beevik/etree v1.1.0
 	github.com/casbin/casbin/v2 v2.30.1
-	github.com/casbin/xorm-adapter/v2 v2.3.1
-	github.com/casdoor/go-sms-sender v0.0.5
+	github.com/casbin/xorm-adapter/v2 v2.5.1
+	github.com/casdoor/go-sms-sender v0.2.0
+	github.com/casdoor/goth v1.69.0-FIX1
+	github.com/casdoor/oss v1.2.0
 	github.com/dchest/captcha v0.0.0-20200903113550-03f5f0333e1f
 	github.com/go-gomail/gomail v0.0.0-20160411212932-81ebce5c23df
 	github.com/go-ldap/ldap/v3 v3.3.0
+	github.com/go-pay/gopay v1.5.72
 	github.com/go-sql-driver/mysql v1.5.0
-	github.com/golang-jwt/jwt/v4 v4.1.0
+	github.com/golang-jwt/jwt/v4 v4.2.0
 	github.com/google/uuid v1.2.0
-	github.com/jinzhu/configor v1.2.1 // indirect
-	github.com/markbates/goth v1.68.1-0.20211006204042-9dc8905b41c8
-	github.com/mileusna/crontab v1.0.1
+	github.com/kardianos/osext v0.0.0-20190222173326-2bc1f35cddc0 // indirect
+	github.com/lestrrat-go/jwx v0.9.0
+	github.com/nu7hatch/gouuid v0.0.0-20131221200532-179d4d0c4d8d // indirect
 	github.com/qiangmzsx/string-adapter/v2 v2.1.0
-	github.com/qor/oss v0.0.0-20191031055114-aef9ba66bf76
+	github.com/robfig/cron/v3 v3.0.1
 	github.com/russellhaering/gosaml2 v0.6.0
 	github.com/russellhaering/goxmldsig v1.1.1
-	github.com/satori/go.uuid v1.2.0 // indirect
+	github.com/satori/go.uuid v1.2.0
 	github.com/smartystreets/goconvey v1.6.4 // indirect
+	github.com/stretchr/testify v1.7.0
+	github.com/tealeg/xlsx v1.0.5
 	github.com/thanhpk/randstr v1.0.4
-	golang.org/x/crypto v0.0.0-20211215153901-e495a2d5b3d3
-	golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2
+	golang.org/x/crypto v0.0.0-20220208233918-bba287dce954
+	golang.org/x/net v0.0.0-20220127200216-cd36cc0744dd
 	golang.org/x/oauth2 v0.0.0-20210628180205-a41e5a781914
-	golang.org/x/time v0.0.0-20210220033141-f8bda1e9f3ba // indirect
 	gopkg.in/alexcesaro/quotedprintable.v3 v3.0.0-20150716171945-2caba252f4dc // indirect
 	gopkg.in/gomail.v2 v2.0.0-20160411212932-81ebce5c23df // indirect
 	gopkg.in/ini.v1 v1.62.0 // indirect
 	gopkg.in/square/go-jose.v2 v2.6.0
+	gopkg.in/yaml.v2 v2.3.0 // indirect
 	xorm.io/core v0.7.2
-	xorm.io/xorm v1.0.3
+	xorm.io/xorm v1.0.4
 )
--- a/go.sum
+++ b/go.sum
@ -35,6 +35,21 @@ cloud.google.com/go/storage v1.10.0/go.mod h1:FLPqc6j+Ki4BU591ie1oL6qBQGu2Bl/tZ9
 dmitri.shuralyov.com/gpu/mtl v0.0.0-20190408044501-666a987793e9/go.mod h1:H6x//7gZCb22OMCxBHrMx7a5I7Hp++hsVxbQ4BYO7hU=
 gitea.com/xorm/sqlfiddle v0.0.0-20180821085327-62ce714f951a h1:lSA0F4e9A2NcQSqGqTOXqu2aRi/XEQxDCBwM8yJtE6s=
 gitea.com/xorm/sqlfiddle v0.0.0-20180821085327-62ce714f951a/go.mod h1:EXuID2Zs0pAQhH8yz+DNjUbjppKQzKFAn28TMYPB6IU=
+github.com/Azure/azure-pipeline-go v0.2.3 h1:7U9HBg1JFK3jHl5qmo4CTZKFTVgMwdFHMVtCdfBE21U=
+github.com/Azure/azure-pipeline-go v0.2.3/go.mod h1:x841ezTBIMG6O3lAcl8ATHnsOPVl2bqk7S3ta6S6u4k=
+github.com/Azure/azure-storage-blob-go v0.15.0 h1:rXtgp8tN1p29GvpGgfJetavIG0V7OgcSXPpwp3tx6qk=
+github.com/Azure/azure-storage-blob-go v0.15.0/go.mod h1:vbjsVbX0dlxnRc4FFMPsS9BsJWPcne7GB7onqlPvz58=
+github.com/Azure/go-autorest v14.2.0+incompatible h1:V5VMDjClD3GiElqLWO7mz2MxNAK/vTfRHdAubSIPRgs=
+github.com/Azure/go-autorest v14.2.0+incompatible/go.mod h1:r+4oMnoxhatjLLJ6zxSWATqVooLgysK6ZNox3g/xq24=
+github.com/Azure/go-autorest/autorest/adal v0.9.13 h1:Mp5hbtOePIzM8pJVRa3YLrWWmZtoxRXqUEzCfJt3+/Q=
+github.com/Azure/go-autorest/autorest/adal v0.9.13/go.mod h1:W/MM4U6nLxnIskrw4UwWzlHfGjwUS50aOsc/I3yuU8M=
+github.com/Azure/go-autorest/autorest/date v0.3.0 h1:7gUk1U5M/CQbp9WoqinNzJar+8KY+LPI6wiWrP/myHw=
+github.com/Azure/go-autorest/autorest/date v0.3.0/go.mod h1:BI0uouVdmngYNUzGWeSYnokU+TrmwEsOqdt8Y6sso74=
+github.com/Azure/go-autorest/autorest/mocks v0.4.1/go.mod h1:LTp+uSrOhSkaKrUy935gNZuuIPPVsHlr9DSOxSayd+k=
+github.com/Azure/go-autorest/logger v0.2.1 h1:IG7i4p/mDa2Ce4TRyAO8IHnVhAVF3RFU+ZtXWSmf4Tg=
+github.com/Azure/go-autorest/logger v0.2.1/go.mod h1:T9E3cAhj2VqvPOtCYAvby9aBXkZmbF5NWuPV8+WeEW8=
+github.com/Azure/go-autorest/tracing v0.6.0 h1:TYi4+3m5t6K48TGI9AUdb+IzbnSxvnvUMfuitfgcfuo=
+github.com/Azure/go-autorest/tracing v0.6.0/go.mod h1:+vhtPC754Xsa23ID7GlGsrdKBpUA79WCAKPPZVC2DeU=
 github.com/Azure/go-ntlmssp v0.0.0-20200615164410-66371956d46c h1:/IBSNwUN8+eKzUzbJPqhK839ygXJ82sde8x3ogr6R28=
 github.com/Azure/go-ntlmssp v0.0.0-20200615164410-66371956d46c/go.mod h1:chxPXzSsl7ZWRAuOIE23GDNzjWuZquvFlgA8xmpunjU=
 github.com/BurntSushi/toml v0.3.1 h1:WXkYYl6Yr3qBf1K79EBnL4mak0OimBfB0XUf9Vl28OQ=
@ -44,22 +59,26 @@ github.com/Knetic/govaluate v3.0.0+incompatible/go.mod h1:r7JcOSlj0wfOMncg0iLm8L
 github.com/Knetic/govaluate v3.0.1-0.20171022003610-9aa49832a739+incompatible h1:1G1pk05UrOh0NlF1oeaaix1x8XzrfjIDK47TY0Zehcw=
 github.com/Knetic/govaluate v3.0.1-0.20171022003610-9aa49832a739+incompatible/go.mod h1:r7JcOSlj0wfOMncg0iLm8Leh48TZaKVeNIfJntJ2wa0=
 github.com/PuerkitoBio/goquery v1.5.1/go.mod h1:GsLWisAFVj4WgDibEWF4pvYnkVQBpKBKeU+7zCJoLcc=
+github.com/RobotsAndPencils/go-saml v0.0.0-20170520135329-fb13cb52a46b h1:EgJ6N2S0h1WfFIjU5/VVHWbMSVYXAluop97Qxpr/lfQ=
+github.com/RobotsAndPencils/go-saml v0.0.0-20170520135329-fb13cb52a46b/go.mod h1:3SAoF0F5EbcOuBD5WT9nYkbIJieBS84cUQXADbXeBsU=
 github.com/alecthomas/template v0.0.0-20160405071501-a0175ee3bccc/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc=
 github.com/alecthomas/template v0.0.0-20190718012654-fb15b899a751/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc=
 github.com/alecthomas/units v0.0.0-20151022065526-2efee857e7cf/go.mod h1:ybxpYRFXyAe+OPACYpWeL0wqObRcbAqCMya13uyzqw0=
 github.com/alecthomas/units v0.0.0-20190717042225-c3de453c63f4/go.mod h1:ybxpYRFXyAe+OPACYpWeL0wqObRcbAqCMya13uyzqw0=
+github.com/alexedwards/argon2id v0.0.0-20211130144151-3585854a6387 h1:loy0fjI90vF44BPW4ZYOkE3tDkGTy7yHURusOJimt+I=
+github.com/alexedwards/argon2id v0.0.0-20211130144151-3585854a6387/go.mod h1:GuR5j/NW7AU7tDAQUDGCtpiPxWIOy/c3kiRDnlwiCHc=
 github.com/alicebob/gopher-json v0.0.0-20180125190556-5a6b3ba71ee6/go.mod h1:SGnFV6hVsYE877CKEZ6tDNTjaSXYUk6QqoIK6PrAtcc=
 github.com/alicebob/miniredis v2.5.0+incompatible/go.mod h1:8HZjEj4yU0dwhYHky+DxYx+6BMjkBbe5ONFIF1MXffk=
 github.com/aliyun/alibaba-cloud-sdk-go v1.61.1075 h1:Z0SzZttfYI/raZ5O9WF3cezZJTSW4Yz4Kow9uWdyRwg=
 github.com/aliyun/alibaba-cloud-sdk-go v1.61.1075/go.mod h1:pUKYbK5JQ+1Dfxk80P0qxGqe5dkxDoabbZS7zOcouyA=
-github.com/aliyun/aliyun-oss-go-sdk v2.1.6+incompatible h1:Ft+KeWIJxFP76LqgJbvtOA1qBIoC8vGkTV3QeCOeJC4=
-github.com/aliyun/aliyun-oss-go-sdk v2.1.6+incompatible/go.mod h1:T/Aws4fEfogEE9v+HPhhw+CntffsBHJ8nXQCwKr0/g8=
+github.com/aliyun/aliyun-oss-go-sdk v2.2.2+incompatible h1:9gWa46nstkJ9miBReJcN8Gq34cBFbzSpQZVVT9N09TM=
+github.com/aliyun/aliyun-oss-go-sdk v2.2.2+incompatible/go.mod h1:T/Aws4fEfogEE9v+HPhhw+CntffsBHJ8nXQCwKr0/g8=
 github.com/andybalholm/cascadia v1.1.0/go.mod h1:GsXiBklL0woXo1j/WYWtSYYC4ouU9PqHO0sqidkEA4Y=
 github.com/astaxie/beego v1.12.3 h1:SAQkdD2ePye+v8Gn1r4X6IKZM1wd28EyUOVQ3PDSOOQ=
 github.com/astaxie/beego v1.12.3/go.mod h1:p3qIm0Ryx7zeBHLljmd7omloyca1s4yu1a8kM1FkpIA=
 github.com/avast/retry-go v3.0.0+incompatible/go.mod h1:XtSnn+n/sHqQIpZ10K1qAevBhOOCWBLXXy3hyiqqBrY=
-github.com/aws/aws-sdk-go v1.37.30 h1:fZeVg3QuTkWE/dEvPQbK6AL32+3G9ofJfGFSPS1XLH0=
-github.com/aws/aws-sdk-go v1.37.30/go.mod h1:hcU610XS61/+aQV88ixoOzUoG7v3b31pl2zKMmprdro=
+github.com/aws/aws-sdk-go v1.44.4 h1:ePN0CVJMdiz2vYUcJH96eyxRrtKGSDMgyhP6rah2OgE=
+github.com/aws/aws-sdk-go v1.44.4/go.mod h1:y4AeaBuwd2Lk+GepC1E9v0qOiTws0MIWAX4oIKwKHZo=
 github.com/baiyubin/aliyun-sts-go-sdk v0.0.0-20180326062324-cfa1a18b161f h1:ZNv7On9kyUzm7fvRZumSyy/IUiSC7AzL0I1jKKtwooA=
 github.com/baiyubin/aliyun-sts-go-sdk v0.0.0-20180326062324-cfa1a18b161f/go.mod h1:AuiFmCCPBSrqvVMvuqFuk0qogytodnVFVSN5CeJB8Gc=
 github.com/beego/goyaml2 v0.0.0-20130207012346-5545475820dd/go.mod h1:1b+Y/CofkYwXMUU0OhQqGvsY2Bvgr4j6jfT699wyZKQ=
@ -74,13 +93,17 @@ github.com/bradfitz/gomemcache v0.0.0-20180710155616-bc664df96737/go.mod h1:PmM6
 github.com/casbin/casbin v1.7.0 h1:PuzlE8w0JBg/DhIqnkF1Dewf3z+qmUZMVN07PonvVUQ=
 github.com/casbin/casbin v1.7.0/go.mod h1:c67qKN6Oum3UF5Q1+BByfFxkwKvhwW57ITjqwtzR1KE=
 github.com/casbin/casbin/v2 v2.1.0/go.mod h1:YcPU1XXisHhLzuxH9coDNf2FbKpjGlbCg3n9yuLkIJQ=
-github.com/casbin/casbin/v2 v2.25.5/go.mod h1:wUgota0cQbTXE6Vd+KWpg41726jFRi7upxio0sR+Xd0=
+github.com/casbin/casbin/v2 v2.28.3/go.mod h1:vByNa/Fchek0KZUgG5wEsl7iFsiviAYKRtgrQfcJqHg=
 github.com/casbin/casbin/v2 v2.30.1 h1:P5HWadDL7olwUXNdcuKUBk+x75Y2eitFxYTcLNKeKF0=
 github.com/casbin/casbin/v2 v2.30.1/go.mod h1:vByNa/Fchek0KZUgG5wEsl7iFsiviAYKRtgrQfcJqHg=
-github.com/casbin/xorm-adapter/v2 v2.3.1 h1:RVGsM6KYFP9s4OQJXrP/gv56Wmt5P40mzvcyXgv5xeg=
-github.com/casbin/xorm-adapter/v2 v2.3.1/go.mod h1:GZ+nlIdasVFunQ71SlvkL/HcQQBvFncphDf+2Yl167c=
-github.com/casdoor/go-sms-sender v0.0.5 h1:9qhlMM+UoSOvvY7puUULqSHBBA7fbe02Px/tzchQboo=
-github.com/casdoor/go-sms-sender v0.0.5/go.mod h1:TMM/BsZQAa+7JVDXl2KqgxnzZgCjmHEX5MBN662mM5M=
+github.com/casbin/xorm-adapter/v2 v2.5.1 h1:BkpIxRHKa0s3bSMx173PpuU7oTs+Zw7XmD0BIta0HGM=
+github.com/casbin/xorm-adapter/v2 v2.5.1/go.mod h1:AeH4dBKHC9/zYxzdPVHhPDzF8LYLqjDdb767CWJoV54=
+github.com/casdoor/go-sms-sender v0.2.0 h1:52bin4EBOPzOee64s9UK7jxd22FODvT9/+Y/Z+PSHpg=
+github.com/casdoor/go-sms-sender v0.2.0/go.mod h1:fsZsNnALvFIo+HFcE1U/oCQv4ZT42FdglXKMsEm3WSk=
+github.com/casdoor/goth v1.69.0-FIX1 h1:24Y3tfaJxWGJbxickGe3F9y2c8X1PgsQynhxGXV1f9Q=
+github.com/casdoor/goth v1.69.0-FIX1/go.mod h1:Om55nRo8CkeDkPSNBbzXW4G5uI28ZUkSk5S69dPek3s=
+github.com/casdoor/oss v1.2.0 h1:ozLAE+nnNdFQBWbzH8U9spzaO8h8NrB57lBcdyMUUQ8=
+github.com/casdoor/oss v1.2.0/go.mod h1:qii35VBuxnR/uEuYSKpS0aJ8htQFOcCVsZ4FHgHLuss=
 github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU=
 github.com/cespare/xxhash/v2 v2.1.1 h1:6MnRN8NT7+YBpUIWxHtefFZOKTAPgGjpQSxqLNn0+qY=
 github.com/cespare/xxhash/v2 v2.1.1/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
@ -109,6 +132,8 @@ github.com/envoyproxy/go-control-plane v0.9.0/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymF
 github.com/envoyproxy/go-control-plane v0.9.1-0.20191026205805-5f8ba28d4473/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4=
 github.com/envoyproxy/go-control-plane v0.9.4/go.mod h1:6rpuAdCZL397s3pYoYcLgu1mIlRU8Am5FuJP05cCM98=
 github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c=
+github.com/form3tech-oss/jwt-go v3.2.2+incompatible h1:TcekIExNqud5crz4xD2pavyTgWiPvpYe4Xau31I0PRk=
+github.com/form3tech-oss/jwt-go v3.2.2+incompatible/go.mod h1:pbq4aXjuKjdthFRnoDwaVPLA+WlJuPGy+QneDUgJi2k=
 github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo=
 github.com/glendc/gopher-json v0.0.0-20170414221815-dc4743023d0c/go.mod h1:Gja1A+xZ9BoviGJNA2E9vFkPjjsl+CoJxSXiQM1UXtw=
 github.com/go-asn1-ber/asn1-ber v1.5.1 h1:pDbRAunXzIUXfx4CB2QJFv5IuPiuoW+sWvr/Us009o8=
@ -124,6 +149,14 @@ github.com/go-ldap/ldap/v3 v3.3.0 h1:lwx+SJpgOHd8tG6SumBQZXCmNX51zM8B1cfxJ5gv4tQ
 github.com/go-ldap/ldap/v3 v3.3.0/go.mod h1:iYS1MdmrmceOJ1QOTnRXrIs7i3kloqtmGQjRvjKpyMg=
 github.com/go-logfmt/logfmt v0.3.0/go.mod h1:Qt1PoO58o5twSAckw1HlFXLmHsOX5/0LbT9GBnD5lWE=
 github.com/go-logfmt/logfmt v0.4.0/go.mod h1:3RMwSq7FuexP4Kalkev3ejPJsZTpXXBr9+V4qmtdjCk=
+github.com/go-pay/gopay v1.5.72 h1:3zm64xMBhJBa8rXbm//q5UiGgOa4WO5XYEnU394N2Zw=
+github.com/go-pay/gopay v1.5.72/go.mod h1:0qOGIJuFW7PKDOjmecwKyW0mgsVImgwB9yPJj0ilpn8=
+github.com/go-playground/assert/v2 v2.0.1/go.mod h1:VDjEfimB/XKnb+ZQfWdccd7VUvScMdVu0Titje2rxJ4=
+github.com/go-playground/locales v0.13.0/go.mod h1:taPMhCMXrRLJO55olJkUXHZBHCxTMfnGwq/HNwmWNS8=
+github.com/go-playground/locales v0.14.0/go.mod h1:sawfccIbzZTqEDETgFXqTho0QybSa7l++s0DH+LDiLs=
+github.com/go-playground/universal-translator v0.17.0/go.mod h1:UkSxE5sNxxRwHyU+Scu5vgOQjsIJAF8j9muTVoKLVtA=
+github.com/go-playground/universal-translator v0.18.0/go.mod h1:UvRDBj+xPUEGrFYl+lu/H90nyDXpg0fqeB/AQUGNTVA=
+github.com/go-playground/validator/v10 v10.8.0/go.mod h1:9JhgTzTaE31GZDpH/HSvHiRJrJ3iKAgqqH0Bl/Ocjdk=
 github.com/go-redis/redis v6.14.2+incompatible/go.mod h1:NAIEuMOZ/fxfXJIrKDQDz8wamY7mA7PouImQ2Jvg6kA=
 github.com/go-sql-driver/mysql v1.4.1/go.mod h1:zAC/RDZ24gD3HViQzih4MyKcchzm+sOG5ZlKdlhCg5w=
 github.com/go-sql-driver/mysql v1.5.0 h1:ozyZYNQW3x3HtqT1jira07DN2PArx2v7/mN66gGcHOs=
@ -131,10 +164,8 @@ github.com/go-sql-driver/mysql v1.5.0/go.mod h1:DCzpHaOWr8IXmIStZouvnhqoel9Qv2LB
 github.com/go-stack/stack v1.8.0/go.mod h1:v0f6uXyyMGvRgIKkXu+yp6POWl0qKG85gN/melR3HDY=
 github.com/gogo/protobuf v1.1.1/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7atdtwQ=
 github.com/goji/httpauth v0.0.0-20160601135302-2da839ab0f4d/go.mod h1:nnjvkQ9ptGaCkuDUx6wNykzzlUixGxvkme+H/lnzb+A=
-github.com/golang-jwt/jwt v3.2.1+incompatible h1:73Z+4BJcrTC+KczS6WvTPvRGOp1WmfEP4Q1lOd9Z/+c=
-github.com/golang-jwt/jwt v3.2.1+incompatible/go.mod h1:8pz2t5EyA70fFQQSrl6XZXzqecmYZeUEB8OUGHkxJ+I=
-github.com/golang-jwt/jwt/v4 v4.1.0 h1:XUgk2Ex5veyVFVeLm0xhusUTQybEbexJXrvPNOKkSY0=
-github.com/golang-jwt/jwt/v4 v4.1.0/go.mod h1:/xlHOz8bRuivTWchD4jCa+NbatV+wEUSzwAxVc6locg=
+github.com/golang-jwt/jwt/v4 v4.2.0 h1:besgBTC8w8HjP6NzQdxwKH9Z5oQMZ24ThTrHp3cZ8eU=
+github.com/golang-jwt/jwt/v4 v4.2.0/go.mod h1:/xlHOz8bRuivTWchD4jCa+NbatV+wEUSzwAxVc6locg=
 github.com/golang-sql/civil v0.0.0-20190719163853-cb61b32ac6fe/go.mod h1:8vg3r2VgvsThLBIFL93Qb5yWzgyZWhEmBwUJWevAkK0=
 github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q=
 github.com/golang/groupcache v0.0.0-20190702054246-869f871628b6/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
@ -233,6 +264,8 @@ github.com/jstemmer/go-junit-report v0.9.1/go.mod h1:Brl9GWCQeLvo8nXZwPNNblvFj/X
 github.com/jtolds/gls v4.20.0+incompatible h1:xdiiI2gbIgH/gLH7ADydsJ1uDOEzR8yvV7C0MuV77Wo=
 github.com/jtolds/gls v4.20.0+incompatible/go.mod h1:QJZ7F/aHp+rZTRtaJ1ow/lLfFfVYBRgL+9YlvaHOwJU=
 github.com/julienschmidt/httprouter v1.2.0/go.mod h1:SYymIcj16QtmaHHD7aYtjjsJG7VTCxuUUipMqKk8s4w=
+github.com/kardianos/osext v0.0.0-20190222173326-2bc1f35cddc0 h1:iQTw/8FWTuc7uiaSepXwyf3o52HaUYcV+Tu66S3F5GA=
+github.com/kardianos/osext v0.0.0-20190222173326-2bc1f35cddc0/go.mod h1:1NbS8ALrpOvjt0rHPNLyCIeMtbizbir8U//inJ+zuB8=
 github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=
 github.com/konsorten/go-windows-terminal-sequences v1.0.1/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ=
 github.com/kr/logfmt v0.0.0-20140226030751-b84e30acd515/go.mod h1:+0opPa2QZZtGFBFZlji/RkVcI2GknAs/DXo4wKdlNEc=
@ -246,6 +279,7 @@ github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
 github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
 github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
 github.com/ledisdb/ledisdb v0.0.0-20200510135210-d35789ec47e6/go.mod h1:n931TsDuKuq+uX4v1fulaMbA/7ZLLhjc85h7chZGBCQ=
+github.com/leodido/go-urn v1.2.1/go.mod h1:zt4jvISO2HfUBqxjfIshjdMTYS56ZS/qv49ictyFfxY=
 github.com/lestrrat-go/jwx v0.9.0 h1:Fnd0EWzTm0kFrBPzE/PEPp9nzllES5buMkksPMjEKpM=
 github.com/lestrrat-go/jwx v0.9.0/go.mod h1:iEoxlYfZjvoGpuWwxUz+eR5e6KTJGsaRcy/YNA/UnBk=
 github.com/lib/pq v1.0.0/go.mod h1:5WUZQaWbwv1U+lTReE5YruASi9Al49XbQIvNi/34Woo=
@ -254,18 +288,16 @@ github.com/lib/pq v1.8.0 h1:9xohqzkUwzR4Ga4ivdTcawVS89YSDVxXMa3xJX3cGzg=
 github.com/lib/pq v1.8.0/go.mod h1:AlVN5x4E4T544tWzH6hKfbfQvm3HdbOxrmggDNAPY9o=
 github.com/markbates/going v1.0.0 h1:DQw0ZP7NbNlFGcKbcE/IVSOAFzScxRtLpd0rLMzLhq0=
 github.com/markbates/going v1.0.0/go.mod h1:I6mnB4BPnEeqo85ynXIx1ZFLLbtiLHNXVgWeFO9OGOA=
-github.com/markbates/goth v1.68.1-0.20211006204042-9dc8905b41c8 h1:JibQrkJapVsb0pweJ5T14jZuuYZZTjll0PZBw4XfSCI=
-github.com/markbates/goth v1.68.1-0.20211006204042-9dc8905b41c8/go.mod h1:V2VcDMzDiMHW+YmqYl7i0cMiAUeCkAe4QE6jRKBhXZw=
 github.com/mattermost/xml-roundtrip-validator v0.0.0-20201208211235-fe770d50d911 h1:erppMjjp69Rertg1zlgRbLJH1u+eCmRPxKjMZ5I8/Ro=
 github.com/mattermost/xml-roundtrip-validator v0.0.0-20201208211235-fe770d50d911/go.mod h1:qccnGMcpgwcNaBnxqpJpWWUiPNr5H3O8eDgGV9gT5To=
+github.com/mattn/go-ieproxy v0.0.1 h1:qiyop7gCflfhwCzGyeT0gro3sF9AIg9HU98JORTkqfI=
+github.com/mattn/go-ieproxy v0.0.1/go.mod h1:pYabZ6IHcRpFh7vIaLfK7rdcWgFEb3SFJ6/gNWuh88E=
 github.com/mattn/go-sqlite3 v1.10.0/go.mod h1:FPy6KqzDD04eiIsT53CuJW3U88zkxoIYsOqkbpncsNc=
 github.com/mattn/go-sqlite3 v1.14.0/go.mod h1:JIl7NbARA7phWnGvh0LKTyg7S9BA+6gx71ShQilpsus=
 github.com/mattn/go-sqlite3 v2.0.3+incompatible h1:gXHsfypPkaMZrKbD5209QV9jbUTJKjyR5WD3HYQSd+U=
 github.com/mattn/go-sqlite3 v2.0.3+incompatible/go.mod h1:FPy6KqzDD04eiIsT53CuJW3U88zkxoIYsOqkbpncsNc=
 github.com/matttproud/golang_protobuf_extensions v1.0.1 h1:4hp9jkHxhMHkqkrB3Ix0jegS5sx/RkqARlsWZ6pIwiU=
 github.com/matttproud/golang_protobuf_extensions v1.0.1/go.mod h1:D8He9yQNgCq6Z5Ld7szi9bcBfOoFv/3dc6xSMkL2PC0=
-github.com/mileusna/crontab v1.0.1 h1:YrDLc7l3xOiznmXq2FtAgg+1YQ3yC6pfFVPe+ywXNtg=
-github.com/mileusna/crontab v1.0.1/go.mod h1:dbns64w/u3tUnGZGf8pAa76ZqOfeBX4olW4U1ZwExmc=
 github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
 github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd h1:TRLaZ9cD/w8PVh93nsPXa1VrQ6jlwL5oN8l14QlcNfg=
 github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
@ -276,6 +308,8 @@ github.com/mrjones/oauth v0.0.0-20180629183705-f4e24b6d100c h1:3wkDRdxK92dF+c1ke
 github.com/mrjones/oauth v0.0.0-20180629183705-f4e24b6d100c/go.mod h1:skjdDftzkFALcuGzYSklqYd8gvat6F1gZJ4YPVbkZpM=
 github.com/mwitkow/go-conntrack v0.0.0-20161129095857-cc309e4a2223/go.mod h1:qRWi+5nqEBWmkhHvq77mSJWrCKwh8bxhgT7d/eI7P4U=
 github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e/go.mod h1:zD1mROLANZcx1PVRCS0qkT7pwLkGfwJo4zjcN/Tysno=
+github.com/nu7hatch/gouuid v0.0.0-20131221200532-179d4d0c4d8d h1:VhgPp6v9qf9Agr/56bj7Y/xa04UccTW04VP0Qed4vnQ=
+github.com/nu7hatch/gouuid v0.0.0-20131221200532-179d4d0c4d8d/go.mod h1:YUTz3bUH2ZwIWBy3CJBeOBEugqcmXREj14T+iG/4k4U=
 github.com/onsi/ginkgo v1.6.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
 github.com/onsi/ginkgo v1.7.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
 github.com/onsi/ginkgo v1.12.0 h1:Iw5WCbBcaAAd0fpRb1c9r5YCylv4XDoCSigm1zLevwU=
@ -311,8 +345,11 @@ github.com/prometheus/procfs v0.1.3 h1:F0+tqvhOksq22sc6iCHF5WGlWjdwj92p0udFh1VFB
 github.com/prometheus/procfs v0.1.3/go.mod h1:lV6e/gmhEcM9IjHGsFOCxxuZ+z1YqCvr4OA4YeYWdaU=
 github.com/qiangmzsx/string-adapter/v2 v2.1.0 h1:q0y8TPa/sTwtriJPRe8gWL++PuZ+XbOUuvKU+hvtTYs=
 github.com/qiangmzsx/string-adapter/v2 v2.1.0/go.mod h1:PElPB7b7HnGKTsuADAffFpOQXHqjEGJz1+U1a6yR5wA=
-github.com/qor/oss v0.0.0-20191031055114-aef9ba66bf76 h1:J2Xj92efYLxPl3BiibgEDEUiMsCBzwTurE/8JjD8CG4=
-github.com/qor/oss v0.0.0-20191031055114-aef9ba66bf76/go.mod h1:JhtPzUhP5KGtCB2yksmxuYAD4hEWw4qGQJpucjsm3U0=
+github.com/qiniu/dyn v1.3.0/go.mod h1:E8oERcm8TtwJiZvkQPbcAh0RL8jO1G0VXJMW3FAWdkk=
+github.com/qiniu/go-sdk/v7 v7.12.1/go.mod h1:btsaOc8CA3hdVloULfFdDgDc+g4f3TDZEFsDY0BLE+w=
+github.com/qiniu/x v1.10.5/go.mod h1:03Ni9tj+N2h2aKnAz+6N0Xfl8FwMEDRC2PAlxekASDs=
+github.com/robfig/cron/v3 v3.0.1 h1:WdRxkvbJztn8LMz/QEvLN5sBU+xKpSqwwUO1Pjr4qDs=
+github.com/robfig/cron/v3 v3.0.1/go.mod h1:eQICP3HwyT7UooqI/z+Ov+PtYAWygg1TEWWzGIFLtro=
 github.com/rogpeppe/go-internal v1.3.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4=
 github.com/rogpeppe/go-internal v1.6.1/go.mod h1:xXDCJY+GAPziupqXw64V24skbSoqbTEfhy4qGm1nDQc=
 github.com/rogpeppe/go-internal v1.8.0 h1:FCbCCtXNOY3UtUuHUYaghJg4y7Fd14rXifAYUAtL9R8=
@ -343,12 +380,15 @@ github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXf
 github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
 github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4=
 github.com/stretchr/testify v1.5.1/go.mod h1:5W2xD1RspED5o8YsWQXVCued0rvSQ+mT+I5cxcmMvtA=
-github.com/stretchr/testify v1.6.1 h1:hDPOHmpOpP40lSULcqw7IrRb/u7w6RpDC9399XyoNd0=
 github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
+github.com/stretchr/testify v1.7.0 h1:nwc3DEeHmmLAfoZucVR881uASk0Mfjw8xYJ99tb5CcY=
+github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/syndtr/goleveldb v0.0.0-20160425020131-cfa635847112/go.mod h1:Z4AUp2Km+PwemOoO/VB5AOx9XSsIItzFjoJlOSiYmn0=
 github.com/syndtr/goleveldb v0.0.0-20181127023241-353a9fca669c/go.mod h1:Z4AUp2Km+PwemOoO/VB5AOx9XSsIItzFjoJlOSiYmn0=
 github.com/syndtr/goleveldb v1.0.0 h1:fBdIW9lB4Iz0n9khmH8w27SJ3QEJ7+IgjPEwGSZiFdE=
 github.com/syndtr/goleveldb v1.0.0/go.mod h1:ZVVdQEZoIme9iO1Ch2Jdy24qqXrMMOU6lpPAyBWyWuQ=
+github.com/tealeg/xlsx v1.0.5 h1:+f8oFmvY8Gw1iUXzPk+kz+4GpbDZPK1FhPiQRd+ypgE=
+github.com/tealeg/xlsx v1.0.5/go.mod h1:btRS8dz54TDnvKNosuAqxrM1QgN1udgk9O34bDCnORM=
 github.com/tencentcloud/tencentcloud-sdk-go v1.0.154 h1:THBgwGwUQtsw6L53cSSA2wwL3sLrm+HJ3Dk+ye/lMCI=
 github.com/tencentcloud/tencentcloud-sdk-go v1.0.154/go.mod h1:asUz5BPXxgoPGaRgZaVm1iGcUAuHyYUo1nXqKa83cvI=
 github.com/thanhpk/randstr v1.0.4 h1:IN78qu/bR+My+gHCvMEXhR/i5oriVHcTB/BJJIRTsNo=
@ -376,8 +416,13 @@ golang.org/x/crypto v0.0.0-20190605123033-f99c8df09eb5/go.mod h1:yigFU9vqHzYiE8U
 golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20200604202706-70a84ac30bf9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
-golang.org/x/crypto v0.0.0-20211215153901-e495a2d5b3d3 h1:0es+/5331RGQPcXlMfP+WrnIIS6dNnNRe0WB02W0F4M=
-golang.org/x/crypto v0.0.0-20211215153901-e495a2d5b3d3/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
+golang.org/x/crypto v0.0.0-20201002170205-7f63de1d35b0/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
+golang.org/x/crypto v0.0.0-20201016220609-9e8e0b390897/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
+golang.org/x/crypto v0.0.0-20210711020723-a769d52b0f97/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
+golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
+golang.org/x/crypto v0.0.0-20211117183948-ae814b36b871/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
+golang.org/x/crypto v0.0.0-20220208233918-bba287dce954 h1:BkypuErRT9A9I/iljuaG3/zdMjd/J6m8tKKJQtGfSdA=
+golang.org/x/crypto v0.0.0-20220208233918-bba287dce954/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
 golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8=
@ -424,6 +469,7 @@ golang.org/x/net v0.0.0-20190613194153-d28f0bde5980/go.mod h1:z5CRVTTTmAJ677TzLL
 golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20190628185345-da137c7871d7/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20190724013045-ca1201d0de80/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
+golang.org/x/net v0.0.0-20191112182307-2180aed22343/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20191209160850-c0dbc17a3553/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20200114155413-6afb5195e5aa/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20200202094626-16171245cfb2/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
@ -440,9 +486,11 @@ golang.org/x/net v0.0.0-20200707034311-ab3426394381/go.mod h1:/O7V0waA8r7cgGh81R
 golang.org/x/net v0.0.0-20200822124328-c89045814202/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA=
 golang.org/x/net v0.0.0-20200927032502-5d4f70055728/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA=
 golang.org/x/net v0.0.0-20200930145003-4acb6c075d10/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA=
-golang.org/x/net v0.0.0-20201110031124-69a78807bb2b/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
-golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2 h1:CIJ76btIcR3eFI5EgSo6k1qKw9KJexJuRLI9G7Hp5wE=
+golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
+golang.org/x/net v0.0.0-20210610132358-84b48f89b13b/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
 golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
+golang.org/x/net v0.0.0-20220127200216-cd36cc0744dd h1:O7DYs+zxREGLKzKoMQrtrEacpb0ZVXA5rIwylE2Xchk=
+golang.org/x/net v0.0.0-20220127200216-cd36cc0744dd/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
 golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
 golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
@ -459,6 +507,7 @@ golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJ
 golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20200317015054-43a5402ce75a/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20200625203802-6e8e738ad208/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.0.0-20201207232520-09787c993a3a/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20180909124046-d0be0721c37e/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
@ -473,6 +522,7 @@ golang.org/x/sys v0.0.0-20190606165138-5da285871e9c/go.mod h1:h1NjWce9XRLGQEsW7w
 golang.org/x/sys v0.0.0-20190624142023-c5567b49c5d0/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190726091711-fc99dfbffb4e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20191001151750-bb3f8db39f24/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20191112214154-59a1497f0cea/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20191120155948-bd437916bb0e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20191204072324-ce4227a45e2e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20191228213918-04cbcbbfeed8/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
@ -492,24 +542,28 @@ golang.org/x/sys v0.0.0-20200523222454-059865788121/go.mod h1:h1NjWce9XRLGQEsW7w
 golang.org/x/sys v0.0.0-20200615200032-f1bc736245b1/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200803210538-64077c9b5642/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200905004654-be1d3432aa8f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1 h1:SrN+KX8Art/Sf4HNj6Zcz06G7VEz+7w9tdXTPOZ7+l4=
 golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20210630005230-0f9fa26af87c/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20211020174200-9d6173849985/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20211216021012-1d35b9e2eb4e h1:fLOSk5Q00efkSvAm+4xcoXD+RRmLmmulPn5I3Y9F2EM=
+golang.org/x/sys v0.0.0-20211216021012-1d35b9e2eb4e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
+golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
 golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
-golang.org/x/text v0.3.6 h1:aRYxNxv6iGQlyVaZmk6ZgYEDa+Jg18DxebPSrd6bg1M=
 golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
+golang.org/x/text v0.3.7 h1:olpwvP2KacW1ZWvsR7uQhoyTYvKAupfQrRGBFM352Gk=
+golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
 golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
-golang.org/x/time v0.0.0-20210220033141-f8bda1e9f3ba h1:O8mE0/t419eoIwhTFpKVkHiTs/Igowgfkj25AcZrtiE=
-golang.org/x/time v0.0.0-20210220033141-f8bda1e9f3ba/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
+golang.org/x/time v0.0.0-20220411224347-583f2d630306 h1:+gHMid33q6pen7kv9xvT+JRinntgeXO2AeZVd0AWD3w=
+golang.org/x/time v0.0.0-20220411224347-583f2d630306/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20190114222345-bf090417da8b/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20190226205152-f727befe758c/go.mod h1:9Yl7xja0Znq3iFh3HoIrodX9oNMXvdceNzlUR8zjMvY=
@ -665,8 +719,9 @@ gopkg.in/yaml.v2 v2.2.1/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.2.4/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.2.5/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
-gopkg.in/yaml.v2 v2.2.8 h1:obN1ZagJSUGI0Ek/LBmuj4SNLPfIny3KsKFopxRdj10=
 gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
+gopkg.in/yaml.v2 v2.3.0 h1:clyUAQHOM3G0M3f5vQj7LuJrETvjVot3Z5el9nffUtU=
+gopkg.in/yaml.v2 v2.3.0/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b h1:h8qDotaEPuJATrMmW04NCwg7v22aHH28wwpauUhK9Oo=
 gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
@ -684,5 +739,6 @@ xorm.io/builder v0.3.7 h1:2pETdKRK+2QG4mLX4oODHEhn5Z8j1m8sXa7jfu+/SZI=
 xorm.io/builder v0.3.7/go.mod h1:aUW0S9eb9VCaPohFCH3j7czOx1PMW3i1HrSzbLYGBSE=
 xorm.io/core v0.7.2 h1:mEO22A2Z7a3fPaZMk6gKL/jMD80iiyNwRrX5HOv3XLw=
 xorm.io/core v0.7.2/go.mod h1:jJfd0UAEzZ4t87nbQYtVjmqpIODugN6PD2D9E+dJvdM=
-xorm.io/xorm v1.0.3 h1:3dALAohvINu2mfEix5a5x5ZmSVGSljinoSGgvGbaZp0=
 xorm.io/xorm v1.0.3/go.mod h1:uF9EtbhODq5kNWxMbnBEj8hRRZnlcNSz2t2N7HW/+A4=
+xorm.io/xorm v1.0.4 h1:UBXA4I3NhiyjXfPqxXUkS2t5hMta9SSPATeMMaZg9oA=
+xorm.io/xorm v1.0.4/go.mod h1:uF9EtbhODq5kNWxMbnBEj8hRRZnlcNSz2t2N7HW/+A4=
--- a/i18n/generate.go
+++ b/i18n/generate.go
@ -1,4 +1,4 @@
-// Copyright 2021 The casbin Authors. All Rights Reserved.
+// Copyright 2021 The Casdoor Authors. All Rights Reserved.
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
@ -21,7 +21,7 @@ import (
 	"regexp"
 	"strings"

-	"github.com/casbin/casdoor/util"
+	"github.com/casdoor/casdoor/util"
 )

 type I18nData map[string]map[string]string
--- a/i18n/generate_test.go
+++ b/i18n/generate_test.go
@ -1,4 +1,4 @@
-// Copyright 2021 The casbin Authors. All Rights Reserved.
+// Copyright 2021 The Casdoor Authors. All Rights Reserved.
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
--- a/i18n/util.go
+++ b/i18n/util.go
@ -1,4 +1,4 @@
-// Copyright 2021 The casbin Authors. All Rights Reserved.
+// Copyright 2021 The Casdoor Authors. All Rights Reserved.
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
@ -18,7 +18,7 @@ import (
 	"fmt"
 	"strings"

-	"github.com/casbin/casdoor/util"
+	"github.com/casdoor/casdoor/util"
 )

 func getI18nFilePath(language string) string {
--- a/idp/adfs.go
+++ b/idp/adfs.go
@ -0,0 +1,136 @@
+// Copyright 2022 The Casdoor Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package idp
+
+import (
+	"bytes"
+	"crypto/tls"
+	"encoding/json"
+	"fmt"
+	"io/ioutil"
+	"net/http"
+	"net/url"
+	"time"
+
+	"github.com/lestrrat-go/jwx/jwa"
+	"github.com/lestrrat-go/jwx/jwk"
+	"github.com/lestrrat-go/jwx/jwt"
+	"golang.org/x/oauth2"
+)
+
+type AdfsIdProvider struct {
+	Client *http.Client
+	Config *oauth2.Config
+	Host   string
+}
+
+func NewAdfsIdProvider(clientId string, clientSecret string, redirectUrl string, hostUrl string) *AdfsIdProvider {
+	idp := &AdfsIdProvider{}
+
+	config := idp.getConfig(hostUrl)
+	config.ClientID = clientId
+	config.ClientSecret = clientSecret
+	config.RedirectURL = redirectUrl
+	idp.Config = config
+	idp.Host = hostUrl
+	return idp
+}
+
+func (idp *AdfsIdProvider) SetHttpClient(client *http.Client) {
+	tr := &http.Transport{
+		TLSClientConfig: &tls.Config{
+			InsecureSkipVerify: true,
+		},
+	}
+	idp.Client = client
+	idp.Client.Transport = tr
+}
+
+func (idp *AdfsIdProvider) getConfig(hostUrl string) *oauth2.Config {
+	var endpoint = oauth2.Endpoint{
+		AuthURL:  fmt.Sprintf("%s/adfs/oauth2/authorize", hostUrl),
+		TokenURL: fmt.Sprintf("%s/adfs/oauth2/token", hostUrl),
+	}
+
+	var config = &oauth2.Config{
+		Endpoint: endpoint,
+	}
+
+	return config
+}
+
+type AdfsToken struct {
+	IdToken   string `json:"id_token"`
+	ExpiresIn int    `json:"expires_in"`
+	ErrMsg    string `json:"error_description"`
+}
+
+// get more detail via: https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/overview/ad-fs-openid-connect-oauth-flows-scenarios#request-an-access-token
+func (idp *AdfsIdProvider) GetToken(code string) (*oauth2.Token, error) {
+	payload := url.Values{}
+	payload.Set("code", code)
+	payload.Set("grant_type", "authorization_code")
+	payload.Set("client_id", idp.Config.ClientID)
+	payload.Set("redirect_uri", idp.Config.RedirectURL)
+	resp, err := idp.Client.PostForm(idp.Config.Endpoint.TokenURL, payload)
+	if err != nil {
+		return nil, err
+	}
+	data, err := ioutil.ReadAll(resp.Body)
+	if err != nil {
+		return nil, err
+	}
+
+	pToken := &AdfsToken{}
+	err = json.Unmarshal(data, pToken)
+	if err != nil {
+		return nil, fmt.Errorf("fail to unmarshal token response: %s", err.Error())
+	}
+	if pToken.ErrMsg != "" {
+		return nil, fmt.Errorf("pToken.Errmsg = %s", pToken.ErrMsg)
+	}
+
+	token := &oauth2.Token{
+		AccessToken: pToken.IdToken,
+		Expiry:      time.Unix(time.Now().Unix()+int64(pToken.ExpiresIn), 0),
+	}
+	return token, nil
+}
+
+// Since the userinfo endpoint of ADFS only returns sub,
+// the id_token is used to resolve the userinfo
+func (idp *AdfsIdProvider) GetUserInfo(token *oauth2.Token) (*UserInfo, error) {
+	resp, err := idp.Client.Get(fmt.Sprintf("%s/adfs/discovery/keys", idp.Host))
+	if err != nil {
+		return nil, err
+	}
+	keyset, err := jwk.Parse(resp.Body)
+	if err != nil {
+		return nil, err
+	}
+	tokenSrc := []byte(token.AccessToken)
+	publicKey, _ := keyset.Keys[0].Materialize()
+	id_token, _ := jwt.Parse(bytes.NewReader(tokenSrc), jwt.WithVerify(jwa.RS256, publicKey))
+	sid, _ := id_token.Get("sid")
+	upn, _ := id_token.Get("upn")
+	name, _ := id_token.Get("unique_name")
+	userinfo := &UserInfo{
+		Id:          sid.(string),
+		Username:    name.(string),
+		DisplayName: name.(string),
+		Email:       upn.(string),
+	}
+	return userinfo, nil
+}
--- a/idp/alipay.go
+++ b/idp/alipay.go
@ -0,0 +1,292 @@
+// Copyright 2022 The Casdoor Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package idp
+
+import (
+	"crypto"
+	"crypto/rand"
+	"crypto/rsa"
+	"crypto/sha256"
+	"crypto/x509"
+	"encoding/base64"
+	"encoding/json"
+	"encoding/pem"
+	"io"
+	"io/ioutil"
+	"net/http"
+	"net/url"
+	"sort"
+	"strings"
+	"time"
+
+	"golang.org/x/oauth2"
+)
+
+type AlipayIdProvider struct {
+	Client *http.Client
+	Config *oauth2.Config
+}
+
+// NewAlipayIdProvider ...
+func NewAlipayIdProvider(clientId string, clientSecret string, redirectUrl string) *AlipayIdProvider {
+	idp := &AlipayIdProvider{}
+
+	config := idp.getConfig(clientId, clientSecret, redirectUrl)
+	idp.Config = config
+
+	return idp
+}
+
+// SetHttpClient ...
+func (idp *AlipayIdProvider) SetHttpClient(client *http.Client) {
+	idp.Client = client
+}
+
+// getConfig return a point of Config, which describes a typical 3-legged OAuth2 flow
+func (idp *AlipayIdProvider) getConfig(clientId string, clientSecret string, redirectUrl string) *oauth2.Config {
+	var endpoint = oauth2.Endpoint{
+		AuthURL:  "https://openauth.alipay.com/oauth2/publicAppAuthorize.htm",
+		TokenURL: "https://openapi.alipay.com/gateway.do",
+	}
+
+	var config = &oauth2.Config{
+		Scopes:       []string{"", ""},
+		Endpoint:     endpoint,
+		ClientID:     clientId,
+		ClientSecret: clientSecret,
+		RedirectURL:  redirectUrl,
+	}
+
+	return config
+}
+
+type AlipayAccessToken struct {
+	Response AlipaySystemOauthTokenResponse `json:"alipay_system_oauth_token_response"`
+	Sign     string                         `json:"sign"`
+}
+
+type AlipaySystemOauthTokenResponse struct {
+	AccessToken  string `json:"access_token"`
+	AlipayUserId string `json:"alipay_user_id"`
+	ExpiresIn    int    `json:"expires_in"`
+	ReExpiresIn  int    `json:"re_expires_in"`
+	RefreshToken string `json:"refresh_token"`
+	UserId       string `json:"user_id"`
+}
+
+// GetToken use code to get access_token
+func (idp *AlipayIdProvider) GetToken(code string) (*oauth2.Token, error) {
+	pTokenParams := &struct {
+		ClientId  string `json:"app_id"`
+		CharSet   string `json:"charset"`
+		Code      string `json:"code"`
+		GrantType string `json:"grant_type"`
+		Method    string `json:"method"`
+		SignType  string `json:"sign_type"`
+		TimeStamp string `json:"timestamp"`
+		Version   string `json:"version"`
+	}{idp.Config.ClientID, "utf-8", code, "authorization_code", "alipay.system.oauth.token", "RSA2", time.Now().Format("2006-01-02 15:04:05"), "1.0"}
+
+	data, err := idp.postWithBody(pTokenParams, idp.Config.Endpoint.TokenURL)
+	if err != nil {
+		return nil, err
+	}
+
+	pToken := &AlipayAccessToken{}
+	err = json.Unmarshal(data, pToken)
+	if err != nil {
+		return nil, err
+	}
+
+	token := &oauth2.Token{
+		AccessToken: pToken.Response.AccessToken,
+		Expiry:      time.Unix(time.Now().Unix()+int64(pToken.Response.ExpiresIn), 0),
+	}
+	return token, nil
+}
+
+/*
+{
+    "alipay_user_info_share_response":{
+        "code":"10000",
+        "msg":"Success",
+        "avatar":"https:\/\/tfs.alipayobjects.com\/images\/partner\/T1.QxFXk4aXXXXXXXX",
+        "nick_name":"zhangsan",
+        "user_id":"2099222233334444"
+    },
+    "sign":"m8rWJeqfoa5tDQRRVnPhRHcpX7NZEgjIPTPF1QBxos6XXXXXXXXXXXXXXXXXXXXXXXXXX"
+}
+*/
+
+type AlipayUserResponse struct {
+	AlipayUserInfoShareResponse AlipayUserInfoShareResponse `json:"alipay_user_info_share_response"`
+	Sign                        string                      `json:"sign"`
+}
+
+type AlipayUserInfoShareResponse struct {
+	Code     string `json:"code"`
+	Msg      string `json:"msg"`
+	Avatar   string `json:"avatar"`
+	NickName string `json:"nick_name"`
+	UserId   string `json:"user_id"`
+}
+
+// GetUserInfo Use access_token to get UserInfo
+func (idp *AlipayIdProvider) GetUserInfo(token *oauth2.Token) (*UserInfo, error) {
+	atUserInfo := &AlipayUserResponse{}
+	accessToken := token.AccessToken
+
+	pTokenParams := &struct {
+		ClientId  string `json:"app_id"`
+		CharSet   string `json:"charset"`
+		AuthToken string `json:"auth_token"`
+		Method    string `json:"method"`
+		SignType  string `json:"sign_type"`
+		TimeStamp string `json:"timestamp"`
+		Version   string `json:"version"`
+	}{idp.Config.ClientID, "utf-8", accessToken, "alipay.user.info.share", "RSA2", time.Now().Format("2006-01-02 15:04:05"), "1.0"}
+	data, err := idp.postWithBody(pTokenParams, idp.Config.Endpoint.TokenURL)
+	if err != nil {
+		return nil, err
+	}
+
+	err = json.Unmarshal(data, atUserInfo)
+	if err != nil {
+		return nil, err
+	}
+
+	userInfo := UserInfo{
+		Id:          atUserInfo.AlipayUserInfoShareResponse.UserId,
+		Username:    atUserInfo.AlipayUserInfoShareResponse.NickName,
+		DisplayName: atUserInfo.AlipayUserInfoShareResponse.NickName,
+		AvatarUrl:   atUserInfo.AlipayUserInfoShareResponse.Avatar,
+	}
+
+	return &userInfo, nil
+}
+
+func (idp *AlipayIdProvider) postWithBody(body interface{}, targetUrl string) ([]byte, error) {
+	bs, err := json.Marshal(body)
+	if err != nil {
+		return nil, err
+	}
+
+	bodyJson := make(map[string]interface{})
+	err = json.Unmarshal(bs, &bodyJson)
+	if err != nil {
+		return nil, err
+	}
+
+	formData := url.Values{}
+	for k := range bodyJson {
+		formData.Set(k, bodyJson[k].(string))
+	}
+
+	sign, err := rsaSignWithRSA256(getStringToSign(formData), idp.Config.ClientSecret)
+	if err != nil {
+		return nil, err
+	}
+
+	formData.Set("sign", sign)
+
+	resp, err := idp.Client.PostForm(targetUrl, formData)
+	if err != nil {
+		return nil, err
+	}
+	data, err := ioutil.ReadAll(resp.Body)
+
+	if err != nil {
+		return nil, err
+	}
+	defer func(Body io.ReadCloser) {
+		err := Body.Close()
+		if err != nil {
+			return
+		}
+	}(resp.Body)
+
+	return data, nil
+}
+
+// get the string to sign, see https://opendocs.alipay.com/common/02kf5q
+func getStringToSign(formData url.Values) string {
+	keys := make([]string, 0, len(formData))
+	for k := range formData {
+		keys = append(keys, k)
+	}
+	sort.Strings(keys)
+	str := ""
+	for _, k := range keys {
+		if k == "sign" || formData[k][0] == "" {
+			continue
+		} else {
+			str += "&" + k + "=" + formData[k][0]
+		}
+	}
+	str = strings.Trim(str, "&")
+	return str
+}
+
+// use privateKey to sign the content
+func rsaSignWithRSA256(signContent string, privateKey string) (string, error) {
+	privateKey = formatPrivateKey(privateKey)
+	block, _ := pem.Decode([]byte(privateKey))
+	if block == nil {
+		panic("fail to parse privateKey")
+	}
+
+	h := sha256.New()
+	h.Write([]byte(signContent))
+	hashed := h.Sum(nil)
+
+	privateKeyRSA, err := x509.ParsePKCS8PrivateKey(block.Bytes)
+	if err != nil {
+		return "", err
+	}
+
+	signature, err := rsa.SignPKCS1v15(rand.Reader, privateKeyRSA.(*rsa.PrivateKey), crypto.SHA256, hashed)
+	if err != nil {
+		return "", err
+	}
+
+	return base64.StdEncoding.EncodeToString(signature), nil
+}
+
+// privateKey in database is a string, format it to PEM style
+func formatPrivateKey(privateKey string) string {
+	// each line length is 64
+	preFmtPrivateKey := ""
+	for i := 0; ; {
+		if i+64 <= len(privateKey) {
+			preFmtPrivateKey = preFmtPrivateKey + privateKey[i:i+64] + "\n"
+			i += 64
+		} else {
+			preFmtPrivateKey = preFmtPrivateKey + privateKey[i:]
+			break
+		}
+	}
+	privateKey = strings.Trim(preFmtPrivateKey, "\n")
+
+	// add pkcs#8 BEGIN and END
+	PemBegin := "-----BEGIN PRIVATE KEY-----\n"
+	PemEnd := "\n-----END PRIVATE KEY-----"
+	if !strings.HasPrefix(privateKey, PemBegin) {
+		privateKey = PemBegin + privateKey
+	}
+	if !strings.HasSuffix(privateKey, PemEnd) {
+		privateKey = privateKey + PemEnd
+	}
+	return privateKey
+}
--- a/idp/baidu.go
+++ b/idp/baidu.go
@ -0,0 +1,116 @@
+// Copyright 2021 The Casdoor Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package idp
+
+import (
+	"context"
+	"encoding/json"
+	"fmt"
+	"io/ioutil"
+	"net/http"
+
+	"golang.org/x/oauth2"
+)
+
+type BaiduIdProvider struct {
+	Client *http.Client
+	Config *oauth2.Config
+}
+
+func NewBaiduIdProvider(clientId string, clientSecret string, redirectUrl string) *BaiduIdProvider {
+	idp := &BaiduIdProvider{}
+
+	config := idp.getConfig()
+	config.ClientID = clientId
+	config.ClientSecret = clientSecret
+	config.RedirectURL = redirectUrl
+	idp.Config = config
+
+	return idp
+}
+
+func (idp *BaiduIdProvider) SetHttpClient(client *http.Client) {
+	idp.Client = client
+}
+
+func (idp *BaiduIdProvider) getConfig() *oauth2.Config {
+	var endpoint = oauth2.Endpoint{
+		AuthURL:  "https://openapi.baidu.com/oauth/2.0/authorize",
+		TokenURL: "https://openapi.baidu.com/oauth/2.0/token",
+	}
+
+	var config = &oauth2.Config{
+		Scopes:   []string{"email"},
+		Endpoint: endpoint,
+	}
+
+	return config
+}
+
+func (idp *BaiduIdProvider) GetToken(code string) (*oauth2.Token, error) {
+	ctx := context.WithValue(context.Background(), oauth2.HTTPClient, idp.Client)
+	return idp.Config.Exchange(ctx, code)
+}
+
+/*
+{
+    "userid":"2097322476",
+    "username":"wl19871011",
+    "realname":"阳光",
+    "userdetail":"喜欢自由",
+    "birthday":"1987-01-01",
+    "marriage":"恋爱",
+    "sex":"男",
+    "blood":"O",
+    "constellation":"射手",
+    "figure":"小巧",
+    "education":"大学/专科",
+    "trade":"计算机/电子产品",
+    "job":"未知",
+    "birthday_year":"1987",
+    "birthday_month":"01",
+    "birthday_day":"01",
+}
+*/
+
+type BaiduUserInfo struct {
+	OpenId   string `json:"openid"`
+	Username string `json:"username"`
+	Portrait string `json:"portrait"`
+}
+
+func (idp *BaiduIdProvider) GetUserInfo(token *oauth2.Token) (*UserInfo, error) {
+	resp, err := idp.Client.Get(fmt.Sprintf("https://openapi.baidu.com/rest/2.0/passport/users/getInfo?access_token=%s", token.AccessToken))
+	if err != nil {
+		return nil, err
+	}
+
+	data, err := ioutil.ReadAll(resp.Body)
+	if err != nil {
+		return nil, err
+	}
+	baiduUser := BaiduUserInfo{}
+	if err = json.Unmarshal(data, &baiduUser); err != nil {
+		return nil, err
+	}
+
+	userInfo := UserInfo{
+		Id:          baiduUser.OpenId,
+		Username:    baiduUser.Username,
+		DisplayName: baiduUser.Username,
+		AvatarUrl:   fmt.Sprintf("https://himg.bdimg.com/sys/portrait/item/%s", baiduUser.Portrait),
+	}
+	return &userInfo, nil
+}
--- a/idp/bilibili.go
+++ b/idp/bilibili.go
@ -0,0 +1,220 @@
+// Copyright 2021 The Casdoor Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package idp
+
+import (
+	"encoding/json"
+	"fmt"
+	"io"
+	"io/ioutil"
+	"net/http"
+	"net/url"
+	"strings"
+	"time"
+
+	"golang.org/x/oauth2"
+)
+
+type BilibiliIdProvider struct {
+	Client *http.Client
+	Config *oauth2.Config
+}
+
+func NewBilibiliIdProvider(clientId string, clientSecret string, redirectUrl string) *BilibiliIdProvider {
+	idp := &BilibiliIdProvider{}
+
+	config := idp.getConfig(clientId, clientSecret, redirectUrl)
+	idp.Config = config
+
+	return idp
+}
+
+func (idp *BilibiliIdProvider) SetHttpClient(client *http.Client) {
+	idp.Client = client
+}
+
+// getConfig return a point of Config, which describes a typical 3-legged OAuth2 flow
+func (idp *BilibiliIdProvider) getConfig(clientId string, clientSecret string, redirectUrl string) *oauth2.Config {
+	var endpoint = oauth2.Endpoint{
+		TokenURL: "https://api.bilibili.com/x/account-oauth2/v1/token",
+		AuthURL:  "http://member.bilibili.com/arcopen/fn/user/account/info",
+	}
+
+	var config = &oauth2.Config{
+		Scopes:       []string{"", ""},
+		Endpoint:     endpoint,
+		ClientID:     clientId,
+		ClientSecret: clientSecret,
+		RedirectURL:  redirectUrl,
+	}
+
+	return config
+}
+
+type BilibiliProviderToken struct {
+	AccessToken  string `json:"access_token"`
+	ExpiresIn    int    `json:"expires_in"`
+	RefreshToken string `json:"refresh_token"`
+}
+
+type BilibiliIdProviderTokenResponse struct {
+	Code    int                   `json:"code"`
+	Message string                `json:"message"`
+	TTL     int                   `json:"ttl"`
+	Data    BilibiliProviderToken `json:"data"`
+}
+
+/*
+{
+    "code": 0,
+    "message": "0",
+    "ttl": 1,
+    "data": {
+         "access_token": "d30bedaa4d8eb3128cf35ddc1030e27d",
+         "expires_in": 1630220614,
+         "refresh_token": "WxFDKwqScZIQDm4iWmKDvetyFugM6HkX"
+    }
+}
+*/
+// GetToken use code get access_token (*operation of getting code ought to be done in front)
+// get more detail via: https://openhome.bilibili.com/doc/4/eaf0e2b5-bde9-b9a0-9be1-019bb455701c
+func (idp *BilibiliIdProvider) GetToken(code string) (*oauth2.Token, error) {
+	pTokenParams := &struct {
+		ClientId     string `json:"client_id"`
+		ClientSecret string `json:"client_secret"`
+		GrantType    string `json:"grant_type"`
+		Code         string `json:"code"`
+	}{
+		idp.Config.ClientID,
+		idp.Config.ClientSecret,
+		"authorization_code",
+		code,
+	}
+
+	data, err := idp.postWithBody(pTokenParams, idp.Config.Endpoint.TokenURL)
+
+	if err != nil {
+		return nil, err
+	}
+
+	response := &BilibiliIdProviderTokenResponse{}
+	err = json.Unmarshal(data, response)
+	if err != nil {
+		return nil, err
+	}
+
+	if response.Code != 0 {
+		return nil, fmt.Errorf("pToken.Errcode = %d, pToken.Errmsg = %s", response.Code, response.Message)
+	}
+
+	token := &oauth2.Token{
+		AccessToken:  response.Data.AccessToken,
+		Expiry:       time.Unix(time.Now().Unix()+int64(response.Data.ExpiresIn), 0),
+		RefreshToken: response.Data.RefreshToken,
+	}
+
+	return token, nil
+}
+
+/*
+{
+    "code": 0,
+    "message": "0",
+    "ttl": 1,
+    "data": {
+        "name":"bilibili",
+        "face":"http://i0.hdslb.com/bfs/face/e1c99895a9f9df4f260a70dc7e227bcb46cf319c.jpg",
+        "openid":"9205eeaa1879skxys969ed47874f225c3"
+    }
+}
+*/
+
+type BilibiliUserInfo struct {
+	Name   string `json:"name"`
+	Face   string `json:"face"`
+	OpenId string `json:"openid`
+}
+
+type BilibiliUserInfoResponse struct {
+	Code    int              `json:"code"`
+	Message string           `json:"message"`
+	TTL     int              `json:"ttl"`
+	Data    BilibiliUserInfo `json:"data"`
+}
+
+// GetUserInfo Use  access_token to get UserInfo
+// get more detail via: https://openhome.bilibili.com/doc/4/feb66f99-7d87-c206-00e7-d84164cd701c
+func (idp *BilibiliIdProvider) GetUserInfo(token *oauth2.Token) (*UserInfo, error) {
+	accessToken := token.AccessToken
+	clientId := idp.Config.ClientID
+
+	params := url.Values{}
+	params.Add("client_id", clientId)
+	params.Add("access_token", accessToken)
+
+	userInfoUrl := fmt.Sprintf("%s?%s", idp.Config.Endpoint.AuthURL, params.Encode())
+
+	resp, err := idp.Client.Get(userInfoUrl)
+
+	if err != nil {
+		return nil, err
+	}
+
+	data, err := ioutil.ReadAll(resp.Body)
+	if err != nil {
+		return nil, err
+	}
+
+	bUserInfoResponse := &BilibiliUserInfoResponse{}
+	if err = json.Unmarshal(data, bUserInfoResponse); err != nil {
+		return nil, err
+	}
+
+	if bUserInfoResponse.Code != 0 {
+		return nil, fmt.Errorf("userinfo.Errcode = %d, userinfo.Errmsg = %s", bUserInfoResponse.Code, bUserInfoResponse.Message)
+	}
+
+	userInfo := &UserInfo{
+		Id:        bUserInfoResponse.Data.OpenId,
+		Username:  bUserInfoResponse.Data.Name,
+		AvatarUrl: bUserInfoResponse.Data.Face,
+	}
+
+	return userInfo, nil
+}
+
+func (idp *BilibiliIdProvider) postWithBody(body interface{}, url string) ([]byte, error) {
+	bs, err := json.Marshal(body)
+	if err != nil {
+		return nil, err
+	}
+	r := strings.NewReader(string(bs))
+	resp, err := idp.Client.Post(url, "application/json;charset=UTF-8", r)
+	if err != nil {
+		return nil, err
+	}
+	data, err := ioutil.ReadAll(resp.Body)
+	if err != nil {
+		return nil, err
+	}
+	defer func(Body io.ReadCloser) {
+		err := Body.Close()
+		if err != nil {
+			return
+		}
+	}(resp.Body)
+
+	return data, nil
+}
--- a/idp/casdoor.go
+++ b/idp/casdoor.go
@ -0,0 +1,159 @@
+// Copyright 2022 The Casdoor Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package idp
+
+import (
+	"encoding/json"
+	"fmt"
+	"io/ioutil"
+	"net/http"
+	"net/url"
+	"time"
+
+	"golang.org/x/oauth2"
+)
+
+type CasdoorIdProvider struct {
+	Client *http.Client
+	Config *oauth2.Config
+	Host   string
+}
+
+func NewCasdoorIdProvider(clientId string, clientSecret string, redirectUrl string, hostUrl string) *CasdoorIdProvider {
+	idp := &CasdoorIdProvider{}
+	config := idp.getConfig(hostUrl)
+	config.ClientID = clientId
+	config.ClientSecret = clientSecret
+	config.RedirectURL = redirectUrl
+	idp.Config = config
+	idp.Host = hostUrl
+	return idp
+}
+
+func (idp *CasdoorIdProvider) SetHttpClient(client *http.Client) {
+	idp.Client = client
+}
+
+func (idp *CasdoorIdProvider) getConfig(hostUrl string) *oauth2.Config {
+	return &oauth2.Config{
+		Endpoint: oauth2.Endpoint{
+			TokenURL: hostUrl + "/api/login/oauth/access_token",
+		},
+		Scopes: []string{"openid email profile"},
+	}
+}
+
+type CasdoorToken struct {
+	AccessToken string `json:"access_token"`
+	ExpiresIn   int    `json:"expires_in"`
+}
+
+func (idp *CasdoorIdProvider) GetToken(code string) (*oauth2.Token, error) {
+	resp, err := http.PostForm(idp.Config.Endpoint.TokenURL, url.Values{
+		"client_id":     {idp.Config.ClientID},
+		"client_secret": {idp.Config.ClientSecret},
+		"code":          {code},
+		"grant_type":    {"authorization_code"},
+	})
+	if err != nil {
+		return nil, err
+	}
+	defer resp.Body.Close()
+	body, err := ioutil.ReadAll(resp.Body)
+
+	if err != nil {
+		return nil, err
+	}
+	pToken := &CasdoorToken{}
+	err = json.Unmarshal(body, pToken)
+	if err != nil {
+		return nil, err
+	}
+
+	//check if token is expired
+	if pToken.ExpiresIn <= 0 {
+		return nil, fmt.Errorf("%s", pToken.AccessToken)
+	}
+	token := &oauth2.Token{
+		AccessToken: pToken.AccessToken,
+		Expiry:      time.Unix(time.Now().Unix()+int64(pToken.ExpiresIn), 0),
+	}
+	return token, nil
+
+}
+
+/*
+{
+    "sub": "2f80c349-4beb-407f-b1f0-528aac0f1acd",
+    "iss": "https://door.casbin.com",
+    "aud": "7a11****0fa2172",
+    "name": "admin",
+    "preferred_username": "Admin",
+    "email": "admin@example.com",
+    "picture": "https://casbin.org/img/casbin.svg",
+    "address": "Guangdong",
+    "phone": "12345678910"
+}
+*/
+
+type CasdoorUserInfo struct {
+	Id          string `json:"sub"`
+	Name        string `json:"name"`
+	DisplayName string `json:"preferred_username"`
+	Email       string `json:"email"`
+	AvatarUrl   string `json:"picture"`
+	Status      string `json:"status"`
+	Msg         string `json:"msg"`
+}
+
+func (idp *CasdoorIdProvider) GetUserInfo(token *oauth2.Token) (*UserInfo, error) {
+	cdUserinfo := &CasdoorUserInfo{}
+	accessToken := token.AccessToken
+	request, err := http.NewRequest("GET", fmt.Sprintf("%s/api/userinfo", idp.Host), nil)
+	if err != nil {
+		return nil, err
+	}
+	//add accesstoken to bearer token
+	request.Header.Add("Authorization", fmt.Sprintf("Bearer %s", accessToken))
+	resp, err := idp.Client.Do(request)
+	if err != nil {
+		return nil, err
+	}
+	defer resp.Body.Close()
+
+	data, err := ioutil.ReadAll(resp.Body)
+	if err != nil {
+		return nil, err
+	}
+
+	err = json.Unmarshal(data, cdUserinfo)
+	if err != nil {
+		return nil, err
+	}
+
+	if cdUserinfo.Status != "" {
+		return nil, fmt.Errorf("err: %s", cdUserinfo.Msg)
+	}
+
+	userInfo := &UserInfo{
+		Id:          cdUserinfo.Id,
+		Username:    cdUserinfo.Name,
+		DisplayName: cdUserinfo.DisplayName,
+		Email:       cdUserinfo.Email,
+		AvatarUrl:   cdUserinfo.AvatarUrl,
+	}
+	return userInfo, nil
+
+}
--- a/idp/custom.go
+++ b/idp/custom.go
@ -0,0 +1,109 @@
+// Copyright 2022 The Casdoor Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package idp
+
+import (
+	"context"
+	"encoding/json"
+	"fmt"
+	"io/ioutil"
+	"net/http"
+	_ "net/url"
+	_ "time"
+
+	"golang.org/x/oauth2"
+)
+
+type CustomIdProvider struct {
+	Client      *http.Client
+	Config      *oauth2.Config
+	UserInfoUrl string
+}
+
+func NewCustomIdProvider(clientId string, clientSecret string, redirectUrl string, authUrl string, tokenUrl string, userInfoUrl string) *CustomIdProvider {
+	idp := &CustomIdProvider{}
+	idp.UserInfoUrl = userInfoUrl
+
+	var config = &oauth2.Config{
+		ClientID:     clientId,
+		ClientSecret: clientSecret,
+		RedirectURL:  redirectUrl,
+		Endpoint: oauth2.Endpoint{
+			AuthURL:  authUrl,
+			TokenURL: tokenUrl,
+		},
+	}
+	idp.Config = config
+
+	return idp
+}
+
+func (idp *CustomIdProvider) SetHttpClient(client *http.Client) {
+	idp.Client = client
+}
+
+func (idp *CustomIdProvider) GetToken(code string) (*oauth2.Token, error) {
+	ctx := context.WithValue(context.Background(), oauth2.HTTPClient, idp.Client)
+	return idp.Config.Exchange(ctx, code)
+}
+
+type CustomUserInfo struct {
+	Id          string `json:"sub"`
+	Name        string `json:"name"`
+	DisplayName string `json:"preferred_username"`
+	Email       string `json:"email"`
+	AvatarUrl   string `json:"picture"`
+	Status      string `json:"status"`
+	Msg         string `json:"msg"`
+}
+
+func (idp *CustomIdProvider) GetUserInfo(token *oauth2.Token) (*UserInfo, error) {
+	ctUserinfo := &CustomUserInfo{}
+	accessToken := token.AccessToken
+	request, err := http.NewRequest("GET", idp.UserInfoUrl, nil)
+	if err != nil {
+		return nil, err
+	}
+	//add accessToken to request header
+	request.Header.Add("Authorization", fmt.Sprintf("Bearer %s", accessToken))
+	resp, err := idp.Client.Do(request)
+	if err != nil {
+		return nil, err
+	}
+	defer resp.Body.Close()
+
+	data, err := ioutil.ReadAll(resp.Body)
+	if err != nil {
+		return nil, err
+	}
+
+	err = json.Unmarshal(data, ctUserinfo)
+	if err != nil {
+		return nil, err
+	}
+
+	if ctUserinfo.Status != "" {
+		return nil, fmt.Errorf("err: %s", ctUserinfo.Msg)
+	}
+
+	userInfo := &UserInfo{
+		Id:          ctUserinfo.Id,
+		Username:    ctUserinfo.Name,
+		DisplayName: ctUserinfo.DisplayName,
+		Email:       ctUserinfo.Email,
+		AvatarUrl:   ctUserinfo.AvatarUrl,
+	}
+	return userInfo, nil
+}
--- a/idp/dingtalk.go
+++ b/idp/dingtalk.go
@ -1,4 +1,4 @@
-// Copyright 2021 The casbin Authors. All Rights Reserved.
+// Copyright 2021 The Casdoor Authors. All Rights Reserved.
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
@ -15,32 +15,17 @@
 package idp

 import (
-	"bytes"
-	"crypto/hmac"
-	"crypto/sha256"
-	"encoding/base64"
 	"encoding/json"
 	"fmt"
 	"io"
+	"io/ioutil"
 	"net/http"
-	"net/url"
-	"strconv"
 	"strings"
 	"time"

 	"golang.org/x/oauth2"
 )

-// A total of three steps are required:
-//
-// 1. Construct the link and get the temporary authorization code
-//	tmp_auth_code through the code at the end of the url.
-//
-// 2. Use hmac256 to calculate the signature, and then submit it together with timestamp,
-//	tmp_auth_code, accessKey to obtain unionid, userid, accessKey.
-//
-// 3. Get detailed information through userid.
-
 type DingTalkIdProvider struct {
 	Client *http.Client
 	Config *oauth2.Config
@ -64,8 +49,8 @@ func (idp *DingTalkIdProvider) SetHttpClient(client *http.Client) {
 // getConfig return a point of Config, which describes a typical 3-legged OAuth2 flow
 func (idp *DingTalkIdProvider) getConfig(clientId string, clientSecret string, redirectUrl string) *oauth2.Config {
 	var endpoint = oauth2.Endpoint{
-		AuthURL:  "https://oapi.dingtalk.com/sns/getuserinfo_bycode",
-		TokenURL: "https://oapi.dingtalk.com/gettoken",
+		AuthURL:  "https://api.dingtalk.com/v1.0/contact/users/me",
+		TokenURL: "https://api.dingtalk.com/v1.0/oauth2/userAccessToken",
 	}

 	var config = &oauth2.Config{
@ -83,256 +68,122 @@ func (idp *DingTalkIdProvider) getConfig(clientId string, clientSecret string, r
 }

 type DingTalkAccessToken struct {
-	ErrCode     int    `json:"errcode"`
-	ErrMsg      string `json:"errmsg"`
-	AccessToken string `json:"access_token"` // Interface call credentials
-	ExpiresIn   int64  `json:"expires_in"`   // access_token interface call credential timeout time, unit (seconds)
+	ErrCode     int    `json:"code"`
+	ErrMsg      string `json:"message"`
+	AccessToken string `json:"accessToken"` // Interface call credentials
+	ExpiresIn   int64  `json:"expireIn"`    // access_token interface call credential timeout time, unit (seconds)
 }

-type DingTalkIds struct {
-	UserId  string `json:"user_id"`
-	UnionId string `json:"union_id"`
-}
-
-type InfoResp struct {
-	Errcode  int `json:"errcode"`
-	UserInfo struct {
-		Nick                 string `json:"nick"`
-		Unionid              string `json:"unionid"`
-		Openid               string `json:"openid"`
-		MainOrgAuthHighLevel bool   `json:"main_org_auth_high_level"`
-	} `json:"user_info"`
-	Errmsg string `json:"errmsg"`
-}
-
-// GetToken use code get access_token (*operation of getting code ought to be done in front)
-// get more detail via: https://developers.dingtalk.com/document/app/dingtalk-retrieve-user-information?spm=ding_open_doc.document.0.0.51b91a31wWV3tY#doc-api-dingtalk-GetUser
+// GetToken use code get access_token (*operation of getting authCode ought to be done in front)
+// get more detail via: https://open.dingtalk.com/document/orgapp-server/obtain-user-token
 func (idp *DingTalkIdProvider) GetToken(code string) (*oauth2.Token, error) {
-	timestamp := strconv.FormatInt(time.Now().UnixNano()/1e6, 10)
-	signature := EncodeSHA256(timestamp, idp.Config.ClientSecret)
-	u := fmt.Sprintf(
-		"%s?accessKey=%s&timestamp=%s&signature=%s", idp.Config.Endpoint.AuthURL,
-		idp.Config.ClientID, timestamp, signature)
+	pTokenParams := &struct {
+		ClientId     string `json:"clientId"`
+		ClientSecret string `json:"clientSecret"`
+		Code         string `json:"code"`
+		GrantType    string `json:"grantType"`
+	}{idp.Config.ClientID, idp.Config.ClientSecret, code, "authorization_code"}

-	tmpCode := struct {
-		TmpAuthCode string `json:"tmp_auth_code"`
-	}{code}
-	bs, _ := json.Marshal(tmpCode)
-	r := strings.NewReader(string(bs))
-	resp, err := http.Post(u, "application/json;charset=UTF-8", r)
+	data, err := idp.postWithBody(pTokenParams, idp.Config.Endpoint.TokenURL)
 	if err != nil {
 		return nil, err
 	}

-	defer func(Body io.ReadCloser) {
-		err := Body.Close()
-		if err != nil {
-			return
-		}
-	}(resp.Body)
-
-	body, _ := io.ReadAll(resp.Body)
-	info := InfoResp{}
-	_ = json.Unmarshal(body, &info)
-	errCode := info.Errcode
-	if errCode != 0 {
-		return nil, fmt.Errorf("%d: %s", errCode, info.Errmsg)
-	}
-
-	u2 := fmt.Sprintf("%s?appkey=%s&appsecret=%s", idp.Config.Endpoint.TokenURL, idp.Config.ClientID, idp.Config.ClientSecret)
-	resp, _ = http.Get(u2)
-	defer func(Body io.ReadCloser) {
-		err := Body.Close()
-		if err != nil {
-			return
-		}
-	}(resp.Body)
-	body, _ = io.ReadAll(resp.Body)
-	tokenResp := DingTalkAccessToken{}
-	_ = json.Unmarshal(body, &tokenResp)
-	if tokenResp.ErrCode != 0 {
-		return nil, fmt.Errorf("%d: %s", tokenResp.ErrCode, tokenResp.ErrMsg)
-	}
-
-	// use unionid to get userid
-	unionid := info.UserInfo.Unionid
-	userid, err := idp.GetUseridByUnionid(tokenResp.AccessToken, unionid)
+	pToken := &DingTalkAccessToken{}
+	err = json.Unmarshal(data, pToken)
 	if err != nil {
 		return nil, err
 	}

-	// Since DingTalk does not require scopes, put userid and unionid into
-	// idp.config.scopes to facilitate GetUserInfo() to obtain these two parameters.
-	idp.Config.Scopes = []string{unionid, userid}
+	if pToken.ErrCode != 0 {
+		return nil, fmt.Errorf("pToken.Errcode = %d, pToken.Errmsg = %s", pToken.ErrCode, pToken.ErrMsg)
+	}

 	token := &oauth2.Token{
-		AccessToken: tokenResp.AccessToken,
-		Expiry:      time.Unix(time.Now().Unix()+tokenResp.ExpiresIn, 0),
+		AccessToken: pToken.AccessToken,
+		Expiry:      time.Unix(time.Now().Unix()+int64(pToken.ExpiresIn), 0),
 	}
-
 	return token, nil
 }

-type UnionIdResponse struct {
-	Errcode int    `json:"errcode"`
-	Errmsg  string `json:"errmsg"`
-	Result  struct {
-		ContactType string `json:"contact_type"`
-		Userid      string `json:"userid"`
-	} `json:"result"`
-	RequestId string `json:"request_id"`
-}
-
-// GetUseridByUnionid ...
-func (idp *DingTalkIdProvider) GetUseridByUnionid(accesstoken, unionid string) (userid string, err error) {
-	u := fmt.Sprintf("https://oapi.dingtalk.com/topapi/user/getbyunionid?access_token=%s&unionid=%s",
-		accesstoken, unionid)
-	useridInfo, err := idp.GetUrlResp(u)
-	if err != nil {
-		return "", err
-	}
-
-	uresp := UnionIdResponse{}
-	_ = json.Unmarshal([]byte(useridInfo), &uresp)
-	errcode := uresp.Errcode
-	if errcode != 0 {
-		return "", fmt.Errorf("%d: %s", errcode, uresp.Errmsg)
-	}
-	return uresp.Result.Userid, nil
-}
-
 /*
 {
-	"errcode":0,
-	"result":{
-		"boss":false,
-		"unionid":"5M6zgZBKQPCxdiPdANeJ6MgiEiE",
-		"role_list":[
-			{
-				"group_name":"默认",
-				"name":"主管理员",
-				"id":2062489174
-			}
-		],
-		"exclusive_account":false,
-		"mobile":"15236176076",
-		"active":true,
-		"admin":true,
-		"avatar":"https://static-legacy.dingtalk.com/media/lALPDeRETW9WAnnNAyDNAyA_800_800.png",
-		"hide_mobile":false,
-		"userid":"manager4713",
-		"senior":false,
-		"dept_order_list":[
-			{
-				"dept_id":1,
-				"order":176294576350761512
-			}
-		],
-		"real_authed":true,
-		"name":"刘继坤",
-		"dept_id_list":[
-			1
-		],
-		"state_code":"86",
-		"email":"",
-		"leader_in_dept":[
-			{
-				"leader":false,
-				"dept_id":1
-			}
-		]
-	},
-	"errmsg":"ok",
-	"request_id":"3sug9d2exsla"
+{
+  "nick" : "zhangsan",
+  "avatarUrl" : "https://xxx",
+  "mobile" : "150xxxx9144",
+  "openId" : "123",
+  "unionId" : "z21HjQliSzpw0Yxxxx",
+  "email" : "zhangsan@alibaba-inc.com",
+  "stateCode" : "86"
 }
 */

 type DingTalkUserResponse struct {
-	Errcode int    `json:"errcode"`
-	Errmsg  string `json:"errmsg"`
-	Result  struct {
-		Extension   string `json:"extension"`
-		Unionid     string `json:"unionid"`
-		Boss        bool   `json:"boss"`
-		UnionEmpExt struct {
-			CorpId          string `json:"corpId"`
-			Userid          string `json:"userid"`
-			UnionEmpMapList []struct {
-				CorpId string `json:"corpId"`
-				Userid string `json:"userid"`
-			} `json:"unionEmpMapList"`
-		} `json:"unionEmpExt"`
-		RoleList []struct {
-			GroupName string `json:"group_name"`
-			Id        int    `json:"id"`
-			Name      string `json:"name"`
-		} `json:"role_list"`
-		Admin         bool   `json:"admin"`
-		Remark        string `json:"remark"`
-		Title         string `json:"title"`
-		HiredDate     int64  `json:"hired_date"`
-		Userid        string `json:"userid"`
-		WorkPlace     string `json:"work_place"`
-		DeptOrderList []struct {
-			DeptId int   `json:"dept_id"`
-			Order  int64 `json:"order"`
-		} `json:"dept_order_list"`
-		RealAuthed   bool   `json:"real_authed"`
-		DeptIdList   []int  `json:"dept_id_list"`
-		JobNumber    string `json:"job_number"`
-		Email        string `json:"email"`
-		LeaderInDept []struct {
-			DeptId int  `json:"dept_id"`
-			Leader bool `json:"leader"`
-		} `json:"leader_in_dept"`
-		ManagerUserid string `json:"manager_userid"`
-		Mobile        string `json:"mobile"`
-		Active        bool   `json:"active"`
-		Telephone     string `json:"telephone"`
-		Avatar        string `json:"avatar"`
-		HideMobile    bool   `json:"hide_mobile"`
-		Senior        bool   `json:"senior"`
-		Name          string `json:"name"`
-		StateCode     string `json:"state_code"`
-	} `json:"result"`
-	RequestId string `json:"request_id"`
+	Nick      string `json:"nick"`
+	OpenId    string `json:"openId"`
+	AvatarUrl string `json:"avatarUrl"`
+	Email     string `json:"email"`
+	Errmsg    string `json:"message"`
+	Errcode   string `json:"code"`
 }

-// GetUserInfo Use userid and access_token to get UserInfo
-// get more detail via: https://developers.dingtalk.com/document/app/query-user-details
+// GetUserInfo Use  access_token to get UserInfo
+// get more detail via: https://open.dingtalk.com/document/orgapp-server/dingtalk-retrieve-user-information
 func (idp *DingTalkIdProvider) GetUserInfo(token *oauth2.Token) (*UserInfo, error) {
-	var dtUserInfo DingTalkUserResponse
+	dtUserInfo := &DingTalkUserResponse{}
 	accessToken := token.AccessToken

-	u := fmt.Sprintf("https://oapi.dingtalk.com/topapi/v2/user/get?access_token=%s&userid=%s",
-		accessToken, idp.Config.Scopes[1])
+	reqest, err := http.NewRequest("GET", idp.Config.Endpoint.AuthURL, nil)
+	if err != nil {
+		return nil, err
+	}
+	reqest.Header.Add("x-acs-dingtalk-access-token", accessToken)
+	resp, err := idp.Client.Do(reqest)
+	if err != nil {
+		return nil, err
+	}
+	defer resp.Body.Close()

-	userinfoResp, err := idp.GetUrlResp(u)
+	data, err := ioutil.ReadAll(resp.Body)
 	if err != nil {
 		return nil, err
 	}

-	if err = json.Unmarshal([]byte(userinfoResp), &dtUserInfo); err != nil {
+	err = json.Unmarshal(data, dtUserInfo)
+	if err != nil {
 		return nil, err
 	}

+	if dtUserInfo.Errmsg != "" {
+		return nil, fmt.Errorf("userIdResp.Errcode = %s, userIdResp.Errmsg = %s", dtUserInfo.Errcode, dtUserInfo.Errmsg)
+	}
+
 	userInfo := UserInfo{
-		Id:          strconv.Itoa(dtUserInfo.Result.RoleList[0].Id),
-		Username:    dtUserInfo.Result.RoleList[0].Name,
-		DisplayName: dtUserInfo.Result.Name,
-		Email:       dtUserInfo.Result.Email,
-		AvatarUrl:   dtUserInfo.Result.Avatar,
+		Id:          dtUserInfo.OpenId,
+		Username:    dtUserInfo.Nick,
+		DisplayName: dtUserInfo.Nick,
+		Email:       dtUserInfo.Email,
+		AvatarUrl:   dtUserInfo.AvatarUrl,
 	}

 	return &userInfo, nil
 }

-func (idp *DingTalkIdProvider) GetUrlResp(url string) (string, error) {
-	resp, err := idp.Client.Get(url)
+func (idp *DingTalkIdProvider) postWithBody(body interface{}, url string) ([]byte, error) {
+	bs, err := json.Marshal(body)
 	if err != nil {
-		return "", err
+		return nil, err
+	}
+	r := strings.NewReader(string(bs))
+	resp, err := idp.Client.Post(url, "application/json;charset=UTF-8", r)
+	if err != nil {
+		return nil, err
+	}
+	data, err := ioutil.ReadAll(resp.Body)
+	if err != nil {
+		return nil, err
 	}
-
 	defer func(Body io.ReadCloser) {
 		err := Body.Close()
 		if err != nil {
@ -340,26 +191,5 @@ func (idp *DingTalkIdProvider) GetUrlResp(url string) (string, error) {
 		}
 	}(resp.Body)

-	buf := new(bytes.Buffer)
-	_, err = buf.ReadFrom(resp.Body)
-	if err != nil {
-		return "", err
-	}
-
-	return buf.String(), nil
-}
-
-// EncodeSHA256 Use the HmacSHA256 algorithm to sign, the signature data is the current timestamp,
-// and the key is the appSecret corresponding to the appId. Use this key to calculate the timestamp signature value.
-// get more detail via: https://developers.dingtalk.com/document/app/signature-calculation-for-logon-free-scenarios-1?spm=ding_open_doc.document.0.0.63262ea7l6iEm1#topic-2021698
-func EncodeSHA256(message, secret string) string {
-	h := hmac.New(sha256.New, []byte(secret))
-	h.Write([]byte(message))
-	sum := h.Sum(nil)
-	msg1 := base64.StdEncoding.EncodeToString(sum)
-
-	uv := url.Values{}
-	uv.Add("0", msg1)
-	msg2 := uv.Encode()[2:]
-	return msg2
+	return data, nil
 }
--- a/idp/douyin.go
+++ b/idp/douyin.go
@ -0,0 +1,198 @@
+// Copyright 2022 The Casdoor Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package idp
+
+import (
+	"bytes"
+	"encoding/json"
+	"fmt"
+	"io/ioutil"
+	"net/http"
+	"net/url"
+	"time"
+
+	"golang.org/x/oauth2"
+)
+
+type DouyinIdProvider struct {
+	Client *http.Client
+	Config *oauth2.Config
+}
+
+func NewDouyinIdProvider(clientId string, clientSecret string, redirectUrl string) *DouyinIdProvider {
+	idp := &DouyinIdProvider{}
+	idp.Config = idp.getConfig(clientId, clientSecret, redirectUrl)
+	return idp
+}
+
+func (idp *DouyinIdProvider) SetHttpClient(client *http.Client) {
+	idp.Client = client
+}
+
+func (idp *DouyinIdProvider) getConfig(clientId string, clientSecret string, redirectUrl string) *oauth2.Config {
+	var endpoint = oauth2.Endpoint{
+		TokenURL: "https://open.douyin.com/oauth/access_token",
+		AuthURL:  "https://open.douyin.com/platform/oauth/connect",
+	}
+
+	var config = &oauth2.Config{
+		Scopes:       []string{"user_info"},
+		Endpoint:     endpoint,
+		ClientID:     clientId,
+		ClientSecret: clientSecret,
+		RedirectURL:  redirectUrl,
+	}
+
+	return config
+}
+
+// get more details via: https://open.douyin.com/platform/doc?doc=docs/openapi/account-permission/get-access-token
+/*
+{
+  "data": {
+    "access_token": "access_token",
+    "description": "",
+    "error_code": "0",
+    "expires_in": "86400",
+    "open_id": "aaa-bbb-ccc",
+    "refresh_expires_in": "86400",
+    "refresh_token": "refresh_token",
+    "scope": "user_info"
+  },
+  "message": "<nil>"
+}
+*/
+
+type DouyinTokenResp struct {
+	Data struct {
+		AccessToken  string `json:"access_token"`
+		ExpiresIn    int64  `json:"expires_in"`
+		OpenId       string `json:"open_id"`
+		RefreshToken string `json:"refresh_token"`
+		Scope        string `json:"scope"`
+	} `json:"data"`
+	Message string `json:"message"`
+}
+
+// GetToken use code to get access_token
+// get more details via: https://open.douyin.com/platform/doc?doc=docs/openapi/account-permission/get-access-token
+func (idp *DouyinIdProvider) GetToken(code string) (*oauth2.Token, error) {
+	payload := url.Values{}
+	payload.Set("code", code)
+	payload.Set("grant_type", "authorization_code")
+	payload.Set("client_key", idp.Config.ClientID)
+	payload.Set("client_secret", idp.Config.ClientSecret)
+	resp, err := idp.Client.PostForm(idp.Config.Endpoint.TokenURL, payload)
+	if err != nil {
+		return nil, err
+	}
+	data, err := ioutil.ReadAll(resp.Body)
+	if err != nil {
+		return nil, err
+	}
+	tokenResp := &DouyinTokenResp{}
+	err = json.Unmarshal(data, tokenResp)
+	if err != nil {
+		return nil, fmt.Errorf("fail to unmarshal token response: %s", err.Error())
+	}
+
+	token := &oauth2.Token{
+		AccessToken:  tokenResp.Data.AccessToken,
+		RefreshToken: tokenResp.Data.RefreshToken,
+		Expiry:       time.Unix(time.Now().Unix()+tokenResp.Data.ExpiresIn, 0),
+	}
+
+	raw := make(map[string]interface{})
+	raw["open_id"] = tokenResp.Data.OpenId
+	token = token.WithExtra(raw)
+
+	return token, nil
+}
+
+// get more details via: https://open.douyin.com/platform/doc?doc=docs/openapi/account-management/get-account-open-info
+/*
+{
+  "data": {
+    "avatar": "https://example.com/x.jpeg",
+    "city": "上海",
+    "country": "中国",
+    "description": "",
+    "e_account_role": "<nil>",
+    "error_code": "0",
+    "gender": "<nil>",
+    "nickname": "张伟",
+    "open_id": "0da22181-d833-447f-995f-1beefea5bef3",
+    "province": "上海",
+    "union_id": "1ad4e099-4a0c-47d1-a410-bffb4f2f64a4"
+  }
+}
+*/
+
+type DouyinUserInfo struct {
+	Data struct {
+		Avatar  string `json:"avatar"`
+		City    string `json:"city"`
+		Country string `json:"country"`
+		// 0->unknown, 1->male, 2->female
+		Gender   int64  `json:"gender"`
+		Nickname string `json:"nickname"`
+		OpenId   string `json:"open_id"`
+		Province string `json:"province"`
+	} `json:"data"`
+}
+
+// GetUserInfo use token to get user profile
+func (idp *DouyinIdProvider) GetUserInfo(token *oauth2.Token) (*UserInfo, error) {
+	body := &struct {
+		AccessToken string `json:"access_token"`
+		OpenId      string `json:"open_id"`
+	}{token.AccessToken, token.Extra("open_id").(string)}
+	data, err := json.Marshal(body)
+	if err != nil {
+		return nil, err
+	}
+	req, err := http.NewRequest("GET", "https://open.douyin.com/oauth/userinfo/", bytes.NewReader(data))
+	if err != nil {
+		return nil, err
+	}
+	req.Header.Add("access-token", token.AccessToken)
+	req.Header.Add("Accept", "application/json")
+	req.Header.Add("Content-Type", "application/json")
+	resp, err := idp.Client.Do(req)
+	if err != nil {
+		return nil, err
+	}
+
+	defer resp.Body.Close()
+
+	respBody, err := ioutil.ReadAll(resp.Body)
+	if err != nil {
+		return nil, err
+	}
+
+	var douyinUserInfo DouyinUserInfo
+	err = json.Unmarshal(respBody, &douyinUserInfo)
+	if err != nil {
+		return nil, err
+	}
+
+	userInfo := UserInfo{
+		Id:          douyinUserInfo.Data.OpenId,
+		Username:    douyinUserInfo.Data.Nickname,
+		DisplayName: douyinUserInfo.Data.Nickname,
+		AvatarUrl:   douyinUserInfo.Data.Avatar,
+	}
+	return &userInfo, nil
+}
--- a/idp/facebook.go
+++ b/idp/facebook.go
@ -1,4 +1,4 @@
-// Copyright 2021 The casbin Authors. All Rights Reserved.
+// Copyright 2021 The Casdoor Authors. All Rights Reserved.
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
@ -164,6 +164,7 @@ func (idp *FacebookIdProvider) GetUserInfo(token *oauth2.Token) (*UserInfo, erro

 	userInfo := UserInfo{
 		Id:          facebookUserInfo.Id,
+		Username:    facebookUserInfo.Name,
 		DisplayName: facebookUserInfo.Name,
 		Email:       facebookUserInfo.Email,
 		AvatarUrl:   facebookUserInfo.Picture.Data.Url,
--- a/idp/gitee.go
+++ b/idp/gitee.go
@ -1,4 +1,4 @@
-// Copyright 2021 The casbin Authors. All Rights Reserved.
+// Copyright 2021 The Casdoor Authors. All Rights Reserved.
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
@ -19,6 +19,7 @@ import (
 	"encoding/json"
 	"fmt"
 	"io"
+	"io/ioutil"
 	"net/http"
 	"net/url"
 	"strconv"
@ -92,7 +93,7 @@ func (idp *GiteeIdProvider) GetToken(code string) (*oauth2.Token, error) {
 	if err != nil {
 		return nil, err
 	}
-	rbs, err := io.ReadAll(resp.Body)
+	rbs, err := ioutil.ReadAll(resp.Body)
 	if err != nil {
 		return nil, err
 	}
--- a/idp/github.go
+++ b/idp/github.go
@ -1,4 +1,4 @@
-// Copyright 2021 The casbin Authors. All Rights Reserved.
+// Copyright 2021 The Casdoor Authors. All Rights Reserved.
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
@ -15,11 +15,13 @@
 package idp

 import (
-	"context"
 	"encoding/json"
+	"fmt"
 	"io"
+	"io/ioutil"
 	"net/http"
 	"strconv"
+	"strings"
 	"time"

 	"golang.org/x/oauth2"
@ -60,9 +62,38 @@ func (idp *GithubIdProvider) getConfig() *oauth2.Config {
 	return config
 }

+type GithubToken struct {
+	AccessToken string `json:"access_token"`
+	TokenType   string `json:"token_type"`
+	Scope       string `json:"scope"`
+	Error       string `json:"error"`
+}
+
 func (idp *GithubIdProvider) GetToken(code string) (*oauth2.Token, error) {
-	ctx := context.WithValue(context.Background(), oauth2.HTTPClient, idp.Client)
-	return idp.Config.Exchange(ctx, code)
+	params := &struct {
+		Code         string `json:"code"`
+		ClientId     string `json:"client_id"`
+		ClientSecret string `json:"client_secret"`
+	}{code, idp.Config.ClientID, idp.Config.ClientSecret}
+	data, err := idp.postWithBody(params, idp.Config.Endpoint.TokenURL)
+	if err != nil {
+		return nil, err
+	}
+	pToken := &GithubToken{}
+	if err = json.Unmarshal(data, pToken); err != nil {
+		return nil, err
+	}
+	if pToken.Error != "" {
+		return nil, fmt.Errorf("err: %s", pToken.Error)
+	}
+
+	token := &oauth2.Token{
+		AccessToken: pToken.AccessToken,
+		TokenType:   "Bearer",
+	}
+
+	return token, nil
+
 }

 //{
@ -172,7 +203,7 @@ func (idp *GithubIdProvider) GetUserInfo(token *oauth2.Token) (*UserInfo, error)

 	defer resp.Body.Close()

-	body, err := io.ReadAll(resp.Body)
+	body, err := ioutil.ReadAll(resp.Body)
 	if err != nil {
 		return nil, err
 	}
@ -192,3 +223,30 @@ func (idp *GithubIdProvider) GetUserInfo(token *oauth2.Token) (*UserInfo, error)
 	}
 	return &userInfo, nil
 }
+
+func (idp *GithubIdProvider) postWithBody(body interface{}, url string) ([]byte, error) {
+	bs, err := json.Marshal(body)
+	if err != nil {
+		return nil, err
+	}
+	r := strings.NewReader(string(bs))
+	req, _ := http.NewRequest("POST", url, r)
+	req.Header.Set("Accept", "application/json")
+	req.Header.Set("Content-Type", "application/json")
+	resp, err := idp.Client.Do(req)
+	if err != nil {
+		return nil, err
+	}
+	data, err := ioutil.ReadAll(resp.Body)
+	if err != nil {
+		return nil, err
+	}
+	defer func(Body io.ReadCloser) {
+		err := Body.Close()
+		if err != nil {
+			return
+		}
+	}(resp.Body)
+
+	return data, nil
+}
--- a/idp/gitlab.go
+++ b/idp/gitlab.go
@ -1,4 +1,4 @@
-// Copyright 2021 The casbin Authors. All Rights Reserved.
+// Copyright 2021 The Casdoor Authors. All Rights Reserved.
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
@ -17,7 +17,7 @@ package idp
 import (
 	"encoding/json"
 	"fmt"
-	"io"
+	"io/ioutil"
 	"net/http"
 	"net/url"
 	"strconv"
@ -85,7 +85,7 @@ func (idp *GitlabIdProvider) GetToken(code string) (*oauth2.Token, error) {
 		return nil, err
 	}

-	data, err := io.ReadAll(resp.Body)
+	data, err := ioutil.ReadAll(resp.Body)
 	if err != nil {
 		return nil, err
 	}
@ -209,7 +209,7 @@ func (idp *GitlabIdProvider) GetUserInfo(token *oauth2.Token) (*UserInfo, error)
 		return nil, err
 	}

-	data, err := io.ReadAll(resp.Body)
+	data, err := ioutil.ReadAll(resp.Body)
 	if err != nil {
 		return nil, err
 	}
--- a/idp/google.go
+++ b/idp/google.go
@ -1,4 +1,4 @@
-// Copyright 2021 The casbin Authors. All Rights Reserved.
+// Copyright 2021 The Casdoor Authors. All Rights Reserved.
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
@ -19,7 +19,7 @@ import (
 	"encoding/json"
 	"errors"
 	"fmt"
-	"io"
+	"io/ioutil"
 	"net/http"

 	"golang.org/x/oauth2"
@ -95,7 +95,7 @@ func (idp *GoogleIdProvider) GetUserInfo(token *oauth2.Token) (*UserInfo, error)
 	}

 	defer resp.Body.Close()
-	body, err := io.ReadAll(resp.Body)
+	body, err := ioutil.ReadAll(resp.Body)
 	if err != nil {
 		return nil, err
 	}
--- a/idp/goth.go
+++ b/idp/goth.go
@ -1,4 +1,4 @@
-// Copyright 2021 The casbin Authors. All Rights Reserved.
+// Copyright 2021 The Casdoor Authors. All Rights Reserved.
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
@ -21,34 +21,36 @@ import (
 	"reflect"
 	"time"

-	"github.com/markbates/goth"
-	"github.com/markbates/goth/providers/amazon"
-	"github.com/markbates/goth/providers/apple"
-	"github.com/markbates/goth/providers/azuread"
-	"github.com/markbates/goth/providers/bitbucket"
-	"github.com/markbates/goth/providers/digitalocean"
-	"github.com/markbates/goth/providers/discord"
-	"github.com/markbates/goth/providers/dropbox"
-	"github.com/markbates/goth/providers/facebook"
-	"github.com/markbates/goth/providers/gitea"
-	"github.com/markbates/goth/providers/github"
-	"github.com/markbates/goth/providers/gitlab"
-	"github.com/markbates/goth/providers/google"
-	"github.com/markbates/goth/providers/heroku"
-	"github.com/markbates/goth/providers/instagram"
-	"github.com/markbates/goth/providers/kakao"
-	"github.com/markbates/goth/providers/line"
-	"github.com/markbates/goth/providers/linkedin"
-	"github.com/markbates/goth/providers/microsoftonline"
-	"github.com/markbates/goth/providers/paypal"
-	"github.com/markbates/goth/providers/salesforce"
-	"github.com/markbates/goth/providers/shopify"
-	"github.com/markbates/goth/providers/slack"
-	"github.com/markbates/goth/providers/tumblr"
-	"github.com/markbates/goth/providers/twitter"
-	"github.com/markbates/goth/providers/yahoo"
-	"github.com/markbates/goth/providers/yandex"
-	"github.com/markbates/goth/providers/zoom"
+	"github.com/casdoor/casdoor/util"
+	"github.com/casdoor/goth"
+	"github.com/casdoor/goth/providers/amazon"
+	"github.com/casdoor/goth/providers/apple"
+	"github.com/casdoor/goth/providers/azuread"
+	"github.com/casdoor/goth/providers/bitbucket"
+	"github.com/casdoor/goth/providers/digitalocean"
+	"github.com/casdoor/goth/providers/discord"
+	"github.com/casdoor/goth/providers/dropbox"
+	"github.com/casdoor/goth/providers/facebook"
+	"github.com/casdoor/goth/providers/gitea"
+	"github.com/casdoor/goth/providers/github"
+	"github.com/casdoor/goth/providers/gitlab"
+	"github.com/casdoor/goth/providers/google"
+	"github.com/casdoor/goth/providers/heroku"
+	"github.com/casdoor/goth/providers/instagram"
+	"github.com/casdoor/goth/providers/kakao"
+	"github.com/casdoor/goth/providers/line"
+	"github.com/casdoor/goth/providers/linkedin"
+	"github.com/casdoor/goth/providers/microsoftonline"
+	"github.com/casdoor/goth/providers/paypal"
+	"github.com/casdoor/goth/providers/salesforce"
+	"github.com/casdoor/goth/providers/shopify"
+	"github.com/casdoor/goth/providers/slack"
+	"github.com/casdoor/goth/providers/steam"
+	"github.com/casdoor/goth/providers/tumblr"
+	"github.com/casdoor/goth/providers/twitter"
+	"github.com/casdoor/goth/providers/yahoo"
+	"github.com/casdoor/goth/providers/yandex"
+	"github.com/casdoor/goth/providers/zoom"
 	"golang.org/x/oauth2"
 )

@ -170,6 +172,11 @@ func NewGothIdProvider(providerType string, clientId string, clientSecret string
 			Provider: slack.New(clientId, clientSecret, redirectUrl),
 			Session:  &slack.Session{},
 		}
+	case "Steam":
+		idp = GothIdProvider{
+			Provider: steam.New(clientSecret, redirectUrl),
+			Session:  &steam.Session{},
+		}
 	case "Tumblr":
 		idp = GothIdProvider{
 			Provider: tumblr.New(clientId, clientSecret, redirectUrl),
@ -208,11 +215,26 @@ func (idp *GothIdProvider) SetHttpClient(client *http.Client) {

 func (idp *GothIdProvider) GetToken(code string) (*oauth2.Token, error) {
 	var expireAt time.Time
-	//Need to construct variables supported by goth
-	//to call the function to obtain accessToken
-	value := url.Values{}
-	value.Add("code", code)
+	var value url.Values
+	var err error
+	if idp.Provider.Name() == "steam" {
+		value, err = url.ParseQuery(code)
+		returnUrl := reflect.ValueOf(idp.Session).Elem().FieldByName("CallbackURL")
+		returnUrl.Set(reflect.ValueOf(value.Get("openid.return_to")))
+		if err != nil {
+			return nil, err
+		}
+	} else {
+		//Need to construct variables supported by goth
+		//to call the function to obtain accessToken
+		value = url.Values{}
+		value.Add("code", code)
+	}
 	accessToken, err := idp.Session.Authorize(idp.Provider, value)
+	if err != nil {
+		return nil, err
+	}
+
 	//Get ExpiresAt's value
 	valueOfExpire := reflect.ValueOf(idp.Session).Elem().FieldByName("ExpiresAt")
 	if valueOfExpire.IsValid() {
@ -222,7 +244,8 @@ func (idp *GothIdProvider) GetToken(code string) (*oauth2.Token, error) {
 		AccessToken: accessToken,
 		Expiry:      expireAt,
 	}
-	return &token, err
+
+	return &token, nil
 }

 func (idp *GothIdProvider) GetUserInfo(token *oauth2.Token) (*UserInfo, error) {
@ -230,10 +253,10 @@ func (idp *GothIdProvider) GetUserInfo(token *oauth2.Token) (*UserInfo, error) {
 	if err != nil {
 		return nil, err
 	}
-	return getUser(gothUser), nil
+	return getUser(gothUser, idp.Provider.Name()), nil
 }

-func getUser(gothUser goth.User) *UserInfo {
+func getUser(gothUser goth.User, provider string) *UserInfo {
 	user := UserInfo{
 		Id:          gothUser.UserID,
 		Username:    gothUser.Name,
@ -244,11 +267,30 @@ func getUser(gothUser goth.User) *UserInfo {
 	//Some idp return an empty Name
 	//so construct the Name with firstname and lastname or nickname
 	if user.Username == "" {
-		user.Username = fmt.Sprintf("%v%v", gothUser.FirstName, gothUser.LastName)
+		if gothUser.FirstName != "" && gothUser.LastName != "" {
+			user.Username = getName(gothUser.FirstName, gothUser.LastName)
+		} else {
+			user.Username = gothUser.NickName
+		}
 	}
-	if user.Username == "" {
-		user.Username = gothUser.NickName
+	if user.DisplayName == "" {
+		if gothUser.FirstName != "" && gothUser.LastName != "" {
+			user.DisplayName = getName(gothUser.FirstName, gothUser.LastName)
+		} else {
+			user.DisplayName = user.Username
+		}
+	}
+	if provider == "steam" {
+		user.Username = user.DisplayName
+		user.Email = ""
 	}
-
 	return &user
 }
+
+func getName(firstName, lastName string) string {
+	if util.IsChinese(firstName) || util.IsChinese(lastName) {
+		return fmt.Sprintf("%s%s", lastName, firstName)
+	} else {
+		return fmt.Sprintf("%s %s", firstName, lastName)
+	}
+}
--- a/idp/infoflow_internal.go
+++ b/idp/infoflow_internal.go
@ -0,0 +1,192 @@
+// Copyright 2022 The Casdoor Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package idp
+
+import (
+	"encoding/json"
+	"fmt"
+	"io/ioutil"
+	"net/http"
+
+	"golang.org/x/oauth2"
+)
+
+type InfoflowInternalIdProvider struct {
+	Client  *http.Client
+	Config  *oauth2.Config
+	AgentId string
+}
+
+func NewInfoflowInternalIdProvider(clientId string, clientSecret string, appId string, redirectUrl string) *InfoflowInternalIdProvider {
+	idp := &InfoflowInternalIdProvider{}
+
+	config := idp.getConfig(clientId, clientSecret, redirectUrl)
+	idp.Config = config
+	idp.AgentId = appId
+	return idp
+}
+
+func (idp *InfoflowInternalIdProvider) SetHttpClient(client *http.Client) {
+	idp.Client = client
+}
+
+func (idp *InfoflowInternalIdProvider) getConfig(clientId string, clientSecret string, redirectUrl string) *oauth2.Config {
+	var config = &oauth2.Config{
+		ClientID:     clientId,
+		ClientSecret: clientSecret,
+		RedirectURL:  redirectUrl,
+	}
+
+	return config
+}
+
+type InfoflowInterToken struct {
+	Errcode     int    `json:"errcode"`
+	Errmsg      string `json:"errmsg"`
+	AccessToken string `json:"access_token"`
+}
+
+// get more detail via: https://qy.baidu.com/doc/index.html#/inner_quickstart/flow?id=%E8%8E%B7%E5%8F%96accesstoken
+func (idp *InfoflowInternalIdProvider) GetToken(code string) (*oauth2.Token, error) {
+	pTokenParams := &struct {
+		CorpId     string `json:"corpid"`
+		Corpsecret string `json:"corpsecret"`
+	}{idp.Config.ClientID, idp.Config.ClientSecret}
+	resp, err := idp.Client.Get(fmt.Sprintf("https://qy.im.baidu.com/api/gettoken?corpid=%s&corpsecret=%s", pTokenParams.CorpId, pTokenParams.Corpsecret))
+	if err != nil {
+		return nil, err
+	}
+
+	data, err := ioutil.ReadAll(resp.Body)
+	if err != nil {
+		return nil, err
+	}
+	pToken := &InfoflowInterToken{}
+	err = json.Unmarshal(data, pToken)
+	if err != nil {
+		return nil, err
+	}
+	if pToken.Errcode != 0 {
+		return nil, fmt.Errorf("pToken.Errcode = %d, pToken.Errmsg = %s", pToken.Errcode, pToken.Errmsg)
+	}
+	token := &oauth2.Token{
+		AccessToken: pToken.AccessToken,
+	}
+
+	raw := make(map[string]interface{})
+	raw["code"] = code
+	token = token.WithExtra(raw)
+
+	return token, nil
+}
+
+/*
+{
+    "errcode": 0,
+    "errmsg": "ok",
+    "userid": "lili",
+    "name": "丽丽",
+    "department": [1],
+    "mobile": "13500088888",
+    "email": "lili4@gzdev.com",
+    "imid": 40000318,
+    "hiuname": "lili4",
+    "status": 1,
+    "extattr":
+        {
+            "attrs": [
+                {
+                    "name": "爱好",
+                    "value": "旅游"
+                },
+                {
+                    "name": "卡号,
+                    "value": "1234567234"
+                }
+            ]
+        },
+   "lm": 14236463257
+}
+*/
+
+type InfoflowInternalUserResp struct {
+	Errcode int    `json:"errcode"`
+	Errmsg  string `json:"errmsg"`
+	UserId  string `json:"UserId"`
+}
+
+type InfoflowInternalUserInfo struct {
+	Errcode int    `json:"errcode"`
+	Errmsg  string `json:"errmsg"`
+	UserId  string `json:"userid"`
+	Imid    int    `json:"imid"`
+	Name    string `json:"name"`
+	Avatar  string `json:"headimg"`
+	Email   string `json:"email"`
+}
+
+// get more detail via: https://qy.baidu.com/doc/index.html#/inner_serverapi/contacts?id=%e8%8e%b7%e5%8f%96%e6%88%90%e5%91%98
+func (idp *InfoflowInternalIdProvider) GetUserInfo(token *oauth2.Token) (*UserInfo, error) {
+	//Get userid first
+	accessToken := token.AccessToken
+	code := token.Extra("code").(string)
+	resp, err := idp.Client.Get(fmt.Sprintf("https://qy.im.baidu.com/api/user/getuserinfo?access_token=%s&code=%s&agentid=%s", accessToken, code, idp.AgentId))
+	if err != nil {
+		return nil, err
+	}
+
+	data, err := ioutil.ReadAll(resp.Body)
+	if err != nil {
+		return nil, err
+	}
+	userResp := &InfoflowInternalUserResp{}
+	err = json.Unmarshal(data, userResp)
+	if err != nil {
+		return nil, err
+	}
+	if userResp.Errcode != 0 {
+		return nil, fmt.Errorf("userIdResp.Errcode = %d, userIdResp.Errmsg = %s", userResp.Errcode, userResp.Errmsg)
+	}
+	//Use userid and accesstoken to get user information
+	resp, err = idp.Client.Get(fmt.Sprintf("https://api.im.baidu.com/api/user/get?access_token=%s&userid=%s", accessToken, userResp.UserId))
+	if err != nil {
+		return nil, err
+	}
+
+	data, err = ioutil.ReadAll(resp.Body)
+	if err != nil {
+		return nil, err
+	}
+	infoResp := &InfoflowInternalUserInfo{}
+	err = json.Unmarshal(data, infoResp)
+	if err != nil {
+		return nil, err
+	}
+	if infoResp.Errcode != 0 {
+		return nil, fmt.Errorf("userInfoResp.errcode = %d, userInfoResp.errmsg = %s", infoResp.Errcode, infoResp.Errmsg)
+	}
+	userInfo := UserInfo{
+		Id:          infoResp.UserId,
+		Username:    infoResp.UserId,
+		DisplayName: infoResp.Name,
+		AvatarUrl:   infoResp.Avatar,
+		Email:       infoResp.Email,
+	}
+
+	if userInfo.Id == "" {
+		userInfo.Id = userInfo.Username
+	}
+	return &userInfo, nil
+}
--- a/idp/infoflow_third_party.go
+++ b/idp/infoflow_third_party.go
@ -0,0 +1,212 @@
+// Copyright 2022 The Casdoor Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package idp
+
+import (
+	"encoding/json"
+	"fmt"
+	"io"
+	"io/ioutil"
+	"net/http"
+	"strings"
+	"time"
+
+	"golang.org/x/oauth2"
+)
+
+type InfoflowIdProvider struct {
+	Client  *http.Client
+	Config  *oauth2.Config
+	AgentId string
+	Ticket  string
+}
+
+func NewInfoflowIdProvider(clientId string, clientSecret string, appId string, redirectUrl string) *InfoflowIdProvider {
+	idp := &InfoflowIdProvider{}
+
+	config := idp.getConfig(clientId, clientSecret, redirectUrl)
+	idp.Config = config
+	idp.AgentId = appId
+	return idp
+}
+
+func (idp *InfoflowIdProvider) SetHttpClient(client *http.Client) {
+	idp.Client = client
+}
+
+func (idp *InfoflowIdProvider) getConfig(clientId string, clientSecret string, redirectUrl string) *oauth2.Config {
+	var config = &oauth2.Config{
+		ClientID:     clientId,
+		ClientSecret: clientSecret,
+		RedirectURL:  redirectUrl,
+	}
+
+	return config
+}
+
+type InfoflowToken struct {
+	Errcode     int    `json:"errcode"`
+	Errmsg      string `json:"errmsg"`
+	AccessToken string `json:"suite_access_token"`
+	ExpiresIn   int    `json:"expires_in"`
+}
+
+// get more detail via: https://qy.baidu.com/doc/index.html#/third_serverapi/authority
+func (idp *InfoflowIdProvider) GetToken(code string) (*oauth2.Token, error) {
+	pTokenParams := &struct {
+		SuiteId     string `json:"suite_id"`
+		SuiteSecret string `json:"suite_secret"`
+		SuiteTicket string `json:"suite_ticket"`
+	}{idp.Config.ClientID, idp.Config.ClientSecret, idp.Ticket}
+	data, err := idp.postWithBody(pTokenParams, "https://api.im.baidu.com/api/service/get_suite_token")
+
+	pToken := &InfoflowToken{}
+	err = json.Unmarshal(data, pToken)
+	if err != nil {
+		return nil, err
+	}
+	if pToken.Errcode != 0 {
+		return nil, fmt.Errorf("pToken.Errcode = %d, pToken.Errmsg = %s", pToken.Errcode, pToken.Errmsg)
+	}
+	token := &oauth2.Token{
+		AccessToken: pToken.AccessToken,
+		Expiry:      time.Unix(time.Now().Unix()+int64(pToken.ExpiresIn), 0),
+	}
+
+	raw := make(map[string]interface{})
+	raw["code"] = code
+	token = token.WithExtra(raw)
+
+	return token, nil
+}
+
+/*
+{
+    "errcode": 0,
+    "errmsg": "ok",
+    "userid": "lili",
+    "name": "丽丽",
+    "department": [1],
+    "mobile": "13500088888",
+    "email": "lili4@gzdev.com",
+    "imid": 40000318,
+    "hiuname": "lili4",
+    "status": 1,
+    "extattr": {
+        "attrs": [
+            {
+                "name": "爱好",
+                "value": "旅游"
+            },
+            {
+                "name": "卡号",
+                "value": "1234567234"
+            }
+        ]
+    },
+    "lm" : 14236463257
+}
+*/
+
+type InfoflowUserResp struct {
+	Errcode int    `json:"errcode"`
+	Errmsg  string `json:"errmsg"`
+	UserId  string `json:"UserId"`
+}
+
+type InfoflowUserInfo struct {
+	Errcode int    `json:"errcode"`
+	Errmsg  string `json:"errmsg"`
+	Imid    string `json:"imid"`
+	Name    string `json:"name"`
+	Email   string `json:"email"`
+}
+
+// get more detail via: https://qy.baidu.com/doc/index.html#/third_serverapi/contacts?id=%e8%8e%b7%e5%8f%96%e6%88%90%e5%91%98
+func (idp *InfoflowIdProvider) GetUserInfo(token *oauth2.Token) (*UserInfo, error) {
+	//Get userid first
+	accessToken := token.AccessToken
+	code := token.Extra("code").(string)
+	resp, err := idp.Client.Get(fmt.Sprintf("https://api.im.baidu.com/api/user/getuserinfo?access_token=%s&code=%s&agentid=%s", accessToken, code, idp.AgentId))
+	if err != nil {
+		return nil, err
+	}
+
+	data, err := ioutil.ReadAll(resp.Body)
+	if err != nil {
+		return nil, err
+	}
+	userResp := &InfoflowUserResp{}
+	err = json.Unmarshal(data, userResp)
+	if err != nil {
+		return nil, err
+	}
+	if userResp.Errcode != 0 {
+		return nil, fmt.Errorf("userIdResp.Errcode = %d, userIdResp.Errmsg = %s", userResp.Errcode, userResp.Errmsg)
+	}
+	//Use userid and accesstoken to get user information
+	resp, err = idp.Client.Get(fmt.Sprintf("https://api.im.baidu.com/api/user/get?access_token=%s&userid=%s", accessToken, userResp.UserId))
+	if err != nil {
+		return nil, err
+	}
+
+	data, err = ioutil.ReadAll(resp.Body)
+	if err != nil {
+		return nil, err
+	}
+	infoResp := &InfoflowUserInfo{}
+	err = json.Unmarshal(data, infoResp)
+	if err != nil {
+		return nil, err
+	}
+	if infoResp.Errcode != 0 {
+		return nil, fmt.Errorf("userInfoResp.errcode = %d, userInfoResp.errmsg = %s", infoResp.Errcode, infoResp.Errmsg)
+	}
+	userInfo := UserInfo{
+		Id:          infoResp.Imid,
+		Username:    infoResp.Name,
+		DisplayName: infoResp.Name,
+		Email:       infoResp.Email,
+	}
+
+	if userInfo.Id == "" {
+		userInfo.Id = userInfo.Username
+	}
+	return &userInfo, nil
+}
+
+func (idp *InfoflowIdProvider) postWithBody(body interface{}, url string) ([]byte, error) {
+	bs, err := json.Marshal(body)
+	if err != nil {
+		return nil, err
+	}
+	r := strings.NewReader(string(bs))
+	resp, err := idp.Client.Post(url, "application/json;charset=UTF-8", r)
+	if err != nil {
+		return nil, err
+	}
+	data, err := ioutil.ReadAll(resp.Body)
+	if err != nil {
+		return nil, err
+	}
+	defer func(Body io.ReadCloser) {
+		err := Body.Close()
+		if err != nil {
+			return
+		}
+	}(resp.Body)
+
+	return data, nil
+}
--- a/idp/lark.go
+++ b/idp/lark.go
@ -1,4 +1,4 @@
-// Copyright 2021 The casbin Authors. All Rights Reserved.
+// Copyright 2021 The Casdoor Authors. All Rights Reserved.
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
@ -17,6 +17,7 @@ package idp
 import (
 	"encoding/json"
 	"io"
+	"io/ioutil"
 	"net/http"
 	"strings"
 	"time"
@ -168,8 +169,11 @@ func (idp *LarkIdProvider) GetUserInfo(token *oauth2.Token) (*UserInfo, error) {
 	req.Header.Set("Authorization", "Bearer "+token.AccessToken)

 	resp, err := idp.Client.Do(req)
-	data, err = io.ReadAll(resp.Body)
-	err = resp.Body.Close()
+	if err != nil {
+		return nil, err
+	}
+	defer resp.Body.Close()
+	data, err = ioutil.ReadAll(resp.Body)
 	if err != nil {
 		return nil, err
 	}
@ -200,7 +204,7 @@ func (idp *LarkIdProvider) postWithBody(body interface{}, url string) ([]byte, e
 	if err != nil {
 		return nil, err
 	}
-	data, err := io.ReadAll(resp.Body)
+	data, err := ioutil.ReadAll(resp.Body)
 	if err != nil {
 		return nil, err
 	}
--- a/idp/linkedin.go
+++ b/idp/linkedin.go
@ -1,4 +1,4 @@
-// Copyright 2021 The casbin Authors. All Rights Reserved.
+// Copyright 2021 The Casdoor Authors. All Rights Reserved.
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
@ -18,6 +18,7 @@ import (
 	"encoding/json"
 	"fmt"
 	"io"
+	"io/ioutil"
 	"net/http"
 	"net/url"
 	"strings"
@ -84,7 +85,7 @@ func (idp *LinkedInIdProvider) GetToken(code string) (*oauth2.Token, error) {
 	if err != nil {
 		return nil, err
 	}
-	rbs, err := io.ReadAll(resp.Body)
+	rbs, err := ioutil.ReadAll(resp.Body)
 	if err != nil {
 		return nil, err
 	}
@ -322,7 +323,7 @@ func (idp *LinkedInIdProvider) GetUrlRespWithAuthorization(url, token string) ([
 		}
 	}(resp.Body)

-	bs, err := io.ReadAll(resp.Body)
+	bs, err := ioutil.ReadAll(resp.Body)
 	if err != nil {
 		return nil, err
 	}
--- a/idp/okta.go
+++ b/idp/okta.go
@ -0,0 +1,200 @@
+// Copyright 2022 The Casdoor Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package idp
+
+import (
+	"encoding/json"
+	"fmt"
+	"io/ioutil"
+	"net/http"
+	"net/url"
+	"time"
+
+	"golang.org/x/oauth2"
+)
+
+type OktaIdProvider struct {
+	Client *http.Client
+	Config *oauth2.Config
+	Host   string
+}
+
+func NewOktaIdProvider(clientId string, clientSecret string, redirectUrl string, hostUrl string) *OktaIdProvider {
+	idp := &OktaIdProvider{}
+
+	config := idp.getConfig(hostUrl, clientId, clientSecret, redirectUrl)
+	config.ClientID = clientId
+	config.ClientSecret = clientSecret
+	config.RedirectURL = redirectUrl
+	idp.Config = config
+	idp.Host = hostUrl
+	return idp
+}
+
+func (idp *OktaIdProvider) SetHttpClient(client *http.Client) {
+	idp.Client = client
+}
+
+func (idp *OktaIdProvider) getConfig(hostUrl string, clientId string, clientSecret string, redirectUrl string) *oauth2.Config {
+	var endpoint = oauth2.Endpoint{
+		TokenURL: fmt.Sprintf("%s/v1/token", hostUrl),
+		AuthURL:  fmt.Sprintf("%s/v1/authorize", hostUrl),
+	}
+
+	var config = &oauth2.Config{
+		// openid is required for authentication requests
+		// get more details via: https://developer.okta.com/docs/reference/api/oidc/#reserved-scopes
+		Scopes:       []string{"openid", "profile", "email"},
+		Endpoint:     endpoint,
+		ClientID:     clientId,
+		ClientSecret: clientSecret,
+		RedirectURL:  redirectUrl,
+	}
+
+	return config
+}
+
+// get more details via: https://developer.okta.com/docs/reference/api/oidc/#token
+/*
+{
+    "access_token" : "eyJhbGciOiJSUzI1NiJ9.eyJ2ZXIiOjEsImlzcyI6Imh0dHA6Ly9yYWluLm9rdGExLmNvbToxODAyIiwiaWF0IjoxNDQ5Nj
+                      I0MDI2LCJleHAiOjE0NDk2Mjc2MjYsImp0aSI6IlVmU0lURzZCVVNfdHA3N21BTjJxIiwic2NvcGVzIjpbIm9wZW5pZCIsI
+                      mVtYWlsIl0sImNsaWVudF9pZCI6InVBYXVub2ZXa2FESnh1a0NGZUJ4IiwidXNlcl9pZCI6IjAwdWlkNEJ4WHc2STZUVjRt
+                      MGczIn0.HaBu5oQxdVCIvea88HPgr2O5evqZlCT4UXH4UKhJnZ5px-ArNRqwhxXWhHJisslswjPpMkx1IgrudQIjzGYbtLF
+                      jrrg2ueiU5-YfmKuJuD6O2yPWGTsV7X6i7ABT6P-t8PRz_RNbk-U1GXWIEkNnEWbPqYDAm_Ofh7iW0Y8WDA5ez1jbtMvd-o
+                      XMvJLctRiACrTMLJQ2e5HkbUFxgXQ_rFPNHJbNSUBDLqdi2rg_ND64DLRlXRY7hupNsvWGo0gF4WEUk8IZeaLjKw8UoIs-E
+                      TEwJlAMcvkhoVVOsN5dPAaEKvbyvPC1hUGXb4uuThlwdD3ECJrtwgKqLqcWonNtiw",
+    "token_type" : "Bearer",
+    "expires_in" : 3600,
+    "scope"      : "openid email",
+    "refresh_token" : "a9VpZDRCeFh3Nkk2VdY",
+    "id_token" : "eyJhbGciOiJSUzI1NiJ9.eyJzdWIiOiIwMHVpZDRCeFh3Nkk2VFY0bTBnMyIsImVtYWlsIjoid2VibWFzdGVyQGNsb3VkaXR1ZG
+                  UubmV0IiwiZW1haWxfdmVyaWZpZWQiOnRydWUsInZlciI6MSwiaXNzIjoiaHR0cDovL3JhaW4ub2t0YTEuY29tOjE4MDIiLCJsb
+                  2dpbiI6ImFkbWluaXN0cmF0b3IxQGNsb3VkaXR1ZGUubmV0IiwiYXVkIjoidUFhdW5vZldrYURKeHVrQ0ZlQngiLCJpYXQiOjE0
+                  NDk2MjQwMjYsImV4cCI6MTQ0OTYyNzYyNiwiYW1yIjpbInB3ZCJdLCJqdGkiOiI0ZUFXSk9DTUIzU1g4WGV3RGZWUiIsImF1dGh
+                  fdGltZSI6MTQ0OTYyNDAyNiwiYXRfaGFzaCI6ImNwcUtmZFFBNWVIODkxRmY1b0pyX1EifQ.Btw6bUbZhRa89DsBb8KmL9rfhku
+                  --_mbNC2pgC8yu8obJnwO12nFBepui9KzbpJhGM91PqJwi_AylE6rp-ehamfnUAO4JL14PkemF45Pn3u_6KKwxJnxcWxLvMuuis
+                  nvIs7NScKpOAab6ayZU0VL8W6XAijQmnYTtMWQfSuaaR8rYOaWHrffh3OypvDdrQuYacbkT0csxdrayXfBG3UF5-ZAlhfch1fhF
+                  T3yZFdWwzkSDc0BGygfiFyNhCezfyT454wbciSZgrA9ROeHkfPCaX7KCFO8GgQEkGRoQntFBNjluFhNLJIUkEFovEDlfuB4tv_M
+                  8BM75celdy3jkpOurg"
+}
+*/
+
+type OktaToken struct {
+	AccessToken  string `json:"access_token"`
+	TokenType    string `json:"token_type"`
+	ExpiresIn    int    `json:"expires_in"`
+	Scope        string `json:"scope"`
+	RefreshToken string `json:"refresh_token"`
+	IdToken      string `json:"id_token"`
+}
+
+// GetToken use code to get access_token
+// get more details via: https://developer.okta.com/docs/reference/api/oidc/#token
+func (idp *OktaIdProvider) GetToken(code string) (*oauth2.Token, error) {
+	payload := url.Values{}
+	payload.Set("code", code)
+	payload.Set("grant_type", "authorization_code")
+	payload.Set("client_id", idp.Config.ClientID)
+	payload.Set("client_secret", idp.Config.ClientSecret)
+	payload.Set("redirect_uri", idp.Config.RedirectURL)
+	resp, err := idp.Client.PostForm(idp.Config.Endpoint.TokenURL, payload)
+	if err != nil {
+		return nil, err
+	}
+	data, err := ioutil.ReadAll(resp.Body)
+	if err != nil {
+		return nil, err
+	}
+
+	pToken := &OktaToken{}
+	err = json.Unmarshal(data, pToken)
+	if err != nil {
+		return nil, fmt.Errorf("fail to unmarshal token response: %s", err.Error())
+	}
+
+	token := &oauth2.Token{
+		AccessToken:  pToken.AccessToken,
+		TokenType:    "Bearer",
+		RefreshToken: pToken.RefreshToken,
+		Expiry:       time.Unix(time.Now().Unix()+int64(pToken.ExpiresIn), 0),
+	}
+	return token, nil
+}
+
+// get more details via: https://developer.okta.com/docs/reference/api/oidc/#userinfo
+/*
+{
+  "sub": "00uid4BxXw6I6TV4m0g3",
+  "name" :"John Doe",
+  "nickname":"Jimmy",
+  "given_name":"John",
+  "middle_name":"James",
+  "family_name":"Doe",
+  "profile":"https://example.com/john.doe",
+  "zoneinfo":"America/Los_Angeles",
+  "locale":"en-US",
+  "updated_at":1311280970,
+  "email":"john.doe@example.com",
+  "email_verified":true,
+  "address" : { "street_address":"123 Hollywood Blvd.", "locality":"Los Angeles", "region":"CA", "postal_code":"90210", "country":"US" },
+  "phone_number":"+1 (425) 555-1212"
+}
+*/
+
+type OktaUserInfo struct {
+	Email             string `json:"email"`
+	Name              string `json:"name"`
+	PreferredUsername string `json:"preferred_username"`
+	Picture           string `json:"picture"`
+	Sub               string `json:"sub"`
+}
+
+// GetUserInfo use token to get user profile
+// get more details via: https://developer.okta.com/docs/reference/api/oidc/#userinfo
+func (idp *OktaIdProvider) GetUserInfo(token *oauth2.Token) (*UserInfo, error) {
+	req, err := http.NewRequest("GET", fmt.Sprintf("%s/v1/userinfo", idp.Host), nil)
+	if err != nil {
+		return nil, err
+	}
+	req.Header.Add("Authorization", fmt.Sprintf("Bearer %s", token.AccessToken))
+	req.Header.Add("Accept", "application/json")
+	resp, err := idp.Client.Do(req)
+	if err != nil {
+		return nil, err
+	}
+
+	defer resp.Body.Close()
+
+	body, err := ioutil.ReadAll(resp.Body)
+	if err != nil {
+		return nil, err
+	}
+
+	var oktaUserInfo OktaUserInfo
+	err = json.Unmarshal(body, &oktaUserInfo)
+	if err != nil {
+		return nil, err
+	}
+
+	userInfo := UserInfo{
+		Id:          oktaUserInfo.Sub,
+		Username:    oktaUserInfo.PreferredUsername,
+		DisplayName: oktaUserInfo.Name,
+		Email:       oktaUserInfo.Email,
+		AvatarUrl:   oktaUserInfo.Picture,
+	}
+	return &userInfo, nil
+}
--- a/idp/provider.go
+++ b/idp/provider.go
@ -1,4 +1,4 @@
-// Copyright 2021 The casbin Authors. All Rights Reserved.
+// Copyright 2021 The Casdoor Authors. All Rights Reserved.
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
@ -35,39 +35,69 @@ type IdProvider interface {
 	GetUserInfo(token *oauth2.Token) (*UserInfo, error)
 }

-func GetIdProvider(providerType string, clientId string, clientSecret string, redirectUrl string) IdProvider {
-	if providerType == "GitHub" {
+func GetIdProvider(typ string, subType string, clientId string, clientSecret string, appId string, redirectUrl string, hostUrl string, authUrl string, tokenUrl string, userInfoUrl string) IdProvider {
+	if typ == "GitHub" {
 		return NewGithubIdProvider(clientId, clientSecret, redirectUrl)
-	} else if providerType == "Google" {
+	} else if typ == "Google" {
 		return NewGoogleIdProvider(clientId, clientSecret, redirectUrl)
-	} else if providerType == "QQ" {
+	} else if typ == "QQ" {
 		return NewQqIdProvider(clientId, clientSecret, redirectUrl)
-	} else if providerType == "WeChat" {
+	} else if typ == "WeChat" {
 		return NewWeChatIdProvider(clientId, clientSecret, redirectUrl)
-	} else if providerType == "Facebook" {
+	} else if typ == "Facebook" {
 		return NewFacebookIdProvider(clientId, clientSecret, redirectUrl)
-	} else if providerType == "DingTalk" {
+	} else if typ == "DingTalk" {
 		return NewDingTalkIdProvider(clientId, clientSecret, redirectUrl)
-	} else if providerType == "Weibo" {
+	} else if typ == "Weibo" {
 		return NewWeiBoIdProvider(clientId, clientSecret, redirectUrl)
-	} else if providerType == "Gitee" {
+	} else if typ == "Gitee" {
 		return NewGiteeIdProvider(clientId, clientSecret, redirectUrl)
-	} else if providerType == "LinkedIn" {
+	} else if typ == "LinkedIn" {
 		return NewLinkedInIdProvider(clientId, clientSecret, redirectUrl)
-	} else if providerType == "WeCom" {
-		return NewWeComIdProvider(clientId, clientSecret, redirectUrl)
-	} else if providerType == "Lark" {
+	} else if typ == "WeCom" {
+		if subType == "Internal" {
+			return NewWeComInternalIdProvider(clientId, clientSecret, redirectUrl)
+		} else if subType == "Third-party" {
+			return NewWeComIdProvider(clientId, clientSecret, redirectUrl)
+		} else {
+			return nil
+		}
+	} else if typ == "Lark" {
 		return NewLarkIdProvider(clientId, clientSecret, redirectUrl)
-	} else if providerType == "GitLab" {
+	} else if typ == "GitLab" {
 		return NewGitlabIdProvider(clientId, clientSecret, redirectUrl)
-	} else if isGothSupport(providerType) {
-		return NewGothIdProvider(providerType, clientId, clientSecret, redirectUrl)
+	} else if typ == "Adfs" {
+		return NewAdfsIdProvider(clientId, clientSecret, redirectUrl, hostUrl)
+	} else if typ == "Baidu" {
+		return NewBaiduIdProvider(clientId, clientSecret, redirectUrl)
+	} else if typ == "Alipay" {
+		return NewAlipayIdProvider(clientId, clientSecret, redirectUrl)
+	} else if typ == "Custom" {
+		return NewCustomIdProvider(clientId, clientSecret, redirectUrl, authUrl, tokenUrl, userInfoUrl)
+	} else if typ == "Infoflow" {
+		if subType == "Internal" {
+			return NewInfoflowInternalIdProvider(clientId, clientSecret, appId, redirectUrl)
+		} else if subType == "Third-party" {
+			return NewInfoflowIdProvider(clientId, clientSecret, appId, redirectUrl)
+		} else {
+			return nil
+		}
+	} else if typ == "Casdoor" {
+		return NewCasdoorIdProvider(clientId, clientSecret, redirectUrl, hostUrl)
+	} else if typ == "Okta" {
+		return NewOktaIdProvider(clientId, clientSecret, redirectUrl, hostUrl)
+	} else if typ == "Douyin" {
+		return NewDouyinIdProvider(clientId, clientSecret, redirectUrl)
+	} else if isGothSupport(typ) {
+		return NewGothIdProvider(typ, clientId, clientSecret, redirectUrl)
+	} else if typ == "Bilibili" {
+		return NewBilibiliIdProvider(clientId, clientSecret, redirectUrl)
 	}

 	return nil
 }

-var gothList = []string{"Apple", "AzureAd", "Slack"}
+var gothList = []string{"Apple", "AzureAd", "Slack", "Steam"}

 func isGothSupport(provider string) bool {
 	for _, value := range gothList {
--- a/idp/qq.go
+++ b/idp/qq.go
@ -1,4 +1,4 @@
-// Copyright 2021 The casbin Authors. All Rights Reserved.
+// Copyright 2021 The Casdoor Authors. All Rights Reserved.
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
@ -18,7 +18,7 @@ import (
 	"encoding/json"
 	"errors"
 	"fmt"
-	"io"
+	"io/ioutil"
 	"net/http"
 	"net/url"
 	"regexp"
@ -75,7 +75,10 @@ func (idp *QqIdProvider) GetToken(code string) (*oauth2.Token, error) {
 	}

 	defer resp.Body.Close()
-	tokenContent, err := io.ReadAll(resp.Body)
+	tokenContent, err := ioutil.ReadAll(resp.Body)
+	if err != nil {
+		return nil, err
+	}

 	re := regexp.MustCompile("token=(.*?)&")
 	matched := re.FindAllStringSubmatch(string(tokenContent), -1)
@ -145,7 +148,10 @@ func (idp *QqIdProvider) GetUserInfo(token *oauth2.Token) (*UserInfo, error) {
 	}

 	defer resp.Body.Close()
-	openIdBody, err := io.ReadAll(resp.Body)
+	openIdBody, err := ioutil.ReadAll(resp.Body)
+	if err != nil {
+		return nil, err
+	}

 	re := regexp.MustCompile("\"openid\":\"(.*?)\"}")
 	matched := re.FindAllStringSubmatch(string(openIdBody), -1)
@ -161,7 +167,7 @@ func (idp *QqIdProvider) GetUserInfo(token *oauth2.Token) (*UserInfo, error) {
 	}

 	defer resp.Body.Close()
-	userInfoBody, err := io.ReadAll(resp.Body)
+	userInfoBody, err := ioutil.ReadAll(resp.Body)
 	if err != nil {
 		return nil, err
 	}
@ -178,6 +184,7 @@ func (idp *QqIdProvider) GetUserInfo(token *oauth2.Token) (*UserInfo, error) {

 	userInfo := UserInfo{
 		Id:          openId,
+		Username:    qqUserInfo.Nickname,
 		DisplayName: qqUserInfo.Nickname,
 		AvatarUrl:   qqUserInfo.FigureurlQq1,
 	}
--- a/idp/wechat.go
+++ b/idp/wechat.go
@ -1,4 +1,4 @@
-// Copyright 2021 The casbin Authors. All Rights Reserved.
+// Copyright 2021 The Casdoor Authors. All Rights Reserved.
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
@ -21,6 +21,7 @@ import (
 	"io"
 	"net/http"
 	"net/url"
+	"strings"
 	"time"

 	"golang.org/x/oauth2"
@ -98,6 +99,11 @@ func (idp *WeChatIdProvider) GetToken(code string) (*oauth2.Token, error) {
 		return nil, err
 	}

+	// {"errcode":40163,"errmsg":"code been used, rid: 6206378a-793424c0-2e4091cc"}
+	if strings.Contains(buf.String(), "errcode") {
+		return nil, fmt.Errorf(buf.String())
+	}
+
 	var wechatAccessToken WechatAccessToken
 	if err = json.Unmarshal(buf.Bytes(), &wechatAccessToken); err != nil {
 		return nil, err
--- a/idp/wechat_miniprogram.go
+++ b/idp/wechat_miniprogram.go
@ -0,0 +1,82 @@
+// Copyright 2022 The Casdoor Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package idp
+
+import (
+	"encoding/json"
+	"fmt"
+	"io/ioutil"
+	"net/http"
+
+	"golang.org/x/oauth2"
+)
+
+type WeChatMiniProgramIdProvider struct {
+	Client *http.Client
+	Config *oauth2.Config
+}
+
+func NewWeChatMiniProgramIdProvider(clientId string, clientSecret string) *WeChatMiniProgramIdProvider {
+	idp := &WeChatMiniProgramIdProvider{}
+
+	config := idp.getConfig(clientId, clientSecret)
+	idp.Config = config
+	idp.Client = &http.Client{}
+	return idp
+}
+
+func (idp *WeChatMiniProgramIdProvider) SetHttpClient(client *http.Client) {
+	idp.Client = client
+}
+
+func (idp *WeChatMiniProgramIdProvider) getConfig(clientId string, clientSecret string) *oauth2.Config {
+	var config = &oauth2.Config{
+		ClientID:     clientId,
+		ClientSecret: clientSecret,
+	}
+
+	return config
+}
+
+type WeChatMiniProgramSessionResponse struct {
+	Openid     string `json:"openid"`
+	SessionKey string `json:"session_key"`
+	Unionid    string `json:"unionid"`
+	Errcode    int    `json:"errcode"`
+	Errmsg     string `json:"errmsg"`
+}
+
+func (idp *WeChatMiniProgramIdProvider) GetSessionByCode(code string) (*WeChatMiniProgramSessionResponse, error) {
+	sessionUri := fmt.Sprintf("https://api.weixin.qq.com/sns/jscode2session?appid=%s&secret=%s&js_code=%s&grant_type=authorization_code", idp.Config.ClientID, idp.Config.ClientSecret, code)
+	sessionResponse, err := idp.Client.Get(sessionUri)
+	if err != nil {
+		return nil, err
+	}
+	defer sessionResponse.Body.Close()
+	data, err := ioutil.ReadAll(sessionResponse.Body)
+	if err != nil {
+		return nil, err
+	}
+	var session WeChatMiniProgramSessionResponse
+	err = json.Unmarshal(data, &session)
+	if err != nil {
+		return nil, err
+	}
+	if session.Errcode != 0 {
+		return nil, fmt.Errorf("err: %s", session.Errmsg)
+	}
+	return &session, nil
+
+}
--- a/idp/wecom_internal.go
+++ b/idp/wecom_internal.go
@ -0,0 +1,172 @@
+// Copyright 2021 The Casdoor Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package idp
+
+import (
+	"encoding/json"
+	"fmt"
+	"io/ioutil"
+	"net/http"
+	"time"
+
+	"golang.org/x/oauth2"
+)
+
+//This idp is using wecom internal application api as idp
+type WeComInternalIdProvider struct {
+	Client *http.Client
+	Config *oauth2.Config
+}
+
+func NewWeComInternalIdProvider(clientId string, clientSecret string, redirectUrl string) *WeComInternalIdProvider {
+	idp := &WeComInternalIdProvider{}
+
+	config := idp.getConfig(clientId, clientSecret, redirectUrl)
+	idp.Config = config
+
+	return idp
+}
+
+func (idp *WeComInternalIdProvider) SetHttpClient(client *http.Client) {
+	idp.Client = client
+}
+
+func (idp *WeComInternalIdProvider) getConfig(clientId string, clientSecret string, redirectUrl string) *oauth2.Config {
+	var config = &oauth2.Config{
+		ClientID:     clientId,
+		ClientSecret: clientSecret,
+		RedirectURL:  redirectUrl,
+	}
+
+	return config
+}
+
+type WecomInterToken struct {
+	Errcode     int    `json:"errcode"`
+	Errmsg      string `json:"errmsg"`
+	AccessToken string `json:"access_token"`
+	ExpiresIn   int    `json:"expires_in"`
+}
+
+// GetToken use code get access_token (*operation of getting code ought to be done in front)
+// get more detail via: https://developer.work.weixin.qq.com/document/path/91039
+func (idp *WeComInternalIdProvider) GetToken(code string) (*oauth2.Token, error) {
+	pTokenParams := &struct {
+		CorpId     string `json:"corpid"`
+		Corpsecret string `json:"corpsecret"`
+	}{idp.Config.ClientID, idp.Config.ClientSecret}
+	resp, err := idp.Client.Get(fmt.Sprintf("https://qyapi.weixin.qq.com/cgi-bin/gettoken?corpid=%s&corpsecret=%s", pTokenParams.CorpId, pTokenParams.Corpsecret))
+	if err != nil {
+		return nil, err
+	}
+
+	data, err := ioutil.ReadAll(resp.Body)
+	if err != nil {
+		return nil, err
+	}
+	pToken := &WecomInterToken{}
+	err = json.Unmarshal(data, pToken)
+	if err != nil {
+		return nil, err
+	}
+	if pToken.Errcode != 0 {
+		return nil, fmt.Errorf("pToken.Errcode = %d, pToken.Errmsg = %s", pToken.Errcode, pToken.Errmsg)
+	}
+
+	token := &oauth2.Token{
+		AccessToken: pToken.AccessToken,
+		Expiry:      time.Unix(time.Now().Unix()+int64(pToken.ExpiresIn), 0),
+	}
+
+	raw := make(map[string]interface{})
+	raw["code"] = code
+	token = token.WithExtra(raw)
+
+	return token, nil
+}
+
+type WecomInternalUserResp struct {
+	Errcode int    `json:"errcode"`
+	Errmsg  string `json:"errmsg"`
+	UserId  string `json:"UserId"`
+	OpenId  string `json:"OpenId"`
+}
+
+type WecomInternalUserInfo struct {
+	Errcode int    `json:"errcode"`
+	Errmsg  string `json:"errmsg"`
+	Name    string `json:"name"`
+	Email   string `json:"email"`
+	Avatar  string `json:"avatar"`
+	OpenId  string `json:"open_userid"`
+	UserId  string `json:"userid"`
+}
+
+func (idp *WeComInternalIdProvider) GetUserInfo(token *oauth2.Token) (*UserInfo, error) {
+	//Get userid first
+	accessToken := token.AccessToken
+	code := token.Extra("code").(string)
+	resp, err := idp.Client.Get(fmt.Sprintf("https://qyapi.weixin.qq.com/cgi-bin/user/getuserinfo?access_token=%s&code=%s", accessToken, code))
+	if err != nil {
+		return nil, err
+	}
+
+	data, err := ioutil.ReadAll(resp.Body)
+	if err != nil {
+		return nil, err
+	}
+	userResp := &WecomInternalUserResp{}
+	err = json.Unmarshal(data, userResp)
+	if err != nil {
+		return nil, err
+	}
+	if userResp.Errcode != 0 {
+		return nil, fmt.Errorf("userIdResp.Errcode = %d, userIdResp.Errmsg = %s", userResp.Errcode, userResp.Errmsg)
+	}
+	if userResp.OpenId != "" {
+		return nil, fmt.Errorf("not an internal user")
+	}
+	//Use userid and accesstoken to get user information
+	resp, err = idp.Client.Get(fmt.Sprintf("https://qyapi.weixin.qq.com/cgi-bin/user/get?access_token=%s&userid=%s", accessToken, userResp.UserId))
+	if err != nil {
+		return nil, err
+	}
+
+	data, err = ioutil.ReadAll(resp.Body)
+	if err != nil {
+		return nil, err
+	}
+	infoResp := &WecomInternalUserInfo{}
+	err = json.Unmarshal(data, infoResp)
+	if err != nil {
+		return nil, err
+	}
+	if infoResp.Errcode != 0 {
+		return nil, fmt.Errorf("userInfoResp.errcode = %d, userInfoResp.errmsg = %s", infoResp.Errcode, infoResp.Errmsg)
+	}
+	userInfo := UserInfo{
+		Id:          infoResp.UserId,
+		Username:    infoResp.Name,
+		DisplayName: infoResp.Name,
+		Email:       infoResp.Email,
+		AvatarUrl:   infoResp.Avatar,
+	}
+
+	if userInfo.Id == "" {
+		userInfo.Id = userInfo.Username
+	}
+
+	return &userInfo, nil
+}
--- a/idp/wecom_third_party.go
+++ b/idp/wecom_third_party.go
@ -1,4 +1,4 @@
-// Copyright 2021 The casbin Authors. All Rights Reserved.
+// Copyright 2021 The Casdoor Authors. All Rights Reserved.
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
@ -18,6 +18,7 @@ import (
 	"encoding/json"
 	"fmt"
 	"io"
+	"io/ioutil"
 	"net/http"
 	"strings"
 	"time"
@ -194,7 +195,7 @@ func (idp *WeComIdProvider) postWithBody(body interface{}, url string) ([]byte,
 	if err != nil {
 		return nil, err
 	}
-	data, err := io.ReadAll(resp.Body)
+	data, err := ioutil.ReadAll(resp.Body)
 	if err != nil {
 		return nil, err
 	}
--- a/idp/weibo.go
+++ b/idp/weibo.go
@ -1,4 +1,4 @@
-// Copyright 2021 The casbin Authors. All Rights Reserved.
+// Copyright 2021 The Casdoor Authors. All Rights Reserved.
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
@ -19,6 +19,7 @@ import (
 	"encoding/json"
 	"fmt"
 	"io"
+	"io/ioutil"
 	"net/http"
 	"net/url"
 	"strconv"
@ -91,7 +92,7 @@ func (idp *WeiBoIdProvider) GetToken(code string) (*oauth2.Token, error) {
 			return
 		}
 	}(resp.Body)
-	bs, err := io.ReadAll(resp.Body)
+	bs, err := ioutil.ReadAll(resp.Body)
 	if err != nil {
 		return nil, err
 	}
--- a/k8s.yaml
+++ b/k8s.yaml
@ -0,0 +1,56 @@
+# this is only an EXAMPLE of deploying casddor in kubernetes
+# please modify this file according to your requirements
+apiVersion: v1
+kind: Service
+metadata:
+  #EDIT IT: if you don't want to run casdoor in default namespace, please modify this field
+  #namespace: casdoor
+  name: casdoor-svc
+  labels:
+    app: casdoor
+spec:
+  #EDIT IT: if you don't want to run casdoor in default namespace, please modify this filed
+  type: NodePort
+  ports:
+    - port: 8000
+  selector:
+    app: casdoor
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  #EDIT IT: if you don't want to run casdoor in default namespace, please modify this field
+  #namespace: casdoor
+  name: casdoor-deployment
+  labels:
+    app: casdoor
+spec:
+  #EDIT IT: if you don't use redis, casdoor should not have multiple replicas
+  replicas: 1
+  selector:
+    matchLabels:
+      app: casdoor
+  template:
+    metadata:
+      labels:
+        app: casdoor
+    spec:
+      containers:
+        - name: casdoor-container
+          image: casbin/casdoor:latest
+          imagePullPolicy: Always
+          ports:
+            - containerPort: 8000
+          volumeMounts:
+            # the mounted directory path in THE CONTAINER
+            - mountPath: /conf
+              name: conf
+          env:       
+            - name: RUNNING_IN_DOCKER
+              value: "true"
+      #if you want to deploy this in real prod env, consider the config map
+      volumes:
+        - name: conf
+          hostPath:
+            #EDIT IT: the mounted directory path in THE HOST
+            path: /conf
--- a/main.go
+++ b/main.go
@ -1,4 +1,4 @@
-// Copyright 2021 The casbin Authors. All Rights Reserved.
+// Copyright 2021 The Casdoor Authors. All Rights Reserved.
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
@ -15,35 +15,33 @@
 package main

 import (
+	"flag"
+	"fmt"
+
 	"github.com/astaxie/beego"
 	"github.com/astaxie/beego/logs"
-	"github.com/astaxie/beego/plugins/cors"
 	_ "github.com/astaxie/beego/session/redis"
-	"github.com/casbin/casdoor/authz"
-	"github.com/casbin/casdoor/object"
-	"github.com/casbin/casdoor/proxy"
-	"github.com/casbin/casdoor/routers"
-
-	_ "github.com/casbin/casdoor/routers"
+	"github.com/casdoor/casdoor/authz"
+	"github.com/casdoor/casdoor/conf"
+	"github.com/casdoor/casdoor/object"
+	"github.com/casdoor/casdoor/proxy"
+	"github.com/casdoor/casdoor/routers"
+	_ "github.com/casdoor/casdoor/routers"
+	"github.com/casdoor/casdoor/util"
 )

 func main() {
-	object.InitAdapter()
+	createDatabase := flag.Bool("createDatabase", false, "true if you need Casdoor to create database")
+	flag.Parse()
+
+	object.InitAdapter(*createDatabase)
 	object.InitDb()
 	object.InitDefaultStorageProvider()
 	object.InitLdapAutoSynchronizer()
 	proxy.InitHttpClient()
 	authz.InitAuthz()

-	go object.RunSyncUsersJob()
-
-	beego.InsertFilter("*", beego.BeforeRouter, cors.Allow(&cors.Options{
-		AllowOrigins:     []string{"*"},
-		AllowMethods:     []string{"GET", "PUT", "PATCH"},
-		AllowHeaders:     []string{"Origin"},
-		ExposeHeaders:    []string{"Content-Length"},
-		AllowCredentials: true,
-	}))
+	util.SafeGoroutine(func() {object.RunSyncUsersJob()})

 	//beego.DelStaticPath("/static")
 	beego.SetStaticPath("/static", "web/build/static")
@ -57,12 +55,12 @@ func main() {
 	beego.InsertFilter("*", beego.BeforeRouter, routers.RecordMessage)

 	beego.BConfig.WebConfig.Session.SessionName = "casdoor_session_id"
-	if beego.AppConfig.String("redisEndpoint") == "" {
+	if conf.GetConfigString("redisEndpoint") == "" {
 		beego.BConfig.WebConfig.Session.SessionProvider = "file"
 		beego.BConfig.WebConfig.Session.SessionProviderConfig = "./tmp"
 	} else {
 		beego.BConfig.WebConfig.Session.SessionProvider = "redis"
-		beego.BConfig.WebConfig.Session.SessionProviderConfig = beego.AppConfig.String("redisEndpoint")
+		beego.BConfig.WebConfig.Session.SessionProviderConfig = conf.GetConfigString("redisEndpoint")
 	}
 	beego.BConfig.WebConfig.Session.SessionCookieLifeTime = 3600 * 24 * 30
 	//beego.BConfig.WebConfig.Session.SessionCookieSameSite = http.SameSiteNoneMode
@ -71,8 +69,8 @@ func main() {
 	if err != nil {
 		panic(err)
 	}
+	port := beego.AppConfig.DefaultInt("httpport", 8000)
 	//logs.SetLevel(logs.LevelInformational)
 	logs.SetLogFuncCall(false)
-
-	beego.Run()
+	beego.Run(fmt.Sprintf(":%v", port))
 }
--- a/manifests/casdoor/.helmignore
+++ b/manifests/casdoor/.helmignore
@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
--- a/manifests/casdoor/Chart.yaml
+++ b/manifests/casdoor/Chart.yaml
@ -0,0 +1,24 @@
+apiVersion: v2
+name: casdoor
+description: A Helm chart for Kubernetes
+
+# A chart can be either an 'application' or a 'library' chart.
+#
+# Application charts are a collection of templates that can be packaged into versioned archives
+# to be deployed.
+#
+# Library charts provide useful utilities or functions for the chart developer. They're included as
+# a dependency of application charts to inject those utilities and functions into the rendering
+# pipeline. Library charts do not define any templates and therefore cannot be deployed.
+type: application
+
+# This is the chart version. This version number should be incremented each time you make changes
+# to the chart and its templates, including the app version.
+# Versions are expected to follow Semantic Versioning (https://semver.org/)
+version: 0.1.0
+
+# This is the version number of the application being deployed. This version number should be
+# incremented each time you make changes to the application. Versions are not expected to
+# follow Semantic Versioning. They should reflect the version the application is using.
+# It is recommended to use it with quotes.
+appVersion: "1.16.0"
--- a/manifests/casdoor/templates/NOTES.txt
+++ b/manifests/casdoor/templates/NOTES.txt
@ -0,0 +1,22 @@
+1. Get the application URL by running these commands:
+{{- if .Values.ingress.enabled }}
+{{- range $host := .Values.ingress.hosts }}
+  {{- range .paths }}
+  http{{ if $.Values.ingress.tls }}s{{ end }}://{{ $host.host }}{{ .path }}
+  {{- end }}
+{{- end }}
+{{- else if contains "NodePort" .Values.service.type }}
+  export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "casdoor.fullname" . }})
+  export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}")
+  echo http://$NODE_IP:$NODE_PORT
+{{- else if contains "LoadBalancer" .Values.service.type }}
+     NOTE: It may take a few minutes for the LoadBalancer IP to be available.
+           You can watch the status of by running 'kubectl get --namespace {{ .Release.Namespace }} svc -w {{ include "casdoor.fullname" . }}'
+  export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ include "casdoor.fullname" . }} --template "{{"{{ range (index .status.loadBalancer.ingress 0) }}{{.}}{{ end }}"}}")
+  echo http://$SERVICE_IP:{{ .Values.service.port }}
+{{- else if contains "ClusterIP" .Values.service.type }}
+  export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ include "casdoor.name" . }},app.kubernetes.io/instance={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}")
+  export CONTAINER_PORT=$(kubectl get pod --namespace {{ .Release.Namespace }} $POD_NAME -o jsonpath="{.spec.containers[0].ports[0].containerPort}")
+  echo "Visit http://127.0.0.1:8080 to use your application"
+  kubectl --namespace {{ .Release.Namespace }} port-forward $POD_NAME 8080:$CONTAINER_PORT
+{{- end }}
--- a/manifests/casdoor/templates/_helpers.tpl
+++ b/manifests/casdoor/templates/_helpers.tpl
@ -0,0 +1,62 @@
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "casdoor.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "casdoor.fullname" -}}
+{{- if .Values.fullnameOverride }}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- $name := default .Chart.Name .Values.nameOverride }}
+{{- if contains $name .Release.Name }}
+{{- .Release.Name | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "casdoor.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "casdoor.labels" -}}
+helm.sh/chart: {{ include "casdoor.chart" . }}
+{{ include "casdoor.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "casdoor.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "casdoor.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "casdoor.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create }}
+{{- default (include "casdoor.fullname" .) .Values.serviceAccount.name }}
+{{- else }}
+{{- default "default" .Values.serviceAccount.name }}
+{{- end }}
+{{- end }}
--- a/manifests/casdoor/templates/configmap.yaml
+++ b/manifests/casdoor/templates/configmap.yaml
@ -0,0 +1,23 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: casdoor-config
+data:
+  app.conf: |
+    appname = casdoor
+    httpport = 80
+    runmode = dev
+    SessionOn = true
+    copyrequestbody = true
+    driverName = mysql
+    dataSourceName = root:123456@tcp(localhost:3306)/
+    dbName = casdoor
+    redisEndpoint =
+    defaultStorageProvider = 
+    isCloudIntranet = false
+    authState = "casdoor"
+    sock5Proxy = "127.0.0.1:10808"
+    verificationCodeTimeout = 10
+    initScore = 2000
+    logPostOnly = true
+    origin = "https://door.casbin.com"
--- a/manifests/casdoor/templates/deployment.yaml
+++ b/manifests/casdoor/templates/deployment.yaml
@ -0,0 +1,75 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ include "casdoor.fullname" . }}
+  labels:
+    {{- include "casdoor.labels" . | nindent 4 }}
+spec:
+  {{- if not .Values.autoscaling.enabled }}
+  replicas: {{ .Values.replicaCount }}
+  {{- end }}
+  selector:
+    matchLabels:
+      {{- include "casdoor.selectorLabels" . | nindent 6 }}
+  template:
+    metadata:
+      {{- with .Values.podAnnotations }}
+      annotations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      labels:
+        {{- include "casdoor.selectorLabels" . | nindent 8 }}
+    spec:
+      {{- with .Values.imagePullSecrets }}
+      imagePullSecrets:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      serviceAccountName: {{ include "casdoor.serviceAccountName" . }}
+      securityContext:
+        {{- toYaml .Values.podSecurityContext | nindent 8 }}
+      containers:
+        - name: {{ .Chart.Name }}
+          securityContext:
+            {{- toYaml .Values.securityContext | nindent 12 }}
+          image: "{{ .Values.image.repository }}/{{ .Values.image.name }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
+          imagePullPolicy: {{ .Values.image.pullPolicy }}
+          # command: ["sleep", "100000000"]
+          ports:
+            - name: http
+              containerPort: 80
+              protocol: TCP
+          # livenessProbe:
+          #   httpGet:
+          #     path: /
+          #     port: http
+          # readinessProbe:
+          #   httpGet:
+          #     path: /
+          #     port: http
+          resources:
+            {{- toYaml .Values.resources | nindent 12 }}
+          volumeMounts:
+          - name: config-volume
+            mountPath: /conf
+      volumes:
+       - name: config-volume
+         projected:
+           defaultMode: 420
+           sources:
+           - configMap:
+               items:
+               - key: app.conf
+                 path: app.conf
+               name: casdoor-config
+      {{- with .Values.nodeSelector }}
+      nodeSelector:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.affinity }}
+      affinity:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.tolerations }}
+      tolerations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
--- a/manifests/casdoor/templates/hpa.yaml
+++ b/manifests/casdoor/templates/hpa.yaml
@ -0,0 +1,28 @@
+{{- if .Values.autoscaling.enabled }}
+apiVersion: autoscaling/v2beta1
+kind: HorizontalPodAutoscaler
+metadata:
+  name: {{ include "casdoor.fullname" . }}
+  labels:
+    {{- include "casdoor.labels" . | nindent 4 }}
+spec:
+  scaleTargetRef:
+    apiVersion: apps/v1
+    kind: Deployment
+    name: {{ include "casdoor.fullname" . }}
+  minReplicas: {{ .Values.autoscaling.minReplicas }}
+  maxReplicas: {{ .Values.autoscaling.maxReplicas }}
+  metrics:
+    {{- if .Values.autoscaling.targetCPUUtilizationPercentage }}
+    - type: Resource
+      resource:
+        name: cpu
+        targetAverageUtilization: {{ .Values.autoscaling.targetCPUUtilizationPercentage }}
+    {{- end }}
+    {{- if .Values.autoscaling.targetMemoryUtilizationPercentage }}
+    - type: Resource
+      resource:
+        name: memory
+        targetAverageUtilization: {{ .Values.autoscaling.targetMemoryUtilizationPercentage }}
+    {{- end }}
+{{- end }}
--- a/manifests/casdoor/templates/ingress.yaml
+++ b/manifests/casdoor/templates/ingress.yaml
@ -0,0 +1,61 @@
+{{- if .Values.ingress.enabled -}}
+{{- $fullName := include "casdoor.fullname" . -}}
+{{- $svcPort := .Values.service.port -}}
+{{- if and .Values.ingress.className (not (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion)) }}
+  {{- if not (hasKey .Values.ingress.annotations "kubernetes.io/ingress.class") }}
+  {{- $_ := set .Values.ingress.annotations "kubernetes.io/ingress.class" .Values.ingress.className}}
+  {{- end }}
+{{- end }}
+{{- if semverCompare ">=1.19-0" .Capabilities.KubeVersion.GitVersion -}}
+apiVersion: networking.k8s.io/v1
+{{- else if semverCompare ">=1.14-0" .Capabilities.KubeVersion.GitVersion -}}
+apiVersion: networking.k8s.io/v1beta1
+{{- else -}}
+apiVersion: extensions/v1beta1
+{{- end }}
+kind: Ingress
+metadata:
+  name: {{ $fullName }}
+  labels:
+    {{- include "casdoor.labels" . | nindent 4 }}
+  {{- with .Values.ingress.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+spec:
+  {{- if and .Values.ingress.className (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion) }}
+  ingressClassName: {{ .Values.ingress.className }}
+  {{- end }}
+  {{- if .Values.ingress.tls }}
+  tls:
+    {{- range .Values.ingress.tls }}
+    - hosts:
+        {{- range .hosts }}
+        - {{ . | quote }}
+        {{- end }}
+      secretName: {{ .secretName }}
+    {{- end }}
+  {{- end }}
+  rules:
+    {{- range .Values.ingress.hosts }}
+    - host: {{ .host | quote }}
+      http:
+        paths:
+          {{- range .paths }}
+          - path: {{ .path }}
+            {{- if and .pathType (semverCompare ">=1.18-0" $.Capabilities.KubeVersion.GitVersion) }}
+            pathType: {{ .pathType }}
+            {{- end }}
+            backend:
+              {{- if semverCompare ">=1.19-0" $.Capabilities.KubeVersion.GitVersion }}
+              service:
+                name: {{ $fullName }}
+                port:
+                  number: {{ $svcPort }}
+              {{- else }}
+              serviceName: {{ $fullName }}
+              servicePort: {{ $svcPort }}
+              {{- end }}
+          {{- end }}
+    {{- end }}
+{{- end }}
--- a/manifests/casdoor/templates/service.yaml
+++ b/manifests/casdoor/templates/service.yaml
@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ include "casdoor.fullname" . }}
+  labels:
+    {{- include "casdoor.labels" . | nindent 4 }}
+spec:
+  type: {{ .Values.service.type }}
+  ports:
+    - port: {{ .Values.service.port }}
+      targetPort: http
+      protocol: TCP
+      name: http
+  selector:
+    {{- include "casdoor.selectorLabels" . | nindent 4 }}
--- a/manifests/casdoor/templates/serviceaccount.yaml
+++ b/manifests/casdoor/templates/serviceaccount.yaml
@ -0,0 +1,12 @@
+{{- if .Values.serviceAccount.create -}}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ include "casdoor.serviceAccountName" . }}
+  labels:
+    {{- include "casdoor.labels" . | nindent 4 }}
+  {{- with .Values.serviceAccount.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+{{- end }}
--- a/manifests/casdoor/templates/tests/test-connection.yaml
+++ b/manifests/casdoor/templates/tests/test-connection.yaml
@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: "{{ include "casdoor.fullname" . }}-test-connection"
+  labels:
+    {{- include "casdoor.labels" . | nindent 4 }}
+  annotations:
+    "helm.sh/hook": test
+spec:
+  containers:
+    - name: wget
+      image: busybox
+      command: ['wget']
+      args: ['{{ include "casdoor.fullname" . }}:{{ .Values.service.port }}']
+  restartPolicy: Never
--- a/manifests/casdoor/values.yaml
+++ b/manifests/casdoor/values.yaml
@ -0,0 +1,83 @@
+# Default values for casdoor.
+# This is a YAML-formatted file.
+# Declare variables to be passed into your templates.
+
+replicaCount: 1
+
+image:
+  repository: casbin
+  name: casdoor-all-in-one
+  pullPolicy: IfNotPresent
+  # Overrides the image tag whose default is the chart appVersion.
+  tag: ""
+
+imagePullSecrets: []
+nameOverride: ""
+fullnameOverride: ""
+
+serviceAccount:
+  # Specifies whether a service account should be created
+  create: true
+  # Annotations to add to the service account
+  annotations: {}
+  # The name of the service account to use.
+  # If not set and create is true, a name is generated using the fullname template
+  name: ""
+
+podAnnotations: {}
+
+podSecurityContext: {}
+  # fsGroup: 2000
+
+securityContext: {}
+  # capabilities:
+  #   drop:
+  #   - ALL
+  # readOnlyRootFilesystem: true
+  # runAsNonRoot: true
+  # runAsUser: 1000
+
+service:
+  type: ClusterIP
+  port: 80
+
+ingress:
+  enabled: false
+  className: ""
+  annotations: {}
+    # kubernetes.io/ingress.class: nginx
+    # kubernetes.io/tls-acme: "true"
+  hosts:
+    - host: chart-example.local
+      paths:
+        - path: /
+          pathType: ImplementationSpecific
+  tls: []
+  #  - secretName: chart-example-tls
+  #    hosts:
+  #      - chart-example.local
+
+resources: {}
+  # We usually recommend not to specify default resources and to leave this as a conscious
+  # choice for the user. This also increases chances charts run on environments with little
+  # resources, such as Minikube. If you do want to specify resources, uncomment the following
+  # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
+  # limits:
+  #   cpu: 100m
+  #   memory: 128Mi
+  # requests:
+  #   cpu: 100m
+  #   memory: 128Mi
+
+autoscaling:
+  enabled: false
+  minReplicas: 1
+  maxReplicas: 100
+  targetCPUUtilizationPercentage: 80
+  # targetMemoryUtilizationPercentage: 80
+
+nodeSelector: {}
+
+tolerations: []
+
+affinity: {}
--- a/object/adapter.go
+++ b/object/adapter.go
@ -1,4 +1,4 @@
-// Copyright 2021 The casbin Authors. All Rights Reserved.
+// Copyright 2021 The Casdoor Authors. All Rights Reserved.
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
@ -19,9 +19,12 @@ import (
 	"runtime"

 	"github.com/astaxie/beego"
-	"github.com/casbin/casdoor/conf"
+	"github.com/casdoor/casdoor/conf"
+	"github.com/casdoor/casdoor/util"
+	//_ "github.com/denisenkom/go-mssqldb" // db = mssql
 	_ "github.com/go-sql-driver/mysql" // db = mysql
-	//_ "github.com/lib/pq"              // db = postgres
+	//_ "github.com/lib/pq"                // db = postgres
+	"xorm.io/core"
 	"xorm.io/xorm"
 )

@ -33,11 +36,15 @@ func InitConfig() {
 		panic(err)
 	}

-	InitAdapter()
+	InitAdapter(true)
 }

-func InitAdapter() {
-	adapter = NewAdapter(beego.AppConfig.String("driverName"), conf.GetBeegoConfDataSourceName(), beego.AppConfig.String("dbName"))
+func InitAdapter(createDatabase bool) {
+
+	adapter = NewAdapter(conf.GetConfigString("driverName"), conf.GetBeegoConfDataSourceName(), conf.GetConfigString("dbName"))
+	if createDatabase {
+		adapter.CreateDatabase()
+	}
 	adapter.createTable()
 }

@ -73,25 +80,24 @@ func NewAdapter(driverName string, dataSourceName string, dbName string) *Adapte
 	return a
 }

-func (a *Adapter) createDatabase() error {
+func (a *Adapter) CreateDatabase() error {
 	engine, err := xorm.NewEngine(a.driverName, a.dataSourceName)
 	if err != nil {
 		return err
 	}
 	defer engine.Close()

-	_, err = engine.Exec(fmt.Sprintf("CREATE DATABASE IF NOT EXISTS %s default charset utf8 COLLATE utf8_general_ci", a.dbName))
+	_, err = engine.Exec(fmt.Sprintf("CREATE DATABASE IF NOT EXISTS %s default charset utf8mb4 COLLATE utf8mb4_general_ci", a.dbName))
 	return err
 }

 func (a *Adapter) open() {
-	if a.driverName != "postgres" {
-		if err := a.createDatabase(); err != nil {
-			panic(err)
-		}
+	dataSourceName := a.dataSourceName + a.dbName
+	if a.driverName != "mysql" {
+		dataSourceName = a.dataSourceName
 	}

-	engine, err := xorm.NewEngine(a.driverName, a.dataSourceName+a.dbName)
+	engine, err := xorm.NewEngine(a.driverName, dataSourceName)
 	if err != nil {
 		panic(err)
 	}
@ -105,6 +111,13 @@ func (a *Adapter) close() {
 }

 func (a *Adapter) createTable() {
+	showSql, _ := conf.GetConfigBool("showSql")
+	a.Engine.ShowSQL(showSql)
+
+	tableNamePrefix := conf.GetConfigString("tableNamePrefix")
+	tbMapper := core.NewPrefixMapper(core.SnakeMapper{}, tableNamePrefix)
+	a.Engine.SetTableMapper(tbMapper)
+
 	err := a.Engine.Sync2(new(Organization))
 	if err != nil {
 		panic(err)
@ -115,6 +128,16 @@ func (a *Adapter) createTable() {
 		panic(err)
 	}

+	err = a.Engine.Sync2(new(Role))
+	if err != nil {
+		panic(err)
+	}
+
+	err = a.Engine.Sync2(new(Permission))
+	if err != nil {
+		panic(err)
+	}
+
 	err = a.Engine.Sync2(new(Provider))
 	if err != nil {
 		panic(err)
@ -155,8 +178,47 @@ func (a *Adapter) createTable() {
 		panic(err)
 	}

+	err = a.Engine.Sync2(new(Cert))
+	if err != nil {
+		panic(err)
+	}
+
+	err = a.Engine.Sync2(new(Product))
+	if err != nil {
+		panic(err)
+	}
+
+	err = a.Engine.Sync2(new(Payment))
+	if err != nil {
+		panic(err)
+	}
+
 	err = a.Engine.Sync2(new(Ldap))
 	if err != nil {
 		panic(err)
 	}
 }
+
+func GetSession(owner string, offset, limit int, field, value, sortField, sortOrder string) *xorm.Session {
+	session := adapter.Engine.Prepare()
+	if offset != -1 && limit != -1 {
+		session.Limit(limit, offset)
+	}
+	if owner != "" {
+		session = session.And("owner=?", owner)
+	}
+	if field != "" && value != "" {
+		if filterField(field) {
+			session = session.And(fmt.Sprintf("%s like ?", util.SnakeString(field)), fmt.Sprintf("%%%s%%", value))
+		}
+	}
+	if sortField == "" || sortOrder == "" {
+		sortField = "created_time"
+	}
+	if sortOrder == "ascend" {
+		session = session.Asc(util.SnakeString(sortField))
+	} else {
+		session = session.Desc(util.SnakeString(sortField))
+	}
+	return session
+}
--- a/object/application.go
+++ b/object/application.go
@ -1,4 +1,4 @@
-// Copyright 2021 The casbin Authors. All Rights Reserved.
+// Copyright 2021 The Casdoor Authors. All Rights Reserved.
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
@ -16,8 +16,9 @@ package object

 import (
 	"fmt"
+	"strings"

-	"github.com/casbin/casdoor/util"
+	"github.com/casdoor/casdoor/util"
 	"xorm.io/core"
 )

@ -26,17 +27,20 @@ type Application struct {
 	Name        string `xorm:"varchar(100) notnull pk" json:"name"`
 	CreatedTime string `xorm:"varchar(100)" json:"createdTime"`

-	DisplayName      string          `xorm:"varchar(100)" json:"displayName"`
-	Logo             string          `xorm:"varchar(100)" json:"logo"`
-	HomepageUrl      string          `xorm:"varchar(100)" json:"homepageUrl"`
-	Description      string          `xorm:"varchar(100)" json:"description"`
-	Organization     string          `xorm:"varchar(100)" json:"organization"`
-	EnablePassword   bool            `json:"enablePassword"`
-	EnableSignUp     bool            `json:"enableSignUp"`
-	EnableCodeSignin bool            `json:"enableCodeSignin"`
-	Providers        []*ProviderItem `xorm:"mediumtext" json:"providers"`
-	SignupItems      []*SignupItem   `xorm:"varchar(1000)" json:"signupItems"`
-	OrganizationObj  *Organization   `xorm:"-" json:"organizationObj"`
+	DisplayName         string          `xorm:"varchar(100)" json:"displayName"`
+	Logo                string          `xorm:"varchar(100)" json:"logo"`
+	HomepageUrl         string          `xorm:"varchar(100)" json:"homepageUrl"`
+	Description         string          `xorm:"varchar(100)" json:"description"`
+	Organization        string          `xorm:"varchar(100)" json:"organization"`
+	Cert                string          `xorm:"varchar(100)" json:"cert"`
+	EnablePassword      bool            `json:"enablePassword"`
+	EnableSignUp        bool            `json:"enableSignUp"`
+	EnableSigninSession bool            `json:"enableSigninSession"`
+	EnableCodeSignin    bool            `json:"enableCodeSignin"`
+	Providers           []*ProviderItem `xorm:"mediumtext" json:"providers"`
+	SignupItems         []*SignupItem   `xorm:"varchar(1000)" json:"signupItems"`
+	GrantTypes          []string        `xorm:"varchar(1000)" json:"grantTypes"`
+	OrganizationObj     *Organization   `xorm:"-" json:"organizationObj"`

 	ClientId             string   `xorm:"varchar(100)" json:"clientId"`
 	ClientSecret         string   `xorm:"varchar(100)" json:"clientSecret"`
@ -53,8 +57,9 @@ type Application struct {
 	SigninHtml           string   `xorm:"mediumtext" json:"signinHtml"`
 }

-func GetApplicationCount(owner string) int {
-	count, err := adapter.Engine.Count(&Application{Owner: owner})
+func GetApplicationCount(owner, field, value string) int {
+	session := GetSession(owner, -1, -1, field, value, "", "")
+	count, err := session.Count(&Application{})
 	if err != nil {
 		panic(err)
 	}
@ -72,9 +77,10 @@ func GetApplications(owner string) []*Application {
 	return applications
 }

-func GetPaginationApplications(owner string, offset, limit int) []*Application {
+func GetPaginationApplications(owner string, offset, limit int, field, value, sortField, sortOrder string) []*Application {
 	applications := []*Application{}
-	err := adapter.Engine.Desc("created_time").Limit(limit, offset).Find(&applications, &Application{Owner: owner})
+	session := GetSession(owner, offset, limit, field, value, sortField, sortOrder)
+	err := session.Find(&applications)
 	if err != nil {
 		panic(err)
 	}
@ -82,7 +88,7 @@ func GetPaginationApplications(owner string, offset, limit int) []*Application {
 	return applications
 }

-func getApplicationsByOrganizationName(owner string, organization string) []*Application {
+func GetApplicationsByOrganizationName(owner string, organization string) []*Application {
 	applications := []*Application{}
 	err := adapter.Engine.Desc("created_time").Find(&applications, &Application{Owner: owner, Organization: organization})
 	if err != nil {
@ -194,24 +200,49 @@ func GetApplicationByClientId(clientId string) *Application {
 	}
 }

-func GetApplicationByClientIdAndSecret(clientId, clientSecret string) *Application {
-	if util.IsStrsEmpty(clientId, clientSecret) {
-		return nil
-	}
-
-	app := GetApplicationByClientId(clientId)
-	if app == nil || app.ClientSecret != clientSecret {
-		return nil
-	}
-
-	return app
-}
-
 func GetApplication(id string) *Application {
 	owner, name := util.GetOwnerAndNameFromId(id)
 	return getApplication(owner, name)
 }

+func GetMaskedApplication(application *Application, userId string) *Application {
+	if isUserIdGlobalAdmin(userId) {
+		return application
+	}
+
+	if application == nil {
+		return nil
+	}
+
+	if application.ClientSecret != "" {
+		application.ClientSecret = "***"
+	}
+
+	if application.OrganizationObj != nil {
+		if application.OrganizationObj.MasterPassword != "" {
+			application.OrganizationObj.MasterPassword = "***"
+		}
+		if application.OrganizationObj.PasswordType != "" {
+			application.OrganizationObj.PasswordType = "***"
+		}
+		if application.OrganizationObj.PasswordSalt != "" {
+			application.OrganizationObj.PasswordSalt = "***"
+		}
+	}
+	return application
+}
+
+func GetMaskedApplications(applications []*Application, userId string) []*Application {
+	if isUserIdGlobalAdmin(userId) {
+		return applications
+	}
+
+	for _, application := range applications {
+		application = GetMaskedApplication(application, userId)
+	}
+	return applications
+}
+
 func UpdateApplication(id string, application *Application) bool {
 	owner, name := util.GetOwnerAndNameFromId(id)
 	if getApplication(owner, name) == nil {
@ -226,7 +257,11 @@ func UpdateApplication(id string, application *Application) bool {
 		providerItem.Provider = nil
 	}

-	affected, err := adapter.Engine.ID(core.PK{owner, name}).AllCols().Update(application)
+	session := adapter.Engine.ID(core.PK{owner, name}).AllCols()
+	if application.ClientSecret == "***" {
+		session.Omit("client_secret")
+	}
+	affected, err := session.Update(application)
 	if err != nil {
 		panic(err)
 	}
@ -265,3 +300,14 @@ func DeleteApplication(application *Application) bool {
 func (application *Application) GetId() string {
 	return fmt.Sprintf("%s/%s", application.Owner, application.Name)
 }
+
+func CheckRedirectUriValid(application *Application, redirectUri string) bool {
+	var validUri = false
+	for _, tmpUri := range application.RedirectUris {
+		if strings.Contains(redirectUri, tmpUri) {
+			validUri = true
+			break
+		}
+	}
+	return validUri
+}
--- a/object/application_item.go
+++ b/object/application_item.go
@ -1,4 +1,4 @@
-// Copyright 2021 The casbin Authors. All Rights Reserved.
+// Copyright 2021 The Casdoor Authors. All Rights Reserved.
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
--- a/object/avatar.go
+++ b/object/avatar.go
@ -1,4 +1,4 @@
-// Copyright 2021 The casbin Authors. All Rights Reserved.
+// Copyright 2021 The Casdoor Authors. All Rights Reserved.
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
@ -19,14 +19,14 @@ import (
 	"fmt"
 	"io"

-	"github.com/astaxie/beego"
-	"github.com/casbin/casdoor/proxy"
+	"github.com/casdoor/casdoor/conf"
+	"github.com/casdoor/casdoor/proxy"
 )

 var defaultStorageProvider *Provider = nil

 func InitDefaultStorageProvider() {
-	defaultStorageProviderStr := beego.AppConfig.String("defaultStorageProvider")
+	defaultStorageProviderStr := conf.GetConfigString("defaultStorageProvider")
 	if defaultStorageProviderStr != "" {
 		defaultStorageProvider = getProvider("admin", defaultStorageProviderStr)
 	}
--- a/object/avatar_test.go
+++ b/object/avatar_test.go
@ -1,4 +1,4 @@
-// Copyright 2021 The casbin Authors. All Rights Reserved.
+// Copyright 2021 The Casdoor Authors. All Rights Reserved.
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
@ -18,7 +18,7 @@ import (
 	"fmt"
 	"testing"

-	"github.com/casbin/casdoor/proxy"
+	"github.com/casdoor/casdoor/proxy"
 )

 func TestSyncPermanentAvatars(t *testing.T) {
--- a/object/captcha.go
+++ b/object/captcha.go
@ -1,4 +1,4 @@
-// Copyright 2021 The casbin Authors. All Rights Reserved.
+// Copyright 2021 The Casdoor Authors. All Rights Reserved.
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
--- a/object/cert.go
+++ b/object/cert.go
@ -0,0 +1,163 @@
+// Copyright 2021 The Casdoor Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package object
+
+import (
+	"fmt"
+
+	"github.com/casdoor/casdoor/util"
+	"xorm.io/core"
+)
+
+type Cert struct {
+	Owner       string `xorm:"varchar(100) notnull pk" json:"owner"`
+	Name        string `xorm:"varchar(100) notnull pk" json:"name"`
+	CreatedTime string `xorm:"varchar(100)" json:"createdTime"`
+
+	DisplayName     string `xorm:"varchar(100)" json:"displayName"`
+	Scope           string `xorm:"varchar(100)" json:"scope"`
+	Type            string `xorm:"varchar(100)" json:"type"`
+	CryptoAlgorithm string `xorm:"varchar(100)" json:"cryptoAlgorithm"`
+	BitSize         int    `json:"bitSize"`
+	ExpireInYears   int    `json:"expireInYears"`
+
+	PublicKey              string `xorm:"mediumtext" json:"publicKey"`
+	PrivateKey             string `xorm:"mediumtext" json:"privateKey"`
+	AuthorityPublicKey     string `xorm:"mediumtext" json:"authorityPublicKey"`
+	AuthorityRootPublicKey string `xorm:"mediumtext" json:"authorityRootPublicKey"`
+}
+
+func GetMaskedCert(cert *Cert) *Cert {
+	if cert == nil {
+		return nil
+	}
+
+	return cert
+}
+
+func GetMaskedCerts(certs []*Cert) []*Cert {
+	for _, cert := range certs {
+		cert = GetMaskedCert(cert)
+	}
+	return certs
+}
+
+func GetCertCount(owner, field, value string) int {
+	session := GetSession(owner, -1, -1, field, value, "", "")
+	count, err := session.Count(&Cert{})
+	if err != nil {
+		panic(err)
+	}
+
+	return int(count)
+}
+
+func GetCerts(owner string) []*Cert {
+	certs := []*Cert{}
+	err := adapter.Engine.Desc("created_time").Find(&certs, &Cert{Owner: owner})
+	if err != nil {
+		panic(err)
+	}
+
+	return certs
+}
+
+func GetPaginationCerts(owner string, offset, limit int, field, value, sortField, sortOrder string) []*Cert {
+	certs := []*Cert{}
+	session := GetSession(owner, offset, limit, field, value, sortField, sortOrder)
+	err := session.Find(&certs)
+	if err != nil {
+		panic(err)
+	}
+
+	return certs
+}
+
+func getCert(owner string, name string) *Cert {
+	if owner == "" || name == "" {
+		return nil
+	}
+
+	cert := Cert{Owner: owner, Name: name}
+	existed, err := adapter.Engine.Get(&cert)
+	if err != nil {
+		panic(err)
+	}
+
+	if existed {
+		return &cert
+	} else {
+		return nil
+	}
+}
+
+func GetCert(id string) *Cert {
+	owner, name := util.GetOwnerAndNameFromId(id)
+	return getCert(owner, name)
+}
+
+func UpdateCert(id string, cert *Cert) bool {
+	owner, name := util.GetOwnerAndNameFromId(id)
+	if getCert(owner, name) == nil {
+		return false
+	}
+
+	affected, err := adapter.Engine.ID(core.PK{owner, name}).AllCols().Update(cert)
+	if err != nil {
+		panic(err)
+	}
+
+	return affected != 0
+}
+
+func AddCert(cert *Cert) bool {
+	if cert.PublicKey == "" || cert.PrivateKey == "" {
+		publicKey, privateKey := generateRsaKeys(cert.BitSize, cert.ExpireInYears, cert.Name, cert.Owner)
+		cert.PublicKey = publicKey
+		cert.PrivateKey = privateKey
+	}
+
+	affected, err := adapter.Engine.Insert(cert)
+	if err != nil {
+		panic(err)
+	}
+
+	return affected != 0
+}
+
+func DeleteCert(cert *Cert) bool {
+	affected, err := adapter.Engine.ID(core.PK{cert.Owner, cert.Name}).Delete(&Cert{})
+	if err != nil {
+		panic(err)
+	}
+
+	return affected != 0
+}
+
+func (p *Cert) GetId() string {
+	return fmt.Sprintf("%s/%s", p.Owner, p.Name)
+}
+
+func getCertByApplication(application *Application) *Cert {
+	if application.Cert != "" {
+		return getCert("admin", application.Cert)
+	} else {
+		return GetDefaultCert()
+	}
+}
+
+func GetDefaultCert() *Cert {
+	return getCert("admin", "cert-built-in")
+}
--- a/object/check.go
+++ b/object/check.go
@ -1,4 +1,4 @@
-// Copyright 2021 The casbin Authors. All Rights Reserved.
+// Copyright 2021 The Casdoor Authors. All Rights Reserved.
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
@ -17,19 +17,24 @@ package object
 import (
 	"fmt"
 	"regexp"
+	"strings"

-	"github.com/casbin/casdoor/cred"
-	"github.com/casbin/casdoor/util"
+	"github.com/casdoor/casdoor/cred"
+	"github.com/casdoor/casdoor/util"
 	goldap "github.com/go-ldap/ldap/v3"
 )

-var reWhiteSpace *regexp.Regexp
+var (
+	reWhiteSpace     *regexp.Regexp
+	reFieldWhiteList *regexp.Regexp
+)

 func init() {
 	reWhiteSpace, _ = regexp.Compile(`\s`)
+	reFieldWhiteList, _ = regexp.Compile(`^[A-Za-z0-9]+$`)
 }

-func CheckUserSignup(application *Application, organization *Organization, username string, password string, displayName string, email string, phone string, affiliation string) string {
+func CheckUserSignup(application *Application, organization *Organization, username string, password string, displayName string, firstName string, lastName string, email string, phone string, affiliation string) string {
 	if organization == nil {
 		return "organization does not exist"
 	}
@ -81,11 +86,19 @@ func CheckUserSignup(application *Application, organization *Organization, usern
 	}

 	if application.IsSignupItemVisible("Display name") {
-		if displayName == "" {
-			return "displayName cannot be blank"
-		} else if application.GetSignupItemRule("Display name") == "Personal" {
-			if !isValidPersonalName(displayName) {
-				return "displayName is not valid personal name"
+		if application.GetSignupItemRule("Display name") == "First, last" && (firstName != "" || lastName != "") {
+			if firstName == "" {
+				return "firstName cannot be blank"
+			} else if lastName == "" {
+				return "lastName cannot be blank"
+			}
+		} else {
+			if displayName == "" {
+				return "displayName cannot be blank"
+			} else if application.GetSignupItemRule("Display name") == "Real name" {
+				if !isValidRealName(displayName) {
+					return "displayName is not valid real name"
+				}
 			}
 		}
 	}
@ -167,15 +180,53 @@ func CheckUserPassword(organization string, username string, password string) (*
 	if user.IsForbidden {
 		return nil, "the user is forbidden to sign in, please contact the administrator"
 	}
-	//for ldap users
+
 	if user.Ldap != "" {
+		//ONLY for ldap users
 		return checkLdapUserPassword(user, password)
+	} else {
+		msg := CheckPassword(user, password)
+		if msg != "" {
+			return nil, msg
+		}
 	}
-
-	msg := CheckPassword(user, password)
-	if msg != "" {
-		return nil, msg
-	}
-
 	return user, ""
 }
+
+func filterField(field string) bool {
+	return reFieldWhiteList.MatchString(field)
+}
+
+func CheckUserPermission(requestUserId, userId string, strict bool) (bool, error) {
+	if requestUserId == "" {
+		return false, fmt.Errorf("please login first")
+	}
+
+	targetUser := GetUser(userId)
+	if targetUser == nil {
+		return false, fmt.Errorf("the user: %s doesn't exist", userId)
+	}
+
+	hasPermission := false
+	if strings.HasPrefix(requestUserId, "app/") {
+		hasPermission = true
+	} else {
+		requestUser := GetUser(requestUserId)
+		if requestUser == nil {
+			return false, fmt.Errorf("session outdated, please login again")
+		}
+		if requestUser.IsGlobalAdmin {
+			hasPermission = true
+		} else if requestUserId == userId {
+			hasPermission = true
+		} else if targetUser.Owner == requestUser.Owner {
+			if strict {
+				hasPermission = requestUser.IsAdmin
+			} else {
+				hasPermission = true
+			}
+		}
+	}
+
+	return hasPermission, fmt.Errorf("you don't have the permission to do this")
+}
--- a/Show More
+++ b/Show More