feat: fix bug that token endpoint doesn't return 400/401 when type is object.TokenError (#3808 )

feat: return HTTP status 400 instead of 200 in GetOAuthToken() (#3807 )
feat: change User.Avatar length back to 500
2025-08-02 02:20:30 +08:00 · 2025-05-20 10:39:55 +08:00 · 2025-05-20 01:05:43 +08:00 · 2025-05-18 09:47:56 +08:00 · 2025-05-17 19:59:17 +08:00 · 2025-05-17 18:53:38 +08:00
17 changed files with 104 additions and 47 deletions
--- a/conf/app.conf
+++ b/conf/app.conf
@@ -31,7 +31,7 @@ radiusServerPort = 1812
 radiusDefaultOrganization = "built-in"
 radiusSecret = "secret"
 quota = {"organization": -1, "user": -1, "application": -1, "provider": -1}
-logConfig = {"filename": "logs/casdoor.log", "maxdays":99999, "perm":"0770"}
+logConfig = {"adapter":"file", "filename": "logs/casdoor.log", "maxdays":99999, "perm":"0770"}
 initDataNewOnly = false
 initDataFile = "./init_data.json"
 frontendBaseDir = "../cc_0"
--- a/conf/conf_test.go
+++ b/conf/conf_test.go
@@ -115,7 +115,7 @@ func TestGetConfigLogs(t *testing.T) {
 		description string
 		expected    string
 	}{
-		{"Default log config", `{"filename": "logs/casdoor.log", "maxdays":99999, "perm":"0770"}`},
+		{"Default log config", `{"adapter":"file", "filename": "logs/casdoor.log", "maxdays":99999, "perm":"0770"}`},
 	}

 	err := beego.LoadAppConfig("ini", "app.conf")
--- a/controllers/auth.go
+++ b/controllers/auth.go
@@ -147,7 +147,7 @@ func (c *ApiController) HandleLoggedIn(application *object.Application, user *ob
 			c.ResponseError(c.T("auth:Challenge method should be S256"))
 			return
 		}
-		code, err := object.GetOAuthCode(userId, clientId, responseType, redirectUri, scope, state, nonce, codeChallenge, c.Ctx.Request.Host, c.GetAcceptLanguage())
+		code, err := object.GetOAuthCode(userId, clientId, form.Provider, responseType, redirectUri, scope, state, nonce, codeChallenge, c.Ctx.Request.Host, c.GetAcceptLanguage())
 		if err != nil {
 			c.ResponseError(err.Error(), nil)
 			return
--- a/controllers/token.go
+++ b/controllers/token.go
@@ -177,10 +177,6 @@ func (c *ApiController) GetOAuthToken() {
 		clientId, clientSecret, _ = c.Ctx.Request.BasicAuth()
 	}

-	if grantType == "urn:ietf:params:oauth:grant-type:device_code" {
-		clientId, clientSecret, _ = c.Ctx.Request.BasicAuth()
-	}
-
 	if len(c.Ctx.Input.RequestBody) != 0 && grantType != "urn:ietf:params:oauth:grant-type:device_code" {
 		// If clientId is empty, try to read data from RequestBody
 		var tokenRequest TokenRequest
@@ -228,30 +224,36 @@ func (c *ApiController) GetOAuthToken() {
 	if deviceCode != "" {
 		deviceAuthCache, ok := object.DeviceAuthMap.Load(deviceCode)
 		if !ok {
-			c.Data["json"] = object.TokenError{
+			c.Data["json"] = &object.TokenError{
 				Error:            "expired_token",
 				ErrorDescription: "token is expired",
 			}
+			c.SetTokenErrorHttpStatus()
 			c.ServeJSON()
+			c.SetTokenErrorHttpStatus()
 			return
 		}

 		deviceAuthCacheCast := deviceAuthCache.(object.DeviceAuthCache)
 		if !deviceAuthCacheCast.UserSignIn {
-			c.Data["json"] = object.TokenError{
+			c.Data["json"] = &object.TokenError{
 				Error:            "authorization_pending",
 				ErrorDescription: "authorization pending",
 			}
+			c.SetTokenErrorHttpStatus()
 			c.ServeJSON()
+			c.SetTokenErrorHttpStatus()
 			return
 		}

 		if deviceAuthCacheCast.RequestAt.Add(time.Second * 120).Before(time.Now()) {
-			c.Data["json"] = object.TokenError{
+			c.Data["json"] = &object.TokenError{
 				Error:            "expired_token",
 				ErrorDescription: "token is expired",
 			}
+			c.SetTokenErrorHttpStatus()
 			c.ServeJSON()
+			c.SetTokenErrorHttpStatus()
 			return
 		}
 		object.DeviceAuthMap.Delete(deviceCode)
--- a/idp/provider.go
+++ b/idp/provider.go
@@ -44,6 +44,7 @@ type ProviderInfo struct {
 	AppId         string
 	HostUrl       string
 	RedirectUrl   string
+	DisableSsl    bool

 	TokenURL    string
 	AuthURL     string
@@ -79,9 +80,9 @@ func GetIdProvider(idpInfo *ProviderInfo, redirectUrl string) (IdProvider, error
 		return NewLinkedInIdProvider(idpInfo.ClientId, idpInfo.ClientSecret, redirectUrl), nil
 	case "WeCom":
 		if idpInfo.SubType == "Internal" {
-			return NewWeComInternalIdProvider(idpInfo.ClientId, idpInfo.ClientSecret, redirectUrl), nil
+			return NewWeComInternalIdProvider(idpInfo.ClientId, idpInfo.ClientSecret, redirectUrl, idpInfo.DisableSsl), nil
 		} else if idpInfo.SubType == "Third-party" {
-			return NewWeComIdProvider(idpInfo.ClientId, idpInfo.ClientSecret, redirectUrl), nil
+			return NewWeComIdProvider(idpInfo.ClientId, idpInfo.ClientSecret, redirectUrl, idpInfo.DisableSsl), nil
 		} else {
 			return nil, fmt.Errorf("WeCom provider subType: %s is not supported", idpInfo.SubType)
 		}
--- a/idp/wecom_internal.go
+++ b/idp/wecom_internal.go
@@ -29,13 +29,16 @@ import (
 type WeComInternalIdProvider struct {
 	Client *http.Client
 	Config *oauth2.Config
+
+	UseIdAsName bool
 }

-func NewWeComInternalIdProvider(clientId string, clientSecret string, redirectUrl string) *WeComInternalIdProvider {
+func NewWeComInternalIdProvider(clientId string, clientSecret string, redirectUrl string, useIdAsName bool) *WeComInternalIdProvider {
 	idp := &WeComInternalIdProvider{}

 	config := idp.getConfig(clientId, clientSecret, redirectUrl)
 	idp.Config = config
+	idp.UseIdAsName = useIdAsName

 	return idp
 }
@@ -169,5 +172,9 @@ func (idp *WeComInternalIdProvider) GetUserInfo(token *oauth2.Token) (*UserInfo,
 		userInfo.Id = userInfo.Username
 	}

+	if idp.UseIdAsName {
+		userInfo.Username = userInfo.Id
+	}
+
 	return &userInfo, nil
 }
--- a/idp/wecom_third_party.go
+++ b/idp/wecom_third_party.go
@@ -28,13 +28,16 @@ import (
 type WeComIdProvider struct {
 	Client *http.Client
 	Config *oauth2.Config
+
+	UseIdAsName bool
 }

-func NewWeComIdProvider(clientId string, clientSecret string, redirectUrl string) *WeComIdProvider {
+func NewWeComIdProvider(clientId string, clientSecret string, redirectUrl string, useIdAsName bool) *WeComIdProvider {
 	idp := &WeComIdProvider{}

 	config := idp.getConfig(clientId, clientSecret, redirectUrl)
 	idp.Config = config
+	idp.UseIdAsName = useIdAsName

 	return idp
 }
@@ -183,6 +186,10 @@ func (idp *WeComIdProvider) GetUserInfo(token *oauth2.Token) (*UserInfo, error)
 		DisplayName: wecomUserInfo.UserInfo.Name,
 		AvatarUrl:   wecomUserInfo.UserInfo.Avatar,
 	}
+
+	if idp.UseIdAsName {
+		userInfo.Username = userInfo.Id
+	}
 	return &userInfo, nil
 }

--- a/main.go
+++ b/main.go
@@ -15,6 +15,7 @@
 package main

 import (
+	"encoding/json"
 	"fmt"

 	"github.com/beego/beego"
@@ -77,10 +78,26 @@ func main() {
 	beego.BConfig.WebConfig.Session.SessionGCMaxLifetime = 3600 * 24 * 30
 	// beego.BConfig.WebConfig.Session.SessionCookieSameSite = http.SameSiteNoneMode

-	err := logs.SetLogger(logs.AdapterFile, conf.GetConfigString("logConfig"))
+	var logAdapter string
+	logConfigMap := make(map[string]interface{})
+	err := json.Unmarshal([]byte(conf.GetConfigString("logConfig")), &logConfigMap)
 	if err != nil {
 		panic(err)
 	}
+	_, ok := logConfigMap["adapter"]
+	if !ok {
+		logAdapter = "file"
+	} else {
+		logAdapter = logConfigMap["adapter"].(string)
+	}
+	if logAdapter == "console" {
+		logs.Reset()
+	}
+	err = logs.SetLogger(logAdapter, conf.GetConfigString("logConfig"))
+	if err != nil {
+		panic(err)
+	}
+
 	port := beego.AppConfig.DefaultInt("httpport", 8000)
 	// logs.SetLevel(logs.LevelInformational)
 	logs.SetLogFuncCall(false)
--- a/object/provider.go
+++ b/object/provider.go
@@ -475,6 +475,7 @@ func FromProviderToIdpInfo(ctx *context.Context, provider *Provider) *idp.Provid
 		AuthURL:       provider.CustomAuthUrl,
 		UserInfoURL:   provider.CustomUserInfoUrl,
 		UserMapping:   provider.UserMapping,
+		DisableSsl:    provider.DisableSsl,
 	}

 	if provider.Type == "WeChat" {
--- a/object/token_jwt.go
+++ b/object/token_jwt.go
@@ -31,7 +31,8 @@ type Claims struct {
 	Tag       string `json:"tag"`
 	Scope     string `json:"scope,omitempty"`
 	// the `azp` (Authorized Party) claim. Optional. See https://openid.net/specs/openid-connect-core-1_0.html#IDToken
-	Azp string `json:"azp,omitempty"`
+	Azp      string `json:"azp,omitempty"`
+	Provider string `json:"provider,omitempty"`
 	jwt.RegisteredClaims
 }

@@ -140,6 +141,7 @@ type ClaimsShort struct {
 	Nonce     string `json:"nonce,omitempty"`
 	Scope     string `json:"scope,omitempty"`
 	Azp       string `json:"azp,omitempty"`
+	Provider  string `json:"provider,omitempty"`
 	jwt.RegisteredClaims
 }

@@ -159,6 +161,7 @@ type ClaimsWithoutThirdIdp struct {
 	Tag       string `json:"tag"`
 	Scope     string `json:"scope,omitempty"`
 	Azp       string `json:"azp,omitempty"`
+	Provider  string `json:"provider,omitempty"`
 	jwt.RegisteredClaims
 }

@@ -274,6 +277,7 @@ func getShortClaims(claims Claims) ClaimsShort {
 		Scope:            claims.Scope,
 		RegisteredClaims: claims.RegisteredClaims,
 		Azp:              claims.Azp,
+		Provider:         claims.Provider,
 	}
 	return res
 }
@@ -287,6 +291,7 @@ func getClaimsWithoutThirdIdp(claims Claims) ClaimsWithoutThirdIdp {
 		Scope:               claims.Scope,
 		RegisteredClaims:    claims.RegisteredClaims,
 		Azp:                 claims.Azp,
+		Provider:            claims.Provider,
 	}
 	return res
 }
@@ -308,6 +313,7 @@ func getClaimsCustom(claims Claims, tokenField []string) jwt.MapClaims {
 	res["tag"] = claims.Tag
 	res["scope"] = claims.Scope
 	res["azp"] = claims.Azp
+	res["provider"] = claims.Provider

 	for _, field := range tokenField {
 		userField := userValue.FieldByName(field)
@@ -342,7 +348,7 @@ func refineUser(user *User) *User {
 	return user
 }

-func generateJwtToken(application *Application, user *User, nonce string, scope string, host string) (string, string, string, error) {
+func generateJwtToken(application *Application, user *User, provider string, nonce string, scope string, host string) (string, string, string, error) {
 	nowTime := time.Now()
 	expireTime := nowTime.Add(time.Duration(application.ExpireInHours) * time.Hour)
 	refreshExpireTime := nowTime.Add(time.Duration(application.RefreshExpireInHours) * time.Hour)
@@ -362,9 +368,10 @@ func generateJwtToken(application *Application, user *User, nonce string, scope
 		TokenType: "access-token",
 		Nonce:     nonce,
 		// FIXME: A workaround for custom claim by reusing `tag` in user info
-		Tag:   user.Tag,
-		Scope: scope,
-		Azp:   application.ClientId,
+		Tag:      user.Tag,
+		Scope:    scope,
+		Azp:      application.ClientId,
+		Provider: provider,
 		RegisteredClaims: jwt.RegisteredClaims{
 			Issuer:    originBackend,
 			Subject:   user.Id,
--- a/object/token_oauth.go
+++ b/object/token_oauth.go
@@ -136,7 +136,7 @@ func CheckOAuthLogin(clientId string, responseType string, redirectUri string, s
 	return "", application, nil
 }

-func GetOAuthCode(userId string, clientId string, responseType string, redirectUri string, scope string, state string, nonce string, challenge string, host string, lang string) (*Code, error) {
+func GetOAuthCode(userId string, clientId string, provider string, responseType string, redirectUri string, scope string, state string, nonce string, challenge string, host string, lang string) (*Code, error) {
 	user, err := GetUser(userId)
 	if err != nil {
 		return nil, err
@@ -171,7 +171,7 @@ func GetOAuthCode(userId string, clientId string, responseType string, redirectU
 	if err != nil {
 		return nil, err
 	}
-	accessToken, refreshToken, tokenName, err := generateJwtToken(application, user, nonce, scope, host)
+	accessToken, refreshToken, tokenName, err := generateJwtToken(application, user, provider, nonce, scope, host)
 	if err != nil {
 		return nil, err
 	}
@@ -379,7 +379,7 @@ func RefreshToken(grantType string, refreshToken string, scope string, clientId
 		return nil, err
 	}

-	newAccessToken, newRefreshToken, tokenName, err := generateJwtToken(application, user, "", scope, host)
+	newAccessToken, newRefreshToken, tokenName, err := generateJwtToken(application, user, "", "", scope, host)
 	if err != nil {
 		return &TokenError{
 			Error:            EndpointError,
@@ -558,7 +558,7 @@ func GetPasswordToken(application *Application, username string, password string
 		return nil, nil, err
 	}

-	accessToken, refreshToken, tokenName, err := generateJwtToken(application, user, "", scope, host)
+	accessToken, refreshToken, tokenName, err := generateJwtToken(application, user, "", "", scope, host)
 	if err != nil {
 		return nil, &TokenError{
 			Error:            EndpointError,
@@ -604,7 +604,7 @@ func GetClientCredentialsToken(application *Application, clientSecret string, sc
 		Type:  "application",
 	}

-	accessToken, _, tokenName, err := generateJwtToken(application, nullUser, "", scope, host)
+	accessToken, _, tokenName, err := generateJwtToken(application, nullUser, "", "", scope, host)
 	if err != nil {
 		return nil, &TokenError{
 			Error:            EndpointError,
@@ -668,7 +668,7 @@ func GetTokenByUser(application *Application, user *User, scope string, nonce st
 		return nil, err
 	}

-	accessToken, refreshToken, tokenName, err := generateJwtToken(application, user, nonce, scope, host)
+	accessToken, refreshToken, tokenName, err := generateJwtToken(application, user, "", nonce, scope, host)
 	if err != nil {
 		return nil, err
 	}
@@ -775,7 +775,7 @@ func GetWechatMiniProgramToken(application *Application, code string, host strin
 		return nil, nil, err
 	}

-	accessToken, refreshToken, tokenName, err := generateJwtToken(application, user, "", "", host)
+	accessToken, refreshToken, tokenName, err := generateJwtToken(application, user, "", "", "", host)
 	if err != nil {
 		return nil, &TokenError{
 			Error:            EndpointError,
--- a/object/token_standard_jwt.go
+++ b/object/token_standard_jwt.go
@@ -33,6 +33,7 @@ type ClaimsStandard struct {
 	Scope               string      `json:"scope,omitempty"`
 	Address             OIDCAddress `json:"address,omitempty"`
 	Azp                 string      `json:"azp,omitempty"`
+	Provider            string      `json:"provider,omitempty"`

 	jwt.RegisteredClaims
 }
@@ -54,6 +55,7 @@ func getStandardClaims(claims Claims) ClaimsStandard {
 		Scope:            claims.Scope,
 		RegisteredClaims: claims.RegisteredClaims,
 		Azp:              claims.Azp,
+		Provider:         claims.Provider,
 	}

 	res.Phone = ""
--- a/object/user.go
+++ b/object/user.go
@@ -837,7 +837,7 @@ func AddUser(user *User) (bool, error) {
 		return false, fmt.Errorf("the user's owner and name should not be empty")
 	}

-	if CheckUsername(user.Name, "en") != "" {
+	if CheckUsernameWithEmail(user.Name, "en") != "" {
 		user.Name = util.GetRandomName()
 	}

--- a/routers/static_filter.go
+++ b/routers/static_filter.go
@@ -89,7 +89,7 @@ func fastAutoSignin(ctx *context.Context) (string, error) {
 		return "", nil
 	}

-	code, err := object.GetOAuthCode(userId, clientId, responseType, redirectUri, scope, state, nonce, codeChallenge, ctx.Request.Host, getAcceptLanguage(ctx))
+	code, err := object.GetOAuthCode(userId, clientId, "", responseType, redirectUri, scope, state, nonce, codeChallenge, ctx.Request.Host, getAcceptLanguage(ctx))
 	if err != nil {
 		return "", err
 	} else if code.Message != "" {
--- a/web/src/ApplicationEditPage.js
+++ b/web/src/ApplicationEditPage.js
@@ -454,6 +454,7 @@ class ApplicationEditPage extends React.Component {
          </Col>
          <Col span={22} >
            <Select virtual={false} disabled={this.state.application.tokenFormat !== "JWT-Custom"} mode="tags" showSearch style={{width: "100%"}} value={this.state.application.tokenFields} onChange={(value => {this.updateApplicationField("tokenFields", value);})}>
+              <Option key={"provider"} value={"provider"}>{"Provider"}</Option>)
              {
                Setting.getUserCommonFields().map((item, index) => <Option key={index} value={item}>{item}</Option>)
              }
--- a/web/src/ProviderEditPage.js
+++ b/web/src/ProviderEditPage.js
@@ -692,23 +692,35 @@ class ProviderEditPage extends React.Component {
              </Row>
              {
                this.state.provider.type !== "WeCom" ? null : (
-                  <Row style={{marginTop: "20px"}} >
-                    <Col style={{marginTop: "5px"}} span={2}>
-                      {Setting.getLabel(i18next.t("general:Method"), i18next.t("provider:Method - Tooltip"))} :
-                    </Col>
-                    <Col span={22} >
-                      <Select virtual={false} style={{width: "100%"}} value={this.state.provider.method} onChange={value => {
-                        this.updateProviderField("method", value);
-                      }}>
-                        {
-                          [
-                            {id: "Normal", name: i18next.t("provider:Normal")},
-                            {id: "Silent", name: i18next.t("provider:Silent")},
-                          ].map((method, index) => <Option key={index} value={method.id}>{method.name}</Option>)
-                        }
-                      </Select>
-                    </Col>
-                  </Row>)
+                  <React.Fragment>
+                    <Row style={{marginTop: "20px"}} >
+                      <Col style={{marginTop: "5px"}} span={2}>
+                        {Setting.getLabel(i18next.t("general:Method"), i18next.t("provider:Method - Tooltip"))} :
+                      </Col>
+                      <Col span={22} >
+                        <Select virtual={false} style={{width: "100%"}} value={this.state.provider.method} onChange={value => {
+                          this.updateProviderField("method", value);
+                        }}>
+                          {
+                            [
+                              {id: "Normal", name: i18next.t("provider:Normal")},
+                              {id: "Silent", name: i18next.t("provider:Silent")},
+                            ].map((method, index) => <Option key={index} value={method.id}>{method.name}</Option>)
+                          }
+                        </Select>
+                      </Col>
+                    </Row>
+                    <Row style={{marginTop: "20px"}} >
+                      <Col style={{marginTop: "5px"}} span={2}>
+                        {Setting.getLabel(i18next.t("provider:Use id as name"), i18next.t("provider:Use id as name - Tooltip"))} :
+                      </Col>
+                      <Col span={22} >
+                        <Switch checked={this.state.provider.disableSsl} onChange={checked => {
+                          this.updateProviderField("disableSsl", checked);
+                        }} />
+                      </Col>
+                    </Row>
+                  </React.Fragment>)
              }
            </React.Fragment>
          )
--- a/web/src/Setting.js
+++ b/web/src/Setting.js
@@ -1616,7 +1616,7 @@ export function isDarkTheme(themeAlgorithm) {

 function getPreferredMfaProp(mfaProps) {
  for (const i in mfaProps) {
-    if (mfaProps[i].isPreffered) {
+    if (mfaProps[i].isPreferred) {
      return mfaProps[i];
    }
  }
Author	SHA1	Message	Date
DacongDA	9190db1099	feat: fix bug that token endpoint doesn't return 400/401 when type is object.TokenError (#3808 )	2025-05-20 10:39:55 +08:00
DacongDA	1173f75794	feat: return HTTP status 400 instead of 200 in GetOAuthToken() (#3807 )	2025-05-20 01:05:43 +08:00
Yang Luo	086859d1ce	feat: change User.Avatar length back to 500	2025-05-18 09:47:56 +08:00
Yang Luo	9afaf5d695	feat: increase User.Avatar length to 1000	2025-05-17 19:59:17 +08:00
DacongDA	521f90a603	feat: fix access_token endpoint cannot read clientId in form when using device code flow (#3800 )	2025-05-17 18:53:38 +08:00
DacongDA	4260efcfd0	feat: add useIdAsName field for WeCom OAuth provider (#3797 )	2025-05-17 02:27:06 +08:00
DacongDA	d772b0b7a8	feat: fix bug that username will be random with useEmailAsUsername enabled (#3793 )	2025-05-16 18:40:50 +08:00
DacongDA	702b390da1	feat: fix MFA preference doesn't work bug (#3790 )	2025-05-15 21:04:36 +08:00
DacongDA	b15b3b9335	feat: support adapter in app.conf logConfig (#3784 )	2025-05-14 08:27:11 +08:00
DacongDA	f8f864c5b9	feat: add logged-in IDP provider info to access token (#3776 )	2025-05-11 09:51:51 +08:00