Add Google support, sub fallback

9p4 · Jan 23, 2022 · dfc427e · dfc427e
1 parent 444d93b
commit dfc427e
Showing 1 changed file with 23 additions and 2 deletions.
diff --git a/SSO-Auth/Api/SSOController.cs b/SSO-Auth/Api/SSOController.cs
@@ -2,6 +2,7 @@
 using System.Collections.Generic;
 using System.Net.Mime;
 using System.Threading.Tasks;
+using IdentityModel.Client;
 using IdentityModel.OidcClient;
 using Jellyfin.Data.Entities;
 using Jellyfin.Data.Enums;
@@ -56,8 +57,9 @@ public ActionResult OIDPost(string provider)
                     ClientId = config.OIDClientId,
                     ClientSecret = config.OIDSecret,
                     RedirectUri = GetRequestBase() + "/sso/OID/r/" + provider,
-                    Scope = "openid profile"
+                    Scope = "openid profile",
                 };
+                options.Policy.Discovery.ValidateEndpoints = false; // For Google and other providers with different endpoints
                 var oidcClient = new OidcClient(options);
                 var state = StateManager[Request.Query["state"]].State;
                 var result = oidcClient.ProcessResponseAsync(Request.QueryString.Value, state).Result;
@@ -114,13 +116,29 @@ public ActionResult OIDPost(string provider)
                         }
                     }
                 }
+
+                // If the provider doesn't support preferred_username, then use sub
+                if (!StateManager[Request.Query["state"]].Valid)
+                {
+                    foreach (var claim in result.User.Claims)
+                    {
+                        if (claim.Type == "sub")
+                        {
+                            StateManager[Request.Query["state"]].Username = claim.Value;
+                            if (config.Roles.Length == 0)
+                            {
+                                StateManager[Request.Query["state"]].Valid = true;
+                            }
+                        }
+                    }
+                }
                 if (StateManager[Request.Query["state"]].Valid)
                 {
                     return Content(WebResponse.OIDGenerator(data: Request.Query["state"], provider: provider, baseUrl: GetRequestBase()), MediaTypeNames.Text.Html);
                 }
                 else
                 {
-                    return Content("Error. Check permissions");
+                    return Content("Error. Check permissions."); // TODO: Return error code as well
                 }
             }
         }
@@ -144,6 +162,7 @@ public async Task<ActionResult> OIDChallenge(string provider)
                     RedirectUri = GetRequestBase() + "/sso/OID/r/" + provider,
                     Scope = "openid profile"
                 };
+                options.Policy.Discovery.ValidateEndpoints = false; // For Google and other providers with different endpoints
                 var oidcClient = new OidcClient(options);
                 var state = await oidcClient.PrepareLoginAsync().ConfigureAwait(false);
                 StateManager.Add(state.State, new TimedAuthorizeState(state, DateTime.Now));
@@ -426,4 +445,6 @@ public TimedAuthorizeState(AuthorizeState state, DateTime created)
     public string Username { get; set; }
 
     public bool Admin { get; set; }
+
+    public string Email { get; set; }
 }