(feat) OAuth2 scopes are now configurable from the interface

Previously, scopes were supported through OAUTH2_SCOPE since v5.3.1.
BREAKING CHANGE: update your oauth2 provider configuration if you need scopes support

CHANGELOG.md

@@ -1,6 +1,7 @@
 # Changelog Fab-manager
 
 - Support for Google Analytics V4
+- OAuth2 scopes are now configurable from the interface
 - Updated environment documentation
 - Updated react-i18next to 11.15.6
 - Updated i18next to 21.6.13
@@ -30,6 +31,7 @@
 - [TODO DEPLOY] `\curl -sSL https://raw.githubusercontent.com/sleede/fab-manager/master/scripts/cve-2021-44228.sh | bash`
 - [TODO DEPLOY] migrate your Google Analytics property to GA4, see [this guide](https://support.google.com/analytics/answer/9744165)
 - [TODO DEPLOY] update your tracking ID in Customization > Privacy > Statistics > Google Analytics
+- [TODO DEPLOY] update your oAuth2 provider configuration with the scopes previously defined in the OAUTH2_SCOPE environment variable
 
 ## v5.3.5 2022 March 02
 

app/controllers/api/auth_providers_controller.rb

@@ -83,7 +83,7 @@ class API::AuthProvidersController < API::ApiController
     params.require(:auth_provider)
           .permit(:name, :providable_type,
                   providable_attributes: [:id, :base_url, :token_endpoint, :authorization_endpoint, :logout_endpoint,
-                                          :profile_url, :client_id, :client_secret,
+                                          :profile_url, :client_id, :client_secret, :scopes,
                                           o_auth2_mappings_attributes: [:id, :local_model, :local_field, :api_field,
                                                                         :api_endpoint, :api_data_type, :_destroy,
                                                                         transformation: [:type, :format, :true_value,

app/frontend/templates/admin/authentications/_oauth2.html

@@ -90,4 +90,15 @@
     </div>
 </div>
 
+<div class="form-group" ng-class="{'has-error': providerForm['auth_provider[scopes]'].$dirty && providerForm['auth_provider[scopes]'].$invalid}">
+    <label for="provider_client_secret" class="col-sm-3 control-label" translate>{{ 'app.shared.oauth2.scopes' }}</label>
+    <div class="col-sm-9">
+        <input type="text"
+          ng-model="provider.providable_attributes.scopes"
+          class="form-control"
+          name="auth_provider[scopes]"
+          id="provider_scopes"
+          placeholder="profile,email...">
+    </div>
+</div>
 <ng-include src="'/admin/authentications/_oauth2_mapping.html'"></ng-include>

app/views/api/auth_providers/show.json.jbuilder

@@ -4,7 +4,7 @@ json.partial! 'api/auth_providers/auth_provider', auth_provider: @provider
 
 if @provider.providable_type == OAuth2Provider.name
   json.providable_attributes do
-    json.extract! @provider.providable, :id, :base_url, :token_endpoint, :authorization_endpoint, :profile_url, :client_id, :client_secret
+    json.extract! @provider.providable, :id, :base_url, :token_endpoint, :authorization_endpoint, :profile_url, :client_id, :client_secret, :scopes
     json.o_auth2_mappings_attributes @provider.providable.o_auth2_mappings do |m|
       json.extract! m, :id, :local_model, :local_field, :api_field, :api_endpoint, :api_data_type, :transformation
     end

config/locales/app.shared.en.yml

@@ -267,6 +267,7 @@ en:
         obtain_it_when_registering_with_your_provider: "Obtain it when registering with your provider."
         client_secret: "Client secret"
         oauth2_client_secret_is_required: "OAuth 2.0 client secret is required."
+        scopes: "Scopes"
         define_the_fields_mapping: "Define the fields mapping"
         add_a_match: "Add a match"
         model: "Model"

db/migrate/20220322135836_add_scopes_to_o_auth2_provider.rb

@@ -0,0 +1,9 @@
+# frozen_string_literal: true
+
+# This migration saves the scopes of the OAuth2 provider to the database.
+# Previously, the scopes were defined in the OAUTH2_SCOPE environment variable.
+class AddScopesToOAuth2Provider < ActiveRecord::Migration[5.2]
+  def change
+    add_column :o_auth2_providers, :scopes, :string
+  end
+end

db/schema.rb

@@ -10,7 +10,7 @@
 #
 # It's strongly recommended that you check this file into your version control system.
 
-ActiveRecord::Schema.define(version: 2022_03_16_133304) do
+ActiveRecord::Schema.define(version: 2022_03_22_135836) do
 
   # These are extensions that must be enabled in order to support this database
   enable_extension "fuzzystrmatch"
@@ -391,6 +391,7 @@ ActiveRecord::Schema.define(version: 2022_03_16_133304) do
     t.datetime "created_at", null: false
     t.datetime "updated_at", null: false
     t.string "profile_url"
+    t.string "scopes"
   end
 
   create_table "offer_days", id: :serial, force: :cascade do |t|

doc/environment.md

@@ -138,11 +138,6 @@ Please, ensure you know what you're doing, as this can lead to serious security
 A comma separated list of settings that cannot be changed from the UI.
 Please refer to https://github.com/sleede/fab-manager/blob/master/app/models/setting.rb for a list of possible values.
 Only the system administrator can change them, with the command: `ENV=value rails fablab:setup:env_to_db`
-<a name="OAUTH2_SCOPE"></a>
-
-    OAUTH2_SCOPE
-
-A comma separated list of scopes that will be requested when authenticating with OAuth2.
 <a name="SSO_DEBUG"></a>
 
     SSO_DEBUG

lib/omni_auth/strategies/sso_oauth2_provider.rb

@@ -28,7 +28,7 @@ module OmniAuth::Strategies
 
     def authorize_params
       super.tap do |params|
-        params[:scope] = ENV['OAUTH2_SCOPE']
+        params[:scope] = active_provider.providable.scopes
       end
     end