From dc49252ea46d86ac2b2f3530402de2ccf8cc90d7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=C3=89loi=20Rivard?=
Date: Wed, 26 Jul 2023 12:38:35 +0200
Subject: [PATCH 1/3] fix: do not raise an exception if attendee name cannot be read in the userinfo
this can happen in case of OIDC provider misconfiguration, such as wrongly configurated scopes, resulting in `given_name` and `family_name` claims being absent from the user profile.
---
 web/flaskr/routes.py | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/web/flaskr/routes.py b/web/flaskr/routes.py
index ac74e5aa..02ed7456 100755
--- a/web/flaskr/routes.py
+++ b/web/flaskr/routes.py
@@ -1482,9 +1482,9 @@ def join_mail_meeting():
 def get_authenticated_attendee_fullname():
 attendee_session = UserSession(session)
 attendee_info = attendee_session.userinfo
- given_name = attendee_info["given_name"]
- family_name = attendee_info["family_name"]
- fullname = f"{given_name} {family_name}"
+ given_name = attendee_info.get("given_name", "")
+ family_name = attendee_info.get("family_name", "")
+ fullname = f"{given_name} {family_name}".strip()
 return fullname
From 7e20db1ec62022ad138fbe38895e65883107f023 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=C3=89loi=20Rivard?=
Date: Fri, 28 Jul 2023 10:26:34 +0200
Subject: [PATCH 2/3] fix: 404 error when joining an authenticated room with uncorrectly set OIDC parameters
---
 web/flaskr/routes.py | 16 +++++++++-------
 1 file changed, 9 insertions(+), 7 deletions(-)
diff --git a/web/flaskr/routes.py b/web/flaskr/routes.py
index 02ed7456..281e96e8 100755
--- a/web/flaskr/routes.py
+++ b/web/flaskr/routes.py
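Review bot: A userinfo that carries neither claim now yields an empty fullname with no trace of the provider misconfiguration the commit describes, because both `.get(..., "")` defaults collapse to `""` at the `.strip()` line. Logging it would let operators see the wrongly configured scopes instead of attendees joining with blank names: `if not fullname: current_app.logger.warning("OIDC userinfo carries neither given_name nor family_name; check the attendee scopes")`. The standard OIDC `name` claim could presumably serve as a fallback before giving up, if the provider sends it. `current_app` is already used elsewhere in routes.py, so no new import is needed.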
@@ -1382,15 +1382,18 @@ def authenticate_then_signin_meeting(meeting_fake_id, user_id, h):
 @bp.route(
- "/meeting/wait//creator//hash//fullname//fullname_suffix/",
- methods=["GET"],
- defaults={"fullname_suffix": ""},
+ "/meeting/wait//creator//hash//fullname/fullname_suffix/",
 )
 @bp.route(
- "/meeting/wait//creator//hash//fullname//fullname_suffix/",
- methods=["GET"],
+ "/meeting/wait//creator//hash//fullname//fullname_suffix/",
+)
+@bp.route(
+ "/meeting/wait//creator//hash//fullname/fullname_suffix/",
+)
+@bp.route(
+ "/meeting/wait//creator//hash//fullname//fullname_suffix/",
 )
-def waiting_meeting(meeting_fake_id, user_id, h, fullname, fullname_suffix):
+def waiting_meeting(meeting_fake_id, user_id, h, fullname="", fullname_suffix=""):
 meeting = get_meeting_from_meeting_id_and_user_id(meeting_fake_id, user_id)
 if meeting is None:
 return redirect("/")
@@ -1501,7 +1504,6 @@ def join_meeting_as_authenticated(meeting_id):
 user_id=meeting.user.id,
 h=meeting.get_hash(role),
 fullname=fullname,
- fullname_suffix="",
 )
 )
From 0d9968164041abd2d90ec81295e00721f054a37e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=C3=89loi=20Rivard?=
Date: Fri, 28 Jul 2023 10:00:27 +0200
Subject: [PATCH 3/3] feat: read `OIDC_SCOPES` and `OIDC_ATTENDEE_SCOPES` from the environment variables.
By default if `OIDC_ATTENDEE_SCOPES` is undefined, it will take the value of `OIDC_SCOPES`. If defined in an environment variable, this must be a single string of values separated by commas, like: OIDC_SCOPES="openid, email, profile"
---
 web/flaskr/routes.py | 5 +----
 web/instance/config.py | 15 ++++++++++++++-
 2 files changed, 15 insertions(+), 5 deletions(-)
diff --git a/web/flaskr/routes.py b/web/flaskr/routes.py
index 281e96e8..4b980772 100755
--- a/web/flaskr/routes.py
+++ b/web/flaskr/routes.py
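Review bot: The four stacked `@bp.route` decorators on `waiting_meeting` encode optional `fullname` and `fullname_suffix` path segments, but nothing in the hunk says so and a reader has to diff the four rule strings to see it. A comment above the first decorator, `# fullname and fullname_suffix are optional path segments; all four combinations reach the same view`, would make the intent explicit. Dropping `methods=["GET"]` is behaviour-neutral, since GET is Flask's default for `route()`. The converters inside the rule strings appear stripped in this rendering, so the exact patterns cannot be checked here, and `waiting_meeting`'s body continues past the end of the hunk.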
@@ -110,10 +110,7 @@
 ),
 post_logout_redirect_uris=[f'{current_app.config.get("SERVER_FQDN")}/logout'],
 ),
- auth_request_params={
- "scope": current_app.config.get("OIDC_ATTENDEE_SCOPES")
- or current_app.config["OIDC_SCOPES"]
- },
+ auth_request_params={"scope": current_app.config["OIDC_ATTENDEE_SCOPES"]},
 )
 auth = OIDCAuthentication(
diff --git a/web/instance/config.py b/web/instance/config.py
index d069a41b..ffb8e884 100755
--- a/web/instance/config.py
+++ b/web/instance/config.py
@@ -32,7 +32,15 @@
 OIDC_REQUIRE_VERIFIED_EMAIL = False
 OIDC_USER_INFO_ENABLED = True
 OIDC_OPENID_REALM = os.environ.get("OIDC_OPENID_REALM")
-OIDC_SCOPES = ["openid", "email", "profile"]
+OIDC_SCOPES = (
+ list(map(str.strip, os.environ["OIDC_SCOPES"].split(",")))
+ if os.environ.get("OIDC_SCOPES")
+ else [
+ "openid",
+ "email",
+ "profile",
+ ]
+)
 OIDC_INTROSPECTION_AUTH_METHOD = "client_secret_post"
 OIDC_USERINFO_HTTP_METHOD = os.environ.get("OIDC_USERINFO_HTTP_METHOD")
 OIDC_INFO_REQUESTED_FIELDS = ["email", "given_name", "family_name"]
@@ -70,6 +78,11 @@
 OIDC_ATTENDEE_SERVICE_NAME = (
 os.environ.get("OIDC_ATTENDEE_SERVICE_NAME") or OIDC_SERVICE_NAME
 )
+OIDC_ATTENDEE_SCOPES = (
+ list(map(str.strip, os.environ["OIDC_ATTENDEE_SCOPES"].split(",")))
+ if os.environ.get("OIDC_ATTENDEE_SCOPES")
+ else OIDC_SCOPES
+)
 # Links
 DOCUMENTATION_LINK = {
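Review bot: `current_app.config["OIDC_ATTENDEE_SCOPES"]` now raises `KeyError` while the attendee client is being built whenever the key is absent, which the removed `.get(...) or ...` form tolerated. The bundled config.py change does define the key, but a deployment that keeps its own instance config without it would presumably fail at startup instead of falling back to `OIDC_SCOPES`; keeping the fallback, `auth_request_params={"scope": current_app.config.get("OIDC_ATTENDEE_SCOPES") or current_app.config["OIDC_SCOPES"]},`, costs nothing. The enclosing client-construction call starts before the hunk.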
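Review bot: `list(map(str.strip, os.environ["OIDC_SCOPES"].split(",")))` in the config.py hunk at line 32 keeps empty entries, so an operator value such as `openid, email,` or `openid,,profile` yields an empty-string scope that is passed to the provider verbatim; filtering the split result avoids that. The identical expression is repeated for `OIDC_ATTENDEE_SCOPES` in the hunk at line 78, so one small helper would keep the two parsers from drifting apart. Since the scope list is now operator-supplied, a one-line comment that `openid` must stay in the list for the request to be an OpenID Connect authentication, and that dropping `profile` removes the `given_name`/`family_name` claims the attendee name is built from, would save the misconfiguration the first commit in this series works around.

```python
def _scopes_from_env(name, default):
    """Return the comma-separated scope list in environment variable *name*, or *default* when unset or empty."""
    raw = os.environ.get(name)
    if not raw:
        return default
    # Drop blanks so a trailing or doubled comma cannot produce an empty scope.
    return [scope.strip() for scope in raw.split(",") if scope.strip()]


# "openid" is required for an OpenID Connect authentication request; "profile" supplies the name claims.
OIDC_SCOPES = _scopes_from_env("OIDC_SCOPES", ["openid", "email", "profile"])
# … unchanged: OIDC_INTROSPECTION_AUTH_METHOD through OIDC_ATTENDEE_SERVICE_NAME …
OIDC_ATTENDEE_SCOPES = _scopes_from_env("OIDC_ATTENDEE_SCOPES", OIDC_SCOPES)
```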