Support mailclient oidc claim

Only apps with the email addon have access to the claims' scopes
This commit is contained in:
Johannes Zellner
2026-02-17 14:06:40 +01:00
parent 4ed6fbbd74
commit 135c9fb64d
2 changed files with 49 additions and 2 deletions


@@ -13,6 +13,7 @@ import ejs from 'ejs';
import express from 'express';
import eventlog from './eventlog.js';
import fs from 'node:fs';
import mail from './mail.js';
import * as marked from 'marked';
import middleware from './middleware/index.js';
import oidcClients from './oidcclients.js';
@@ -467,6 +468,15 @@ async function interactionConfirm(req, res, next) {
return await gOidcProvider.interactionFinished(req, res, result, { mergeWithLastSubmission: false });
}
if (!app.manifest.addons.email && params.scope.indexOf('mailclient')) {
const result = {
error: 'access_denied',
error_description: 'App has no access to mailclient claims',
};
return await gOidcProvider.interactionFinished(req, res, result, { mergeWithLastSubmission: false });
}
}
let grant;
@@ -522,6 +532,9 @@ async function getClaims(username/*, use, scope*/) {
const [groupsError, allGroups] = await safe(groups.listWithMembers());
if (groupsError) return { error: groupsError.message };
const [mailboxesError, mailboxes] = await safe(mail.listMailboxesByUserId(user.id));
if (mailboxesError) return { error: mailboxesError.message };
const displayName = user.displayName || user.username || ''; // displayName can be empty and username can be null
const { firstName, lastName, middleName } = users.parseDisplayName(displayName);
@@ -539,7 +552,10 @@ async function getClaims(username/*, use, scope*/) {
name: user.displayName,
picture: `https://${dashboardFqdn}/api/v1/profile/avatar/${user.id}`, // we always store as png
preferred_username: user.username,
groups: allGroups.filter(function (g) { return g.userIds.indexOf(user.id) !== -1; }).map(function (g) { return `${g.name}`; })
groups: allGroups.filter(function (g) { return g.userIds.indexOf(user.id) !== -1; }).map(function (g) { return `${g.name}`; }),
mailclient: {
mailboxes,
},
};
return claims;
@@ -609,7 +625,8 @@ async function start() {
claims: {
email: ['email', 'email_verified'],
profile: [ 'family_name', 'given_name', 'locale', 'name', 'preferred_username', 'picture' ],
groups: [ 'groups' ]
groups: [ 'groups' ],
mailboxes: [ 'mailboxes' ]
},
features: {
rpInitiatedLogout: { enabled: false },
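Review bot: The new guard in interactionConfirm (`if (!app.manifest.addons.email && params.scope.indexOf('mailclient'))`) is an inverted access check: `indexOf` returns -1 when the scope is absent, which is truthy, so apps without the email addon are denied on every request that does *not* ask for `mailclient`, while a request with `mailclient` as the first scope (index 0, falsy) passes through. The file's own idiom on the `groups` line is the minimal fix, `if (!app.manifest.addons.email && params.scope.indexOf('mailclient') !== -1) {`; if `params.scope` is the space-separated string oidc-provider normally supplies, `params.scope.split(' ').includes('mailclient')` avoids matching longer scope names that merely contain the substring. Separately, the names do not line up across the hunks: the scope map registers a scope `mailboxes` releasing a claim `mailboxes`, getClaims emits the claim as `mailclient`, and the guard checks for a scope named `mailclient`; if the provider filters claims by that map (inferred, not visible here), the `mailclient` claim is never released and the guard never matches a configured scope, so the three names should agree. The enclosing functions interactionConfirm and getClaims start outside these hunks.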