From 87b29057f1b203afde49126ec85603ae9705e7f4 Mon Sep 17 00:00:00 2001
From: Maxim Koltsov
Date: Wed, 23 Jun 2021 15:27:30 +0300
Subject: [PATCH] version 0.1.3.8: allow service tokens (#27)
---
 CHANGELOG.md | 5 +++++
 src/Web/Template/Servant/Auth.hs | 8 +++++++-
 web-template.cabal | 2 +-
 3 files changed, 13 insertions(+), 2 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index d7078e9..0639a17 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -6,6 +6,11 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ## [Unreleased]
+## [0.1.3.8] - 2021-06-22
+### Added
+- Possibility to accept Service Token in `OIDCAuth`. Token is considered a Service Token if it lacks the `object_guid` claim. `preferred_username` claim is used as user id instead.
+
 ## [0.1.3.7] - 2021-06-10
 ### Added
 - Add a way to describe fields in Swagger schemas.
diff --git a/src/Web/Template/Servant/Auth.hs b/src/Web/Template/Servant/Auth.hs
index 3146767..410c87c 100644
--- a/src/Web/Template/Servant/Auth.hs
+++ b/src/Web/Template/Servant/Auth.hs
@@ -137,6 +137,8 @@ data OIDCConfig
 -- ^ cache - storing validation keys
 , oidcDefaultExpiration :: NominalDiffTime
 -- ^ Default expiration time for discovery document and JWKS
+ , oidcAllowServiceToken :: Bool
+ -- ^ Whether to accept service token (defined as "token without object_guid claim")
 }
 defaultOIDCCfg :: MonadIO m => m OIDCConfig
@@ -151,6 +153,7 @@ defaultOIDCCfg = do
 , oidcIssuer = error "discovery uri not set"
 , oidcClientId = error "client id not set"
 , oidcDefaultExpiration = 10 * 60 -- 10 minutes
+ , oidcAllowServiceToken = False
 }
 instance ( HasServer api context
@@ -178,10 +181,13 @@ instance ( HasServer api context
 claims <- getClaims cfg jwt jwkSet
+ let guid = claims ^? unregisteredClaims . ix "object_guid" . _String
+ let username = claims ^? unregisteredClaims . ix "preferred_username" . _String
+
 uid <- maybe (die ERROR unauth401 ("No object_guid found" :: Text)) return
- $ claims ^? unregisteredClaims . ix "object_guid" . _String
+ (guid <|> (if oidcAllowServiceToken cfg then username else Nothing))
 liftIO $ sequence_ $ catMaybes
 [ userIdVaultKey req <&> flip writeIORef (Just uid)
diff --git a/web-template.cabal b/web-template.cabal
index f9e38e5..68d84da 100644
--- a/web-template.cabal
+++ b/web-template.cabal
@@ -1,5 +1,5 @@
 name: web-template
-version: 0.1.3.7
+version: 0.1.3.8
 synopsis: Web template
 description: Web template includes:
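Review bot: The fallback on the `uid <-` line stores `preferred_username` in the same `uid` slot that `object_guid` fills, but OIDC Core §5.1 says a relying party must not rely on `preferred_username` being unique, so a service identity and a human GUID now share one namespace on a claim the issuer does not guarantee; if the IdP marks service clients positively (for instance an `azp`/`client_id` or scope claim), gating on that and tagging the result (a `ServiceUser`/`HumanUser` sum, or a prefix) would let downstream code tell them apart. As written, a user token that merely lacks `object_guid` (a scope or claim-mapper misconfiguration) is also accepted under its username rather than rejected when the flag is on. The `unauth401` message `"No object_guid found"` is no longer accurate in that mode; `"No object_guid or preferred_username claim found"` describes what was checked. The enclosing handler starts and ends outside this hunk.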