chore(passport): change user organizations to roles

duanhongyi · duanhongyi · commit 75ea4d7f4e2c · 2025-06-09T21:33:33.000+08:00
diff --git a/rootfs/api/models.py b/rootfs/api/models.py
@@ -9,14 +9,14 @@ class User(AbstractUser):
     email = models.EmailField(_('email address'), unique=True)
 
     @property
-    def organizations(self) -> list[str]:
+    def roles(self) -> list[str]:
         results = []
         if self.is_superuser:
             results.append("admin")
         if self.is_staff:
             results.append("staff")
         if self.is_active:
-            results.append(self.username)
+            results.append("users")
         return results
 
 
diff --git a/rootfs/api/oauth2_validators.py b/rootfs/api/oauth2_validators.py
@@ -3,18 +3,32 @@
 
 class CustomOAuth2Validator(OAuth2Validator):
 
-    oidc_claim_scope = None
+    oidc_claim_scope = OAuth2Validator.oidc_claim_scope
+    oidc_claim_scope.update({
+        "id": "profile",
+        "name": "profile",
+        "username": "profile",
+        "email": "email",
+        "roles": "profile",
+        "first_name": "profile",
+        "last_name": "profile",
+        "is_staff": "profile",
+        "is_active": "profile",
+        "is_superuser": "profile",
+        "preferred_username": "profile",
+    })
 
     def get_additional_claims(self, request):
         claims = super().get_additional_claims(request)
         claims["id"] = request.user.id
         claims["name"] = request.user.username
         claims["username"] = request.user.username
         claims["email"] = request.user.email
+        claims["roles"] = request.user.roles
         claims["first_name"] = request.user.first_name
         claims["last_name"] = request.user.last_name
         claims["is_staff"] = request.user.is_staff
         claims["is_active"] = request.user.is_active
         claims["is_superuser"] = request.user.is_superuser
-        claims["organizations"] = request.user.organizations
+        claims["preferred_username"] = request.user.username
         return claims
diff --git a/rootfs/api/serializers.py b/rootfs/api/serializers.py
@@ -17,10 +17,10 @@
 class UserSerializer(serializers.ModelSerializer):
     class Meta:
         model = User
-        fields = ('id', 'username', 'email', 'first_name', 'last_name',
-                  'is_staff', 'is_active', 'is_superuser', "organizations")
-        read_only_fields = ('id', 'username', 'is_staff', 'is_active',
-                            'is_superuser', "organizations")
+        fields = ('id', 'username', 'email', 'roles', 'first_name', 'last_name',
+                  'is_staff', 'is_active', 'is_superuser')
+        read_only_fields = ('id', 'username', 'roles', 'is_staff', 'is_active',
+                            'is_superuser')
 
 
 class UserEmailSerializer(serializers.ModelSerializer):
diff --git a/rootfs/api/settings/production.py b/rootfs/api/settings/production.py
@@ -317,10 +317,11 @@
     "REFRESH_TOKEN_EXPIRE_SECONDS": int(os.environ.get('REFRESH_TOKEN_EXPIRE_SECONDS', 60 * 86400)),  # noqa
     "ROTATE_REFRESH_TOKEN": True,
     "SCOPES": {
+        "email": "Email",
         "profile": "Profile",
         "openid": "OpenID Connect scope",
     },
-    "DEFAULT_SCOPES": ['openid', ],
+    "DEFAULT_SCOPES": ['openid', 'email', 'profile'],
     "DEFAULT_CODE_CHALLENGE_METHOD": 'S256',
 }
 OAUTH2_PROVIDER_APPLICATION_MODEL = 'api.Application'
