From f7fad5370f47781b12b065173b3f5ef46756bde0 Mon Sep 17 00:00:00 2001
From: Tim
Date: Tue, 22 Apr 2025 15:40:01 +0200
Subject: Require scopes for oidc user information endpoint

---
 VPNAuth.Server/Api/Oidc.cs | 31 ++++++++++++++++++++++---------
 1 file changed, 22 insertions(+), 9 deletions(-)

diff --git a/VPNAuth.Server/Api/Oidc.cs b/VPNAuth.Server/Api/Oidc.cs
index 8b984c7..e8ff3c0 100644
--- a/VPNAuth.Server/Api/Oidc.cs
+++ b/VPNAuth.Server/Api/Oidc.cs
@@ -38,6 +38,12 @@ public static class Oidc
 return;
 }
 
+ if (!tokenDbEntry.Scopes.Contains("openid"))
+ {
+ context.Response.StatusCode = StatusCodes.Status403Forbidden;
+ return;
+ }
+
 var userInformation = db.UserInformation
 .Where(entry => entry.Sub == tokenDbEntry.Username)
 .ToList()
@@ -49,15 +55,22 @@ public static class Oidc
 return;
 }
 
- context.Response.WriteAsJsonAsync(new UserInfo
+ var userInfoResponse = new UserInfo();
+
+ if (tokenDbEntry.Scopes.Contains("profile"))
 {
- Email = userInformation.Email,
- GivenName = userInformation.GivenName,
- FamilyName = userInformation.FamilyName,
- Name = userInformation.Name,
- Picture = userInformation.Picture,
- PreferredUsername = userInformation.PreferredUsername,
- Sub = userInformation.Sub
- });
+ userInfoResponse.GivenName = userInformation.GivenName;
+ userInfoResponse.FamilyName = userInformation.FamilyName;
+ userInfoResponse.Name = userInformation.Name;
+ userInfoResponse.Picture = userInformation.Picture;
+ userInfoResponse.PreferredUsername = userInformation.PreferredUsername;
+ }
+
+ if (tokenDbEntry.Scopes.Contains("email"))
+ userInfoResponse.Email = userInformation.Email;
+
+ userInfoResponse.Sub = userInformation.Sub;
+
+ await context.Response.WriteAsJsonAsync(userInfoResponse);
 }
 }
-- 
cgit v1.2.3
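Review bot: `tokenDbEntry.Scopes.Contains("openid")` is only an exact scope check if `Scopes` is a collection of individual scope values; if it is the raw space-separated scope string, `Contains` is a substring match and a value such as `openid2` would also pass (the same applies to the `profile` and `email` checks in the second hunk). The declaration of `Scopes` is not visible here, so this is worth confirming; for a string, splitting first — `tokenDbEntry.Scopes.Split(' ').Contains("openid")` — gives the intended per-value semantics. Separately, a token without the scope gets a bare 403; OIDC Core 5.3.3 defers to RFC 6750, which expects a `WWW-Authenticate: Bearer error="insufficient_scope"` header with that status so the client can distinguish it from a general authorization failure. The enclosing method begins before this hunk.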
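Review bot: The properties skipped because their scope is absent keep their default value, so depending on how `UserInfo` and the JSON options are configured the response may still carry `"email": null` (or an empty string) for a token without the `email` scope. OIDC Core 5.3.2 says claims that are not returned should be omitted rather than sent as null, so the serializer should skip them — for example `JsonIgnoreCondition.WhenWritingNull` on the `UserInfo` properties or in the JSON options; `UserInfo` is not visible here, so this needs checking. As a point of style, the single-statement `if (tokenDbEntry.Scopes.Contains("email"))` drops the braces every other `if` in this file uses; `if (tokenDbEntry.Scopes.Contains("email")) { userInfoResponse.Email = userInformation.Email; }` keeps it consistent. The enclosing method closes in this hunk but starts before it.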