langgenius
diff --git a/‎api/.env.example‎
Lines changed: 25 additions & 0 deletions b/‎api/.env.example‎
Lines changed: 25 additions & 0 deletions
diff --git a/‎api/configs/feature/__init__.py‎
Lines changed: 35 additions & 0 deletions b/‎api/configs/feature/__init__.py‎
Lines changed: 35 additions & 0 deletions
diff --git a/‎api/controllers/console/auth/oauth.py‎
Lines changed: 47 additions & 11 deletions b/‎api/controllers/console/auth/oauth.py‎
Lines changed: 47 additions & 11 deletions
diff --git a/‎api/libs/oauth.py‎
Lines changed: 158 additions & 0 deletions b/‎api/libs/oauth.py‎
Lines changed: 158 additions & 0 deletions
diff --git a/‎api/services/feature_service.py‎
Lines changed: 7 additions & 0 deletions b/‎api/services/feature_service.py‎
Lines changed: 7 additions & 0 deletions
diff --git a/‎docker/.env.example‎
Lines changed: 25 additions & 0 deletions b/‎docker/.env.example‎
Lines changed: 25 additions & 0 deletions
diff --git a/‎docker/docker-compose.yaml‎
Lines changed: 11 additions & 0 deletions b/‎docker/docker-compose.yaml‎
Lines changed: 11 additions & 0 deletions
diff --git a/‎web/app/signin/assets/canvas.svg‎
Lines changed: 1 addition & 0 deletions b/‎web/app/signin/assets/canvas.svg‎
Lines changed: 1 addition & 0 deletions
@@ -384,6 +384,31 @@ SENDGRID_API_KEY=
 # Sentry configuration
 SENTRY_DSN=
 
+# ------------------------------
+# OAuth and Authentication Configuration
+# ------------------------------
+
+# GitHub OAuth configuration
+GITHUB_CLIENT_ID=
+GITHUB_CLIENT_SECRET=
+
+# Google OAuth configuration
+GOOGLE_CLIENT_ID=
+GOOGLE_CLIENT_SECRET=
+
+# DingTalk OAuth configuration
+DINGTALK_CLIENT_ID=
+DINGTALK_CLIENT_SECRET=
+
+# Microsoft OAuth configuration
+MICROSOFT_CLIENT_ID=
+MICROSOFT_CLIENT_SECRET=
+
+# Canvas LMS OAuth configuration
+CANVAS_CLIENT_ID=
+CANVAS_CLIENT_SECRET=
+CANVAS_INSTALL_URL=
+
 # DEBUG
 DEBUG=false
 ENABLE_REQUEST_LOGGING=False
 
@@ -684,6 +684,41 @@ class AuthConfig(BaseSettings):
         default=None,
     )
 
+    DINGTALK_CLIENT_ID: str | None = Field(
+        description="DingTalk OAuth client ID",
+        default=None,
+    )
+
+    DINGTALK_CLIENT_SECRET: str | None = Field(
+        description="DingTalk OAuth client secret",
+        default=None,
+    )
+
+    MICROSOFT_CLIENT_ID: str | None = Field(
+        description="Microsoft OAuth client ID",
+        default=None,
+    )
+
+    MICROSOFT_CLIENT_SECRET: str | None = Field(
+        description="Microsoft OAuth client secret",
+        default=None,
+    )
+
+    CANVAS_CLIENT_ID: str | None = Field(
+        description="Canvas OAuth client ID",
+        default=None,
+    )
+
+    CANVAS_CLIENT_SECRET: str | None = Field(
+        description="Canvas OAuth client secret",
+        default=None,
+    )
+
+    CANVAS_INSTALL_URL: str | None = Field(
+        description="Canvas installation URL (e.g., https://canvas.instructure.com)",
+        default=None,
+    )
+
     ACCESS_TOKEN_EXPIRE_MINUTES: PositiveInt = Field(
         description="Expiration time for access tokens in minutes",
         default=60,
 
@@ -13,7 +13,14 @@
 from extensions.ext_database import db
 from libs.datetime_utils import naive_utc_now
 from libs.helper import extract_remote_ip
-from libs.oauth import GitHubOAuth, GoogleOAuth, OAuthUserInfo
+from libs.oauth import (
+    CanvasOAuth,
+    DingTalkOAuth,
+    GitHubOAuth,
+    GoogleOAuth,
+    MicrosoftOAuth,
+    OAuthUserInfo,
+)
 from models import Account
 from models.account import AccountStatus
 from services.account_service import AccountService, RegisterService, TenantService
@@ -29,25 +36,54 @@
 
 def get_oauth_providers():
     with current_app.app_context():
-        if not dify_config.GITHUB_CLIENT_ID or not dify_config.GITHUB_CLIENT_SECRET:
-            github_oauth = None
-        else:
-            github_oauth = GitHubOAuth(
+        providers = {}
+
+        # GitHub
+        if dify_config.GITHUB_CLIENT_ID and dify_config.GITHUB_CLIENT_SECRET:
+            providers["github"] = GitHubOAuth(
                 client_id=dify_config.GITHUB_CLIENT_ID,
                 client_secret=dify_config.GITHUB_CLIENT_SECRET,
                 redirect_uri=dify_config.CONSOLE_API_URL + "/console/api/oauth/authorize/github",
             )
-        if not dify_config.GOOGLE_CLIENT_ID or not dify_config.GOOGLE_CLIENT_SECRET:
-            google_oauth = None
-        else:
-            google_oauth = GoogleOAuth(
+
+        # Google
+        if dify_config.GOOGLE_CLIENT_ID and dify_config.GOOGLE_CLIENT_SECRET:
+            providers["google"] = GoogleOAuth(
                 client_id=dify_config.GOOGLE_CLIENT_ID,
                 client_secret=dify_config.GOOGLE_CLIENT_SECRET,
                 redirect_uri=dify_config.CONSOLE_API_URL + "/console/api/oauth/authorize/google",
             )
 
-        OAUTH_PROVIDERS = {"github": github_oauth, "google": google_oauth}
-        return OAUTH_PROVIDERS
+        # DingTalk
+        if dify_config.DINGTALK_CLIENT_ID and dify_config.DINGTALK_CLIENT_SECRET:
+            providers["dingtalk"] = DingTalkOAuth(
+                client_id=dify_config.DINGTALK_CLIENT_ID,
+                client_secret=dify_config.DINGTALK_CLIENT_SECRET,
+                redirect_uri=dify_config.CONSOLE_API_URL + "/console/api/oauth/authorize/dingtalk",
+            )
+
+        # Microsoft
+        if dify_config.MICROSOFT_CLIENT_ID and dify_config.MICROSOFT_CLIENT_SECRET:
+            providers["microsoft"] = MicrosoftOAuth(
+                client_id=dify_config.MICROSOFT_CLIENT_ID,
+                client_secret=dify_config.MICROSOFT_CLIENT_SECRET,
+                redirect_uri=dify_config.CONSOLE_API_URL + "/console/api/oauth/authorize/microsoft",
+            )
+
+        # Canvas
+        if (
+            dify_config.CANVAS_CLIENT_ID
+            and dify_config.CANVAS_CLIENT_SECRET
+            and dify_config.CANVAS_INSTALL_URL
+        ):
+            providers["canvas"] = CanvasOAuth(
+                client_id=dify_config.CANVAS_CLIENT_ID,
+                client_secret=dify_config.CANVAS_CLIENT_SECRET,
+                redirect_uri=dify_config.CONSOLE_API_URL + "/console/api/oauth/authorize/canvas",
+                install_url=dify_config.CANVAS_INSTALL_URL,
+            )
+
+        return providers
 
 
 @console_ns.route("/oauth/login/<provider>")
 
@@ -130,3 +130,161 @@ def get_raw_user_info(self, token: str):
 
     def _transform_user_info(self, raw_info: dict) -> OAuthUserInfo:
         return OAuthUserInfo(id=str(raw_info["sub"]), name="", email=raw_info["email"])
+
+
+class DingTalkOAuth(OAuth):
+    """DingTalk OAuth implementation"""
+
+    _AUTH_URL = "https://login.dingtalk.com/oauth2/auth"
+    _TOKEN_URL = "https://api.dingtalk.com/v1.0/oauth2/userAccessToken"
+    _USER_INFO_URL = "https://api.dingtalk.com/v1.0/contact/users/me"
+
+    def get_authorization_url(self, invite_token: str | None = None):
+        params = {
+            "client_id": self.client_id,
+            "redirect_uri": self.redirect_uri,
+            "scope": "openid",
+            "response_type": "code",
+            "prompt": "consent",
+        }
+        if invite_token:
+            params["state"] = invite_token
+        return f"{self._AUTH_URL}?{urllib.parse.urlencode(params)}"
+
+    def get_access_token(self, code: str):
+        headers = {"Content-Type": "application/json", "Accept": "application/json"}
+        data = {
+            "clientId": self.client_id,
+            "clientSecret": self.client_secret,
+            "code": code,
+            "grantType": "authorization_code",
+        }
+        response = httpx.post(self._TOKEN_URL, json=data, headers=headers)
+        response_json = response.json()
+        access_token = response_json.get("accessToken")
+
+        if not access_token:
+            raise ValueError(f"Error in DingTalk OAuth: {response_json}")
+
+        return access_token
+
+    def get_raw_user_info(self, token: str):
+        headers = {"x-acs-dingtalk-access-token": token}
+        response = httpx.get(self._USER_INFO_URL, headers=headers)
+        response.raise_for_status()
+        return response.json()
+
+    def _transform_user_info(self, raw_info: dict) -> OAuthUserInfo:
+        user_id = raw_info.get("unionId", "")
+        name = raw_info.get("nick", "")
+        email = raw_info.get("email", f"{user_id}@dingtalk.com")
+        return OAuthUserInfo(id=user_id, name=name, email=email)
+
+
+class MicrosoftOAuth(OAuth):
+    """Microsoft OAuth implementation"""
+
+    _AUTH_URL = "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
+    _TOKEN_URL = "https://login.microsoftonline.com/common/oauth2/v2.0/token"
+    _USER_INFO_URL = "https://graph.microsoft.com/v1.0/me"
+
+    def get_authorization_url(self, invite_token: str | None = None):
+        params = {
+            "client_id": self.client_id,
+            "redirect_uri": self.redirect_uri,
+            "response_type": "code",
+            "scope": "user.read",
+            "response_mode": "query",
+        }
+        if invite_token:
+            params["state"] = invite_token
+        return f"{self._AUTH_URL}?{urllib.parse.urlencode(params)}"
+
+    def get_access_token(self, code: str):
+        data = {
+            "client_id": self.client_id,
+            "client_secret": self.client_secret,
+            "code": code,
+            "grant_type": "authorization_code",
+            "redirect_uri": self.redirect_uri,
+        }
+        headers = {"Accept": "application/json"}
+        response = httpx.post(self._TOKEN_URL, data=data, headers=headers)
+        response_json = response.json()
+        access_token = response_json.get("access_token")
+
+        if not access_token:
+            raise ValueError(f"Error in Microsoft OAuth: {response_json}")
+
+        return access_token
+
+    def get_raw_user_info(self, token: str):
+        headers = {"Authorization": f"Bearer {token}"}
+        response = httpx.get(self._USER_INFO_URL, headers=headers)
+        response.raise_for_status()
+        return response.json()
+
+    def _transform_user_info(self, raw_info: dict) -> OAuthUserInfo:
+        user_id = str(raw_info.get("id", ""))
+        name = raw_info.get("displayName", "")
+        email = raw_info.get("mail") or raw_info.get("userPrincipalName", f"{user_id}@microsoft.com")
+        return OAuthUserInfo(id=user_id, name=name, email=email)
+
+
+class CanvasOAuth(OAuth):
+    """Canvas LMS OAuth implementation"""
+
+    def __init__(self, client_id: str, client_secret: str, redirect_uri: str, install_url: str):
+        super().__init__(client_id, client_secret, redirect_uri)
+        self.install_url = install_url.rstrip("/")
+        self._AUTH_URL = f"{self.install_url}/login/oauth2/auth"
+        self._TOKEN_URL = f"{self.install_url}/login/oauth2/token"
+        self._user_cache = None  # Cache user info from token response
+
+    def get_authorization_url(self, invite_token: str | None = None):
+        params = {
+            "client_id": self.client_id,
+            "redirect_uri": self.redirect_uri,
+            "response_type": "code",
+        }
+        if invite_token:
+            params["state"] = invite_token
+        return f"{self._AUTH_URL}?{urllib.parse.urlencode(params)}"
+
+    def get_access_token(self, code: str):
+        data = {
+            "client_id": self.client_id,
+            "client_secret": self.client_secret,
+            "code": code,
+            "grant_type": "authorization_code",
+            "redirect_uri": self.redirect_uri,
+        }
+        headers = {"Accept": "application/json"}
+        response = httpx.post(self._TOKEN_URL, data=data, headers=headers)
+        response_json = response.json()
+        
+        # Canvas returns user info in the token response
+        # Example: {"access_token": "...", "user": {"id": 42, "name": "Jimi Hendrix"}, ...}
+        user_info = response_json.get("user", {})
+        if user_info:
+            self._user_cache = user_info
+        
+        access_token = response_json.get("access_token")
+        if not access_token:
+            raise ValueError(f"Error in Canvas OAuth: {response_json}")
+
+        return access_token
+
+    def get_raw_user_info(self, token: str):
+        # Canvas returns user info in the token response, which we cached
+        if self._user_cache:
+            return self._user_cache
+        
+        raise ValueError("No user info available.")
+
+    def _transform_user_info(self, raw_info: dict) -> OAuthUserInfo:
+        # Canvas uses 'id' as the primary identifier
+        user_id = str(raw_info.get("id", ""))
+        name = raw_info.get("name", "")
+        email = raw_info.get("email", f"{user_id}@canvas.local")
+        return OAuthUserInfo(id=user_id, name=name, email=email)
@@ -160,6 +160,7 @@ class SystemFeatureModel(BaseModel):
     plugin_installation_permission: PluginInstallationPermissionModel = PluginInstallationPermissionModel()
     enable_change_email: bool = True
     plugin_manager: PluginManagerModel = PluginManagerModel()
+    oauth_providers: list[str] = []
 
 
 class FeatureService:
@@ -208,12 +209,18 @@ def get_system_features(cls) -> SystemFeatureModel:
 
     @classmethod
     def _fulfill_system_params_from_env(cls, system_features: SystemFeatureModel):
+        from controllers.console.auth.oauth import get_oauth_providers
+        
         system_features.enable_email_code_login = dify_config.ENABLE_EMAIL_CODE_LOGIN
         system_features.enable_email_password_login = dify_config.ENABLE_EMAIL_PASSWORD_LOGIN
         system_features.enable_social_oauth_login = dify_config.ENABLE_SOCIAL_OAUTH_LOGIN
         system_features.is_allow_register = dify_config.ALLOW_REGISTER
         system_features.is_allow_create_workspace = dify_config.ALLOW_CREATE_WORKSPACE
         system_features.is_email_setup = dify_config.MAIL_TYPE is not None and dify_config.MAIL_TYPE != ""
+        
+        # Populate oauth_providers using the get_oauth_providers function
+        oauth_providers_dict = get_oauth_providers()
+        system_features.oauth_providers = list(oauth_providers_dict.keys())
 
     @classmethod
     def _fulfill_params_from_env(cls, features: FeatureModel):
 
@@ -812,6 +812,31 @@ NOTION_CLIENT_ID=
 # you need to configure this variable.
 NOTION_INTERNAL_SECRET=
 
+# ------------------------------
+# OAuth and Authentication Configuration
+# ------------------------------
+
+# GitHub OAuth configuration
+GITHUB_CLIENT_ID=
+GITHUB_CLIENT_SECRET=
+
+# Google OAuth configuration
+GOOGLE_CLIENT_ID=
+GOOGLE_CLIENT_SECRET=
+
+# DingTalk OAuth configuration
+DINGTALK_CLIENT_ID=
+DINGTALK_CLIENT_SECRET=
+
+# Microsoft OAuth configuration
+MICROSOFT_CLIENT_ID=
+MICROSOFT_CLIENT_SECRET=
+
+# Canvas LMS OAuth configuration
+CANVAS_CLIENT_ID=
+CANVAS_CLIENT_SECRET=
+CANVAS_INSTALL_URL=
+
 # ------------------------------
 # Mail related configuration
 # ------------------------------
 
@@ -363,6 +363,17 @@ x-shared-env: &shared-api-worker-env
   NOTION_CLIENT_SECRET: ${NOTION_CLIENT_SECRET:-}
   NOTION_CLIENT_ID: ${NOTION_CLIENT_ID:-}
   NOTION_INTERNAL_SECRET: ${NOTION_INTERNAL_SECRET:-}
+  GITHUB_CLIENT_ID: ${GITHUB_CLIENT_ID:-}
+  GITHUB_CLIENT_SECRET: ${GITHUB_CLIENT_SECRET:-}
+  GOOGLE_CLIENT_ID: ${GOOGLE_CLIENT_ID:-}
+  GOOGLE_CLIENT_SECRET: ${GOOGLE_CLIENT_SECRET:-}
+  DINGTALK_CLIENT_ID: ${DINGTALK_CLIENT_ID:-}
+  DINGTALK_CLIENT_SECRET: ${DINGTALK_CLIENT_SECRET:-}
+  MICROSOFT_CLIENT_ID: ${MICROSOFT_CLIENT_ID:-}
+  MICROSOFT_CLIENT_SECRET: ${MICROSOFT_CLIENT_SECRET:-}
+  CANVAS_CLIENT_ID: ${CANVAS_CLIENT_ID:-}
+  CANVAS_CLIENT_SECRET: ${CANVAS_CLIENT_SECRET:-}
+  CANVAS_INSTALL_URL: ${CANVAS_INSTALL_URL:-}
   MAIL_TYPE: ${MAIL_TYPE:-resend}
   MAIL_DEFAULT_SEND_FROM: ${MAIL_DEFAULT_SEND_FROM:-}
   RESEND_API_URL: ${RESEND_API_URL:-https://api.resend.com}