@@ -7,6 +7,7 @@ import { serverDBEnv } from '@/config/db';
77import { UserModel } from '@/database/models/user' ;
88import { appEnv } from '@/envs/app' ;
99import { getJWKS } from '@/libs/oidc-provider/jwt' ;
10+ import { normalizeLocale } from '@/locales/resources' ;
1011
1112import { DrizzleAdapter } from './adapter' ;
1213import { defaultClaims , defaultClients , defaultScopes } from './config' ;
@@ -76,6 +77,9 @@ export const createOIDCProvider = async (db: LobeChatDatabase): Promise<Provider
7677 // 1. 客户端配置
7778 clients : defaultClients ,
7879
80+ // 新增:确保 ID Token 包含所有 scope 对应的 claims,而不仅仅是 openid scope
81+ conformIdTokenClaims : false ,
82+
7983 // 7. Cookie 配置
8084 cookies : {
8185 keys : cookieKeys ,
@@ -93,6 +97,7 @@ export const createOIDCProvider = async (db: LobeChatDatabase): Promise<Provider
9397 resourceIndicators : {
9498 defaultResource : ( ) => API_AUDIENCE ,
9599 enabled : true ,
100+
96101 getResourceServerInfo : ( ctx , resourceIndicator ) => {
97102 logProvider ( 'getResourceServerInfo called with indicator: %s' , resourceIndicator ) ; // <-- 添加这行日志
98103 if ( resourceIndicator === API_AUDIENCE ) {
@@ -107,6 +112,8 @@ export const createOIDCProvider = async (db: LobeChatDatabase): Promise<Provider
107112 logProvider ( 'Indicator does not match API_AUDIENCE, throwing InvalidTarget.' ) ; // <-- 添加这行日志
108113 throw new errors . InvalidTarget ( ) ;
109114 } ,
115+ // 当客户端使用刷新令牌请求新的访问令牌但没有指定资源时,授权服务器会检查原始授权中包含的所有资源,并将这些资源用于新的访问令牌。这提供了一种便捷的方式来维持授权一致性,而不需要客户端在每次刷新时重新指定所有资源
116+ useGrantedResource : ( ) => true ,
110117 } ,
111118 revocation : { enabled : true } ,
112119 rpInitiatedLogout : { enabled : true } ,
@@ -195,7 +202,25 @@ export const createOIDCProvider = async (db: LobeChatDatabase): Promise<Provider
195202 // ---> 添加日志 <---
196203 logProvider ( 'interactions.url function called' ) ;
197204 logProvider ( 'Interaction details: %O' , interaction ) ;
198- const interactionUrl = `/oauth/consent/${ interaction . uid } ` ;
205+
206+ // 读取 OIDC 请求中的 ui_locales 参数(空格分隔的语言优先级)
207+ // https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest
208+ const uiLocalesRaw = ( interaction . params ?. ui_locales || ctx . oidc ?. params ?. ui_locales ) as
209+ | string
210+ | undefined ;
211+
212+ let query = '' ;
213+ if ( uiLocalesRaw ) {
214+ // 取第一个优先语言,规范化到站点支持的标签
215+ const first = uiLocalesRaw . split ( / [ \s , ] + / ) . find ( Boolean ) ;
216+ const hl = normalizeLocale ( first ) ;
217+ query = `?hl=${ encodeURIComponent ( hl ) } ` ;
218+ logProvider ( 'Detected ui_locales=%s -> using hl=%s' , uiLocalesRaw , hl ) ;
219+ } else {
220+ logProvider ( 'No ui_locales provided in authorization request' ) ;
221+ }
222+
223+ const interactionUrl = `/oauth/consent/${ interaction . uid } ${ query } ` ;
199224 logProvider ( 'Generated interaction URL: %s' , interactionUrl ) ;
200225 // ---> 添加日志结束 <---
201226 return interactionUrl ;
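Review bot: The `as string | undefined` cast on the new `uiLocalesRaw` line (new line 208) asserts a type on a client-supplied authorization parameter instead of checking it; if the provider ever passes through a non-string value, the `.split` call a few lines below throws inside the interaction URL builder. A runtime guard costs two lines: `const raw = interaction.params?.ui_locales ?? ctx.oidc?.params?.ui_locales;` followed by `const uiLocalesRaw = typeof raw === 'string' ? raw : undefined;`. In the same branch an all-whitespace or all-comma value makes `find(Boolean)` return `undefined`, which is then handed to `normalizeLocale`; unless that helper is known to accept `undefined`, wrap the `hl` computation in `if (first) { ... }` and fall through to the empty-query path otherwise. The second hunk's `conformIdTokenClaims: false` would benefit from a comment stating that profile claims are now embedded in the ID Token rather than served only from the UserInfo endpoint, since ID Tokens are commonly persisted and logged on the client side. The enclosing `interactions.url` function and `createOIDCProvider` both start outside the hunk.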