X-Git-Url: https://git.openstreetmap.org./rails.git/blobdiff_plain/8a22bfb222b3b063a03efd5e85da834f3d63b5fc..309bd95c571a672bed953ef1e77df6936b2c19f8:/config/initializers/doorkeeper_openid_connect.rb?ds=sidebyside
diff --git a/config/initializers/doorkeeper_openid_connect.rb b/config/initializers/doorkeeper_openid_connect.rb
index e91a907c2..7f409ecbe 100644
--- a/config/initializers/doorkeeper_openid_connect.rb
+++ b/config/initializers/doorkeeper_openid_connect.rb
@@ -2,71 +2,37 @@ Doorkeeper::OpenidConnect.configure do
 issuer do |_resource_owner, _application|
- "issuer string"
+ "#{Settings.server_protocol}://#{Settings.server_url}"
 end
- signing_key <<~KEY
- -----BEGIN RSA PRIVATE KEY-----
- ....
- -----END RSA PRIVATE KEY-----
- KEY
+ signing_key Settings.doorkeeper_signing_key
 subject_types_supported [:public]
 resource_owner_from_access_token do |access_token|
- # Example implementation:
- # User.find_by(id: access_token.resource_owner_id)
+ User.find_by(:id => access_token.resource_owner_id)
 end
 auth_time_from_resource_owner do |resource_owner|
- # Example implementation:
- # resource_owner.current_sign_in_at
+ # empty block necessary as a workaround to missing configuration
+ # when no auth_time claim is provided
 end
- reauthenticate_resource_owner do |resource_owner, return_to|
- # Example implementation:
- # store_location_for resource_owner, return_to
- # sign_out resource_owner
- # redirect_to new_user_session_url
+ subject do |resource_owner, _application|
+ resource_owner.id
 end
- # Depending on your configuration, a DoubleRenderError could be raised
- # if render/redirect_to is called at some point before this callback is executed.
- # To avoid the DoubleRenderError, you could add these two lines at the beginning - # of this callback: (Reference: https://github.com/rails/rails/issues/25106) - # self.response_body = nil - # @_response_body = nil - select_account_for_resource_owner do |resource_owner, return_to| - # Example implementation: - # store_location_for resource_owner, return_to - # redirect_to account_select_url + protocol do + Settings.server_protocol.to_sym end - subject do |resource_owner, application| - # Example implementation: - # resource_owner.id + claims do + claim :preferred_username, :scope => :openid do |resource_owner, _scopes, _access_token| + resource_owner.display_name + end - # or if you need pairwise subject identifier, implement like below: - # Digest::SHA256.hexdigest("#{resource_owner.id}#{URI.parse(application.redirect_uri).host}#{'your_secret_salt'}") + claim :email, :scope => :read_email, :response => [:id_token, :user_info] do |resource_owner, _scopes, _access_token| + resource_owner.email + end end - - # Protocol to use when generating URIs for the discovery endpoint, - # for example if you also use HTTPS in development - # protocol do - # :https - # end - - # Expiration time on or after which the ID Token MUST NOT be accepted for processing. (default 120 seconds). - # expiration 600 - - # Example claims: - # claims do - # normal_claim :_foo_ do |resource_owner| - # resource_owner.foo - # end - - # normal_claim :_bar_ do |resource_owner| - # resource_owner.bar - # end - # end end
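Review bot: `signing_key Settings.doorkeeper_signing_key` hands the setting to the gem unchecked, so an unset or placeholder key is not caught at boot and presumably only surfaces when the first ID token is signed or the JWKS/discovery endpoint is hit; consider a fail-fast next to it such as `raise "Settings.doorkeeper_signing_key must hold an RSA private key" if Settings.doorkeeper_signing_key.blank?`, or at least a comment stating that the key is a secret expected from a non-committed local settings file and how it is generated. The empty `auth_time_from_resource_owner` block yields nil and `reauthenticate_resource_owner` is dropped, so a client sending `max_age` or `prompt=login` cannot be re-authenticated; the comment should say what the gem does in that case (an error response, if I read the gem right — confirm) rather than only that the block is a workaround. `claim :preferred_username` returns `display_name`, which a user can change, so add `# display_name is mutable; relying parties must key on the sub claim, not on this one` so consumers do not treat it as an identifier. `subject` returns an Integer while OIDC requires `sub` to be a string; the gem appears to stringify it, but `resource_owner.id.to_s` would make that explicit rather than depend on gem behaviour. The enclosing `Doorkeeper::OpenidConnect.configure do` block opens outside the hunk.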