omniauth / omniauth_openid_connect Goto Github PK

View Code? Open in Web Editor NEW

152.0 10.0 180.0 230 KB

License: MIT License

Ruby 100.00%

omniauth

omniauth_openid_connect's Introduction

OmniAuth::OpenIDConnect

Originally was omniauth-openid-connect

I've forked this repository and launch as separate gem because maintaining of original was dropped.

Installation

Add this line to your application's Gemfile:

gem 'omniauth_openid_connect'

And then execute:

$ bundle

Or install it yourself as:

$ gem install omniauth_openid_connect

Supported Ruby Versions

OmniAuth::OpenIDConnect is tested under 2.7, 3.0, 3.1, 3.2

Usage

Example configuration

Rails.application.config.middleware.use OmniAuth::Builder do
  provider :openid_connect, {
    name: :my_provider,
    scope: [:openid, :email, :profile, :address],
    response_type: :code,
    uid_field: "preferred_username",
    client_options: {
      port: 443,
      scheme: "https",
      host: "myprovider.com",
      identifier: ENV["OP_CLIENT_ID"],
      secret: ENV["OP_SECRET_KEY"],
      redirect_uri: "http://myapp.com/users/auth/openid_connect/callback",
    },
  }
end

with Devise

Devise.setup do |config|
  config.omniauth :openid_connect, {
    name: :my_provider,
    scope: [:openid, :email, :profile, :address],
    response_type: :code,
    uid_field: "preferred_username",
    client_options: {
      port: 443,
      scheme: "https",
      host: "myprovider.com",
      identifier: ENV["OP_CLIENT_ID"],
      secret: ENV["OP_SECRET_KEY"],
      redirect_uri: "http://myapp.com/users/auth/openid_connect/callback",
    },
  }
end

Options Overview

Field	Description	Required	Default	Example/Options
name	Arbitrary string to identify connection and identify it from other openid_connect providers	no	String: openid_connect	:my_idp
issuer	Root url for the authorization server	yes		https://myprovider.com
discovery	Should OpenID discovery be used. This is recommended if the IDP provides a discovery endpoint. See client config for how to manually enter discovered values.	no	false	one of: true, false
client_auth_method	Which authentication method to use to authenticate your app with the authorization server	no	Sym: basic	"basic", "jwks"
scope	Which OpenID scopes to include (:openid is always required)	no	Array [:openid]	[:openid, :profile, :email]
response_type	Which OAuth2 response type to use with the authorization request	no	String: code	one of: 'code', 'id_token'
state	A value to be used for the OAuth2 state parameter on the authorization request. Can be a proc that generates a string.	no	Random 16 character string	Proc.new { SecureRandom.hex(32) }
require_state	Should state param be verified - this is recommended, not required by the OIDC specification	no	true	false
response_mode	The response mode per spec	no	nil	one of: :query, :fragment, :form_post, :web_message
display	An optional parameter to the authorization request to determine how the authorization and consent page	no	nil	one of: :page, :popup, :touch, :wap
prompt	An optional parameter to the authrization request to determine what pages the user will be shown	no	nil	one of: :none, :login, :consent, :select_account
send_scope_to_token_endpoint	Should the scope parameter be sent to the authorization token endpoint?	no	true	one of: true, false
post_logout_redirect_uri	The logout redirect uri to use per the session management draft	no	empty	https://myapp.com/logout/callback
uid_field	The field of the user info response to be used as a unique id	no	'sub'	"sub", "preferred_username"
extra_authorize_params	A hash of extra fixed parameters that will be merged to the authorization request	no	Hash	{"tenant" => "common"}
allow_authorize_params	A list of allowed dynamic parameters that will be merged to the authorization request	no	Array	[:screen_name]
pkce	Enable PKCE flow	no	false	one of: true, false
pkce_verifier	Specify a custom PKCE verifier code.	no	A random 128-char string	Proc.new { SecureRandom.hex(64) }
pkce_options	Specify a custom implementation of the PKCE code challenge/method.	no	SHA256(code_challenge) in hex	Proc to customise the code challenge generation
client_options	A hash of client options detailed in its own section	yes
jwt_secret_base64	For HMAC with SHA2 (e.g. HS256) signing algorithms, specify the base64-encoded secret used to sign the JWT token. Defaults to the OAuth2 client secret if not specified.	no	client_options.secret	"bXlzZWNyZXQ=\n"
logout_path	The log out is only triggered when the request path ends on this path	no	'/logout'	'/sign_out'
acr_values	Authentication Class Reference(ACR) values to be passed to the authorize_uri to enforce a specific level, see RFC9470	no	nil	"c1 c2"

Client Config Options

These are the configuration options for the client_options hash of the configuration.

Field	Description	Default	Replaced by discovery?
identifier	The OAuth2 client_id
secret	The OAuth2 client secret
redirect_uri	The OAuth2 authorization callback url in your app
scheme	The http scheme to use	https
host	The host of the authorization server	nil
port	The port for the authorization server	443
authorization_endpoint	The authorize endpoint on the authorization server	/authorize	yes
token_endpoint	The token endpoint on the authorization server	/token	yes
userinfo_endpoint	The user info endpoint on the authorization server	/userinfo	yes
jwks_uri	The jwks_uri on the authorization server	/jwk	yes
end_session_endpoint	The url to call to log the user out at the authorization server	nil	yes

Additional Configuration Notes

name is arbitrary, I recommend using the name of your provider. The name configuration exists because you could be using multiple OpenID Connect providers in a single app.

NOTE: if you use this gem with Devise you should use :openid_connect name, or Devise would route to 'users/auth/:provider' rather than 'users/auth/openid_connect'

response_type tells the authorization server which grant type the application wants to use, currently, only :code (Authorization Code grant) and :id_token (Implicit grant) are valid.
If you want to pass state parameter by yourself. You can set Proc Object. e.g. state: Proc.new { SecureRandom.hex(32) }
nonce is optional. If don't want to pass "nonce" parameter to provider, You should specify false to send_nonce option. (default true)
Support for other client authentication methods. If don't specified :client_auth_method option, automatically set :basic.
Use "OpenID Connect Discovery", You should specify true to discovery option. (default false)
In "OpenID Connect Discovery", generally provider should have Webfinger endpoint. If provider does not have Webfinger endpoint, You can specify "Issuer" to option. e.g. issuer: "https://myprovider.com" It means to get configuration from "https://myprovider.com/.well-known/openid-configuration".
The uid is by default using the sub value from the user_info response, which in some applications is not the expected value. To avoid such limitations, the uid label can be configured by providing the omniauth uid_field option to a different label (i.e. preferred_username) that appears in the user_info details.
The issuer property should exactly match the provider's issuer link.
The response_mode option is optional and specifies how the result of the authorization request is formatted.
Some OpenID Connect providers require the scope attribute in requests to the token endpoint, even if this is not in the protocol specifications. In those cases, the send_scope_to_token_endpoint property can be used to add the attribute to the token request. Initial value is true, which means that the scope attribute is included by default.

Additional notes

In some cases, you may want to go straight to the callback phase - e.g. when requested by a stateless client, like a mobile app. In such example, the session is empty, so you have to forward certain parameters received from the client. Currently supported ones are code_verifier and nonce - simply provide them as the /callback request parameters.

For the full low down on OpenID Connect, please check out the spec.

Contributing

Fork it ( http://github.com/omniauth/omniauth_openid_connect/fork )
Create your feature branch (git checkout -b my-new-feature)
Cover your changes with tests and make sure they're green (bundle install && bundle exec rake test)
Commit your changes (git commit -am 'Add some feature')
Push to the branch (git push origin my-new-feature)
Create new Pull Request

omniauth_openid_connect's People

Contributors

Stargazers

Watchers

Forkers

tfluehmann toshikazuhorii vandahm solars pruby cotocisternas alexluke andre-meier masaomitsuge clucas skiyaki mit-csail-tig dxw zetatango jackokcc jobteaser iamadav tmg-emedia ulferts kbolduc gsohoni gregmolnar zero-one-software jemcode iconoeugen internetee nyaago tannakartikey younited ivan05almeida modonnell-ag hey-leon foucist teespring asherangelo thienlam libertrip authorea januszm eric-guo erbridge aperakett anttiviljami iceraluk swapab johncallahan yyuanqi citizenlabdotco naari3 capncavedan hgothilde sutto ramseyinhouse bufferoverflow martinezcoder diadev ignatiusreza scopear health2works cm-studios marcok81 vivokey thetesla hoangchungk53qx1 robplan s-osa arthurmde gcolson modevo ttilberg cannected lusoheart evisit btrd danjay artintellico shmokmt sping boardeaser formigarafa yannvery jthornhill dewski researchbods andrewpbrett moizmb mtgto 17100262 volcanic-uk network-for-good yhirano55 crown-commercial-service 410labs burakakca marcrohloff andrewshadura bpellinen finfo gebhardtr seeclickfix

omniauth_openid_connect's Issues

Not getting correct request.env["omniauth.auth"] when testing with Hydra auth server

Hey! I am facing an issue, which honestly might have more to do more to my own lack of knowledge on OIDC.

I created a client based on doorkeeper-gem/doorkeeper-devise-client, but refactored to make use of omniauth_openid_connect Gem instead of a more generic omniauth-oauth2 startegy.

The issue is I can't get the User persisted:

app/controllers/users/omniauth_callbacks_controller.rb#L3-L5

Since request.env["omniauth.auth"] doesn't have the right info values (specifically email is nil):

#<OmniAuth::AuthHash credentials=#<OmniAuth::AuthHash expires_in=3600 id_token="eyJhbGciOiJSUzI1NiIsImtpZCI6InB1YmxpYzo2YTFhZmY1OS04ZTcxLTQ2M2UtYjAxMy1kYjFjMWZmNDIxNzgiLCJ0eXAiOiJKV1QifQ.eyJhdF9oYXNoIjoiQW9aYzAtZWh4cm5US2Z5d1VKV0RUUSIsImF1ZCI6WyJhdXRoLWNvZGUtY2xpZW50LTUiXSwiYXV0aF90aW1lIjoxNTg4NjEyMzA5LCJleHAiOjE1ODg2MTU5MTEsImlhdCI6MTU4ODYxMjMxMSwiaXNzIjoiaHR0cDovLzEyNy4wLjAuMTo0NDQ0LyIsImp0aSI6ImQ0M2I4ZTZjLTI4MzEtNDk3ZC04ODk0LWExYzRkYTg5MjliNyIsIm5vbmNlIjoiYmI0M2I2MzFkZDg4YzBkMDg3MWM5OTljOTU1M2NmYjYiLCJyYXQiOjE1ODg2MTIzMDQsInNpZCI6IjBiYWVhMTdjLTJiNDgtNDMwYy1hNmQ0LThlOTg2ZmY2NWZhZCIsInN1YiI6ImZvb0BiYXIuY29tIn0.jmQFF7hzx-a_Gm0TXmDb3sMizdZFUijbcANSo96yz704Ajw2F29cwiJqIgw09fiLVLdiL3uEMTpiqAryRo7Ke9iZwe8WoLXtGm8s7j3r-XL41Lo7mZH7k9w0gpx0sWhKib8dxvFE92BNXX0w5rw-JWdQ5V7SICKnT723TJwImVwj3XyS1YH0K_xz6jIMMr6tto7YUROKv65CQ0QlPSUonlDxq0dsmT9_3GyA8K1cfdpFDafDdT-fGhalbyykIiPviN-R4KAc_78LAAoYRgGEgF_sTBtw1WepRLbYnihmyx8p67S0UWqhdQqSIjIXa1qZNsK71b8cv6BVCkXcGZVe7u5yxheqQh3xRuMxX2J9UUzoH3CyjkJ1tsV5JiwsgTtBAUSy-ZfE88YAEwBrC_9zXhZPIjLospASLegPnBzhxb3atZGcxxeeqw9IJ6NbiUYE6O4WRhcyBJIiNfM52MIXJXCaxQb6MztKTFXla62FeOQV_z2RFnzsBbbwITL7sUccfUCOWifefbSJCG6U52ZcFXR2CVuPFEEv_P3Iwod7Xa-MkhpZxJ-HKJH2GUX3gzv4kVfJP0F_vRlo3uY67iQA702XnDajBPYfInkgraIiKMfOSAMfDlf_R5N4r6j5UQOKNSFik3_D3ognYpSG45eb3P0gTCCaMDfAc24hQa12HW4" refresh_token=nil scope="openid email profile" token="dO4HD_dSpfXE8sHA7nU-LY3LfEkeuzIuF5U81S_s7O4.W0sPbnCaDIBGE97MmyCMa-hPgUFst31j3KvP789BqQ8"> extra=#<OmniAuth::AuthHash raw_info=#<OmniAuth::AuthHash sid="0baea17c-2b48-430c-a6d4-8e986ff65fad" sub="[email protected]">> info=#<OmniAuth::AuthHash::InfoHash email=nil first_name=nil gender=nil image=nil last_name=nil name=nil nickname=nil phone=nil urls=#<OmniAuth::AuthHash website=nil>> provider=:hydra_oidc uid="[email protected]">

app/models/user.rb#L12

I get persistence validation errors:

{"email":["can't be blank"]}

This is the Omniauth config I am using:

  config.omniauth :openid_connect, {
    name: :hydra_oidc,
    scope: [:openid, :email, :profile],
    response_type: :code,
    issuer: ENV['HYDRA_OIDC_URL'],
    client_options: {
      scheme: ENV['HYDRA_OIDC_SCHEME'],
      host: ENV['HYDRA_OIDC_HOST'],
      port: ENV['HYDRA_OIDC_PORT'],
      identifier: ENV['HYDRA_OIDC_CLIENT_ID'],
      secret: ENV['HYDRA_OIDC_CLIENT_SECRET'],
      authorization_endpoint: "/oauth2/auth",
      token_endpoint: "/oauth2/token",
      userinfo_endpoint: "/userinfo"
    }

I am using Hydra's example auth server to spin off an OpenID Connect server:

docker-compose -f quickstart.yml exec hydra \
    hydra clients create \
    --endpoint http://127.0.0.1:4445 \
    --id my_rails_client \
    --secret secret \
    --grant-types authorization_code,refresh_token \
    --response-types code \
    --scope openid,email,profile,offline \
    --callbacks http://localhost:5600/users/auth/hydra_oidc/callback \
    --token-endpoint-auth-method client_secret_basic

Any hint would be very helpful, thanks!

Controlling the signing algorithm for response type code

Hello,
We are trying to use this gem to build a client for a provider who requires the RS512 signing algorithm for the JWT, response type code. The problem is that the signing algorithm defaults to RS256. There is a client_signing_algorithm option but it is only used in response type id_token. Are we missing something in the config?
Thanks.

Scope parameter is not supported on auth code access token exchange request

Hi, I'm not a Ruby dev but I stumbled on this when trying to configure for OpenID Connect integration a Gitlab server instance. In my scenario, I have a Gitlab server which internally uses Omniauth and Omniauth_openid_connect (v. 0.3.3) to talk to an OpenAM server (both of those are the latest available versions as of today, i.e. Gitlab CE 12.7.6 and OpenAM 14.4.3, open source editions).
I have opened an issue on the Gitlab tracker and the support redirected me here.

After setting up the required parameters, the login process fails with the following error:

Could not authenticate you from OpenIDConnect because "Invalid request :: scope parameter is not supported on an authorization code access token exchange request. scope parameter should be supplied to the authorize request."

Indeed, according to the relevant section of the OpenID Specifications (https://tools.ietf.org/html/rfc6749#section-4.1.3, https://openid.net/specs/openid-connect-basic-1_0.html#TokenRequest), the scope attribute is not allowed in token requests, but it seems like it is always populated by this library.

The authentication process via OpenID Connect using code flow relies on three http calls:

Gitlab(Browser) -> OpenID(Server): GET to authorization endpoint
OpenID(Server) -> Browser(Gitlab): browser redirect to OpenID Connect callback
Gitlab(Server) -> OpenID(Server): POST to token endpoint

The first two calls complete successfully, but the third POST has an extra scope parameter that should not be there when grant_type is authorization_code.

To reproduce: configure a local instance of OpenAM (https://github.com/OpenIdentityPlatform/OpenAM/) or other local standards-compliant OpenID Connect implementation (the main online social login platforms sometimes have quirks or accept non-standard requests), try to login.

Logout/sign_out/end_session flow

I'm using this gem with the Devise integration and I have trouble understanding how to use the end_session_endpoint and post_logout_redirect_uri parameters.

By default Devise only clean the session and doesn't use the two parameters, therefore I'm not calling the provider sign_out endpoint.

If it helps the PR I'm currently working on Bureau-Systeme-d-Information-BSI/civilsdeladefense#782

Confused on how to use this gem

Trying to hit /auth/openid_connect URL to invoke this strategy, but just get a 404. Is this supposed to work or is there some other way to invoke this strategy?

OpenSSL::SSL::SSLError (SSL_connect returned=1 errno=0 state=error: certificate verify failed (unable to get local issuer certificate)):

Hello!

We are trying to integrate keycloak with Gitlab using OmniAuth without SSL applied(mandatory requirement). The configuration of the gitlab.rb file is as follows,

prometheus_monitoring['enable'] = false
gitlab_rails['ldap_enabled'] = false;
nginx['listen_port'] = 10200
nginx['listen_http'] = false
registry_nginx['enable'] = true
gitlab_rails['registry_path'] = "/mnt/docker_registry"
registry['enable'] = true
registry_external_url 'http://localhost:8123'
external_url 'http:///gitlab/'
gitlab_rails['omniauth_enabled'] = true
gitlab_rails['omniauth_providers'] = [
{ 'name' => 'Keycloak',
'label' => 'Login',
'args' => {
'name' => 'openid_connect',
'scope' => ['openid','profile',''],
'response_type' => 'code',
#'issuer' => 'http:///auth/realms/',
'discovery' => true,
'client_auth_method' => 'query',
'send_scope_to_token_endpoint' => 'false',
'client_options' => {
'port' => 80,
'scheme' => 'http',
'host' => '/auth',
'identifier' => '<CLIENT_ID>',
'secret' => '<CLIENT_SECRET>',
'redirect_uri' => 'http:///gitlab/users/auth/openid_connect/callback',
}
}
}
]
gitlab_rails['omniauth_sync_profile_from_provider'] = 'Keycloak'
#gitlab_rails['omniauth_auto_sign_in_with_provider'] = 'openid_connect'
gitlab_rails['omniauth_allow_single_sign_on'] = ['Keycloak']
gitlab_rails['omniauth_auto_link_saml_user'] = true
gitlab_rails['omniauth_block_auto_created_users'] = false

We are getting the following error when we login to the UI -> go to user settings ->
Account -> click on Connect OpenID Connect option,

OpenSSL::SSL::SSLError (SSL_connect returned=1 errno=0 state=error: certificate verify failed (unable to get local issuer certificate)):

Can someone help us fix this?

Thanks in advance :)

Groups/Roles support

Currently this OmniAuth provider does not read the groups or roles claims provided. It is also not possible to restrict login for users to a specific group. This causes all users for a domain to login to the application with OmniAuth using this provider.

It would be a nice improvement to this provider, if the name of the groups claim could be specified using a config property. If groups can be read via the groups claim it should also be possible to specify a required_groups in the provider configuration, causing the login to fail if the user is not in the specified groups or a successful login if the user is in the specified groups.

The latter required_groups is a pretty common requirement to restrict the login to various applications by groups, otherwise everyone can log in.

the openid_connect gem is restricted to version 0.12.0

If we want to use a more recent version of the openid_connect gem (1.1.5 is the current latest), we need to update the gem dependency for openid_connect.
I created a pool request to address it: #2

register url?

How would I redirect a new user to the registration end point? If I use user_openid_connect_omniauth_authorize_url, it redirects the user to the login page.

Add support for OmniAuth 2.0

I think it is safer to support OmniAuth2.0 for this gem as well like omniauth/omniauth-openid#44 .

Having problem to debug connection issue

Maybe everybody else knows this, but I tried to use OIDC with gitlab and keycloak and I cannot find a single log entry showing that something is happening even if I click the sso button on the gitlab ui.

I looked at the code base of this project and I also see now line about outputting log.

I wonder how people approach this, and if that would make sense that the README.md have some words about debugging the thing.

Using this gem for LTI 1.3

Hi,

I've been trying to use this gem as the basis for LTI 1.3 integration https://www.imsglobal.org/activity/learning-tools-interoperability (which runs on top of OIDC and OAuth2) and I'm having a very hard time making it work. I'm wondering if anybody here has had any luck with a similar project, or if there's a different gem to use for such.

Thanks.

Implicit Flow problems

I've found some behaviours in the Implicit Flow that should be improved. I would like to report them.

response_type = 'id_token' is able to be used limited to definitely trusted OPs (Self-Issued OpenID Providers). Normally it should not be used. Instead, you have to specify ['id_token', 'token'] for the Implicit Flow.
The nonce is required. Therefore, the 'send_nonce' option value should be ignored on the Implicit Flow.
-Both of id_token and access token must be properly verified. One is not enough.

Regarding verification, how to use key needs to be improved.

On the Authorization Code Flow, you can use OP's public key or client secret that is specified by the response code's header.
The other hand, you have to use the exact public key for validation on the Implicit Flow.
So, calling key_or_secret() from public_key() is not good.

Regards,
Hisashi.

OpenIDConnect::Discovery::DiscoveryFailed when discovery is not enabled

Hi there,

thanks for providing this gem, we at CitizenLab use it for two identity providers that we integrate with.

The authentication process of both providers started to fail with the error described in in #97 some time ago. We tried to fix this by upgrading to omniauth_openid_connect 0.4.0, but after the upgrade we now see the following exception being thrown:

OpenIDConnect::Discovery::DiscoveryFailed

We don't know exactly yet why this is happening, but the interesting part is that this error happens on two completely separate OpenID providers.
I don't know the OpenID protocol very well, but we do not have Discovery enabled in any of the two providers, so why is this error being thrown then?

For reference, this is what the configurations of the providers look like:

# Configuration for identity provider 1
options = env['omniauth.strategy'].options
options[:scope] = %i[openid profile egovnrn]
options[:response_type] = :code
options[:state] = true
options[:nonce] = true
options[:issuer] = "https://#{host}"
options[:acr_values] = 'urn:be:fedict:iam:fas:Level450'
options[:send_scope_to_token_endpoint] = false
options[:client_options] = {
  identifier: config[:identifier],
  secret: config[:secret],
  port: 443,
  scheme: 'https',
  host: host,
  authorization_endpoint: '/fas/oauth2/authorize',
  token_endpoint: '/fas/oauth2/access_token',
  userinfo_endpoint: '/fas/oauth2/userinfo',
  redirect_uri: "#{configuration.base_backend_uri}/auth/bosa_fas/callback"
}

https://github.com/citizenlabdotco/citizenlab/blob/master/back/engines/commercial/id_bosa_fas/app/lib/id_bosa_fas/bosa_fas_omniauth.rb#L18-L36

# Configuration for identiy provider 2
options = env['omniauth.strategy'].options
options[:scope] = %i[openid run name]
options[:response_type] = :code
options[:state] = true
options[:nonce] = true
options[:issuer] = issuer
options[:send_scope_to_token_endpoint] = false
options[:client_options] = {
  identifier: config[:client_id],
  secret: config[:client_secret],
  port: 443,
  scheme: 'https',
  host: host,
  authorization_endpoint: '/openid/authorize',
  token_endpoint: '/openid/token',
  userinfo_endpoint: '/openid/userinfo',
  redirect_uri: "#{configuration.base_backend_uri}/auth/clave_unica/callback"
}

https://github.com/citizenlabdotco/citizenlab/blob/master/back/engines/commercial/id_clave_unica/app/lib/id_clave_unica/clave_unica_omniauth.rb#L21-L42

An exemplary stack trace from config 2:

JSON::ParserError: 859: unexpected token at '<!doctype html>
<html data-n-head-ssr>
  <head >
    <title>Portal ciudadano ClaveÚnica</title><meta data-n-head="ssr" charset="utf-8"><meta data-n-head="ssr" name="viewport" content="width=device-width, initial-scale=1"><meta data-n-head="ssr" data-hid="Portal ciudadano ClaveÚnica" name="Portal ciudadano ClaveÚnica" content="Portal ciudadano ClaveÚnica"><link data-n-head="ssr" rel="stylesheet" href="https://fonts.googleapis.com/css?family=Roboto+Slab&amp;display=swap"><link data-n-head="ssr" rel="stylesheet" href="https://fonts.googleapis.com/css?family=Roboto&amp;display=swap"><link data-n-head="ssr" rel="icon" type="image/x-icon" href="/favicon.ico"><script data-n-head="ssr" data-hid="stripe" src="https://unpkg.com/vue-recaptcha@latest/dist/vue-recaptcha.min.js" defer></script><script data-n-head="ssr" data-hid="stripe" src="https://www.google.com/recaptcha/api.js?onload=vueRecaptchaApiLoaded&amp;render=explicit" defer></script><link rel="preload" href="/_nuxt/b57117b.js" as="script"><link rel="preload" href="/_nuxt/31c1e4d.js" as="script"><link rel="preload" href="/_nuxt/e78a47a.js" as="script"><link rel="preload" href="/_nuxt/a257210.js" as="script"><link rel="preload" href="/_nuxt/136ec92.js" as="script"><style data-vue-ssr-id="71f83a6d:0 32df6d42:0 a07579c2:0 a07579c2:1 432fb0d6:0 a5041f02:0 0667d9c0:0 b2d1e312:0 3191d5ad:0">/*!
 * Bootstrap v4.6.1 (https://getbootstrap.com/)
 * Copyright 2011-2021 The Bootstrap Authors
 * Copyright 2011-2021 Twitter, Inc.
 * Licensed under MIT (https://github.com/twbs/bootstrap/blob/main/LICENSE)
 */:root{--blue:#007bff;--indigo:#6610f2;--purple:#6f42c1;--pink:#e83e8c;--red:#dc3545;--orange:#fd7e14;--yellow:#ffc107;--green:#28a745;--teal:#20c997;--cyan:#17a2b8;--white:#fff;--gray:#6c757d;--gray-dark:#343a40;--primary:#007bff;--secondary:#6c757d;--success:#28a745;--info:#17a2b8;--warning:#ffc107;--danger:#dc3545;--light:#f8f9fa;--dark:#343a40;--breakpoint-xs:0;--breakpoint-sm:576px;--breakpoint-md:768px;--breakpoint-lg:992px;--breakpoint-xl:1200px;--font-family-sans-serif:-apple-system,BlinkMacSystemFont,"Segoe UI",Roboto,"Helvetica Neue",Arial,"Noto Sans","Liberation Sans",sans-serif,"Apple Color Emoji","Segoe UI Emoji","Segoe UI Symbol","Noto Color Emoji";--font-family-monospace:SFMono-Regular,Menlo,Monaco,Consolas,"Liberation Mono","Courier New",monospace}*,:after,:before{box-sizing:border-box}html{font-family:sans-serif;line-height:1.15;-webkit-text-size-adjust:100%;-webkit-tap-highlight-color:rgba(0,0,0,0)}article,aside,figcaption,figure,footer,header,hgroup,main,nav,section{display:block}body{margin:0;font-family:-apple-system,BlinkMacSystemFont,"Segoe UI",Roboto,"Helvetica Neue",Arial,"Noto Sans","Liberation Sans",sans-serif,"Apple Color Emoji","Segoe UI Emoji","Segoe UI Symbol","Noto Color Emoji";font-size:1rem;font-weight:400;line-height:1.5;color:#212529;text-align:left;background-color:#fff}[tabindex="-1"]:focus:not(.focus-visible),[tabindex="-1"]:focus:not(:focus-visible){outline:0!important}hr{box-sizing:content-box;height:0;overflow:visible}h1,h2,h3,h4,h5,h6{margin-top:0;margin-bottom:.5rem}p{margin-top:0;margin-bottom:1rem}abbr[data-original-title],abbr[title]{text-decoration:underline;-webkit-text-decoration:underline dotted;text-decoration:underline dotted;cursor:help;border-bottom:0;-webkit-text-decoration-skip-ink:none;text-decoration-skip-ink:none}address{font-style:normal;line-height:inherit}address,dl,ol,ul{margin-bottom:1rem}dl,ol,ul{margin-top:0}ol ol,ol ul,ul ol,ul ul{margin-bottom:0}dt{font-weight:700}dd{margin-bottom:.5rem;margin-left:0}blockquote{margin:0 0 1rem}b,strong{font-weight:bolder}small{font-size:80%}sub,sup{position:relative;font-size:75%;line-height:0;vertical-align:baseline}sub{bottom:-.25em}sup{top:-.5em}a{color:#007bff;text-decoration:none;background-color:transparent}a:hover{color:#0056b3;text-decoration:underline}a:not([href]):not([class]),a:not([href]):not([class]):hover{color:inherit;text-decoration:none}code,kbd,pre,samp{font-family:SFMono-Regular,Menlo,Monaco,Consolas,"Liberation Mono","Courier New",monospace;font-size:1em}pre{margin-top:0;margin-bottom:1rem;overflow:auto;-ms-overflow-style:scrollbar}figure{margin:0 0 1rem}img{border-style:none}img,svg{vertical-align:middle}svg{overflow:hidden}table{border-collapse:collapse}caption{padding-top:.75rem;padding-bottom:.75rem;color:#6c757d;text-align:left;caption-side:bottom}th{text-align:inherit;text-align:-webkit-match-parent}label{display:inline-block;margin-bottom:.5rem}button{border-radius:0}button:focus:not(.focus-visible),button:focus:not(:focus-visible){outline:0}button,input,optgroup,select,textarea{margin:0;font-family:inherit;font-size:inherit;line-height:inherit}button,input{overflow:visible}button,select{text-transform:none}[role=button]{cursor:pointer}select{word-wrap:normal}[type=button],[type=reset],[type=submit],button{-webkit-appearance:button}[type=button]:not(:disabled),[type=reset]:not(:disabled),[type=submit]:not(:disabled),button:not(:disabled){cursor:pointer}[type=button]::-moz-focus-inner,[type=reset]::-moz-focus-inner,[type=submit]::-moz-focus-inner,button::-moz-focus-inner{padding:0;border-style:none}input[type=checkbox],input[type=radio]{box-sizing:border-box;padding:0}textarea{overflow:auto;resize:vertical}fieldset{min-width:0;padding:0;margin:0;border:0}legend{display:block;width:100%;max-width:100%;padding:0;margin-bottom:.5rem;font-size:1.5rem;line-height:inherit;color:inherit;white-space:normal}progress{vertical-align:baseline}[type=number]::-webkit-inner-spin-button,[type=number]::-webkit-outer-spin-button{height:auto}[type=search]{outline-offset:-2px;-webkit-appearance:none}[type=search]::-webkit-search-decoration{-webkit-appearance:none}::-webkit-file-upload-button{font:inherit;-webkit-appearance:button}output{display:inline-block}summary{display:list-item;cursor:pointer}template{display:none}[hidden]{display:none!important}.h1,.h2,.h3,.h4,.h5,.h6,h1,h2,h3,h4,h5,h6{margin-bottom:.5rem;font-weight:500;line-height:1.2}.h1,h1{font-size:2.5rem}.h2,h2{font-size:2rem}.h3,h3{font-size:1.75rem}.h4,h4{font-size:1.5rem}.h5,h5{font-size:1.25rem}.h6,h6{font-size:1rem}.lead{font-size:1.25rem;font-weight:300}.display-1{font-size:6rem}.display-1,.display-2{font-weight:300;line-height:1.2}.display-2{font-size:5.5rem}.display-3{font-size:4.5rem}.display-3,.display-4{font-weight:300;line-height:1.2}.display-4{font-size:3.5rem}hr{margin-top:1rem;margin-bottom:1rem;border:0;border-top:1px solid rgba(0,0,0,.1)}.small,small{font-size:80%;font-weight:400}.mark,mark{padding:.2em;background-color:#fcf8e3}.list-inline,.list-unstyled{padding-left:0;list-style:none}.list-inline-item{display:inline-block}.list-inline-item:not(:last-child){margin-right:.5rem}.initialism{font-size:90%;text-transform:uppercase}.blockquote{margin-bottom:1rem;font-size:1.25rem}.blockquote-footer{display:block;font-size:80%;color:#6c757d}.blockquote-footer:before{content:"\2014\00A0"}.img-fluid,.img-thumbnail{max-width:100%;height:auto}.img-thumbnail{padding:.25rem;background-color:#fff;border:1px solid #dee2e6;border-radius:.25rem}.figure{display:inline-block}.figure-img{margin-bottom:.5rem;line-height:1}.figure-caption{font-size:90%;color:#6c757d}code{font-size:87.5%;color:#e83e8c;word-wrap:break-word}a>code{color:inherit}kbd{padding:.2rem .4rem;font-size:87.5%;color:#fff;background-color:#212529;border-radius:.2rem}kbd kbd{padding:0;font-size:100%;font-weight:700}pre{display:block;font-size:87.5%;color:#212529}pre code{font-size:inherit;color:inherit;word-break:normal}.pre-scrollable{max-height:340px;overflow-y:scroll}.container,.container-fluid,.container-lg,.container-md,.container-sm,.container-xl{width:100%;padding-right:15px;padding-left:15px;margin-right:auto;margin-left:auto}@media (min-width:576px){.container,.container-sm{max-width:540px}}@media (min-width:768px){.container,.container-md,.container-sm{max-width:720px}}@media (min-width:992px){.container,.container-lg,.container-md,.container-sm{max-width:960px}}@media (min-width:1200px){.container,.container-lg,.container-md,.container-sm,.container-xl{max-width:1140px}}.row{display:flex;flex-wrap:wrap;margin-right:-15px;margin-
  from json (2.6.1) lib/json/common.rb:216:in `parse'
  from json (2.6.1) lib/json/common.rb:216:in `parse'
  from swd (1.3.0) lib/swd/resource.rb:37:in `handle_response'
  from swd (1.3.0) lib/swd/resource.rb:19:in `block in discover!'
  from swd (1.3.0) lib/swd/cache.rb:4:in `fetch'
  from swd (1.3.0) lib/swd/resource.rb:18:in `discover!'
  from openid_connect (7e5136cb3712) lib/openid_connect/discovery/provider/config.rb:7:in `discover!'
  from omniauth_openid_connect (0.4.0) lib/omniauth/strategies/openid_connect.rb:98:in `config'
  from omniauth_openid_connect (0.4.0) lib/omniauth/strategies/openid_connect.rb:187:in `public_key'
  from omniauth_openid_connect (0.4.0) lib/omniauth/strategies/openid_connect.rb:234:in `decode_id_token'
  from omniauth_openid_connect (0.4.0) lib/omniauth/strategies/openid_connect.rb:354:in `verify_id_token!'
  from omniauth_openid_connect (0.4.0) lib/omniauth/strategies/openid_connect.rb:228:in `access_token'
  from omniauth_openid_connect (0.4.0) lib/omniauth/strategies/openid_connect.rb:126:in `callback_phase'
  from omniauth (1.9.1) lib/omniauth/strategy.rb:238:in `callback_call'
  from omniauth (1.9.1) lib/omniauth/strategy.rb:189:in `call!'
  from omniauth (1.9.1) lib/omniauth/strategy.rb:169:in `call'
  from omniauth (1.9.1) lib/omniauth/builder.rb:45:in `call'
  from omniauth (1.9.1) lib/omniauth/strategy.rb:420:in `call_app!'
  from omniauth_openid_connect (0.4.0) lib/omniauth/strategies/openid_connect.rb:144:in `other_phase'
  from omniauth (1.9.1) lib/omniauth/strategy.rb:190:in `call!'
  from omniauth (1.9.1) lib/omniauth/strategy.rb:169:in `call'
  from omniauth (1.9.1) lib/omniauth/builder.rb:45:in `call'
  from omniauth (1.9.1) lib/omniauth/strategy.rb:192:in `call!'
  from omniauth (1.9.1) lib/omniauth/strategy.rb:169:in `call'
  from omniauth (1.9.1) lib/omniauth/builder.rb:45:in `call'
  from rack-attack (6.6.1) lib/rack/attack.rb:127:in `call'
  from engines/ee/multi_tenancy/config/initializers/apartment.rb:92:in `block in call'
  from ros-apartment (2.11.0) lib/apartment/adapters/abstract_adapter.rb:89:in `switch'
  from forwardable.rb:235:in `switch'
  from engines/ee/multi_tenancy/config/initializers/apartment.rb:92:in `call'
  from rack (2.2.3.1) lib/rack/session/abstract/id.rb:266:in `context'
  from rack (2.2.3.1) lib/rack/session/abstract/id.rb:260:in `call'
  from actionpack (6.1.6) lib/action_dispatch/middleware/cookies.rb:689:in `call'
  from rack (2.2.3.1) lib/rack/etag.rb:27:in `call'
  from rack (2.2.3.1) lib/rack/conditional_get.rb:27:in `call'
  from rack (2.2.3.1) lib/rack/head.rb:12:in `call'
  from actionpack (6.1.6) lib/action_dispatch/middleware/callbacks.rb:27:in `block in call'
  from activesupport (6.1.6) lib/active_support/callbacks.rb:98:in `run_callbacks'
  from actionpack (6.1.6) lib/action_dispatch/middleware/callbacks.rb:26:in `call'
  from actionpack (6.1.6) lib/action_dispatch/middleware/actionable_exceptions.rb:18:in `call'
  from sentry-rails (5.3.1) lib/sentry/rails/rescued_exception_interceptor.rb:12:in `call'
  from actionpack (6.1.6) lib/action_dispatch/middleware/debug_exceptions.rb:29:in `call'
  from sentry-ruby-core (5.3.1) lib/sentry/rack/capture_exceptions.rb:26:in `block (2 levels) in call'
  from sentry-ruby-core (5.3.1) lib/sentry/hub.rb:199:in `with_session_tracking'
  from sentry-ruby-core (5.3.1) lib/sentry-ruby.rb:351:in `with_session_tracking'
  from sentry-ruby-core (5.3.1) lib/sentry/rack/capture_exceptions.rb:17:in `block in call'
  from sentry-ruby-core (5.3.1) lib/sentry/hub.rb:59:in `with_scope'
  from sentry-ruby-core (5.3.1) lib/sentry-ruby.rb:331:in `with_scope'
  from sentry-ruby-core (5.3.1) lib/sentry/rack/capture_exceptions.rb:16:in `call'
  from actionpack (6.1.6) lib/action_dispatch/middleware/show_exceptions.rb:33:in `call'
  from rails_semantic_logger (4.10.0) lib/rails_semantic_logger/rack/logger.rb:43:in `call_app'
  from rails_semantic_logger (4.10.0) lib/rails_semantic_logger/rack/logger.rb:28:in `call'
  from actionpack (6.1.6) lib/action_dispatch/middleware/remote_ip.rb:81:in `call'
  from actionpack (6.1.6) lib/action_dispatch/middleware/request_id.rb:26:in `call'
  from rack (2.2.3.1) lib/rack/runtime.rb:22:in `call'
  from activesupport (6.1.6) lib/active_support/cache/strategy/local_cache_middleware.rb:29:in `call'
  from actionpack (6.1.6) lib/action_dispatch/middleware/executor.rb:14:in `call'
  from rack (2.2.3.1) lib/rack/sendfile.rb:110:in `call'
  from actionpack (6.1.6) lib/action_dispatch/middleware/host_authorization.rb:142:in `call'
  from rack-cors (1.1.1) lib/rack/cors.rb:100:in `call'
  from railties (6.1.6) lib/rails/engine.rb:539:in `call'
  from puma (5.6.4) lib/puma/configuration.rb:252:in `call'
  from puma (5.6.4) lib/puma/request.rb:77:in `block in handle_request'
  from puma (5.6.4) lib/puma/thread_pool.rb:340:in `with_force_shutdown'
  from puma (5.6.4) lib/puma/request.rb:76:in `handle_request'
  from puma (5.6.4) lib/puma/server.rb:441:in `process_client'
  from puma (5.6.4) lib/puma/thread_pool.rb:147:in `block in spawn_thread'

The stack trace seems to indicate that an HTML page is being parsed where JSON is expected. Is this a configuration issue on our side?

Thanks in advance for any hints. We'll investigate further from our side as well and will update the issue in case of any revelations.

Gitlab client_auth_method basic, secret is url encoded

When i tried to set up the omniauth openid_connect in our gitlab instance with client_auth_method basic, the secret was sent url encoded to the server.

e.g.

...
{
  name: "openid_connect",
  ...
  args: {
    ...
    client_auth_method: "basic",
    ...
    client_options: {
      identifier: "our_id",
      secret: "our_p+a+s/s/w+o+r+d"
      ...
    },
    ...
  }
}
...

would send the following authorization header to the server:
Basic b3VyX2lkOm91cl9wJTJCYSUyQnMlMkZzJTJGdyUyQm8lMkJyJTJCZA==

which gives us our_id:our_p%2Ba%2Bs%2Fs%2Fw%2Bo%2Br%2Bd instead of our_id:our_p+a+s/s/w+o+r+d

New release for 6398ad13dcc7a7543fed17da493dc5b5ad2bb64d

This issue is currently breaking the code flow.

Maintenance and forks

Hello!

Glad to see that there have been some updates for this gem.

When investigatint the pcke-feature (#80) I have found a few forks that seems to be active:

Would it make sense to merge ranks with anyone of them?

Internal Server Error: JSON::JWK::Set::KidNotFound

Currently, we are using GitLab version 13.1.3 which ships the omniauth_openid_connect gem in version 0.3.5. In GitLab 13.1.0 the omniauth_openid_connect package was upgraded from 0.3.3 to 0.3.5. (https://gitlab.com/gitlab-org/gitlab/-/merge_requests/34030)

The previously working OpenID configuration now results in an Internal Server Error during the callback phase. Manually downgrading the package to the version 0.3.3 used in GitLab 13.1 fixes the issue temporarily for us.

Relevent stacktrace

JSON::JWK::Set::KidNotFound: JSON::JWK::Set::KidNotFound
  from json/jose.rb:29:in `with_jwk_support'
  from json/jws.rb:131:in `valid?'
  from json/jws.rb:26:in `verify!'
  from json/jws.rb:195:in `decode_compact_serialized'
  from json/jwt.rb:104:in `decode_compact_serialized'
  from json/jose.rb:63:in `decode'
  from openid_connect/response_object/id_token.rb:70:in `decode'
  from omniauth/strategies/openid_connect.rb:229:in `decode_id_token'
  from omniauth/strategies/openid_connect.rb:343:in `verify_id_token!'
  from omniauth/strategies/openid_connect.rb:223:in `access_token'
  from omniauth/strategies/openid_connect.rb:125:in `callback_phase'
  from omniauth/strategy.rb:238:in `callback_call'
  from omniauth/strategy.rb:189:in `call!'
  from omniauth/strategy.rb:169:in `call'
  from omniauth/strategy.rb:192:in `call!'
  from omniauth/strategy.rb:169:in `call'
  from omniauth/strategy.rb:192:in `call!'
  from omniauth/strategy.rb:169:in `call'
  from omniauth/strategy.rb:192:in `call!'
  from omniauth/strategy.rb:169:in `call'
  from omniauth/strategy.rb:192:in `call!'
  from omniauth/strategy.rb:169:in `call'
  from omniauth/strategy.rb:192:in `call!'
  from omniauth/strategy.rb:169:in `call'
  from gitlab/metrics/elasticsearch_rack_middleware.rb:24:in `call'
  from gitlab/metrics/redis_rack_middleware.rb:22:in `call'
  from gitlab/middleware/rails_queue_duration.rb:29:in `call'
  from gitlab/metrics/rack_middleware.rb:17:in `block in call'
  from gitlab/metrics/transaction.rb:54:in `run'
  from gitlab/metrics/rack_middleware.rb:17:in `call'
  from gitlab/request_profiler/middleware.rb:17:in `call'
  from labkit/middleware/rack.rb:19:in `block in call'
  from labkit/context.rb:32:in `with_context'
  from labkit/middleware/rack.rb:18:in `call'
  from gitlab/middleware/go.rb:20:in `call'
  from gitlab/etag_caching/middleware.rb:13:in `call'
  from batch_loader/middleware.rb:11:in `call'
  from rack/attack.rb:97:in `call'
  from apollo_upload_server/middleware.rb:20:in `call'
  from gitlab/middleware/multipart.rb:125:in `call'
  from rack/attack.rb:111:in `call'
  from warden/manager.rb:36:in `block in call'
  from warden/manager.rb:34:in `catch'
  from warden/manager.rb:34:in `call'
  from rack/cors.rb:98:in `call'
  from rack/tempfile_reaper.rb:15:in `call'
  from rack/etag.rb:25:in `call'
  from rack/conditional_get.rb:25:in `call'
  from rack/head.rb:12:in `call'
  from action_dispatch/http/content_security_policy.rb:18:in `call'
  from gitlab/middleware/read_only/controller.rb:51:in `call'
  from gitlab/middleware/read_only.rb:18:in `call'
  from rack/session/abstract/id.rb:259:in `context'
  from rack/session/abstract/id.rb:253:in `call'
  from action_dispatch/middleware/cookies.rb:648:in `call'
  from gitlab/middleware/same_site_cookies.rb:27:in `call'
  from action_dispatch/middleware/callbacks.rb:27:in `block in call'
  from active_support/callbacks.rb:101:in `run_callbacks'
  from action_dispatch/middleware/callbacks.rb:26:in `call'
  from action_dispatch/middleware/actionable_exceptions.rb:17:in `call'
  from action_dispatch/middleware/debug_exceptions.rb:32:in `call'
  from action_dispatch/middleware/show_exceptions.rb:33:in `call'
  from gitlab/middleware/basic_health_check.rb:25:in `call'
  from rails/rack/logger.rb:37:in `call_app'
  from rails/rack/logger.rb:26:in `block in call'
  from active_support/tagged_logging.rb:80:in `block in tagged'
  from active_support/tagged_logging.rb:28:in `tagged'
  from active_support/tagged_logging.rb:80:in `tagged'
  from rails/rack/logger.rb:26:in `call'
  from action_dispatch/middleware/remote_ip.rb:81:in `call'
  from gitlab/middleware/handle_ip_spoof_attack_error.rb:25:in `call'
  from gitlab/middleware/request_context.rb:23:in `call'
  from request_store/middleware.rb:19:in `call'
  from action_dispatch/middleware/request_id.rb:27:in `call'
  from rack/method_override.rb:22:in `call'
  from rack/runtime.rb:22:in `call'
  from rack/timeout/core.rb:123:in `block in call'
  from rack/timeout/support/timeout.rb:19:in `timeout'
  from rack/timeout/core.rb:122:in `call'
  from /opt/gitlab/embedded/service/gitlab-rails/config/initializers/fix_local_cache_middleware.rb:9:in `call'
  from action_dispatch/middleware/executor.rb:14:in `call'
  from rack/sendfile.rb:111:in `call'
  from action_dispatch/middleware/host_authorization.rb:76:in `call'
  from gitlab/metrics/requests_rack_middleware.rb:60:in `call'
  from raven/integrations/rack.rb:51:in `call'
  from rails/engine.rb:527:in `call'
  from rails/railtie.rb:190:in `public_send'
  from rails/railtie.rb:190:in `method_missing'
  from gitlab/middleware/release_env.rb:12:in `call'
  from rack/urlmap.rb:68:in `block in call'
  from rack/urlmap.rb:53:in `each'
  from rack/urlmap.rb:53:in `call'
  from puma/configuration.rb:228:in `call'
  from puma/server.rb:691:in `handle_request'
  from puma/server.rb:481:in `process_client'
  from puma/server.rb:335:in `block in run'
  from puma/thread_pool.rb:138:in `block in spawn_thread'

OpenID configuration

  {
    'name' => 'openid_connect',
    'label' => 'Helmholtz AAI',
    'icon' => 'helmholtz.png',
    'args' => {
      'name' => 'openid_connect',
      'scope' => ['openid', 'profile', 'email', 'eduperson_principal_name'],
      'response_type' => 'code',
      'issuer' => 'https://login.helmholtz-data-federation.de/oauth2',
      'discovery' => true,
      'client_auth_method' => 'basic',
      'uid_field' => 'eduperson_principal_name',
      'send_scope_to_token_endpoint' => 'true',
      'client_options' => {
        'identifier' => '...',
        'secret' => '...',
        'redirect_uri' => 'https://gitlab.hzdr.de/users/auth/openid_connect/callback'
      }
    }
  }

I also experimented with other configuration options. Setting discovery to false and specifying all information manually. I also tried to set the JSON web set keys manually as well https://github.com/m0n9oose/omniauth_openid_connect/blob/ef2942047c866993d8323115c419371d75f05a60/lib/omniauth/strategies/openid_connect.rb#L270-L273. Unfortunately, none of the measures changed anything.

Possible fixes

I somehow expect this issue to arise from this change. I have this PR under suspicion: #44
The additional verification introduced here might be a reason: https://github.com/m0n9oose/omniauth_openid_connect/blob/ef2942047c866993d8323115c419371d75f05a60/lib/omniauth/strategies/openid_connect.rb#L223
Might this issue be related to jjbohn/omniauth-openid-connect#56?

I would be very happy if you could have a look into this issue!

For reference, this is the respective GitLab issue: https://gitlab.com/gitlab-org/gitlab/-/issues/225850

Param code should only be required when response_type is code

There's a line of code in the callback phase which raises an error:

return fail!(
  :missing_code,
  OmniAuth::OpenIDConnect::MissingCodeError.new(params['error'])
) unless params['code']

It looks like it should be executed only if option :response_type is set to code (default).

How about:

return fail!(
  :missing_code,
  OmniAuth::OpenIDConnect::MissingCodeError.new(params['error'])
) unless (options.response_type == 'code' && params['code'])

Which could be (apart from extracting the condition to a method) be simplified to:

return fail!(
  :missing_FIXME,
  OmniAuth::OpenIDConnect::MissingFIXMEError.new(params['error'])
) unless (params[options.response_type]) # e.g. params['id_token'] is present if response_type == 'id_token'

Please refer to the upgraded repository

I've merged the many fixes scattered on many repositories, and I've provided a version that works with the latest environment and specs.

OmniAuth2
Ruby 3
Supports the following: OpenID Connect Core 1.0 the Authorization Code Flow and the Implicit Flow. OpenID Connect RP-Initiated Logout 1.0.

If you agree, please write on the README to direct visitors to the new repository.
https://github.com/netsphere-labs/omniauth-openid-connect/

I'm always looking for developers, contributors. Thanks.

New release compatible with OmniAuth 2.x?

Could you cut a new release and push it to RubyGems?

We can see from the commit history that the gem has already been updated for OmniAuth 2.x compatibility but the 0.3.5 version at RubyGems is not compatible with OmniAuth 2.x.

https://rubygems.org/gems/omniauth_openid_connect/versions/0.3.5

Any way to configure callback_path when configuring through devise ?

I would like to configure my callback URI with your gem, but I can't figure out how (or if I can). I can't seem to properly setup callback_path with the openid_connect strategy when using Devise. (see omniauth/omniauth#593)

I'd be open to make a fork and open a PR if this not possible right now and you could give me some pointers ?

Thank you,

Git tag v0.4.0

Congrats of release v0.4.0!
#106 (comment)

Could you create a git tag (or github release) of v0.4.0?

OpenSSL::PKey::EC::Point::Error (EC_POINT_bn2point: invalid encoding):

Hello,

When I raised the version from 0.3.3 to 0.3.5, I'm getting this error.

OpenSSL::PKey::EC::Point::Error (EC_POINT_bn2point: invalid encoding):

Any ideas? Thank you.

multiple open_id providers with devise

The doc says:

NOTE: if you use this gem with Devise you should use :openid_connect name, or Devise would route to 'users/auth/:provider' rather than 'users/auth/openid_connect'

this means that I cannot use more openid providers when using Devise?

thank you

new release?

I like to avoid local patches or fetching from git repo.

@m0n9oose Do you plan to publish a new release with latest changes?

OpenID Certification

Would be great to reach https://openid.net/certification/ on day. Some colleges did that for a go library https://github.com/caos/oidc

Cannot find a way to use redirect_uri param

This change suggests that it is possible to customize the redirect_uri by passing a param[:redirect_uri] at some point in the flow:

5ce3b55#diff-8467ba16957a2513a82eb9fe781131df

I have tried adding this param alongwith with the initial redirect to /auth/openid_connect, for example:

http://tenant1.localhost:5000/users/auth/openid_connect?redirect_uri=tenant1.localhost

However, this results in 2 redirect_uri parameters being sent in the redirect to the auth service, the URI in the query string above, plus the URI specified in config.

The end goal is to support multi-tenant sub-domains, using a single auth endpoint.

Given the commit above, should it be possible to specify a request_uri at request time rather than in fixed config?

Support for multiple response types

Currently, response_type can be either code or id_token.

Does this gem have support for multiple-valued response types, such as id_token token?

If so, what is the correct format for specifying them in the config? If not, can this functionality be added?

See the following for references:

https://openid.net/specs/openid-connect-core-1_0.html#Authentication

how to work with endpoints with different hosts but same provider

I have two endpoints one for Authorization and another for token:

Authorization endpoint: https://oauth.provider.com/authorize

Token endpoint: https://oauth-secured.provider.com/token

as you can see each one has a different host, but are the same provider, I'm not sure how to configure this in the gem as you can only specify one host:

config.omniauth :openid_connect, 
{ 
    name: :openid_connect,
    scope: [:openid],
    issuer: "oauth.provider.com"
    response_type: :code,
    discovery: :true,
    client_options:
    {
    port: 443,
    scheme: "https",
    host: "oauth.provider.com",
    authorization_endpoint: "/authorize", 
    token_endpoint: "/token", #How to specify here correctly https://oauth-secured.provider.com/token
    identifier: 'CLIENT_ID', 
    secret: 'CLIENT_SECRET', 
    redirect_uri: "https://myapp.com/users/auth/openid_connect/callback", 
    }, 
  }

Allow differentiating between IdPs in rails app

Say there are two OpenID IdPs, and they return the same uid for a user from each.

We'd like to be able to differentiate based on the info/extra hash which IdP sent the user to know which to login.

Suggest adding the issuer to "extra"

could not authenticate you from OpenIDConnect becuase Unauthorized

Hello,Any suggestions what to do ?

my idp is identityServer4
/var/log/gitlab/gitlab-rails/production.log: Started GET "/users/auth/openid_connect/callback?code=[FILTERED]&state=9b059526e54e3a126b99a3ef7e4815b0" for 192.168.31.56 at 2019-06-10 10:57:20 +0800 Processing by OmniauthCallbacksController#failure as HTML Parameters: {"code"=>"[FILTERED]", "state"=>"9b059526e54e3a126b99a3ef7e4815b0"} Redirected to http://192.168.31.72:8091/users/sign_in
gitlab_rails['omniauth_enabled'] = true
gitlab_rails['omniauth_allow_single_sign_on'] = ['openid_connect']
gitlab_rails['omniauth_sync_email_from_provider'] = 'openid_connect'
gitlab_rails['omniauth_auto_sign_in_with_provider'] = 'openid_connect'
gitlab_rails['omniauth_sync_profile_from_provider'] = ['openid_connect']
gitlab_rails['omniauth_sync_profile_attributes'] = ['name', 'email']
gitlab_rails['omniauth_auto_link_ldap_user'] = false
gitlab_rails['omniauth_auto_link_saml_user'] = false
gitlab_rails['omniauth_block_auto_created_users'] = false
gitlab_rails['omniauth_providers'] = [
{
'name' => 'openid_connect',
'label' => 'OIDC',
'args' => {
'name' => 'openid_connect',
'scope' => ['openid','profile'],
'response_type' => 'code',
'issuer' => 'https://XXX.XX.XX',
'discovery' => true,
'client_auth_method' => 'query',
'client_options' => {
'identifier' => 'gitlab_openid',
'secret' => 'oeRiYj8_UG0sUXI_P08_Nyk_fCErP24yVD8_ci5nZw==',
'redirect_uri' => 'http://192.168.31.72:8091/users/auth/openid_connect/callback'
}
}
}
]

Nonce verification

Currently, nonce is verified in access_token method and it's way too late.
I think nonce should be validated after this line: https://github.com/m0n9oose/omniauth_openid_connect/blob/3913c8fd0518b929d384f27d2cf6e370dd36f853/lib/omniauth/strategies/openid_connect.rb#L112

id_token = decode_id_token(params['id_token'])

id_token.verify!(
  issuer: options.issuer,
  client_id: client_options.identifier,
  nonce: stored_nonce
)

Verifying the response during requesting for a token doesn't make sense.

Support for multiple response types

Currently, response_type can be either code or id_token.

Does this gem have support for multiple-valued response types, such as id_token token?

If so, what is the correct format for specifying them in the config? If not, can this functionality be added?

See the following for references:

https://openid.net/specs/openid-connect-core-1_0.html#Authentication

Option response_mode is defined but not used

In lib/omniauth/strategies/openid_connect.rb option response_mode is defined but not used anywhere. And it should be used (if defined) in the authorize_uri method:

module OmniAuth
  module Strategies
    class OpenIDConnect
      include OmniAuth::Strategy
      # ...
      option :state
      option :response_mode

      def authorize_uri
        client.redirect_uri = redirect_uri
        opts = {
          response_type: options.response_type,
+          response_mode: options.response_mode,
          scope: options.scope,
          # ...
        }
        client.authorization_uri(opts.reject { |_k, v| v.nil? })
      end

This allows using this gem with servers/flows which use response_mode=form_post for example.

Problem with bookmarked login page

Hello,

I think i found a problem with this line:
https://github.com/m0n9oose/omniauth_openid_connect/blob/af1e49b6d9268c8041d4b653b0172ec407d878d4/lib/omniauth/strategies/openid_connect.rb#L111
i'm not familar enough to decide if its the correct way, but i patched it for our application with this:
invalid_state = session['omniauth.state'] && (params['state'].to_s.empty? || params['state'] != stored_state)

Greets
Marcel

Implicit Flow does not work

Test sample application: https://gitlab.com/netsphere/rails-omniauth-oidc-rp-sample/
Ruby 3.0, Rails 6.1, OmniAuth 2.0
The Code Flow is OK. But the Implicit Flow does not seem to work.
I'll investigate the cause.

undefined method `[]' for nil:NilClass
fail!(error_attrs[:key], error_attrs[:exception_class].new(params['error']))

omniauth_openid_connect (0.4.0.pre) lib/omniauth/strategies/openid_connect.rb:337:in `valid_response_type?'
omniauth_openid_connect (0.4.0.pre) lib/omniauth/strategies/openid_connect.rb:114:in `callback_phase'
omniauth (2.0.4) lib/omniauth/strategy.rb:272:in `callback_call'
omniauth (2.0.4) lib/omniauth/strategy.rb:194:in `call!'
omniauth (2.0.4) lib/omniauth/strategy.rb:169:in `call'
omniauth (2.0.4) lib/omniauth/strategy.rb:470:in `call_app!'
omniauth_openid_connect (0.4.0.pre) lib/omniauth/strategies/openid_connect.rb:143:in `other_phase'
omniauth (2.0.4) lib/omniauth/strategy.rb:195:in `call!'
omniauth (2.0.4) lib/omniauth/strategy.rb:169:in `call'
omniauth (2.0.4) lib/omniauth/strategy.rb:470:in `call_app!'
omniauth_openid_connect (0.4.0.pre) lib/omniauth/strategies/openid_connect.rb:143:in `other_phase'
omniauth (2.0.4) lib/omniauth/strategy.rb:195:in `call!'
omniauth (2.0.4) lib/omniauth/strategy.rb:169:in `call'
omniauth (2.0.4) lib/omniauth/strategy.rb:470:in `call_app!'
omniauth_openid_connect (0.4.0.pre) lib/omniauth/strategies/openid_connect.rb:143:in `other_phase'
omniauth (2.0.4) lib/omniauth/strategy.rb:195:in `call!'
omniauth (2.0.4) lib/omniauth/strategy.rb:169:in `call'
omniauth (2.0.4) lib/omniauth/strategy.rb:470:in `call_app!'
omniauth_openid_connect (0.4.0.pre) lib/omniauth/strategies/openid_connect.rb:143:in `other_phase'
omniauth (2.0.4) lib/omniauth/strategy.rb:195:in `call!'
omniauth (2.0.4) lib/omniauth/strategy.rb:169:in `call'
omniauth (2.0.4) lib/omniauth/builder.rb:45:in `call'
rack (2.2.3) lib/rack/tempfile_reaper.rb:15:in `call'
rack (2.2.3) lib/rack/etag.rb:27:in `call'
rack (2.2.3) lib/rack/conditional_get.rb:40:in `call'
rack (2.2.3) lib/rack/head.rb:12:in `call'
actionpack (6.1.4.1) lib/action_dispatch/http/permissions_policy.rb:22:in `call'
actionpack (6.1.4.1) lib/action_dispatch/http/content_security_policy.rb:18:in `call'
rack (2.2.3) lib/rack/session/abstract/id.rb:266:in `context'
rack (2.2.3) lib/rack/session/abstract/id.rb:260:in `call'
actionpack (6.1.4.1) lib/action_dispatch/middleware/cookies.rb:689:in `call'
activerecord (6.1.4.1) lib/active_record/migration.rb:601:in `call'
actionpack (6.1.4.1) lib/action_dispatch/middleware/callbacks.rb:27:in `block in call'
activesupport (6.1.4.1) lib/active_support/callbacks.rb:98:in `run_callbacks'
actionpack (6.1.4.1) lib/action_dispatch/middleware/callbacks.rb:26:in `call'
actionpack (6.1.4.1) lib/action_dispatch/middleware/executor.rb:14:in `call'
actionpack (6.1.4.1) lib/action_dispatch/middleware/actionable_exceptions.rb:18:in `call'
actionpack (6.1.4.1) lib/action_dispatch/middleware/debug_exceptions.rb:29:in `call'
web-console (4.2.0) lib/web_console/middleware.rb:132:in `call_app'

JWS Token Verification Failed

Hello, I'm getting this error. Any ideas? Thank you.

(openid_connect) Callback phase initiated.
JSON::JWS::VerificationFailed (JSON::JWS::VerificationFailed):
json-jwt (1.13.0) lib/json/jws.rb:27:in verify!' json-jwt (1.13.0) lib/json/jws.rb:193:in decode_compact_serialized'
json-jwt (1.13.0) lib/json/jwt.rb:104:in decode_compact_serialized' json-jwt (1.13.0) lib/json/jose.rb:65:in decode'
openid_connect (1.2.0) lib/openid_connect/response_object/id_token.rb:70:in decode' omniauth_openid_connect (0.3.5) lib/omniauth/strategies/openid_connect.rb:229:in decode_id_token'

Issue with parsing id_token parameter in 'code' response_type use cases

First off, thanks for continuing to maintain this code!

We currently have a 'code' based implementation working with this gem. When upgrading to the latest code we're running into issues with the following lines:

https://github.com/m0n9oose/omniauth_openid_connect/blob/e05e60ddbaa4374d6375eecd441fec46232c59fe/lib/omniauth/strategies/openid_connect.rb#L121-L124

We don't have an 'id_token' param and so decode_id_token attempts to parse nil which causes an error. A simple conditional check of the response type before calling decode_id_token fixes the error.

Wanted to raise it here though in case there is something I am missing. Thanks!

Redirect URI is getting double escaped

for example we redirect to

https://something.url/sso/users/auth/openid_connect?company=testing&redirect_uri=worklink%3A%2F%2F

Then it sends to
https://auth.pingone.com/04e0eb68-abd7-4da4-aaaa-a2d656f1663f/as/authorize?client_id=6741b513-2f20-49e0-a188-ec2074fdb8dc&nonce=3f8ceb96494a50cfa17021b06fd5f9c7&redirect_uri=https%3A%2F%2Fscopear.ngrok.io%2Fsso%2Fusers%2Fauth%2Fopenid_connect%2Fcallback%3Fredirect_uri%3Dworklink%253A%252F%252F&response_type=code&scope=openid%20email%20profile&state=1e5ea82080e4817764a15dc83872ab11

Then in the callback phase the "redirect uris" don't match when requesting the resource in the AccessToken.

Seems like the solve is to not initially uri encode the "redirect_uri" in openid_connect.rb:286, since it gets encoded again when the uri we send the user to gets set.

SSLError certificate verify failed (unable to get local issuer certificate)

Hi I'm trying to integrate my app with an openid provider. I'm getting this:

(openid_connect) Callback phase initiated.
OpenSSL::SSL::SSLError (SSL_connect returned=1 errno=0 state=error: certificate verify failed (unable to get local issuer certificate)):
httpclient (2.8.3) lib/httpclient/ssl_socket.rb:103:in `connect'

The app is behind a Traefik proxy with a certificate from LetsEncrypt. I've tryied disabling https on my app but still getting the same error.

Any ideas? Thank you.

NoMethodError: undefined method `count' for nil:NilClass

Hi,

After upgrading Gem to 0.3.4, we started getting the following error:

NoMethodError: undefined method `count' for nil:NilClass
  File "/app/vendor/bundle/ruby/2.7.0/gems/json-jwt-1.11.0/lib/json/jwt.rb", line 102, in decode_compact_serialized
  File "/app/vendor/bundle/ruby/2.7.0/gems/json-jwt-1.11.0/lib/json/jose.rb", line 63, in decode
  File "/app/vendor/bundle/ruby/2.7.0/gems/openid_connect-1.2.0/lib/openid_connect/response_object/id_token.rb", line 70, in decode
  File "/app/vendor/bundle/ruby/2.7.0/gems/omniauth_openid_connect-0.3.4/lib/omniauth/strategies/openid_connect.rb", line 221, in decode_id_token
  File "/app/vendor/bundle/ruby/2.7.0/gems/omniauth_openid_connect-0.3.4/lib/omniauth/strategies/openid_connect.rb", line 215, in access_token
  File "/app/vendor/bundle/ruby/2.7.0/gems/omniauth_openid_connect-0.3.4/lib/omniauth/strategies/openid_connect.rb", line 125, in callback_phase
  File "/app/vendor/bundle/ruby/2.7.0/gems/omniauth-1.9.1/lib/omniauth/strategy.rb", line 238, in callback_call
  File "/app/vendor/bundle/ruby/2.7.0/gems/omniauth-1.9.1/lib/omniauth/strategy.rb", line 189, in call!
  File "/app/vendor/bundle/ruby/2.7.0/gems/omniauth-1.9.1/lib/omniauth/strategy.rb", line 169, in call
  File "/app/vendor/bundle/ruby/2.7.0/gems/rack-attack-6.3.1/lib/rack/attack.rb", line 97, in call
  File "/app/vendor/bundle/ruby/2.7.0/gems/rack-attack-6.3.1/lib/rack/attack.rb", line 111, in call
  File "/app/vendor/bundle/ruby/2.7.0/gems/warden-1.2.8/lib/warden/manager.rb", line 36, in block in call
  File "/app/vendor/bundle/ruby/2.7.0/gems/warden-1.2.8/lib/warden/manager.rb", line 34, in catch
  File "/app/vendor/bundle/ruby/2.7.0/gems/warden-1.2.8/lib/warden/manager.rb", line 34, in call
  File "/app/vendor/bundle/ruby/2.7.0/gems/rack-2.2.2/lib/rack/tempfile_reaper.rb", line 15, in call
  File "/app/vendor/bundle/ruby/2.7.0/gems/rack-2.2.2/lib/rack/etag.rb", line 27, in call
  File "/app/vendor/bundle/ruby/2.7.0/gems/rack-2.2.2/lib/rack/conditional_get.rb", line 27, in call
  File "/app/vendor/bundle/ruby/2.7.0/gems/rack-2.2.2/lib/rack/head.rb", line 12, in call
  File "/app/vendor/bundle/ruby/2.7.0/gems/actionpack-6.0.3.1/lib/action_dispatch/http/content_security_policy.rb", line 18, in call
  File "/app/vendor/bundle/ruby/2.7.0/gems/rack-2.2.2/lib/rack/session/abstract/id.rb", line 266, in context
  File "/app/vendor/bundle/ruby/2.7.0/gems/rack-2.2.2/lib/rack/session/abstract/id.rb", line 260, in call
  File "/app/vendor/bundle/ruby/2.7.0/gems/actionpack-6.0.3.1/lib/action_dispatch/middleware/cookies.rb", line 648, in call
  File "/app/vendor/bundle/ruby/2.7.0/gems/actionpack-6.0.3.1/lib/action_dispatch/middleware/callbacks.rb", line 27, in block in call
  File "/app/vendor/bundle/ruby/2.7.0/gems/activesupport-6.0.3.1/lib/active_support/callbacks.rb", line 101, in run_callbacks
  File "/app/vendor/bundle/ruby/2.7.0/gems/actionpack-6.0.3.1/lib/action_dispatch/middleware/callbacks.rb", line 26, in call
  File "/app/vendor/bundle/ruby/2.7.0/gems/actionpack-6.0.3.1/lib/action_dispatch/middleware/actionable_exceptions.rb", line 17, in call
  File "/app/vendor/bundle/ruby/2.7.0/gems/rollbar-2.25.0/lib/rollbar/middleware/rails/rollbar.rb", line 25, in block in call
  File "/app/vendor/bundle/ruby/2.7.0/gems/rollbar-2.25.0/lib/rollbar.rb", line 145, in scoped
  File "/app/vendor/bundle/ruby/2.7.0/gems/rollbar-2.25.0/lib/rollbar/middleware/rails/rollbar.rb", line 22, in call
  File "/app/vendor/bundle/ruby/2.7.0/gems/actionpack-6.0.3.1/lib/action_dispatch/middleware/debug_exceptions.rb", line 32, in call
  File "/app/vendor/bundle/ruby/2.7.0/gems/rollbar-2.25.0/lib/rollbar/middleware/rails/show_exceptions.rb", line 22, in call_with_rollbar
  File "/app/vendor/bundle/ruby/2.7.0/gems/actionpack-6.0.3.1/lib/action_dispatch/middleware/show_exceptions.rb", line 33, in call
  File "/app/vendor/bundle/ruby/2.7.0/gems/railties-6.0.3.1/lib/rails/rack/logger.rb", line 37, in call_app
  File "/app/vendor/bundle/ruby/2.7.0/gems/railties-6.0.3.1/lib/rails/rack/logger.rb", line 26, in block in call
  File "/app/vendor/bundle/ruby/2.7.0/gems/activesupport-6.0.3.1/lib/active_support/tagged_logging.rb", line 80, in block in tagged
  File "/app/vendor/bundle/ruby/2.7.0/gems/activesupport-6.0.3.1/lib/active_support/tagged_logging.rb", line 28, in tagged
  File "/app/vendor/bundle/ruby/2.7.0/gems/activesupport-6.0.3.1/lib/active_support/tagged_logging.rb", line 80, in tagged
  File "/app/vendor/bundle/ruby/2.7.0/gems/railties-6.0.3.1/lib/rails/rack/logger.rb", line 26, in call
  File "/app/vendor/bundle/ruby/2.7.0/gems/actionpack-6.0.3.1/lib/action_dispatch/middleware/remote_ip.rb", line 81, in call
  File "/app/vendor/bundle/ruby/2.7.0/gems/request_store-1.5.0/lib/request_store/middleware.rb", line 19, in call
  File "/app/vendor/bundle/ruby/2.7.0/gems/actionpack-6.0.3.1/lib/action_dispatch/middleware/request_id.rb", line 27, in call
  File "/app/vendor/bundle/ruby/2.7.0/gems/rack-2.2.2/lib/rack/method_override.rb", line 24, in call
  File "/app/vendor/bundle/ruby/2.7.0/gems/rack-2.2.2/lib/rack/runtime.rb", line 22, in call
  File "/app/vendor/bundle/ruby/2.7.0/gems/activesupport-6.0.3.1/lib/active_support/cache/strategy/local_cache_middleware.rb", line 29, in call
  File "/app/vendor/bundle/ruby/2.7.0/gems/actionpack-6.0.3.1/lib/action_dispatch/middleware/executor.rb", line 14, in call
  File "/app/vendor/bundle/ruby/2.7.0/gems/actionpack-6.0.3.1/lib/action_dispatch/middleware/static.rb", line 126, in call
  File "/app/vendor/bundle/ruby/2.7.0/gems/rack-2.2.2/lib/rack/sendfile.rb", line 110, in call
  File "/app/vendor/bundle/ruby/2.7.0/gems/actionpack-6.0.3.1/lib/action_dispatch/middleware/ssl.rb", line 74, in call
  File "/app/vendor/bundle/ruby/2.7.0/gems/actionpack-6.0.3.1/lib/action_dispatch/middleware/host_authorization.rb", line 76, in call
  File "/app/vendor/bundle/ruby/2.7.0/gems/railties-6.0.3.1/lib/rails/engine.rb", line 527, in call
  File "/app/vendor/bundle/ruby/2.7.0/gems/puma-4.3.5/lib/puma/configuration.rb", line 228, in call
  File "/app/vendor/bundle/ruby/2.7.0/gems/puma-4.3.5/lib/puma/server.rb", line 713, in handle_request
  File "/app/vendor/bundle/ruby/2.7.0/gems/puma-4.3.5/lib/puma/server.rb", line 472, in process_client
  File "/app/vendor/bundle/ruby/2.7.0/gems/puma-4.3.5/lib/puma/server.rb", line 328, in block in run
  File "/app/vendor/bundle/ruby/2.7.0/gems/puma-4.3.5/lib/puma/thread_pool.rb", line 134, in block in spawn_thread

There is no problem when we downgrade the gem version to 0.3.3.

Thanks.

Always getting `Not found. Authentication passthru.`

Hi,

sorry if I am missing something very basic but I think I need some help in configuring this gem with devise in my application; I am always getting Not found. Authentication passthru. error;

The url that devise upon clicking 'Sign In with OpenIdConnect' goes to is: https://myapp.com/users/auth/openid_connect

My config looks like below in config/initializers/devise.rb :

config.omniauth :openid_connect, { 
name: :provider, 
scope: [:openid], 
response_type: :code, 
client_options: { 
    port: 443, 
    scheme: "https", 
    host: "staging-oauth.provider.com", 
    issuer: "https://staging-oauth.provider.com", 
    authorization_endpoint: "/oauth2/auth", 
    token_endpoint: "/oauth2/token", 
    identifier: 'CLIENT_ID', 
    secret: 'CLIENT_SECRET', 
    redirect_uri: "https://myapp.com/users/auth/openid_connect/callback", 
  }, 
}

I know I have added extra parameters in it but that's because I'm unsure of what exactly is required; I cant see any logs on the server as well so it means I am not hitting the correct endpoint or something

I have the following urls from provider available

issuer endpoint (https://staging-oauth.provider.com)
authorization endpoint (https://staging-oauth.provider.com/oauth2/auth)
token endpoint (https://staging-oauth.provider.com/oauth2/token)
also I have the client id and secret
Can you please help me ?

Sign In With Slack | nil request.env['omniauth.auth']

Hi thank you for this library super helpful!

So i'm trying to setup sign in with slack per their doc: https://api.slack.com/authentication/sign-in-with-slack

  Rails.application.config.middleware.use OmniAuth::Strategies::OpenIDConnect, {
    name: :sign_in_slack,
    issuer: 'https://slack.com',
    discovery: true,
    scope: [:openid, :email, :profile],
    response_type: :code,
    client_options: {
      port: 443,
      scheme: "https",
      host: "slack.com",
      identifier: "redacted",
      secret: "redacted",
      redirect_uri: "#{ENV['BASE_URL']}/auth/slack/callback/sign_in",
    },
  }

But my callback controller is seeing request.env['omniauth.auth'] nil.

The callback_phase method is never called.

What am i doing wrong ?

Regards

Support custom claims?

I've traced the code and the PRs for the claims but they're last edited 6 years ago at least. I'm not sure how the specification changed over time but there are many more attributes as listed in the latest specs, and I would like to add some other attributes than the specs (are they allowed?), as you can see from doorkeeper gem that we can customize the claims to return to clients.

Suggesting maybe we can have another configuration block for the claims mapping.

client_options.redirect_uri should fallback to sensible default when missing

Context: I am setting up Greenlight for use with OpenIDConnect through your library

The initialization happens this way:

      provider :openid_connect,
        issuer: ENV["OPENID_CONNECT_ISSUER"],
        discovery: true,
        scope: [:email, :profile],
        response_type: :code,
        uid_field: ENV["OPENID_CONNECT_UID_FIELD"] || "preferred_username",
        client_options: {
          identifier: ENV['OPENID_CONNECT_CLIENT_ID'],
          secret: ENV['OPENID_CONNECT_CLIENT_SECRET'],
          redirect_uri: redirect
        },

Unless explicitly configured by the user, redirect will have a nil value, which omniauth_openid_connect will handle by constructing the following authorization uri:

http://my.provider/authorize?client_id=1234&nonce=8225bfbd740e8909a54ff97f536c3c18&response_type=code&scope=email%20profile%20openid&state=8f8c4887392f8bcbdcdc195704e53f44

redirect_uri is missing, which is not valid per the OIDC spec

Other Omniauth providers I have looked at use Omniauth's callback_url method to set the redirect_uri to a sensible default value when the user does not explicitely specify it. This makes configuration of OpenID Connect a little easier, by relieving the users from having to try and guess the correct callback URL when configuring an application that uses Omniauth.

I have tried the following change:

diff --git a/lib/omniauth/strategies/openid_connect.rb b/lib/omniauth/strategies/openid_connect.rb
index c7e86f7..ec37c7f 100644
--- a/lib/omniauth/strategies/openid_connect.rb
+++ b/lib/omniauth/strategies/openid_connect.rb
@@ -156,7 +156,7 @@ module OmniAuth
       end
 
       def authorize_uri
-        client.redirect_uri = redirect_uri
+        client.redirect_uri = redirect_uri || callback_url
         opts = {
           response_type: options.response_type,
           response_mode: options.response_mode,

which works for my use case, but breaks the unit tests in ways I cannot understand as someone not very familiar with Ruby

Handle errors when fetching access token at callback phase

At the callback_phase if an error occurs on the fetch of the access_token the strategy is not handling the error.

Error Trace:

Rack::OAuth2::Client::Error (invalid_client :: invalid client credentials):
  rack-oauth2 (1.9.3) lib/rack/oauth2/client.rb:171:in `handle_error_response'
  rack-oauth2 (1.9.3) lib/rack/oauth2/client.rb:148:in `handle_response'
  rack-oauth2 (1.9.3) lib/rack/oauth2/client.rb:122:in `access_token!'
  /Users/coffeebean/Bitbucket/omniauth_openid_connect/lib/omniauth/strategies/openid_connect.rb:189:in `access_token'
  /Users/coffeebean/Bitbucket/omniauth_openid_connect/lib/omniauth/strategies/openid_connect.rb:114:in `callback_phase'
  omniauth (1.9.0) lib/omniauth/strategy.rb:238:in `callback_call'
  omniauth (1.9.0) lib/omniauth/strategy.rb:189:in `call!'
  omniauth (1.9.0) lib/omniauth/strategy.rb:169:in `call'
  exception_notification (4.3.0) lib/exception_notification/rack.rb:41:in `call'
  warden (1.2.7) lib/warden/manager.rb:36:in `block in call'
  warden (1.2.7) lib/warden/manager.rb:35:in `catch'
  warden (1.2.7) lib/warden/manager.rb:35:in `call'
  rack (1.6.11) lib/rack/etag.rb:24:in `call'
  rack (1.6.11) lib/rack/conditionalget.rb:25:in `call'
  rack (1.6.11) lib/rack/head.rb:13:in `call'
  actionpack (4.2.11.1) lib/action_dispatch/middleware/params_parser.rb:27:in `call'
  actionpack (4.2.11.1) lib/action_dispatch/middleware/flash.rb:260:in `call'
  rack (1.6.11) lib/rack/session/abstract/id.rb:225:in `context'
  rack (1.6.11) lib/rack/session/abstract/id.rb:220:in `call'
  actionpack (4.2.11.1) lib/action_dispatch/middleware/cookies.rb:560:in `call'
  activerecord (4.2.11.1) lib/active_record/query_cache.rb:36:in `call'
  activerecord (4.2.11.1) lib/active_record/connection_adapters/abstract/connection_pool.rb:653:in `call'
  activerecord (4.2.11.1) lib/active_record/migration.rb:377:in `call'
  actionpack (4.2.11.1) lib/action_dispatch/middleware/callbacks.rb:29:in `block in call'
  activesupport (4.2.11.1) lib/active_support/callbacks.rb:88:in `__run_callbacks__'
  activesupport (4.2.11.1) lib/active_support/callbacks.rb:778:in `_run_call_callbacks'
  activesupport (4.2.11.1) lib/active_support/callbacks.rb:81:in `run_callbacks'
  actionpack (4.2.11.1) lib/action_dispatch/middleware/callbacks.rb:27:in `call'
  actionpack (4.2.11.1) lib/action_dispatch/middleware/reloader.rb:73:in `call'
  actionpack (4.2.11.1) lib/action_dispatch/middleware/remote_ip.rb:78:in `call'
  actionpack (4.2.11.1) lib/action_dispatch/middleware/debug_exceptions.rb:17:in `call'
  actionpack (4.2.11.1) lib/action_dispatch/middleware/show_exceptions.rb:30:in `call'
  railties (4.2.11.1) lib/rails/rack/logger.rb:38:in `call_app'
  railties (4.2.11.1) lib/rails/rack/logger.rb:20:in `block in call'
  activesupport (4.2.11.1) lib/active_support/tagged_logging.rb:68:in `block in tagged'
  activesupport (4.2.11.1) lib/active_support/tagged_logging.rb:26:in `tagged'
  activesupport (4.2.11.1) lib/active_support/tagged_logging.rb:68:in `tagged'
  railties (4.2.11.1) lib/rails/rack/logger.rb:20:in `call'
  request_store (1.4.1) lib/request_store/middleware.rb:19:in `call'
  actionpack (4.2.11.1) lib/action_dispatch/middleware/request_id.rb:21:in `call'
  rack (1.6.11) lib/rack/methodoverride.rb:22:in `call'
  rack (1.6.11) lib/rack/runtime.rb:18:in `call'
  activesupport (4.2.11.1) lib/active_support/cache/strategy/local_cache_middleware.rb:28:in `call'
  rack (1.6.11) lib/rack/lock.rb:17:in `call'
  actionpack (4.2.11.1) lib/action_dispatch/middleware/static.rb:120:in `call'
  rack (1.6.11) lib/rack/sendfile.rb:113:in `call'
  railties (4.2.11.1) lib/rails/engine.rb:518:in `call'
  railties (4.2.11.1) lib/rails/application.rb:165:in `call'
  rack (1.6.11) lib/rack/content_length.rb:15:in `call'
  puma (3.12.0) lib/puma/configuration.rb:225:in `call'
  puma (3.12.0) lib/puma/server.rb:658:in `handle_request'
  puma (3.12.0) lib/puma/server.rb:472:in `process_client'
  puma (3.12.0) lib/puma/server.rb:332:in `block in run'
  puma (3.12.0) lib/puma/thread_pool.rb:133:in `block in spawn_thread'