omniauth / omniauth_openid_connect Goto Github PK
View Code? Open in Web Editor NEWLicense: MIT License
License: MIT License
I think it is safer to support OmniAuth2.0 for this gem as well like omniauth/omniauth-openid#44 .
See Also:
https://github.com/omniauth/omniauth/releases
heartcombo/devise#5326 (comment)
I have some trouble configuring my settings, I have a different URL for the token endpoint, can I enter a different URL (different than the value used at host) in token_endpoint
setting?
Hi, I'm not a Ruby dev but I stumbled on this when trying to configure for OpenID Connect integration a Gitlab server instance. In my scenario, I have a Gitlab server which internally uses Omniauth and Omniauth_openid_connect (v. 0.3.3) to talk to an OpenAM server (both of those are the latest available versions as of today, i.e. Gitlab CE 12.7.6 and OpenAM 14.4.3, open source editions).
I have opened an issue on the Gitlab tracker and the support redirected me here.
After setting up the required parameters, the login process fails with the following error:
Could not authenticate you from OpenIDConnect because "Invalid request :: scope parameter is not supported on an authorization code access token exchange request. scope parameter should be supplied to the authorize request."
Indeed, according to the relevant section of the OpenID Specifications (https://tools.ietf.org/html/rfc6749#section-4.1.3, https://openid.net/specs/openid-connect-basic-1_0.html#TokenRequest), the scope attribute is not allowed in token requests, but it seems like it is always populated by this library.
The authentication process via OpenID Connect using code flow relies on three http calls:
Gitlab(Browser) -> OpenID(Server): GET to authorization endpoint
OpenID(Server) -> Browser(Gitlab): browser redirect to OpenID Connect callback
Gitlab(Server) -> OpenID(Server): POST to token endpoint
The first two calls complete successfully, but the third POST has an extra scope parameter that should not be there when grant_type is authorization_code.
To reproduce: configure a local instance of OpenAM (https://github.com/OpenIdentityPlatform/OpenAM/) or other local standards-compliant OpenID Connect implementation (the main online social login platforms sometimes have quirks or accept non-standard requests), try to login.
This issue is currently breaking the code flow.
Congrats of release v0.4.0!
#106 (comment)
Could you create a git tag (or github release) of v0.4.0?
In lib/omniauth/strategies/openid_connect.rb option response_mode
is defined but not used anywhere. And it should be used (if defined) in the authorize_uri
method:
module OmniAuth
module Strategies
class OpenIDConnect
include OmniAuth::Strategy
# ...
option :state
option :response_mode
def authorize_uri
client.redirect_uri = redirect_uri
opts = {
response_type: options.response_type,
+ response_mode: options.response_mode,
scope: options.scope,
# ...
}
client.authorization_uri(opts.reject { |_k, v| v.nil? })
end
This allows using this gem with servers/flows which use response_mode=form_post for example.
Currently, we are using GitLab version 13.1.3 which ships the omniauth_openid_connect gem in version 0.3.5
. In GitLab 13.1.0 the omniauth_openid_connect package was upgraded from 0.3.3
to 0.3.5
. (https://gitlab.com/gitlab-org/gitlab/-/merge_requests/34030)
The previously working OpenID configuration now results in an Internal Server Error during the callback phase. Manually downgrading the package to the version 0.3.3 used in GitLab 13.1 fixes the issue temporarily for us.
JSON::JWK::Set::KidNotFound: JSON::JWK::Set::KidNotFound
from json/jose.rb:29:in `with_jwk_support'
from json/jws.rb:131:in `valid?'
from json/jws.rb:26:in `verify!'
from json/jws.rb:195:in `decode_compact_serialized'
from json/jwt.rb:104:in `decode_compact_serialized'
from json/jose.rb:63:in `decode'
from openid_connect/response_object/id_token.rb:70:in `decode'
from omniauth/strategies/openid_connect.rb:229:in `decode_id_token'
from omniauth/strategies/openid_connect.rb:343:in `verify_id_token!'
from omniauth/strategies/openid_connect.rb:223:in `access_token'
from omniauth/strategies/openid_connect.rb:125:in `callback_phase'
from omniauth/strategy.rb:238:in `callback_call'
from omniauth/strategy.rb:189:in `call!'
from omniauth/strategy.rb:169:in `call'
from omniauth/strategy.rb:192:in `call!'
from omniauth/strategy.rb:169:in `call'
from omniauth/strategy.rb:192:in `call!'
from omniauth/strategy.rb:169:in `call'
from omniauth/strategy.rb:192:in `call!'
from omniauth/strategy.rb:169:in `call'
from omniauth/strategy.rb:192:in `call!'
from omniauth/strategy.rb:169:in `call'
from omniauth/strategy.rb:192:in `call!'
from omniauth/strategy.rb:169:in `call'
from gitlab/metrics/elasticsearch_rack_middleware.rb:24:in `call'
from gitlab/metrics/redis_rack_middleware.rb:22:in `call'
from gitlab/middleware/rails_queue_duration.rb:29:in `call'
from gitlab/metrics/rack_middleware.rb:17:in `block in call'
from gitlab/metrics/transaction.rb:54:in `run'
from gitlab/metrics/rack_middleware.rb:17:in `call'
from gitlab/request_profiler/middleware.rb:17:in `call'
from labkit/middleware/rack.rb:19:in `block in call'
from labkit/context.rb:32:in `with_context'
from labkit/middleware/rack.rb:18:in `call'
from gitlab/middleware/go.rb:20:in `call'
from gitlab/etag_caching/middleware.rb:13:in `call'
from batch_loader/middleware.rb:11:in `call'
from rack/attack.rb:97:in `call'
from apollo_upload_server/middleware.rb:20:in `call'
from gitlab/middleware/multipart.rb:125:in `call'
from rack/attack.rb:111:in `call'
from warden/manager.rb:36:in `block in call'
from warden/manager.rb:34:in `catch'
from warden/manager.rb:34:in `call'
from rack/cors.rb:98:in `call'
from rack/tempfile_reaper.rb:15:in `call'
from rack/etag.rb:25:in `call'
from rack/conditional_get.rb:25:in `call'
from rack/head.rb:12:in `call'
from action_dispatch/http/content_security_policy.rb:18:in `call'
from gitlab/middleware/read_only/controller.rb:51:in `call'
from gitlab/middleware/read_only.rb:18:in `call'
from rack/session/abstract/id.rb:259:in `context'
from rack/session/abstract/id.rb:253:in `call'
from action_dispatch/middleware/cookies.rb:648:in `call'
from gitlab/middleware/same_site_cookies.rb:27:in `call'
from action_dispatch/middleware/callbacks.rb:27:in `block in call'
from active_support/callbacks.rb:101:in `run_callbacks'
from action_dispatch/middleware/callbacks.rb:26:in `call'
from action_dispatch/middleware/actionable_exceptions.rb:17:in `call'
from action_dispatch/middleware/debug_exceptions.rb:32:in `call'
from action_dispatch/middleware/show_exceptions.rb:33:in `call'
from gitlab/middleware/basic_health_check.rb:25:in `call'
from rails/rack/logger.rb:37:in `call_app'
from rails/rack/logger.rb:26:in `block in call'
from active_support/tagged_logging.rb:80:in `block in tagged'
from active_support/tagged_logging.rb:28:in `tagged'
from active_support/tagged_logging.rb:80:in `tagged'
from rails/rack/logger.rb:26:in `call'
from action_dispatch/middleware/remote_ip.rb:81:in `call'
from gitlab/middleware/handle_ip_spoof_attack_error.rb:25:in `call'
from gitlab/middleware/request_context.rb:23:in `call'
from request_store/middleware.rb:19:in `call'
from action_dispatch/middleware/request_id.rb:27:in `call'
from rack/method_override.rb:22:in `call'
from rack/runtime.rb:22:in `call'
from rack/timeout/core.rb:123:in `block in call'
from rack/timeout/support/timeout.rb:19:in `timeout'
from rack/timeout/core.rb:122:in `call'
from /opt/gitlab/embedded/service/gitlab-rails/config/initializers/fix_local_cache_middleware.rb:9:in `call'
from action_dispatch/middleware/executor.rb:14:in `call'
from rack/sendfile.rb:111:in `call'
from action_dispatch/middleware/host_authorization.rb:76:in `call'
from gitlab/metrics/requests_rack_middleware.rb:60:in `call'
from raven/integrations/rack.rb:51:in `call'
from rails/engine.rb:527:in `call'
from rails/railtie.rb:190:in `public_send'
from rails/railtie.rb:190:in `method_missing'
from gitlab/middleware/release_env.rb:12:in `call'
from rack/urlmap.rb:68:in `block in call'
from rack/urlmap.rb:53:in `each'
from rack/urlmap.rb:53:in `call'
from puma/configuration.rb:228:in `call'
from puma/server.rb:691:in `handle_request'
from puma/server.rb:481:in `process_client'
from puma/server.rb:335:in `block in run'
from puma/thread_pool.rb:138:in `block in spawn_thread'
{
'name' => 'openid_connect',
'label' => 'Helmholtz AAI',
'icon' => 'helmholtz.png',
'args' => {
'name' => 'openid_connect',
'scope' => ['openid', 'profile', 'email', 'eduperson_principal_name'],
'response_type' => 'code',
'issuer' => 'https://login.helmholtz-data-federation.de/oauth2',
'discovery' => true,
'client_auth_method' => 'basic',
'uid_field' => 'eduperson_principal_name',
'send_scope_to_token_endpoint' => 'true',
'client_options' => {
'identifier' => '...',
'secret' => '...',
'redirect_uri' => 'https://gitlab.hzdr.de/users/auth/openid_connect/callback'
}
}
}
I also experimented with other configuration options. Setting discovery
to false
and specifying all information manually. I also tried to set the JSON web set keys manually as well https://github.com/m0n9oose/omniauth_openid_connect/blob/ef2942047c866993d8323115c419371d75f05a60/lib/omniauth/strategies/openid_connect.rb#L270-L273. Unfortunately, none of the measures changed anything.
I would be very happy if you could have a look into this issue!
For reference, this is the respective GitLab issue: https://gitlab.com/gitlab-org/gitlab/-/issues/225850
Currently, response_type can be either code or id_token.
Does this gem have support for multiple-valued response types, such as id_token token?
If so, what is the correct format for specifying them in the config? If not, can this functionality be added?
See the following for references:
https://openid.net/specs/openid-connect-core-1_0.html#Authentication
Hi,
I've been trying to use this gem as the basis for LTI 1.3 integration https://www.imsglobal.org/activity/learning-tools-interoperability (which runs on top of OIDC and OAuth2) and I'm having a very hard time making it work. I'm wondering if anybody here has had any luck with a similar project, or if there's a different gem to use for such.
Thanks.
Hello,
I think i found a problem with this line:
https://github.com/m0n9oose/omniauth_openid_connect/blob/af1e49b6d9268c8041d4b653b0172ec407d878d4/lib/omniauth/strategies/openid_connect.rb#L111
i'm not familar enough to decide if its the correct way, but i patched it for our application with this:
invalid_state = session['omniauth.state'] && (params['state'].to_s.empty? || params['state'] != stored_state)
Greets
Marcel
I've found some behaviours in the Implicit Flow that should be improved. I would like to report them.
Regarding verification, how to use key needs to be improved.
Regards,
Hisashi.
Hi,
After upgrading Gem to 0.3.4, we started getting the following error:
NoMethodError: undefined method `count' for nil:NilClass
File "/app/vendor/bundle/ruby/2.7.0/gems/json-jwt-1.11.0/lib/json/jwt.rb", line 102, in decode_compact_serialized
File "/app/vendor/bundle/ruby/2.7.0/gems/json-jwt-1.11.0/lib/json/jose.rb", line 63, in decode
File "/app/vendor/bundle/ruby/2.7.0/gems/openid_connect-1.2.0/lib/openid_connect/response_object/id_token.rb", line 70, in decode
File "/app/vendor/bundle/ruby/2.7.0/gems/omniauth_openid_connect-0.3.4/lib/omniauth/strategies/openid_connect.rb", line 221, in decode_id_token
File "/app/vendor/bundle/ruby/2.7.0/gems/omniauth_openid_connect-0.3.4/lib/omniauth/strategies/openid_connect.rb", line 215, in access_token
File "/app/vendor/bundle/ruby/2.7.0/gems/omniauth_openid_connect-0.3.4/lib/omniauth/strategies/openid_connect.rb", line 125, in callback_phase
File "/app/vendor/bundle/ruby/2.7.0/gems/omniauth-1.9.1/lib/omniauth/strategy.rb", line 238, in callback_call
File "/app/vendor/bundle/ruby/2.7.0/gems/omniauth-1.9.1/lib/omniauth/strategy.rb", line 189, in call!
File "/app/vendor/bundle/ruby/2.7.0/gems/omniauth-1.9.1/lib/omniauth/strategy.rb", line 169, in call
File "/app/vendor/bundle/ruby/2.7.0/gems/rack-attack-6.3.1/lib/rack/attack.rb", line 97, in call
File "/app/vendor/bundle/ruby/2.7.0/gems/rack-attack-6.3.1/lib/rack/attack.rb", line 111, in call
File "/app/vendor/bundle/ruby/2.7.0/gems/warden-1.2.8/lib/warden/manager.rb", line 36, in block in call
File "/app/vendor/bundle/ruby/2.7.0/gems/warden-1.2.8/lib/warden/manager.rb", line 34, in catch
File "/app/vendor/bundle/ruby/2.7.0/gems/warden-1.2.8/lib/warden/manager.rb", line 34, in call
File "/app/vendor/bundle/ruby/2.7.0/gems/rack-2.2.2/lib/rack/tempfile_reaper.rb", line 15, in call
File "/app/vendor/bundle/ruby/2.7.0/gems/rack-2.2.2/lib/rack/etag.rb", line 27, in call
File "/app/vendor/bundle/ruby/2.7.0/gems/rack-2.2.2/lib/rack/conditional_get.rb", line 27, in call
File "/app/vendor/bundle/ruby/2.7.0/gems/rack-2.2.2/lib/rack/head.rb", line 12, in call
File "/app/vendor/bundle/ruby/2.7.0/gems/actionpack-6.0.3.1/lib/action_dispatch/http/content_security_policy.rb", line 18, in call
File "/app/vendor/bundle/ruby/2.7.0/gems/rack-2.2.2/lib/rack/session/abstract/id.rb", line 266, in context
File "/app/vendor/bundle/ruby/2.7.0/gems/rack-2.2.2/lib/rack/session/abstract/id.rb", line 260, in call
File "/app/vendor/bundle/ruby/2.7.0/gems/actionpack-6.0.3.1/lib/action_dispatch/middleware/cookies.rb", line 648, in call
File "/app/vendor/bundle/ruby/2.7.0/gems/actionpack-6.0.3.1/lib/action_dispatch/middleware/callbacks.rb", line 27, in block in call
File "/app/vendor/bundle/ruby/2.7.0/gems/activesupport-6.0.3.1/lib/active_support/callbacks.rb", line 101, in run_callbacks
File "/app/vendor/bundle/ruby/2.7.0/gems/actionpack-6.0.3.1/lib/action_dispatch/middleware/callbacks.rb", line 26, in call
File "/app/vendor/bundle/ruby/2.7.0/gems/actionpack-6.0.3.1/lib/action_dispatch/middleware/actionable_exceptions.rb", line 17, in call
File "/app/vendor/bundle/ruby/2.7.0/gems/rollbar-2.25.0/lib/rollbar/middleware/rails/rollbar.rb", line 25, in block in call
File "/app/vendor/bundle/ruby/2.7.0/gems/rollbar-2.25.0/lib/rollbar.rb", line 145, in scoped
File "/app/vendor/bundle/ruby/2.7.0/gems/rollbar-2.25.0/lib/rollbar/middleware/rails/rollbar.rb", line 22, in call
File "/app/vendor/bundle/ruby/2.7.0/gems/actionpack-6.0.3.1/lib/action_dispatch/middleware/debug_exceptions.rb", line 32, in call
File "/app/vendor/bundle/ruby/2.7.0/gems/rollbar-2.25.0/lib/rollbar/middleware/rails/show_exceptions.rb", line 22, in call_with_rollbar
File "/app/vendor/bundle/ruby/2.7.0/gems/actionpack-6.0.3.1/lib/action_dispatch/middleware/show_exceptions.rb", line 33, in call
File "/app/vendor/bundle/ruby/2.7.0/gems/railties-6.0.3.1/lib/rails/rack/logger.rb", line 37, in call_app
File "/app/vendor/bundle/ruby/2.7.0/gems/railties-6.0.3.1/lib/rails/rack/logger.rb", line 26, in block in call
File "/app/vendor/bundle/ruby/2.7.0/gems/activesupport-6.0.3.1/lib/active_support/tagged_logging.rb", line 80, in block in tagged
File "/app/vendor/bundle/ruby/2.7.0/gems/activesupport-6.0.3.1/lib/active_support/tagged_logging.rb", line 28, in tagged
File "/app/vendor/bundle/ruby/2.7.0/gems/activesupport-6.0.3.1/lib/active_support/tagged_logging.rb", line 80, in tagged
File "/app/vendor/bundle/ruby/2.7.0/gems/railties-6.0.3.1/lib/rails/rack/logger.rb", line 26, in call
File "/app/vendor/bundle/ruby/2.7.0/gems/actionpack-6.0.3.1/lib/action_dispatch/middleware/remote_ip.rb", line 81, in call
File "/app/vendor/bundle/ruby/2.7.0/gems/request_store-1.5.0/lib/request_store/middleware.rb", line 19, in call
File "/app/vendor/bundle/ruby/2.7.0/gems/actionpack-6.0.3.1/lib/action_dispatch/middleware/request_id.rb", line 27, in call
File "/app/vendor/bundle/ruby/2.7.0/gems/rack-2.2.2/lib/rack/method_override.rb", line 24, in call
File "/app/vendor/bundle/ruby/2.7.0/gems/rack-2.2.2/lib/rack/runtime.rb", line 22, in call
File "/app/vendor/bundle/ruby/2.7.0/gems/activesupport-6.0.3.1/lib/active_support/cache/strategy/local_cache_middleware.rb", line 29, in call
File "/app/vendor/bundle/ruby/2.7.0/gems/actionpack-6.0.3.1/lib/action_dispatch/middleware/executor.rb", line 14, in call
File "/app/vendor/bundle/ruby/2.7.0/gems/actionpack-6.0.3.1/lib/action_dispatch/middleware/static.rb", line 126, in call
File "/app/vendor/bundle/ruby/2.7.0/gems/rack-2.2.2/lib/rack/sendfile.rb", line 110, in call
File "/app/vendor/bundle/ruby/2.7.0/gems/actionpack-6.0.3.1/lib/action_dispatch/middleware/ssl.rb", line 74, in call
File "/app/vendor/bundle/ruby/2.7.0/gems/actionpack-6.0.3.1/lib/action_dispatch/middleware/host_authorization.rb", line 76, in call
File "/app/vendor/bundle/ruby/2.7.0/gems/railties-6.0.3.1/lib/rails/engine.rb", line 527, in call
File "/app/vendor/bundle/ruby/2.7.0/gems/puma-4.3.5/lib/puma/configuration.rb", line 228, in call
File "/app/vendor/bundle/ruby/2.7.0/gems/puma-4.3.5/lib/puma/server.rb", line 713, in handle_request
File "/app/vendor/bundle/ruby/2.7.0/gems/puma-4.3.5/lib/puma/server.rb", line 472, in process_client
File "/app/vendor/bundle/ruby/2.7.0/gems/puma-4.3.5/lib/puma/server.rb", line 328, in block in run
File "/app/vendor/bundle/ruby/2.7.0/gems/puma-4.3.5/lib/puma/thread_pool.rb", line 134, in block in spawn_thread
There is no problem when we downgrade the gem version to 0.3.3.
Thanks.
Currently, nonce is verified in access_token
method and it's way too late.
I think nonce should be validated after this line: https://github.com/m0n9oose/omniauth_openid_connect/blob/3913c8fd0518b929d384f27d2cf6e370dd36f853/lib/omniauth/strategies/openid_connect.rb#L112
id_token = decode_id_token(params['id_token'])
id_token.verify!(
issuer: options.issuer,
client_id: client_options.identifier,
nonce: stored_nonce
)
Verifying the response during requesting for a token doesn't make sense.
I've merged the many fixes scattered on many repositories, and I've provided a version that works with the latest environment and specs.
If you agree, please write on the README to direct visitors to the new repository.
https://github.com/netsphere-labs/omniauth-openid-connect/
I'm always looking for developers, contributors. Thanks.
This change suggests that it is possible to customize the redirect_uri by passing a param[:redirect_uri] at some point in the flow:
5ce3b55#diff-8467ba16957a2513a82eb9fe781131df
I have tried adding this param alongwith with the initial redirect to /auth/openid_connect, for example:
http://tenant1.localhost:5000/users/auth/openid_connect?redirect_uri=tenant1.localhost
However, this results in 2 redirect_uri parameters being sent in the redirect to the auth service, the URI in the query string above, plus the URI specified in config.
The end goal is to support multi-tenant sub-domains, using a single auth endpoint.
Given the commit above, should it be possible to specify a request_uri at request time rather than in fixed config?
I'm using this gem with the Devise integration and I have trouble understanding how to use the end_session_endpoint
and post_logout_redirect_uri
parameters.
By default Devise only clean the session and doesn't use the two parameters, therefore I'm not calling the provider sign_out endpoint.
If it helps the PR I'm currently working on Bureau-Systeme-d-Information-BSI/civilsdeladefense#782
Could you cut a new release and push it to RubyGems?
We can see from the commit history that the gem has already been updated for OmniAuth 2.x compatibility but the 0.3.5
version at RubyGems is not compatible with OmniAuth 2.x.
https://rubygems.org/gems/omniauth_openid_connect/versions/0.3.5
Test sample application: https://gitlab.com/netsphere/rails-omniauth-oidc-rp-sample/
Ruby 3.0, Rails 6.1, OmniAuth 2.0
The Code Flow is OK. But the Implicit Flow does not seem to work.
I'll investigate the cause.
undefined method `[]' for nil:NilClass fail!(error_attrs[:key], error_attrs[:exception_class].new(params['error'])) omniauth_openid_connect (0.4.0.pre) lib/omniauth/strategies/openid_connect.rb:337:in `valid_response_type?' omniauth_openid_connect (0.4.0.pre) lib/omniauth/strategies/openid_connect.rb:114:in `callback_phase' omniauth (2.0.4) lib/omniauth/strategy.rb:272:in `callback_call' omniauth (2.0.4) lib/omniauth/strategy.rb:194:in `call!' omniauth (2.0.4) lib/omniauth/strategy.rb:169:in `call' omniauth (2.0.4) lib/omniauth/strategy.rb:470:in `call_app!' omniauth_openid_connect (0.4.0.pre) lib/omniauth/strategies/openid_connect.rb:143:in `other_phase' omniauth (2.0.4) lib/omniauth/strategy.rb:195:in `call!' omniauth (2.0.4) lib/omniauth/strategy.rb:169:in `call' omniauth (2.0.4) lib/omniauth/strategy.rb:470:in `call_app!' omniauth_openid_connect (0.4.0.pre) lib/omniauth/strategies/openid_connect.rb:143:in `other_phase' omniauth (2.0.4) lib/omniauth/strategy.rb:195:in `call!' omniauth (2.0.4) lib/omniauth/strategy.rb:169:in `call' omniauth (2.0.4) lib/omniauth/strategy.rb:470:in `call_app!' omniauth_openid_connect (0.4.0.pre) lib/omniauth/strategies/openid_connect.rb:143:in `other_phase' omniauth (2.0.4) lib/omniauth/strategy.rb:195:in `call!' omniauth (2.0.4) lib/omniauth/strategy.rb:169:in `call' omniauth (2.0.4) lib/omniauth/strategy.rb:470:in `call_app!' omniauth_openid_connect (0.4.0.pre) lib/omniauth/strategies/openid_connect.rb:143:in `other_phase' omniauth (2.0.4) lib/omniauth/strategy.rb:195:in `call!' omniauth (2.0.4) lib/omniauth/strategy.rb:169:in `call' omniauth (2.0.4) lib/omniauth/builder.rb:45:in `call' rack (2.2.3) lib/rack/tempfile_reaper.rb:15:in `call' rack (2.2.3) lib/rack/etag.rb:27:in `call' rack (2.2.3) lib/rack/conditional_get.rb:40:in `call' rack (2.2.3) lib/rack/head.rb:12:in `call' actionpack (6.1.4.1) lib/action_dispatch/http/permissions_policy.rb:22:in `call' actionpack (6.1.4.1) lib/action_dispatch/http/content_security_policy.rb:18:in `call' rack (2.2.3) lib/rack/session/abstract/id.rb:266:in `context' rack (2.2.3) lib/rack/session/abstract/id.rb:260:in `call' actionpack (6.1.4.1) lib/action_dispatch/middleware/cookies.rb:689:in `call' activerecord (6.1.4.1) lib/active_record/migration.rb:601:in `call' actionpack (6.1.4.1) lib/action_dispatch/middleware/callbacks.rb:27:in `block in call' activesupport (6.1.4.1) lib/active_support/callbacks.rb:98:in `run_callbacks' actionpack (6.1.4.1) lib/action_dispatch/middleware/callbacks.rb:26:in `call' actionpack (6.1.4.1) lib/action_dispatch/middleware/executor.rb:14:in `call' actionpack (6.1.4.1) lib/action_dispatch/middleware/actionable_exceptions.rb:18:in `call' actionpack (6.1.4.1) lib/action_dispatch/middleware/debug_exceptions.rb:29:in `call' web-console (4.2.0) lib/web_console/middleware.rb:132:in `call_app'
Hello,Any suggestions what to do ?
my idp is identityServer4
/var/log/gitlab/gitlab-rails/production.log: Started GET "/users/auth/openid_connect/callback?code=[FILTERED]&state=9b059526e54e3a126b99a3ef7e4815b0" for 192.168.31.56 at 2019-06-10 10:57:20 +0800 Processing by OmniauthCallbacksController#failure as HTML Parameters: {"code"=>"[FILTERED]", "state"=>"9b059526e54e3a126b99a3ef7e4815b0"} Redirected to http://192.168.31.72:8091/users/sign_in
gitlab_rails['omniauth_enabled'] = true
gitlab_rails['omniauth_allow_single_sign_on'] = ['openid_connect']
gitlab_rails['omniauth_sync_email_from_provider'] = 'openid_connect'
gitlab_rails['omniauth_auto_sign_in_with_provider'] = 'openid_connect'
gitlab_rails['omniauth_sync_profile_from_provider'] = ['openid_connect']
gitlab_rails['omniauth_sync_profile_attributes'] = ['name', 'email']
gitlab_rails['omniauth_auto_link_ldap_user'] = false
gitlab_rails['omniauth_auto_link_saml_user'] = false
gitlab_rails['omniauth_block_auto_created_users'] = false
gitlab_rails['omniauth_providers'] = [
{
'name' => 'openid_connect',
'label' => 'OIDC',
'args' => {
'name' => 'openid_connect',
'scope' => ['openid','profile'],
'response_type' => 'code',
'issuer' => 'https://XXX.XX.XX',
'discovery' => true,
'client_auth_method' => 'query',
'client_options' => {
'identifier' => 'gitlab_openid',
'secret' => 'oeRiYj8_UG0sUXI_P08_Nyk_fCErP24yVD8_ci5nZw==',
'redirect_uri' => 'http://192.168.31.72:8091/users/auth/openid_connect/callback'
}
}
}
]
I would like to configure my callback URI with your gem, but I can't figure out how (or if I can). I can't seem to properly setup callback_path
with the openid_connect
strategy when using Devise. (see omniauth/omniauth#593)
I'd be open to make a fork and open a PR if this not possible right now and you could give me some pointers ?
Thank you,
How would I redirect a new user to the registration end point? If I use user_openid_connect_omniauth_authorize_url, it redirects the user to the login page.
The doc says:
NOTE: if you use this gem with Devise you should use :openid_connect name, or Devise would route to 'users/auth/:provider' rather than 'users/auth/openid_connect'
this means that I cannot use more openid providers when using Devise?
thank you
Hi thank you for this library super helpful!
So i'm trying to setup sign in with slack per their doc: https://api.slack.com/authentication/sign-in-with-slack
Rails.application.config.middleware.use OmniAuth::Strategies::OpenIDConnect, {
name: :sign_in_slack,
issuer: 'https://slack.com',
discovery: true,
scope: [:openid, :email, :profile],
response_type: :code,
client_options: {
port: 443,
scheme: "https",
host: "slack.com",
identifier: "redacted",
secret: "redacted",
redirect_uri: "#{ENV['BASE_URL']}/auth/slack/callback/sign_in",
},
}
But my callback controller is seeing request.env['omniauth.auth']
nil.
The callback_phase
method is never called.
What am i doing wrong ?
Regards
I've traced the code and the PRs for the claims but they're last edited 6 years ago at least. I'm not sure how the specification changed over time but there are many more attributes as listed in the latest specs, and I would like to add some other attributes than the specs (are they allowed?), as you can see from doorkeeper gem that we can customize the claims to return to clients.
Suggesting maybe we can have another configuration block for the claims mapping.
Hi I'm trying to integrate my app with an openid provider. I'm getting this:
(openid_connect) Callback phase initiated.
OpenSSL::SSL::SSLError (SSL_connect returned=1 errno=0 state=error: certificate verify failed (unable to get local issuer certificate)):
httpclient (2.8.3) lib/httpclient/ssl_socket.rb:103:in `connect'
The app is behind a Traefik proxy with a certificate from LetsEncrypt. I've tryied disabling https on my app but still getting the same error.
Any ideas? Thank you.
Hello,
We are trying to use this gem to build a client for a provider who requires the RS512
signing algorithm for the JWT, response type code
. The problem is that the signing algorithm defaults to RS256
. There is a client_signing_algorithm
option but it is only used in response type id_token
. Are we missing something in the config?
Thanks.
I have two endpoints one for Authorization and another for token:
Authorization endpoint: https://oauth.provider.com/authorize
Token endpoint: https://oauth-secured.provider.com/token
as you can see each one has a different host, but are the same provider, I'm not sure how to configure this in the gem as you can only specify one host:
config.omniauth :openid_connect,
{
name: :openid_connect,
scope: [:openid],
issuer: "oauth.provider.com"
response_type: :code,
discovery: :true,
client_options:
{
port: 443,
scheme: "https",
host: "oauth.provider.com",
authorization_endpoint: "/authorize",
token_endpoint: "/token", #How to specify here correctly https://oauth-secured.provider.com/token
identifier: 'CLIENT_ID',
secret: 'CLIENT_SECRET',
redirect_uri: "https://myapp.com/users/auth/openid_connect/callback",
},
}
There's a line of code in the callback phase which raises an error:
return fail!(
:missing_code,
OmniAuth::OpenIDConnect::MissingCodeError.new(params['error'])
) unless params['code']
It looks like it should be executed only if option :response_type
is set to code (default).
How about:
return fail!(
:missing_code,
OmniAuth::OpenIDConnect::MissingCodeError.new(params['error'])
) unless (options.response_type == 'code' && params['code'])
Which could be (apart from extracting the condition to a method) be simplified to:
return fail!(
:missing_FIXME,
OmniAuth::OpenIDConnect::MissingFIXMEError.new(params['error'])
) unless (params[options.response_type]) # e.g. params['id_token'] is present if response_type == 'id_token'
Github is reporting a venerability in versions of omniauth before 1.9.0, this gem appears to be tied to v1.3. Can this dependancy be bumped?
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-9284
Say there are two OpenID IdPs, and they return the same uid for a user from each.
We'd like to be able to differentiate based on the info/extra hash which IdP sent the user to know which to login.
Suggest adding the issuer to "extra"
Maybe everybody else knows this, but I tried to use OIDC with gitlab and keycloak and I cannot find a single log entry showing that something is happening even if I click the sso button on the gitlab ui.
I looked at the code base of this project and I also see now line about outputting log.
I wonder how people approach this, and if that would make sense that the README.md have some words about debugging the thing.
Hello,
When I raised the version from 0.3.3 to 0.3.5, I'm getting this error.
OpenSSL::PKey::EC::Point::Error (EC_POINT_bn2point: invalid encoding):
Any ideas? Thank you.
Currently this OmniAuth provider does not read the groups
or roles
claims provided. It is also not possible to restrict login for users to a specific group. This causes all users for a domain to login to the application with OmniAuth using this provider.
It would be a nice improvement to this provider, if the name of the groups
claim could be specified using a config property. If groups can be read via the groups
claim it should also be possible to specify a required_groups
in the provider configuration, causing the login to fail if the user is not in the specified groups or a successful login if the user is in the specified groups.
The latter required_groups
is a pretty common requirement to restrict the login to various applications by groups, otherwise everyone can log in.
When i tried to set up the omniauth openid_connect in our gitlab instance with client_auth_method basic
, the secret was sent url encoded to the server.
e.g.
...
{
name: "openid_connect",
...
args: {
...
client_auth_method: "basic",
...
client_options: {
identifier: "our_id",
secret: "our_p+a+s/s/w+o+r+d"
...
},
...
}
}
...
would send the following authorization header to the server:
Basic b3VyX2lkOm91cl9wJTJCYSUyQnMlMkZzJTJGdyUyQm8lMkJyJTJCZA==
which gives us our_id:our_p%2Ba%2Bs%2Fs%2Fw%2Bo%2Br%2Bd
instead of our_id:our_p+a+s/s/w+o+r+d
Would be great to reach https://openid.net/certification/ on day. Some colleges did that for a go library https://github.com/caos/oidc
Hello!
We are trying to integrate keycloak with Gitlab using OmniAuth without SSL applied(mandatory requirement). The configuration of the gitlab.rb file is as follows,
prometheus_monitoring['enable'] = false
gitlab_rails['ldap_enabled'] = false;
nginx['listen_port'] = 10200
nginx['listen_http'] = false
registry_nginx['enable'] = true
gitlab_rails['registry_path'] = "/mnt/docker_registry"
registry['enable'] = true
registry_external_url 'http://localhost:8123'
external_url 'http:///gitlab/'
gitlab_rails['omniauth_enabled'] = true
gitlab_rails['omniauth_providers'] = [
{ 'name' => 'Keycloak',
'label' => 'Login',
'args' => {
'name' => 'openid_connect',
'scope' => ['openid','profile',''],
'response_type' => 'code',
#'issuer' => 'http:///auth/realms/',
'discovery' => true,
'client_auth_method' => 'query',
'send_scope_to_token_endpoint' => 'false',
'client_options' => {
'port' => 80,
'scheme' => 'http',
'host' => '/auth',
'identifier' => '<CLIENT_ID>',
'secret' => '<CLIENT_SECRET>',
'redirect_uri' => 'http:///gitlab/users/auth/openid_connect/callback',
}
}
}
]
gitlab_rails['omniauth_sync_profile_from_provider'] = 'Keycloak'
#gitlab_rails['omniauth_auto_sign_in_with_provider'] = 'openid_connect'
gitlab_rails['omniauth_allow_single_sign_on'] = ['Keycloak']
gitlab_rails['omniauth_auto_link_saml_user'] = true
gitlab_rails['omniauth_block_auto_created_users'] = false
We are getting the following error when we login to the UI -> go to user settings ->
Account -> click on Connect OpenID Connect option,
OpenSSL::SSL::SSLError (SSL_connect returned=1 errno=0 state=error: certificate verify failed (unable to get local issuer certificate)):
Can someone help us fix this?
Thanks in advance :)
Hi,
sorry if I am missing something very basic but I think I need some help in configuring this gem with devise in my application; I am always getting Not found. Authentication passthru.
error;
The url that devise upon clicking 'Sign In with OpenIdConnect' goes to is: https://myapp.com/users/auth/openid_connect
My config looks like below in config/initializers/devise.rb :
config.omniauth :openid_connect, {
name: :provider,
scope: [:openid],
response_type: :code,
client_options: {
port: 443,
scheme: "https",
host: "staging-oauth.provider.com",
issuer: "https://staging-oauth.provider.com",
authorization_endpoint: "/oauth2/auth",
token_endpoint: "/oauth2/token",
identifier: 'CLIENT_ID',
secret: 'CLIENT_SECRET',
redirect_uri: "https://myapp.com/users/auth/openid_connect/callback",
},
}
I know I have added extra parameters in it but that's because I'm unsure of what exactly is required; I cant see any logs on the server as well so it means I am not hitting the correct endpoint or something
I have the following urls from provider available
issuer endpoint (https://staging-oauth.provider.com)
authorization endpoint (https://staging-oauth.provider.com/oauth2/auth)
token endpoint (https://staging-oauth.provider.com/oauth2/token)
also I have the client id and secret
Can you please help me ?
Currently, response_type
can be either code
or id_token
.
Does this gem have support for multiple-valued response types, such as id_token token
?
If so, what is the correct format for specifying them in the config? If not, can this functionality be added?
See the following for references:
First off, thanks for continuing to maintain this code!
We currently have a 'code' based implementation working with this gem. When upgrading to the latest code we're running into issues with the following lines:
We don't have an 'id_token' param and so decode_id_token
attempts to parse nil which causes an error. A simple conditional check of the response type before calling decode_id_token
fixes the error.
Wanted to raise it here though in case there is something I am missing. Thanks!
Hi there,
thanks for providing this gem, we at CitizenLab use it for two identity providers that we integrate with.
The authentication process of both providers started to fail with the error described in in #97 some time ago. We tried to fix this by upgrading to omniauth_openid_connect 0.4.0, but after the upgrade we now see the following exception being thrown:
OpenIDConnect::Discovery::DiscoveryFailed
We don't know exactly yet why this is happening, but the interesting part is that this error happens on two completely separate OpenID providers.
I don't know the OpenID protocol very well, but we do not have Discovery enabled in any of the two providers, so why is this error being thrown then?
For reference, this is what the configurations of the providers look like:
# Configuration for identity provider 1
options = env['omniauth.strategy'].options
options[:scope] = %i[openid profile egovnrn]
options[:response_type] = :code
options[:state] = true
options[:nonce] = true
options[:issuer] = "https://#{host}"
options[:acr_values] = 'urn:be:fedict:iam:fas:Level450'
options[:send_scope_to_token_endpoint] = false
options[:client_options] = {
identifier: config[:identifier],
secret: config[:secret],
port: 443,
scheme: 'https',
host: host,
authorization_endpoint: '/fas/oauth2/authorize',
token_endpoint: '/fas/oauth2/access_token',
userinfo_endpoint: '/fas/oauth2/userinfo',
redirect_uri: "#{configuration.base_backend_uri}/auth/bosa_fas/callback"
}
# Configuration for identiy provider 2
options = env['omniauth.strategy'].options
options[:scope] = %i[openid run name]
options[:response_type] = :code
options[:state] = true
options[:nonce] = true
options[:issuer] = issuer
options[:send_scope_to_token_endpoint] = false
options[:client_options] = {
identifier: config[:client_id],
secret: config[:client_secret],
port: 443,
scheme: 'https',
host: host,
authorization_endpoint: '/openid/authorize',
token_endpoint: '/openid/token',
userinfo_endpoint: '/openid/userinfo',
redirect_uri: "#{configuration.base_backend_uri}/auth/clave_unica/callback"
}
An exemplary stack trace from config 2:
JSON::ParserError: 859: unexpected token at '<!doctype html>
<html data-n-head-ssr>
<head >
<title>Portal ciudadano ClaveÚnica</title><meta data-n-head="ssr" charset="utf-8"><meta data-n-head="ssr" name="viewport" content="width=device-width, initial-scale=1"><meta data-n-head="ssr" data-hid="Portal ciudadano ClaveÚnica" name="Portal ciudadano ClaveÚnica" content="Portal ciudadano ClaveÚnica"><link data-n-head="ssr" rel="stylesheet" href="https://fonts.googleapis.com/css?family=Roboto+Slab&display=swap"><link data-n-head="ssr" rel="stylesheet" href="https://fonts.googleapis.com/css?family=Roboto&display=swap"><link data-n-head="ssr" rel="icon" type="image/x-icon" href="/favicon.ico"><script data-n-head="ssr" data-hid="stripe" src="https://unpkg.com/vue-recaptcha@latest/dist/vue-recaptcha.min.js" defer></script><script data-n-head="ssr" data-hid="stripe" src="https://www.google.com/recaptcha/api.js?onload=vueRecaptchaApiLoaded&render=explicit" defer></script><link rel="preload" href="/_nuxt/b57117b.js" as="script"><link rel="preload" href="/_nuxt/31c1e4d.js" as="script"><link rel="preload" href="/_nuxt/e78a47a.js" as="script"><link rel="preload" href="/_nuxt/a257210.js" as="script"><link rel="preload" href="/_nuxt/136ec92.js" as="script"><style data-vue-ssr-id="71f83a6d:0 32df6d42:0 a07579c2:0 a07579c2:1 432fb0d6:0 a5041f02:0 0667d9c0:0 b2d1e312:0 3191d5ad:0">/*!
* Bootstrap v4.6.1 (https://getbootstrap.com/)
* Copyright 2011-2021 The Bootstrap Authors
* Copyright 2011-2021 Twitter, Inc.
* Licensed under MIT (https://github.com/twbs/bootstrap/blob/main/LICENSE)
*/:root{--blue:#007bff;--indigo:#6610f2;--purple:#6f42c1;--pink:#e83e8c;--red:#dc3545;--orange:#fd7e14;--yellow:#ffc107;--green:#28a745;--teal:#20c997;--cyan:#17a2b8;--white:#fff;--gray:#6c757d;--gray-dark:#343a40;--primary:#007bff;--secondary:#6c757d;--success:#28a745;--info:#17a2b8;--warning:#ffc107;--danger:#dc3545;--light:#f8f9fa;--dark:#343a40;--breakpoint-xs:0;--breakpoint-sm:576px;--breakpoint-md:768px;--breakpoint-lg:992px;--breakpoint-xl:1200px;--font-family-sans-serif:-apple-system,BlinkMacSystemFont,"Segoe UI",Roboto,"Helvetica Neue",Arial,"Noto Sans","Liberation Sans",sans-serif,"Apple Color Emoji","Segoe UI Emoji","Segoe UI Symbol","Noto Color Emoji";--font-family-monospace:SFMono-Regular,Menlo,Monaco,Consolas,"Liberation Mono","Courier New",monospace}*,:after,:before{box-sizing:border-box}html{font-family:sans-serif;line-height:1.15;-webkit-text-size-adjust:100%;-webkit-tap-highlight-color:rgba(0,0,0,0)}article,aside,figcaption,figure,footer,header,hgroup,main,nav,section{display:block}body{margin:0;font-family:-apple-system,BlinkMacSystemFont,"Segoe UI",Roboto,"Helvetica Neue",Arial,"Noto Sans","Liberation Sans",sans-serif,"Apple Color Emoji","Segoe UI Emoji","Segoe UI Symbol","Noto Color Emoji";font-size:1rem;font-weight:400;line-height:1.5;color:#212529;text-align:left;background-color:#fff}[tabindex="-1"]:focus:not(.focus-visible),[tabindex="-1"]:focus:not(:focus-visible){outline:0!important}hr{box-sizing:content-box;height:0;overflow:visible}h1,h2,h3,h4,h5,h6{margin-top:0;margin-bottom:.5rem}p{margin-top:0;margin-bottom:1rem}abbr[data-original-title],abbr[title]{text-decoration:underline;-webkit-text-decoration:underline dotted;text-decoration:underline dotted;cursor:help;border-bottom:0;-webkit-text-decoration-skip-ink:none;text-decoration-skip-ink:none}address{font-style:normal;line-height:inherit}address,dl,ol,ul{margin-bottom:1rem}dl,ol,ul{margin-top:0}ol ol,ol ul,ul ol,ul ul{margin-bottom:0}dt{font-weight:700}dd{margin-bottom:.5rem;margin-left:0}blockquote{margin:0 0 1rem}b,strong{font-weight:bolder}small{font-size:80%}sub,sup{position:relative;font-size:75%;line-height:0;vertical-align:baseline}sub{bottom:-.25em}sup{top:-.5em}a{color:#007bff;text-decoration:none;background-color:transparent}a:hover{color:#0056b3;text-decoration:underline}a:not([href]):not([class]),a:not([href]):not([class]):hover{color:inherit;text-decoration:none}code,kbd,pre,samp{font-family:SFMono-Regular,Menlo,Monaco,Consolas,"Liberation Mono","Courier New",monospace;font-size:1em}pre{margin-top:0;margin-bottom:1rem;overflow:auto;-ms-overflow-style:scrollbar}figure{margin:0 0 1rem}img{border-style:none}img,svg{vertical-align:middle}svg{overflow:hidden}table{border-collapse:collapse}caption{padding-top:.75rem;padding-bottom:.75rem;color:#6c757d;text-align:left;caption-side:bottom}th{text-align:inherit;text-align:-webkit-match-parent}label{display:inline-block;margin-bottom:.5rem}button{border-radius:0}button:focus:not(.focus-visible),button:focus:not(:focus-visible){outline:0}button,input,optgroup,select,textarea{margin:0;font-family:inherit;font-size:inherit;line-height:inherit}button,input{overflow:visible}button,select{text-transform:none}[role=button]{cursor:pointer}select{word-wrap:normal}[type=button],[type=reset],[type=submit],button{-webkit-appearance:button}[type=button]:not(:disabled),[type=reset]:not(:disabled),[type=submit]:not(:disabled),button:not(:disabled){cursor:pointer}[type=button]::-moz-focus-inner,[type=reset]::-moz-focus-inner,[type=submit]::-moz-focus-inner,button::-moz-focus-inner{padding:0;border-style:none}input[type=checkbox],input[type=radio]{box-sizing:border-box;padding:0}textarea{overflow:auto;resize:vertical}fieldset{min-width:0;padding:0;margin:0;border:0}legend{display:block;width:100%;max-width:100%;padding:0;margin-bottom:.5rem;font-size:1.5rem;line-height:inherit;color:inherit;white-space:normal}progress{vertical-align:baseline}[type=number]::-webkit-inner-spin-button,[type=number]::-webkit-outer-spin-button{height:auto}[type=search]{outline-offset:-2px;-webkit-appearance:none}[type=search]::-webkit-search-decoration{-webkit-appearance:none}::-webkit-file-upload-button{font:inherit;-webkit-appearance:button}output{display:inline-block}summary{display:list-item;cursor:pointer}template{display:none}[hidden]{display:none!important}.h1,.h2,.h3,.h4,.h5,.h6,h1,h2,h3,h4,h5,h6{margin-bottom:.5rem;font-weight:500;line-height:1.2}.h1,h1{font-size:2.5rem}.h2,h2{font-size:2rem}.h3,h3{font-size:1.75rem}.h4,h4{font-size:1.5rem}.h5,h5{font-size:1.25rem}.h6,h6{font-size:1rem}.lead{font-size:1.25rem;font-weight:300}.display-1{font-size:6rem}.display-1,.display-2{font-weight:300;line-height:1.2}.display-2{font-size:5.5rem}.display-3{font-size:4.5rem}.display-3,.display-4{font-weight:300;line-height:1.2}.display-4{font-size:3.5rem}hr{margin-top:1rem;margin-bottom:1rem;border:0;border-top:1px solid rgba(0,0,0,.1)}.small,small{font-size:80%;font-weight:400}.mark,mark{padding:.2em;background-color:#fcf8e3}.list-inline,.list-unstyled{padding-left:0;list-style:none}.list-inline-item{display:inline-block}.list-inline-item:not(:last-child){margin-right:.5rem}.initialism{font-size:90%;text-transform:uppercase}.blockquote{margin-bottom:1rem;font-size:1.25rem}.blockquote-footer{display:block;font-size:80%;color:#6c757d}.blockquote-footer:before{content:"\2014\00A0"}.img-fluid,.img-thumbnail{max-width:100%;height:auto}.img-thumbnail{padding:.25rem;background-color:#fff;border:1px solid #dee2e6;border-radius:.25rem}.figure{display:inline-block}.figure-img{margin-bottom:.5rem;line-height:1}.figure-caption{font-size:90%;color:#6c757d}code{font-size:87.5%;color:#e83e8c;word-wrap:break-word}a>code{color:inherit}kbd{padding:.2rem .4rem;font-size:87.5%;color:#fff;background-color:#212529;border-radius:.2rem}kbd kbd{padding:0;font-size:100%;font-weight:700}pre{display:block;font-size:87.5%;color:#212529}pre code{font-size:inherit;color:inherit;word-break:normal}.pre-scrollable{max-height:340px;overflow-y:scroll}.container,.container-fluid,.container-lg,.container-md,.container-sm,.container-xl{width:100%;padding-right:15px;padding-left:15px;margin-right:auto;margin-left:auto}@media (min-width:576px){.container,.container-sm{max-width:540px}}@media (min-width:768px){.container,.container-md,.container-sm{max-width:720px}}@media (min-width:992px){.container,.container-lg,.container-md,.container-sm{max-width:960px}}@media (min-width:1200px){.container,.container-lg,.container-md,.container-sm,.container-xl{max-width:1140px}}.row{display:flex;flex-wrap:wrap;margin-right:-15px;margin-
from json (2.6.1) lib/json/common.rb:216:in `parse'
from json (2.6.1) lib/json/common.rb:216:in `parse'
from swd (1.3.0) lib/swd/resource.rb:37:in `handle_response'
from swd (1.3.0) lib/swd/resource.rb:19:in `block in discover!'
from swd (1.3.0) lib/swd/cache.rb:4:in `fetch'
from swd (1.3.0) lib/swd/resource.rb:18:in `discover!'
from openid_connect (7e5136cb3712) lib/openid_connect/discovery/provider/config.rb:7:in `discover!'
from omniauth_openid_connect (0.4.0) lib/omniauth/strategies/openid_connect.rb:98:in `config'
from omniauth_openid_connect (0.4.0) lib/omniauth/strategies/openid_connect.rb:187:in `public_key'
from omniauth_openid_connect (0.4.0) lib/omniauth/strategies/openid_connect.rb:234:in `decode_id_token'
from omniauth_openid_connect (0.4.0) lib/omniauth/strategies/openid_connect.rb:354:in `verify_id_token!'
from omniauth_openid_connect (0.4.0) lib/omniauth/strategies/openid_connect.rb:228:in `access_token'
from omniauth_openid_connect (0.4.0) lib/omniauth/strategies/openid_connect.rb:126:in `callback_phase'
from omniauth (1.9.1) lib/omniauth/strategy.rb:238:in `callback_call'
from omniauth (1.9.1) lib/omniauth/strategy.rb:189:in `call!'
from omniauth (1.9.1) lib/omniauth/strategy.rb:169:in `call'
from omniauth (1.9.1) lib/omniauth/builder.rb:45:in `call'
from omniauth (1.9.1) lib/omniauth/strategy.rb:420:in `call_app!'
from omniauth_openid_connect (0.4.0) lib/omniauth/strategies/openid_connect.rb:144:in `other_phase'
from omniauth (1.9.1) lib/omniauth/strategy.rb:190:in `call!'
from omniauth (1.9.1) lib/omniauth/strategy.rb:169:in `call'
from omniauth (1.9.1) lib/omniauth/builder.rb:45:in `call'
from omniauth (1.9.1) lib/omniauth/strategy.rb:192:in `call!'
from omniauth (1.9.1) lib/omniauth/strategy.rb:169:in `call'
from omniauth (1.9.1) lib/omniauth/builder.rb:45:in `call'
from rack-attack (6.6.1) lib/rack/attack.rb:127:in `call'
from engines/ee/multi_tenancy/config/initializers/apartment.rb:92:in `block in call'
from ros-apartment (2.11.0) lib/apartment/adapters/abstract_adapter.rb:89:in `switch'
from forwardable.rb:235:in `switch'
from engines/ee/multi_tenancy/config/initializers/apartment.rb:92:in `call'
from rack (2.2.3.1) lib/rack/session/abstract/id.rb:266:in `context'
from rack (2.2.3.1) lib/rack/session/abstract/id.rb:260:in `call'
from actionpack (6.1.6) lib/action_dispatch/middleware/cookies.rb:689:in `call'
from rack (2.2.3.1) lib/rack/etag.rb:27:in `call'
from rack (2.2.3.1) lib/rack/conditional_get.rb:27:in `call'
from rack (2.2.3.1) lib/rack/head.rb:12:in `call'
from actionpack (6.1.6) lib/action_dispatch/middleware/callbacks.rb:27:in `block in call'
from activesupport (6.1.6) lib/active_support/callbacks.rb:98:in `run_callbacks'
from actionpack (6.1.6) lib/action_dispatch/middleware/callbacks.rb:26:in `call'
from actionpack (6.1.6) lib/action_dispatch/middleware/actionable_exceptions.rb:18:in `call'
from sentry-rails (5.3.1) lib/sentry/rails/rescued_exception_interceptor.rb:12:in `call'
from actionpack (6.1.6) lib/action_dispatch/middleware/debug_exceptions.rb:29:in `call'
from sentry-ruby-core (5.3.1) lib/sentry/rack/capture_exceptions.rb:26:in `block (2 levels) in call'
from sentry-ruby-core (5.3.1) lib/sentry/hub.rb:199:in `with_session_tracking'
from sentry-ruby-core (5.3.1) lib/sentry-ruby.rb:351:in `with_session_tracking'
from sentry-ruby-core (5.3.1) lib/sentry/rack/capture_exceptions.rb:17:in `block in call'
from sentry-ruby-core (5.3.1) lib/sentry/hub.rb:59:in `with_scope'
from sentry-ruby-core (5.3.1) lib/sentry-ruby.rb:331:in `with_scope'
from sentry-ruby-core (5.3.1) lib/sentry/rack/capture_exceptions.rb:16:in `call'
from actionpack (6.1.6) lib/action_dispatch/middleware/show_exceptions.rb:33:in `call'
from rails_semantic_logger (4.10.0) lib/rails_semantic_logger/rack/logger.rb:43:in `call_app'
from rails_semantic_logger (4.10.0) lib/rails_semantic_logger/rack/logger.rb:28:in `call'
from actionpack (6.1.6) lib/action_dispatch/middleware/remote_ip.rb:81:in `call'
from actionpack (6.1.6) lib/action_dispatch/middleware/request_id.rb:26:in `call'
from rack (2.2.3.1) lib/rack/runtime.rb:22:in `call'
from activesupport (6.1.6) lib/active_support/cache/strategy/local_cache_middleware.rb:29:in `call'
from actionpack (6.1.6) lib/action_dispatch/middleware/executor.rb:14:in `call'
from rack (2.2.3.1) lib/rack/sendfile.rb:110:in `call'
from actionpack (6.1.6) lib/action_dispatch/middleware/host_authorization.rb:142:in `call'
from rack-cors (1.1.1) lib/rack/cors.rb:100:in `call'
from railties (6.1.6) lib/rails/engine.rb:539:in `call'
from puma (5.6.4) lib/puma/configuration.rb:252:in `call'
from puma (5.6.4) lib/puma/request.rb:77:in `block in handle_request'
from puma (5.6.4) lib/puma/thread_pool.rb:340:in `with_force_shutdown'
from puma (5.6.4) lib/puma/request.rb:76:in `handle_request'
from puma (5.6.4) lib/puma/server.rb:441:in `process_client'
from puma (5.6.4) lib/puma/thread_pool.rb:147:in `block in spawn_thread'
The stack trace seems to indicate that an HTML page is being parsed where JSON is expected. Is this a configuration issue on our side?
Thanks in advance for any hints. We'll investigate further from our side as well and will update the issue in case of any revelations.
Hello!
Glad to see that there have been some updates for this gem.
When investigatint the pcke-feature (#80) I have found a few forks that seems to be active:
Would it make sense to merge ranks with anyone of them?
Trying to hit /auth/openid_connect URL to invoke this strategy, but just get a 404. Is this supposed to work or is there some other way to invoke this strategy?
Context: I am setting up Greenlight for use with OpenIDConnect through your library
The initialization happens this way:
provider :openid_connect,
issuer: ENV["OPENID_CONNECT_ISSUER"],
discovery: true,
scope: [:email, :profile],
response_type: :code,
uid_field: ENV["OPENID_CONNECT_UID_FIELD"] || "preferred_username",
client_options: {
identifier: ENV['OPENID_CONNECT_CLIENT_ID'],
secret: ENV['OPENID_CONNECT_CLIENT_SECRET'],
redirect_uri: redirect
},
Unless explicitly configured by the user, redirect
will have a nil
value, which omniauth_openid_connect will handle by constructing the following authorization uri:
redirect_uri is missing, which is not valid per the OIDC spec
Other Omniauth providers I have looked at use Omniauth's callback_url
method to set the redirect_uri to a sensible default value when the user does not explicitely specify it. This makes configuration of OpenID Connect a little easier, by relieving the users from having to try and guess the correct callback URL when configuring an application that uses Omniauth.
I have tried the following change:
diff --git a/lib/omniauth/strategies/openid_connect.rb b/lib/omniauth/strategies/openid_connect.rb
index c7e86f7..ec37c7f 100644
--- a/lib/omniauth/strategies/openid_connect.rb
+++ b/lib/omniauth/strategies/openid_connect.rb
@@ -156,7 +156,7 @@ module OmniAuth
end
def authorize_uri
- client.redirect_uri = redirect_uri
+ client.redirect_uri = redirect_uri || callback_url
opts = {
response_type: options.response_type,
response_mode: options.response_mode,
which works for my use case, but breaks the unit tests in ways I cannot understand as someone not very familiar with Ruby
I like to avoid local patches or fetching from git repo.
@m0n9oose Do you plan to publish a new release with latest changes?
for example we redirect to
https://something.url/sso/users/auth/openid_connect?company=testing&redirect_uri=worklink%3A%2F%2F
Then in the callback phase the "redirect uris" don't match when requesting the resource in the AccessToken.
Seems like the solve is to not initially uri encode the "redirect_uri" in openid_connect.rb:286, since it gets encoded again when the uri we send the user to gets set.
Hello, I'm getting this error. Any ideas? Thank you.
(openid_connect) Callback phase initiated.
JSON::JWS::VerificationFailed (JSON::JWS::VerificationFailed):
json-jwt (1.13.0) lib/json/jws.rb:27:in verify!' json-jwt (1.13.0) lib/json/jws.rb:193:in
decode_compact_serialized'
json-jwt (1.13.0) lib/json/jwt.rb:104:in decode_compact_serialized' json-jwt (1.13.0) lib/json/jose.rb:65:in
decode'
openid_connect (1.2.0) lib/openid_connect/response_object/id_token.rb:70:in decode' omniauth_openid_connect (0.3.5) lib/omniauth/strategies/openid_connect.rb:229:in
decode_id_token'
Hey! I am facing an issue, which honestly might have more to do more to my own lack of knowledge on OIDC.
I created a client based on doorkeeper-gem/doorkeeper-devise-client, but refactored to make use of omniauth_openid_connect
Gem instead of a more generic omniauth-oauth2
startegy.
The issue is I can't get the User persisted:
app/controllers/users/omniauth_callbacks_controller.rb#L3-L5
Since request.env["omniauth.auth"]
doesn't have the right info
values (specifically email
is nil
):
#<OmniAuth::AuthHash credentials=#<OmniAuth::AuthHash expires_in=3600 id_token="eyJhbGciOiJSUzI1NiIsImtpZCI6InB1YmxpYzo2YTFhZmY1OS04ZTcxLTQ2M2UtYjAxMy1kYjFjMWZmNDIxNzgiLCJ0eXAiOiJKV1QifQ.eyJhdF9oYXNoIjoiQW9aYzAtZWh4cm5US2Z5d1VKV0RUUSIsImF1ZCI6WyJhdXRoLWNvZGUtY2xpZW50LTUiXSwiYXV0aF90aW1lIjoxNTg4NjEyMzA5LCJleHAiOjE1ODg2MTU5MTEsImlhdCI6MTU4ODYxMjMxMSwiaXNzIjoiaHR0cDovLzEyNy4wLjAuMTo0NDQ0LyIsImp0aSI6ImQ0M2I4ZTZjLTI4MzEtNDk3ZC04ODk0LWExYzRkYTg5MjliNyIsIm5vbmNlIjoiYmI0M2I2MzFkZDg4YzBkMDg3MWM5OTljOTU1M2NmYjYiLCJyYXQiOjE1ODg2MTIzMDQsInNpZCI6IjBiYWVhMTdjLTJiNDgtNDMwYy1hNmQ0LThlOTg2ZmY2NWZhZCIsInN1YiI6ImZvb0BiYXIuY29tIn0.jmQFF7hzx-a_Gm0TXmDb3sMizdZFUijbcANSo96yz704Ajw2F29cwiJqIgw09fiLVLdiL3uEMTpiqAryRo7Ke9iZwe8WoLXtGm8s7j3r-XL41Lo7mZH7k9w0gpx0sWhKib8dxvFE92BNXX0w5rw-JWdQ5V7SICKnT723TJwImVwj3XyS1YH0K_xz6jIMMr6tto7YUROKv65CQ0QlPSUonlDxq0dsmT9_3GyA8K1cfdpFDafDdT-fGhalbyykIiPviN-R4KAc_78LAAoYRgGEgF_sTBtw1WepRLbYnihmyx8p67S0UWqhdQqSIjIXa1qZNsK71b8cv6BVCkXcGZVe7u5yxheqQh3xRuMxX2J9UUzoH3CyjkJ1tsV5JiwsgTtBAUSy-ZfE88YAEwBrC_9zXhZPIjLospASLegPnBzhxb3atZGcxxeeqw9IJ6NbiUYE6O4WRhcyBJIiNfM52MIXJXCaxQb6MztKTFXla62FeOQV_z2RFnzsBbbwITL7sUccfUCOWifefbSJCG6U52ZcFXR2CVuPFEEv_P3Iwod7Xa-MkhpZxJ-HKJH2GUX3gzv4kVfJP0F_vRlo3uY67iQA702XnDajBPYfInkgraIiKMfOSAMfDlf_R5N4r6j5UQOKNSFik3_D3ognYpSG45eb3P0gTCCaMDfAc24hQa12HW4" refresh_token=nil scope="openid email profile" token="dO4HD_dSpfXE8sHA7nU-LY3LfEkeuzIuF5U81S_s7O4.W0sPbnCaDIBGE97MmyCMa-hPgUFst31j3KvP789BqQ8"> extra=#<OmniAuth::AuthHash raw_info=#<OmniAuth::AuthHash sid="0baea17c-2b48-430c-a6d4-8e986ff65fad" sub="[email protected]">> info=#<OmniAuth::AuthHash::InfoHash email=nil first_name=nil gender=nil image=nil last_name=nil name=nil nickname=nil phone=nil urls=#<OmniAuth::AuthHash website=nil>> provider=:hydra_oidc uid="[email protected]">
I get persistence validation errors:
{"email":["can't be blank"]}
This is the Omniauth config I am using:
config.omniauth :openid_connect, {
name: :hydra_oidc,
scope: [:openid, :email, :profile],
response_type: :code,
issuer: ENV['HYDRA_OIDC_URL'],
client_options: {
scheme: ENV['HYDRA_OIDC_SCHEME'],
host: ENV['HYDRA_OIDC_HOST'],
port: ENV['HYDRA_OIDC_PORT'],
identifier: ENV['HYDRA_OIDC_CLIENT_ID'],
secret: ENV['HYDRA_OIDC_CLIENT_SECRET'],
authorization_endpoint: "/oauth2/auth",
token_endpoint: "/oauth2/token",
userinfo_endpoint: "/userinfo"
}
I am using Hydra's example auth server to spin off an OpenID Connect server:
docker-compose -f quickstart.yml exec hydra \
hydra clients create \
--endpoint http://127.0.0.1:4445 \
--id my_rails_client \
--secret secret \
--grant-types authorization_code,refresh_token \
--response-types code \
--scope openid,email,profile,offline \
--callbacks http://localhost:5600/users/auth/hydra_oidc/callback \
--token-endpoint-auth-method client_secret_basic
Any hint would be very helpful, thanks!
At the callback_phase
if an error occurs on the fetch of the access_token
the strategy is not handling the error.
Error Trace:
Rack::OAuth2::Client::Error (invalid_client :: invalid client credentials):
rack-oauth2 (1.9.3) lib/rack/oauth2/client.rb:171:in `handle_error_response'
rack-oauth2 (1.9.3) lib/rack/oauth2/client.rb:148:in `handle_response'
rack-oauth2 (1.9.3) lib/rack/oauth2/client.rb:122:in `access_token!'
/Users/coffeebean/Bitbucket/omniauth_openid_connect/lib/omniauth/strategies/openid_connect.rb:189:in `access_token'
/Users/coffeebean/Bitbucket/omniauth_openid_connect/lib/omniauth/strategies/openid_connect.rb:114:in `callback_phase'
omniauth (1.9.0) lib/omniauth/strategy.rb:238:in `callback_call'
omniauth (1.9.0) lib/omniauth/strategy.rb:189:in `call!'
omniauth (1.9.0) lib/omniauth/strategy.rb:169:in `call'
exception_notification (4.3.0) lib/exception_notification/rack.rb:41:in `call'
warden (1.2.7) lib/warden/manager.rb:36:in `block in call'
warden (1.2.7) lib/warden/manager.rb:35:in `catch'
warden (1.2.7) lib/warden/manager.rb:35:in `call'
rack (1.6.11) lib/rack/etag.rb:24:in `call'
rack (1.6.11) lib/rack/conditionalget.rb:25:in `call'
rack (1.6.11) lib/rack/head.rb:13:in `call'
actionpack (4.2.11.1) lib/action_dispatch/middleware/params_parser.rb:27:in `call'
actionpack (4.2.11.1) lib/action_dispatch/middleware/flash.rb:260:in `call'
rack (1.6.11) lib/rack/session/abstract/id.rb:225:in `context'
rack (1.6.11) lib/rack/session/abstract/id.rb:220:in `call'
actionpack (4.2.11.1) lib/action_dispatch/middleware/cookies.rb:560:in `call'
activerecord (4.2.11.1) lib/active_record/query_cache.rb:36:in `call'
activerecord (4.2.11.1) lib/active_record/connection_adapters/abstract/connection_pool.rb:653:in `call'
activerecord (4.2.11.1) lib/active_record/migration.rb:377:in `call'
actionpack (4.2.11.1) lib/action_dispatch/middleware/callbacks.rb:29:in `block in call'
activesupport (4.2.11.1) lib/active_support/callbacks.rb:88:in `__run_callbacks__'
activesupport (4.2.11.1) lib/active_support/callbacks.rb:778:in `_run_call_callbacks'
activesupport (4.2.11.1) lib/active_support/callbacks.rb:81:in `run_callbacks'
actionpack (4.2.11.1) lib/action_dispatch/middleware/callbacks.rb:27:in `call'
actionpack (4.2.11.1) lib/action_dispatch/middleware/reloader.rb:73:in `call'
actionpack (4.2.11.1) lib/action_dispatch/middleware/remote_ip.rb:78:in `call'
actionpack (4.2.11.1) lib/action_dispatch/middleware/debug_exceptions.rb:17:in `call'
actionpack (4.2.11.1) lib/action_dispatch/middleware/show_exceptions.rb:30:in `call'
railties (4.2.11.1) lib/rails/rack/logger.rb:38:in `call_app'
railties (4.2.11.1) lib/rails/rack/logger.rb:20:in `block in call'
activesupport (4.2.11.1) lib/active_support/tagged_logging.rb:68:in `block in tagged'
activesupport (4.2.11.1) lib/active_support/tagged_logging.rb:26:in `tagged'
activesupport (4.2.11.1) lib/active_support/tagged_logging.rb:68:in `tagged'
railties (4.2.11.1) lib/rails/rack/logger.rb:20:in `call'
request_store (1.4.1) lib/request_store/middleware.rb:19:in `call'
actionpack (4.2.11.1) lib/action_dispatch/middleware/request_id.rb:21:in `call'
rack (1.6.11) lib/rack/methodoverride.rb:22:in `call'
rack (1.6.11) lib/rack/runtime.rb:18:in `call'
activesupport (4.2.11.1) lib/active_support/cache/strategy/local_cache_middleware.rb:28:in `call'
rack (1.6.11) lib/rack/lock.rb:17:in `call'
actionpack (4.2.11.1) lib/action_dispatch/middleware/static.rb:120:in `call'
rack (1.6.11) lib/rack/sendfile.rb:113:in `call'
railties (4.2.11.1) lib/rails/engine.rb:518:in `call'
railties (4.2.11.1) lib/rails/application.rb:165:in `call'
rack (1.6.11) lib/rack/content_length.rb:15:in `call'
puma (3.12.0) lib/puma/configuration.rb:225:in `call'
puma (3.12.0) lib/puma/server.rb:658:in `handle_request'
puma (3.12.0) lib/puma/server.rb:472:in `process_client'
puma (3.12.0) lib/puma/server.rb:332:in `block in run'
puma (3.12.0) lib/puma/thread_pool.rb:133:in `block in spawn_thread'
If we want to use a more recent version of the openid_connect gem (1.1.5 is the current latest), we need to update the gem dependency for openid_connect.
I created a pool request to address it: #2
A declarative, efficient, and flexible JavaScript library for building user interfaces.
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
The Web framework for perfectionists with deadlines.
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
We are working to build community through open source technology. NB: members must have two-factor auth.
Open source projects and samples from Microsoft.
Google ❤️ Open Source for everyone.
Alibaba Open Source for everyone
Data-Driven Documents codes.
China tencent open source team.