Add OpenID Connect login support (#77)

* Add OpenID Connect login support * Add docs for OIDC config with Google Auth * Use Google styles for log in - Add support for linking existing account - Force users to sign-in with passoword first, when linking existing accounts - Add support to create new user when using OIDC - Add identities to user to prevent account take-ver - Make tests mocking instead of being integration tests - Manage session handling correctly - use OmniAuth.config.mock_auth instead of passing auth data via request env * Conditionally render Oauth button - Set a config item `configuration.x.auth.oidc_enabled` - Hide button if disabled --------- Signed-off-by: Juan José Mata <juanjo.mata@gmail.com> Signed-off-by: soky srm <sokysrm@gmail.com> Co-authored-by: sokie <sokysrm@gmail.com>
2026-04-21 13:04:18 +00:00 · 2025-10-24 16:07:45 +02:00
parent d51ba515c9
commit 768e85ce08
29 changed files with 997 additions and 25 deletions
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -85,10 +85,12 @@ GEM
      tzinfo (~> 2.0, >= 2.0.5)
    addressable (2.8.7)
      public_suffix (>= 2.0.2, < 7.0)
+    aes_key_wrap (1.1.0)
    after_commit_everywhere (1.6.0)
      activerecord (>= 4.2)
      activesupport
    ast (2.4.3)
+    attr_required (1.0.2)
    aws-eventstream (1.4.0)
    aws-partitions (1.1113.0)
    aws-sdk-core (3.225.1)
@@ -119,6 +121,7 @@ GEM
      parser (>= 2.4)
      smart_properties
    bigdecimal (3.2.2)
+    bindata (2.5.1)
    bindex (0.8.1)
    bootsnap (1.18.6)
      msgpack (~> 1.2)
@@ -182,6 +185,8 @@ GEM
      dotenv (= 3.1.8)
      railties (>= 6.1)
    drb (2.2.3)
+    email_validator (2.2.4)
+      activemodel
    erb (5.0.1)
    erb_lint (0.9.0)
      activesupport
@@ -200,6 +205,8 @@ GEM
      faraday-net_http (>= 2.0, < 3.5)
      json
      logger
+    faraday-follow_redirects (0.3.0)
+      faraday (>= 1, < 3)
    faraday-multipart (1.1.1)
      multipart-post (~> 2.0)
    faraday-net_http (3.4.1)
@@ -224,6 +231,7 @@ GEM
    globalid (1.2.1)
      activesupport (>= 6.1)
    hashdiff (1.2.0)
+    hashie (5.0.0)
    heapy (0.2.0)
      thor
    highline (3.1.2)
@@ -276,6 +284,13 @@ GEM
      activesupport (>= 5.0.0)
    jmespath (1.6.2)
    json (2.12.2)
+    json-jwt (1.16.7)
+      activesupport (>= 4.2)
+      aes_key_wrap
+      base64
+      bindata
+      faraday (~> 2.0)
+      faraday-follow_redirects
    jwt (2.10.2)
      base64
    langfuse-ruby (0.1.4)
@@ -374,6 +389,29 @@ GEM
    octokit (10.0.0)
      faraday (>= 1, < 3)
      sawyer (~> 0.9)
+    omniauth (2.1.3)
+      hashie (>= 3.4.6)
+      rack (>= 2.2.3)
+      rack-protection
+    omniauth-rails_csrf_protection (1.0.2)
+      actionpack (>= 4.2)
+      omniauth (~> 2.0)
+    omniauth_openid_connect (0.8.0)
+      omniauth (>= 1.9, < 3)
+      openid_connect (~> 2.2)
+    openid_connect (2.3.1)
+      activemodel
+      attr_required (>= 1.0.0)
+      email_validator
+      faraday (~> 2.0)
+      faraday-follow_redirects
+      json-jwt (>= 1.16)
+      mail
+      rack-oauth2 (~> 2.2)
+      swd (~> 2.0)
+      tzinfo
+      validate_url
+      webfinger (~> 2.0)
    ostruct (0.6.2)
    pagy (9.3.5)
    parallel (1.27.0)
@@ -409,6 +447,17 @@ GEM
      rack (>= 1.0, < 4)
    rack-mini-profiler (4.0.0)
      rack (>= 1.2.0)
+    rack-oauth2 (2.2.1)
+      activesupport
+      attr_required
+      faraday (~> 2.0)
+      faraday-follow_redirects
+      json-jwt (>= 1.11.0)
+      rack (>= 2.1.0)
+    rack-protection (4.1.1)
+      base64 (>= 0.1.0)
+      logger (>= 1.6.0)
+      rack (>= 3.0.0, < 4)
    rack-session (2.1.1)
      base64 (>= 0.1.0)
      rack (>= 3.0.0)
@@ -567,6 +616,11 @@ GEM
      railties (>= 6.0.0)
    stringio (3.1.7)
    stripe (15.3.0)
+    swd (2.0.3)
+      activesupport (>= 3)
+      attr_required (>= 0.0.5)
+      faraday (~> 2.0)
+      faraday-follow_redirects
    tailwindcss-rails (4.2.3)
      railties (>= 7.0.0)
      tailwindcss-ruby (~> 4.0)
@@ -593,6 +647,9 @@ GEM
    unicode-emoji (4.0.4)
    uri (1.0.3)
    useragent (0.16.11)
+    validate_url (1.0.15)
+      activemodel (>= 3.0.0)
+      public_suffix
    vcr (6.3.1)
      base64
    vernier (1.8.0)
@@ -605,6 +662,10 @@ GEM
      activemodel (>= 6.0.0)
      bindex (>= 0.4.0)
      railties (>= 6.0.0)
+    webfinger (2.1.3)
+      activesupport
+      faraday (~> 2.0)
+      faraday-follow_redirects
    webmock (3.25.1)
      addressable (>= 2.8.0)
      crack (>= 0.3.2)
@@ -668,6 +729,9 @@ DEPENDENCIES
  lucide-rails!
  mocha
  octokit
+  omniauth (~> 2.1)
+  omniauth-rails_csrf_protection
+  omniauth_openid_connect
  ostruct
  pagy
  pg (~> 1.5)