Add OpenID Connect login support (#77)

* Add OpenID Connect login support * Add docs for OIDC config with Google Auth * Use Google styles for log in - Add support for linking existing account - Force users to sign-in with passoword first, when linking existing accounts - Add support to create new user when using OIDC - Add identities to user to prevent account take-ver - Make tests mocking instead of being integration tests - Manage session handling correctly - use OmniAuth.config.mock_auth instead of passing auth data via request env * Conditionally render Oauth button - Set a config item `configuration.x.auth.oidc_enabled` - Hide button if disabled --------- Signed-off-by: Juan José Mata <juanjo.mata@gmail.com> Signed-off-by: soky srm <sokysrm@gmail.com> Co-authored-by: sokie <sokysrm@gmail.com>
2026-04-20 04:24:06 +00:00 · 2025-10-24 16:07:45 +02:00
parent d51ba515c9
commit 768e85ce08
29 changed files with 997 additions and 25 deletions
--- a/config/initializers/omniauth.rb
+++ b/config/initializers/omniauth.rb
@@ -0,0 +1,29 @@
+# frozen_string_literal: true
+
+require "omniauth/rails_csrf_protection"
+
+# Configure OmniAuth for production or test environments
+# In test mode, OmniAuth will use mock data instead of real provider configuration
+required_env = %w[OIDC_ISSUER OIDC_CLIENT_ID OIDC_CLIENT_SECRET OIDC_REDIRECT_URI]
+missing = required_env.select { |k| ENV[k].blank? }
+if missing.empty? || Rails.env.test?
+  Rails.application.config.middleware.use OmniAuth::Builder do
+    provider :openid_connect,
+             name: :openid_connect,
+             scope: %i[openid email profile],
+             response_type: :code,
+             issuer: ENV["OIDC_ISSUER"].to_s.strip || "https://test.example.com",
+             discovery: true,
+             pkce: true,
+             client_options: {
+               identifier: ENV["OIDC_CLIENT_ID"] || "test_client_id",
+               secret: ENV["OIDC_CLIENT_SECRET"] || "test_client_secret",
+               redirect_uri: ENV["OIDC_REDIRECT_URI"] || "http://test.example.com/callback"
+             }
+  end
+  Rails.configuration.x.auth.oidc_enabled = true
+else
+  Rails.logger.warn("OIDC not enabled: missing env vars: #{missing.join(', ')}")
+  raise "Missing required OIDC env vars: #{missing.join(', ')}" if Rails.env.production?
+  Rails.configuration.x.auth.oidc_enabled = false
+end