QT/sure
1
0
Fork 0
mirror of https://github.com/we-promise/sure.git synced 2026-04-08 14:54:49 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
d4ab29ae1bc03f6bae073d9669aa32f434cc94de
sure/config/initializers/omniauth.rb
LPW b23711ae0d Add configurable multi-provider SSO, SSO-only mode, and JIT controls via auth.yml (#441) 
* Add configuration and logic for dynamic SSO provider support and stricter JIT account creation

- Introduced `config/auth.yml` for centralized auth configuration and documentation.
- Added support for multiple SSO providers, including Google, GitHub, and OpenID Connect.
- Implemented stricter JIT SSO account creation modes (`create_and_link` vs `link_only`).
- Enabled optional restriction of JIT creation by allowed email domains.
- Enhanced OmniAuth initializer for dynamic provider setup and better configurability.
- Refined login UI to handle local login disabling and emergency super-admin override.
- Updated account creation flow to respect JIT mode and domain checks.
- Added tests for SSO account creation, login form visibility, and emergency overrides.

# Conflicts:
#	app/controllers/sessions_controller.rb

* remove non-translation

* Refactor authentication views to use translation keys and update locale files

- Extracted hardcoded strings in `oidc_accounts/link.html.erb` and `sessions/new.html.erb` into translation keys for better localization support.
- Added missing translations for English and Spanish in `sessions` and `oidc_accounts` locale files.

* Enhance OmniAuth provider configuration and refine local login override logic

- Updated OmniAuth initializer to support dynamic provider configuration with `name` and scoped parameters for Google and GitHub.
- Improved local login logic to enforce stricter handling of super-admin override when local login is disabled.
- Added test for invalid super-admin override credentials.

* Document Google sign-in configuration for local development and self-hosted environments

---------

Co-authored-by: Josh Waldrep <joshua.waldrep5+github@gmail.com>
2025-12-24 00:15:53 +01:00

77 lines
2.8 KiB
Ruby
Raw Blame History

# frozen_string_literal: true
require "omniauth/rails_csrf_protection"
Rails.configuration.x.auth.oidc_enabled = false
Rails.configuration.x.auth.sso_providers ||= []
Rails.application.config.middleware.use OmniAuth::Builder do
(Rails.configuration.x.auth.providers || []).each do |raw_cfg|
cfg = raw_cfg.deep_symbolize_keys
strategy = cfg[:strategy].to_s
name = (cfg[:name] || cfg[:id]).to_s
case strategy
when "openid_connect"
required_env = %w[OIDC_ISSUER OIDC_CLIENT_ID OIDC_CLIENT_SECRET OIDC_REDIRECT_URI]
enabled = Rails.env.test? || required_env.all? { |k| ENV[k].present? }
next unless enabled
issuer = (ENV["OIDC_ISSUER"].presence || "https://test.example.com").to_s.strip
client_id = ENV["OIDC_CLIENT_ID"].presence || "test_client_id"
client_secret = ENV["OIDC_CLIENT_SECRET"].presence || "test_client_secret"
redirect_uri = ENV["OIDC_REDIRECT_URI"].presence || "http://test.example.com/callback"
provider :openid_connect,
name: name.to_sym,
scope: %i[openid email profile],
response_type: :code,
issuer: issuer,
discovery: true,
pkce: true,
client_options: {
identifier: client_id,
secret: client_secret,
redirect_uri: redirect_uri
}
Rails.configuration.x.auth.oidc_enabled = true
Rails.configuration.x.auth.sso_providers << cfg.merge(name: name)
when "google_oauth2"
client_id = ENV["GOOGLE_OAUTH_CLIENT_ID"].presence || (Rails.env.test? ? "test_client_id" : nil)
client_secret = ENV["GOOGLE_OAUTH_CLIENT_SECRET"].presence || (Rails.env.test? ? "test_client_secret" : nil)
next unless client_id.present? && client_secret.present?
provider :google_oauth2,
client_id,
client_secret,
{
name: name.to_sym,
scope: "userinfo.email,userinfo.profile"
}
Rails.configuration.x.auth.sso_providers << cfg.merge(name: name)
when "github"
client_id = ENV["GITHUB_CLIENT_ID"].presence || (Rails.env.test? ? "test_client_id" : nil)
client_secret = ENV["GITHUB_CLIENT_SECRET"].presence || (Rails.env.test? ? "test_client_secret" : nil)
next unless client_id.present? && client_secret.present?
provider :github,
client_id,
client_secret,
{
name: name.to_sym,
scope: "user:email"
}
Rails.configuration.x.auth.sso_providers << cfg.merge(name: name)
end
end
end
if Rails.configuration.x.auth.sso_providers.empty?
Rails.logger.warn("No SSO providers enabled; check auth.yml / ENV configuration")
end
Reference in New Issue View Git Blame Copy Permalink