Home

Awesome

OmniAuth::OpenIDConnect

Originally was omniauth-openid-connect

I've forked this repository and launch as separate gem because maintaining of original was dropped.

Build Status Coverage Status

Installation

Add this line to your application's Gemfile:

gem 'omniauth_openid_connect'

And then execute:

$ bundle

Or install it yourself as:

$ gem install omniauth_openid_connect

Supported Ruby Versions

OmniAuth::OpenIDConnect is tested under 2.7, 3.0, 3.1, 3.2

Usage

Example configuration

Rails.application.config.middleware.use OmniAuth::Builder do
  provider :openid_connect, {
    name: :my_provider,
    scope: [:openid, :email, :profile, :address],
    response_type: :code,
    uid_field: "preferred_username",
    client_options: {
      port: 443,
      scheme: "https",
      host: "myprovider.com",
      identifier: ENV["OP_CLIENT_ID"],
      secret: ENV["OP_SECRET_KEY"],
      redirect_uri: "http://myapp.com/users/auth/openid_connect/callback",
    },
  }
end

with Devise

Devise.setup do |config|
  config.omniauth :openid_connect, {
    name: :my_provider,
    scope: [:openid, :email, :profile, :address],
    response_type: :code,
    uid_field: "preferred_username",
    client_options: {
      port: 443,
      scheme: "https",
      host: "myprovider.com",
      identifier: ENV["OP_CLIENT_ID"],
      secret: ENV["OP_SECRET_KEY"],
      redirect_uri: "http://myapp.com/users/auth/openid_connect/callback",
    },
  }
end

Options Overview

FieldDescriptionRequiredDefaultExample/Options
nameArbitrary string to identify connection and identify it from other openid_connect providersnoString: openid_connect:my_idp
issuerRoot url for the authorization serveryeshttps://myprovider.com
discoveryShould OpenID discovery be used. This is recommended if the IDP provides a discovery endpoint. See client config for how to manually enter discovered values.nofalseone of: true, false
client_auth_methodWhich authentication method to use to authenticate your app with the authorization servernoSym: basic"basic", "jwks"
scopeWhich OpenID scopes to include (:openid is always required)noArray<sym> [:openid][:openid, :profile, :email]
response_typeWhich OAuth2 response type to use with the authorization requestnoString: codeone of: 'code', 'id_token'
stateA value to be used for the OAuth2 state parameter on the authorization request. Can be a proc that generates a string.noRandom 16 character stringProc.new { SecureRandom.hex(32) }
require_stateShould the callback phase require that a state is present. If send_state is true, then the callback state must match the authorize state. This is recommended, not required by the OIDC specification.notruefalse
send_stateShould the authorize phase send a state parameter - this is recommended, not required by the OIDC specificationnotruefalse
response_modeThe response mode per specnonilone of: :query, :fragment, :form_post, :web_message
displayAn optional parameter to the authorization request to determine how the authorization and consent pagenonilone of: :page, :popup, :touch, :wap
promptAn optional parameter to the authorization request to determine what pages the user will be shownnonilone of: :none, :login, :consent, :select_account
send_scope_to_token_endpointShould the scope parameter be sent to the authorization token endpoint?notrueone of: true, false
post_logout_redirect_uriThe logout redirect uri to use per the session management draftnoemptyhttps://myapp.com/logout/callback
uid_fieldThe field of the user info response to be used as a unique idno'sub'"sub", "preferred_username"
extra_authorize_paramsA hash of extra fixed parameters that will be merged to the authorization requestnoHash{"tenant" => "common"}
allow_authorize_paramsA list of allowed dynamic parameters that will be merged to the authorization requestnoArray[:screen_name]
pkceEnable PKCE flownofalseone of: true, false
pkce_verifierSpecify a custom PKCE verifier code.noA random 128-char stringProc.new { SecureRandom.hex(64) }
pkce_optionsSpecify a custom implementation of the PKCE code challenge/method.noSHA256(code_challenge) in hexProc to customise the code challenge generation
client_optionsA hash of client options detailed in its own sectionyes
jwt_secret_base64For HMAC with SHA2 (e.g. HS256) signing algorithms, specify the base64-encoded secret used to sign the JWT token. Defaults to the OAuth2 client secret if not specified.noclient_options.secret"bXlzZWNyZXQ=\n"
logout_pathThe log out is only triggered when the request path ends on this pathno'/logout''/sign_out'
acr_valuesAuthentication Class Reference (ACR) values to be passed to the authorize_uri to enforce a specific level, see RFC9470nonil"c1 c2"

Client Config Options

These are the configuration options for the client_options hash of the configuration.

FieldDescriptionDefaultReplaced by discovery?
identifierThe OAuth2 client_id
secretThe OAuth2 client secret
redirect_uriThe OAuth2 authorization callback url in your app
schemeThe http scheme to usehttps
hostThe host of the authorization servernil
portThe port for the authorization server443
audienceThe intended consumer (aud field) of the id_tokennil
authorization_endpointThe authorize endpoint on the authorization server/authorizeyes
token_endpointThe token endpoint on the authorization server/tokenyes
userinfo_endpointThe user info endpoint on the authorization server/userinfoyes
jwks_uriThe jwks_uri on the authorization server/jwkyes
end_session_endpointThe url to call to log the user out at the authorization servernilyes

Additional Configuration Notes

NOTE: if you use this gem with Devise you should use :openid_connect name, or Devise would route to 'users/auth/:provider' rather than 'users/auth/openid_connect'

Additional notes

For the full low down on OpenID Connect, please check out the spec.

Contributing

  1. Fork it ( http://github.com/omniauth/omniauth_openid_connect/fork )
  2. Create your feature branch (git checkout -b my-new-feature)
  3. Cover your changes with tests and make sure they're green (bundle install && bundle exec rake test)
  4. Commit your changes (git commit -am 'Add some feature')
  5. Push to the branch (git push origin my-new-feature)
  6. Create new Pull Request