Add openid connect support using doorkeeper-openid_connect gem #4226
Conversation
db/migrate/20230830115220_validate_create_doorkeeper_openid_connect_tables.rb
Show resolved
Hide resolved
Thanks for the quick review! I will look into addressing your comments. |
|
I reran the actions as they failed due to some github issue and the rubocop run has now picked up a bunch more things. |
|
I think from https://github.com/doorkeeper-gem/doorkeeper-openid_connect#internationalization-i18n that they will actually be found in the gem - the installer just added a copy of them so they could be customised. That said it may be worth adding them so they can be translated - the main doorkeeper ones don't need to be as the |
milan-cvetkovic
force-pushed
the
openid-connect
branch
from
0c6fa1c to
c5aa754
Compare
There was a problem hiding this comment.
Some more review comments based on my initial reading of the specification and the gem documentation.
I think we need to understand exactly the interaction between claims and scopes and which scopes we need to enable the different claims and I still need to read up on discovery though I'm not sure if that matters to us.
We also need to think about whether we want to make this generally available or whether it should be privileged and just to support internal use cases like the wiki.
milan-cvetkovic
force-pushed
the
openid-connect
branch
4 times, most recently
from
a4653bc to
33e45d0
Compare
|
I added ID_TOKEN and userinfo response now contain Please let me know if I should create separate |
|
The |
|
EDIT: this modification has been reverted. I added a separate ID_TOKEN contains:
Only claims appropriate for the scope are returned:
|
milan-cvetkovic
force-pushed
the
openid-connect
branch
from
6756888 to
33e45d0
Compare
The well-known endpoints (discovery) are required for openid connect to work, at least using doorkeeper-openid_connect plugin. In particular, the openid-configuration endpoint is queried for token_endpoint, jwksuri_endpoint and userinfo_endpont used in later phases. Any 3rd party app using OSM as ID provider would require at least a persistent value correlated to userid, which would be returned as a |
|
Sure I realise we need to provide an ID but I didn't realise discovery was essential since it seemed to be a separate component but if we need it then fine. One thing we do need to think about is how to test this... |
|
I tested most of the flow manually. I did try to write automated tests, but was not successful. The most I got is to verify the existence of discovery endpoints. I am not too familiar with the testing framework, but the problems started when initiating authorization, the test was not able to access the endpoints reported by openid-configuration, as if the routes were not present. |
milan-cvetkovic
force-pushed
the
openid-connect
branch
from
33e45d0 to
b308c5f
Compare
|
@tomhughes I have added an openid connect test to oauth2 integration test. Are there more changes to this PR that you had in mind? |
milan-cvetkovic
force-pushed
the
openid-connect
branch
from
b308c5f to
78854f4
Compare
I've done a new review which is mostly about the test. Other than that it's on the agenda for this weeks operations call to discuss whether we want to make this globally available or keep it for internal use. I had hoped to have that discussion on the last call but we ran out of time. |
milan-cvetkovic
force-pushed
the
openid-connect
branch
5 times, most recently
from
43e03c2 to
c9f0582
Compare
|
@tomhughes Any updates with this PR? |
After executing: rails generate doorkeeper:openid_connect:install rails generate doorkeeper:openid_connect:install Split migration script to 2 to avoid deadlock.
... as discussed in [Issue 507](openstreetmap/operations#507) and described by @mmd-osm. To activate, set the value of `doorkeeper_signing_key` to RSA private key. Allows using openstreetmap as an identity provider. Adds `openid` scope to OAuth2 authorizations, required to login to OSM. Currently, the only claims returned are: - "openid" scope: "sub" and "preferred_username" - "read_email" scope: "email"
tomhughes
force-pushed
the
openid-connect
branch
from
c9f0582 to
408f291
Compare
|
I made a few minor textual cleanups and merged this. As it involves a migration I'm going to wait until the database backup which is currently running completes (which should be tomorrow) before deploying it. |
...as discussed in Issue 507 and described by @mmd-osm.
To activate, set the value of
doorkeeper_signing_keyto pem of the RSA private key.Allows using openstreetmap as an identity provider.
Adds
openidscope to OAuth2 authorizations, required to login to OSM.Currently, the only claims returned are
subandpreferred_username.