diff --git a/Gemfile b/Gemfile
index b83011542a..f74f8478c9 100644
--- a/Gemfile
+++ b/Gemfile
@@ -83,6 +83,7 @@ gem "omniauth-google-oauth2", ">= 0.6.0"
gem "omniauth-mediawiki", ">= 0.0.4"
gem "omniauth-microsoft_graph"
gem "omniauth-openid"
+gem "omniauth_openid_connect"
gem "omniauth-rails_csrf_protection", "~> 1.0"
# Doorkeeper for OAuth2
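Review bot: `gem "omniauth_openid_connect"` is added with no version constraint, while the neighbouring omniauth gems in this hunk carry one (`">= 0.0.4"`, `"~> 1.0"`). The lockfile in this same commit resolves it to 0.8.0, a pre-1.0 release where a minor bump may change behaviour, so pinning `gem "omniauth_openid_connect", "~> 0.8"` keeps a later `bundle update` from silently pulling an incompatible version of an authentication-critical dependency. This also matches how the other provider gems in the file are declared.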
diff --git a/Gemfile.lock b/Gemfile.lock
index 8cf541e220..ba07965f75 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -101,6 +101,7 @@ GEM
tzinfo (~> 2.0, >= 2.0.5)
addressable (2.8.7)
public_suffix (>= 2.0.2, < 7.0)
+ aes_key_wrap (1.1.0)
annotate (3.2.0)
activerecord (>= 3.2, < 8.0)
rake (>= 10.4, < 14.0)
@@ -108,6 +109,7 @@ GEM
ffi (~> 1.15)
ffi-compiler (~> 1.0)
ast (2.4.2)
+ attr_required (1.0.2)
autoprefixer-rails (10.4.19.0)
execjs (~> 2)
aws-eventstream (1.3.0)
@@ -139,6 +141,7 @@ GEM
parser (>= 2.4)
smart_properties
bigdecimal (3.1.8)
+ bindata (2.5.0)
binding_of_caller (1.0.1)
debug_inspector (>= 1.2.0)
bootsnap (1.18.4)
@@ -253,6 +256,8 @@ GEM
dry-initializer (~> 3.0)
dry-schema (>= 1.12, < 2)
zeitwerk (~> 2.6)
+ email_validator (2.2.4)
+ activemodel
erb_lint (0.7.0)
activesupport
better_html (>= 2.0.1)
@@ -272,6 +277,8 @@ GEM
faraday-net_http (>= 2.0, < 3.4)
json
logger
+ faraday-follow_redirects (0.3.0)
+ faraday (>= 1, < 3)
faraday-http-cache (2.5.1)
faraday (>= 0.8)
faraday-net_http (3.3.0)
@@ -343,6 +350,13 @@ GEM
railties (>= 4.2.0)
thor (>= 0.14, < 2.0)
json (2.7.2)
+ json-jwt (1.16.7)
+ activesupport (>= 4.2)
+ aes_key_wrap
+ base64
+ bindata
+ faraday (~> 2.0)
+ faraday-follow_redirects
jwt (2.9.3)
base64
kgio (2.11.4)
@@ -450,7 +464,23 @@ GEM
omniauth-rails_csrf_protection (1.0.2)
actionpack (>= 4.2)
omniauth (~> 2.0)
+ omniauth_openid_connect (0.8.0)
+ omniauth (>= 1.9, < 3)
+ openid_connect (~> 2.2)
open4 (1.3.4)
+ openid_connect (2.3.1)
+ activemodel
+ attr_required (>= 1.0.0)
+ email_validator
+ faraday (~> 2.0)
+ faraday-follow_redirects
+ json-jwt (>= 1.16)
+ mail
+ rack-oauth2 (~> 2.2)
+ swd (~> 2.0)
+ tzinfo
+ validate_url
+ webfinger (~> 2.0)
openstreetmap-deadlock_retry (1.3.1)
ostruct (0.6.0)
overcommit (0.64.0)
@@ -475,6 +505,13 @@ GEM
rack (2.2.10)
rack-cors (2.0.2)
rack (>= 2.0.0)
+ rack-oauth2 (2.2.1)
+ activesupport
+ attr_required
+ faraday (~> 2.0)
+ faraday-follow_redirects
+ json-jwt (>= 1.11.0)
+ rack (>= 2.1.0)
rack-openid (1.4.2)
rack (>= 1.1.0)
ruby-openid (>= 2.1.8)
@@ -623,6 +660,11 @@ GEM
stringio (3.1.1)
strong_migrations (1.8.0)
activerecord (>= 5.2)
+ swd (2.0.3)
+ activesupport (>= 3)
+ attr_required (>= 0.0.5)
+ faraday (~> 2.0)
+ faraday-follow_redirects
teaspoon (1.4.0)
railties (>= 5.0)
teaspoon-mocha (2.3.3)
@@ -642,11 +684,18 @@ GEM
unicode-display_width (2.6.0)
uri (0.13.1)
useragent (0.16.10)
+ validate_url (1.0.15)
+ activemodel (>= 3.0.0)
+ public_suffix
validates_email_format_of (1.8.2)
i18n (>= 0.8.0)
simpleidn
vendorer (0.2.0)
version_gem (1.1.4)
+ webfinger (2.1.3)
+ activesupport
+ faraday (~> 2.0)
+ faraday-follow_redirects
webmock (3.24.0)
addressable (>= 2.8.0)
crack (>= 0.3.2)
@@ -733,6 +782,7 @@ DEPENDENCIES
omniauth-microsoft_graph
omniauth-openid
omniauth-rails_csrf_protection (~> 1.0)
+ omniauth_openid_connect
openstreetmap-deadlock_retry (>= 1.3.1)
overcommit
pg
diff --git a/app/assets/images/auth_providers/openstreetmap.svg b/app/assets/images/auth_providers/openstreetmap.svg
new file mode 100644
index 0000000000..4189d70e7a
--- /dev/null
+++ b/app/assets/images/auth_providers/openstreetmap.svg
@@ -0,0 +1,323 @@
+
diff --git a/app/controllers/users_controller.rb b/app/controllers/users_controller.rb
index 63a83ad1da..117ea892c6 100644
--- a/app/controllers/users_controller.rb
+++ b/app/controllers/users_controller.rb
@@ -201,7 +201,7 @@ def auth_success
when "openid"
uid.match(%r{https://www.google.com/accounts/o8/id?(.*)}) ||
uid.match(%r{https://me.yahoo.com/(.*)})
- when "google", "facebook", "microsoft", "github", "wikipedia"
+ when "google", "facebook", "microsoft", "github", "wikipedia", "openstreetmap"
true
else
false
diff --git a/config/initializers/omniauth.rb b/config/initializers/omniauth.rb
index bce82b3c94..c14f9a612f 100644
--- a/config/initializers/omniauth.rb
+++ b/config/initializers/omniauth.rb
@@ -27,11 +27,26 @@
microsoft_options = { :name => "microsoft", :scope => "openid User.Read" }
github_options = { :name => "github", :scope => "user:email" }
wikipedia_options = { :name => "wikipedia", :client_options => { :site => "https://meta.wikimedia.org" } }
+osm_oidc_options = { :name => :openstreetmap,
+ :scope => [Settings.openstreetmap_auth_scopes, :openid].flatten.compact.uniq.map(&:to_sym),
+ :issuer => "https://www.openstreetmap.org",
+ :discovery => true,
+ :response_type => :code,
+ :uid_field => "preferred_username",
+ :client_options => {
+ :port => 443,
+ :scheme => "https",
+ :host => "www.openstreetmap.org",
+ :identifier => Settings.openstreetmap_auth_id,
+ :secret => Settings.openstreetmap_auth_secret,
+ :redirect_uri => format("%s://%s/auth/openstreetmap/callback", :protocol => Settings.server_protocol, :server_url => Settings.server_url)
+ } }
google_options[:openid_realm] = Settings.google_openid_realm if Settings.key?(:google_openid_realm)
Rails.application.config.middleware.use OmniAuth::Builder do
provider :openid, openid_options
+ provider :openid_connect, osm_oidc_options
provider :google_oauth2, Settings.google_auth_id, Settings.google_auth_secret, google_options if Settings.key?(:google_auth_id)
provider :facebook, Settings.facebook_auth_id, Settings.facebook_auth_secret, facebook_options if Settings.key?(:facebook_auth_id)
provider :microsoft_graph, Settings.microsoft_auth_id, Settings.microsoft_auth_secret, microsoft_options if Settings.key?(:microsoft_auth_id)
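Review bot: `provider :openid_connect, osm_oidc_options` is registered unconditionally, whereas every other provider in this block is guarded with `if Settings.key?(...)` and the `lib/auth.rb` hunk only advertises OpenStreetMap when `openstreetmap_auth_id` is set; with those settings left commented out as in `config/settings.yml`, the `/auth/openstreetmap` strategy is still mounted with a nil `:identifier` and `:secret`. The line should read `provider :openid_connect, osm_oidc_options if Settings.key?(:openstreetmap_auth_id)`. Separately, `:uid_field => "preferred_username"` keys the linked account to a username rather than the stable `sub` claim; if usernames can be changed or later reassigned at the identity provider, the association (accepted as-is by the new `"openstreetmap"` branch of `auth_success` in users_controller.rb) would follow the name, so `:uid_field => "sub"` is the safer identifier — confirm against what the provider actually emits. Finally, as rendered here the `:redirect_uri` format string uses positional `%s` placeholders with a named-argument hash, which `format` rejects at boot; if the original reads `%<protocol>s://%<server_url>s` this is only a rendering artifact, otherwise it needs that named form.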
diff --git a/config/locales/en.yml b/config/locales/en.yml
index f68488c09c..b2d81debac 100644
--- a/config/locales/en.yml
+++ b/config/locales/en.yml
@@ -221,6 +221,7 @@ en:
microsoft: Microsoft
github: GitHub
wikipedia: Wikipedia
+ openstreetmap: OpenStreetMap
api:
notes:
comment:
@@ -2594,6 +2595,9 @@ en:
wikipedia:
title: Log in with Wikipedia
alt: Wikipedia logo
+ openstreetmap:
+ title: Log in with OpenStreetMap
+ alt: OpenStreetMap logo
oauth:
permissions:
missing: "You have not permitted the application access to this facility"
diff --git a/config/settings.yml b/config/settings.yml
index b5a565b133..121fb055b6 100644
--- a/config/settings.yml
+++ b/config/settings.yml
@@ -135,6 +135,15 @@ fossgis_valhalla_url: "https://valhalla1.openstreetmap.de/route"
#microsoft_auth_secret: ""
#wikipedia_auth_id: ""
#wikipedia_auth_secret: ""
+
+# Settings to use osm.org production as identity provider
+# Requires confidential OAuth2 app on osm.org with scope "openid"
+# and callback http(s)://{other site}/auth/openstreetmap/callback
+#openstreetmap_auth_id: ""
+#openstreetmap_auth_secret: ""
+# Define additional scopes (openid scope is included by default)
+#openstreetmap_auth_scopes: ["read_email", "skip_authorization"]
+
# Thunderforest authentication details
#thunderforest_key: ""
# Tracestrack authentication details
diff --git a/lib/auth.rb b/lib/auth.rb
index 7297724777..f89cdf38fb 100644
--- a/lib/auth.rb
+++ b/lib/auth.rb
@@ -10,6 +10,7 @@ def self.providers
providers[I18n.t("auth.providers.microsoft")] = "microsoft" if Settings.key?(:microsoft_auth_id)
providers[I18n.t("auth.providers.github")] = "github" if Settings.key?(:github_auth_id)
providers[I18n.t("auth.providers.wikipedia")] = "wikipedia" if Settings.key?(:wikipedia_auth_id)
+ providers[I18n.t("auth.providers.openstreetmap")] = "openstreetmap" if Settings.key?(:openstreetmap_auth_id)
end.freeze
end
end