Using osm.org as identity provider for non-"osm.org production" Rails instances

Gemfile

@@ -83,6 +83,7 @@ gem "omniauth-google-oauth2", ">= 0.6.0"
 gem "omniauth-mediawiki", ">= 0.0.4"
 gem "omniauth-microsoft_graph"
 gem "omniauth-openid"
+gem "omniauth_openid_connect"
 gem "omniauth-rails_csrf_protection", "~> 1.0"
 
 # Doorkeeper for OAuth2

Gemfile.lock

@@ -101,13 +101,15 @@ GEM
       tzinfo (~> 2.0, >= 2.0.5)
     addressable (2.8.7)
       public_suffix (>= 2.0.2, < 7.0)
+    aes_key_wrap (1.1.0)
     annotate (3.2.0)
       activerecord (>= 3.2, < 8.0)
       rake (>= 10.4, < 14.0)
     argon2 (2.3.0)
       ffi (~> 1.15)
       ffi-compiler (~> 1.0)
     ast (2.4.2)
+    attr_required (1.0.2)
     autoprefixer-rails (10.4.19.0)
       execjs (~> 2)
     aws-eventstream (1.3.0)
@@ -139,6 +141,7 @@ GEM
       parser (>= 2.4)
       smart_properties
     bigdecimal (3.1.8)
+    bindata (2.5.0)
     binding_of_caller (1.0.1)
       debug_inspector (>= 1.2.0)
     bootsnap (1.18.4)
@@ -253,6 +256,8 @@ GEM
       dry-initializer (~> 3.0)
       dry-schema (>= 1.12, < 2)
       zeitwerk (~> 2.6)
+    email_validator (2.2.4)
+      activemodel
     erb_lint (0.7.0)
       activesupport
       better_html (>= 2.0.1)
@@ -272,6 +277,8 @@ GEM
       faraday-net_http (>= 2.0, < 3.4)
       json
       logger
+    faraday-follow_redirects (0.3.0)
+      faraday (>= 1, < 3)
     faraday-http-cache (2.5.1)
       faraday (>= 0.8)
     faraday-net_http (3.3.0)
@@ -343,6 +350,13 @@ GEM
       railties (>= 4.2.0)
       thor (>= 0.14, < 2.0)
     json (2.7.2)
+    json-jwt (1.16.7)
+      activesupport (>= 4.2)
+      aes_key_wrap
+      base64
+      bindata
+      faraday (~> 2.0)
+      faraday-follow_redirects
     jwt (2.9.3)
       base64
     kgio (2.11.4)
@@ -450,7 +464,23 @@ GEM
     omniauth-rails_csrf_protection (1.0.2)
       actionpack (>= 4.2)
       omniauth (~> 2.0)
+    omniauth_openid_connect (0.8.0)
+      omniauth (>= 1.9, < 3)
+      openid_connect (~> 2.2)
     open4 (1.3.4)
+    openid_connect (2.3.1)
+      activemodel
+      attr_required (>= 1.0.0)
+      email_validator
+      faraday (~> 2.0)
+      faraday-follow_redirects
+      json-jwt (>= 1.16)
+      mail
+      rack-oauth2 (~> 2.2)
+      swd (~> 2.0)
+      tzinfo
+      validate_url
+      webfinger (~> 2.0)
     openstreetmap-deadlock_retry (1.3.1)
     ostruct (0.6.0)
     overcommit (0.64.0)
@@ -475,6 +505,13 @@ GEM
     rack (2.2.10)
     rack-cors (2.0.2)
       rack (>= 2.0.0)
+    rack-oauth2 (2.2.1)
+      activesupport
+      attr_required
+      faraday (~> 2.0)
+      faraday-follow_redirects
+      json-jwt (>= 1.11.0)
+      rack (>= 2.1.0)
     rack-openid (1.4.2)
       rack (>= 1.1.0)
       ruby-openid (>= 2.1.8)
@@ -623,6 +660,11 @@ GEM
     stringio (3.1.1)
     strong_migrations (1.8.0)
       activerecord (>= 5.2)
+    swd (2.0.3)
+      activesupport (>= 3)
+      attr_required (>= 0.0.5)
+      faraday (~> 2.0)
+      faraday-follow_redirects
     teaspoon (1.4.0)
       railties (>= 5.0)
     teaspoon-mocha (2.3.3)
@@ -642,11 +684,18 @@ GEM
     unicode-display_width (2.6.0)
     uri (0.13.1)
     useragent (0.16.10)
+    validate_url (1.0.15)
+      activemodel (>= 3.0.0)
+      public_suffix
     validates_email_format_of (1.8.2)
       i18n (>= 0.8.0)
       simpleidn
     vendorer (0.2.0)
     version_gem (1.1.4)
+    webfinger (2.1.3)
+      activesupport
+      faraday (~> 2.0)
+      faraday-follow_redirects
     webmock (3.24.0)
       addressable (>= 2.8.0)
       crack (>= 0.3.2)
@@ -733,6 +782,7 @@ DEPENDENCIES
   omniauth-microsoft_graph
   omniauth-openid
   omniauth-rails_csrf_protection (~> 1.0)
+  omniauth_openid_connect
   openstreetmap-deadlock_retry (>= 1.3.1)
   overcommit
   pg

app/controllers/users_controller.rb

@@ -201,7 +201,7 @@ def auth_success
                      when "openid"
                        uid.match(%r{https://www.google.com/accounts/o8/id?(.*)}) ||
                        uid.match(%r{https://me.yahoo.com/(.*)})
-                     when "google", "facebook", "microsoft", "github", "wikipedia"
+                     when "google", "facebook", "microsoft", "github", "wikipedia", "openstreetmap"
                        true
                      else
                        false

config/initializers/omniauth.rb

@@ -27,11 +27,26 @@
 microsoft_options = { :name => "microsoft", :scope => "openid User.Read" }
 github_options = { :name => "github", :scope => "user:email" }
 wikipedia_options = { :name => "wikipedia", :client_options => { :site => "https://meta.wikimedia.org" } }
+osm_oidc_options = { :name => :openstreetmap,
+                     :scope => [Settings.openstreetmap_auth_scopes, :openid].flatten.compact.uniq.map(&:to_sym),
+                     :issuer => "https://www.openstreetmap.org",
+                     :discovery => true,
+                     :response_type => :code,
+                     :uid_field => "preferred_username",
+                     :client_options => {
+                       :port => 443,
+                       :scheme => "https",
+                       :host => "www.openstreetmap.org",
+                       :identifier => Settings.openstreetmap_auth_id,
+                       :secret => Settings.openstreetmap_auth_secret,
+                       :redirect_uri => format("%<protocol>s://%<server_url>s/auth/openstreetmap/callback", :protocol => Settings.server_protocol, :server_url => Settings.server_url)
+                     } }
 
 google_options[:openid_realm] = Settings.google_openid_realm if Settings.key?(:google_openid_realm)
 
 Rails.application.config.middleware.use OmniAuth::Builder do
   provider :openid, openid_options
+  provider :openid_connect, osm_oidc_options
   provider :google_oauth2, Settings.google_auth_id, Settings.google_auth_secret, google_options if Settings.key?(:google_auth_id)
   provider :facebook, Settings.facebook_auth_id, Settings.facebook_auth_secret, facebook_options if Settings.key?(:facebook_auth_id)
   provider :microsoft_graph, Settings.microsoft_auth_id, Settings.microsoft_auth_secret, microsoft_options if Settings.key?(:microsoft_auth_id)

config/locales/en.yml

@@ -221,6 +221,7 @@ en:
       microsoft: Microsoft
       github: GitHub
       wikipedia: Wikipedia
+      openstreetmap: OpenStreetMap
   api:
     notes:
       comment:
@@ -2594,6 +2595,9 @@ en:
       wikipedia:
         title: Log in with Wikipedia
         alt: Wikipedia logo
+      openstreetmap:
+        title: Log in with OpenStreetMap
+        alt: OpenStreetMap logo
   oauth:
     permissions:
       missing: "You have not permitted the application access to this facility"

config/settings.yml

@@ -135,6 +135,15 @@ fossgis_valhalla_url: "https://valhalla1.openstreetmap.de/route"
 #microsoft_auth_secret: ""
 #wikipedia_auth_id: ""
 #wikipedia_auth_secret: ""
+
+# Settings to use osm.org production as identity provider
+# Requires confidential OAuth2 app on osm.org with scope "openid"
+# and callback http(s)://{other site}/auth/openstreetmap/callback
+#openstreetmap_auth_id: ""
+#openstreetmap_auth_secret: ""
+# Define additional scopes (openid scope is included by default)
+#openstreetmap_auth_scopes: ["read_email", "skip_authorization"]
+
 # Thunderforest authentication details
 #thunderforest_key: ""
 # Tracestrack authentication details

lib/auth.rb

@@ -10,6 +10,7 @@ def self.providers
       providers[I18n.t("auth.providers.microsoft")] = "microsoft" if Settings.key?(:microsoft_auth_id)
       providers[I18n.t("auth.providers.github")] = "github" if Settings.key?(:github_auth_id)
       providers[I18n.t("auth.providers.wikipedia")] = "wikipedia" if Settings.key?(:wikipedia_auth_id)
+      providers[I18n.t("auth.providers.openstreetmap")] = "openstreetmap" if Settings.key?(:openstreetmap_auth_id)
     end.freeze
   end
 end