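# Thin wrapper around the AgentConnect OpenID Connect provider.
#
# The login is split into two halves that the calling controller wires together:
#   1. {.authorization_uri} builds the redirect to the provider and hands back
#      the freshly generated +state+ and +nonce+ so the caller can persist them
#      (typically in the session) until the provider redirects back;
#   2. {.user_info} exchanges the returned +code+ for tokens, verifies the ID
#      token against that persisted +nonce+, then returns the userinfo claims.
#
# NOTE(review): the +state+ returned by {.authorization_uri} is never checked in
# this file. The caller must compare it with the +state+ query parameter on the
# callback *before* calling {.user_info}; nothing here can do that for it.
class AgentConnectService
  include OpenIDConnect

  # Whether AgentConnect login is turned on for this deployment.
  #
  # The feature is on unless AGENT_CONNECT_ENABLED is explicitly set to a value
  # other than "enabled" — an unset variable means enabled (fail-open default).
  #
  # @return [Boolean]
  def self.enabled?
    ENV.fetch("AGENT_CONNECT_ENABLED", "enabled") == "enabled"
  end

  # Build the provider authorization URL for a new login attempt.
  #
  # A fresh +state+ and +nonce+ (128 bits of randomness each) are generated on
  # every call. The +state+ is meant to be stored and compared on the callback;
  # the +nonce+ must be handed back to {.user_info} for ID token verification.
  #
  # @return [Array(String, String, String)] +[uri, state, nonce]+
  def self.authorization_uri
    client = AgentConnectClient.new
    state = SecureRandom.hex(16)
    nonce = SecureRandom.hex(16)
    uri = client.authorization_uri(
      scope: [:openid, :email],
      state: state,
      nonce: nonce,
      # Requested authentication context; fixed for this provider.
      acr_values: 'eidas1'
    )
    [uri, state, nonce]
  end

  # Complete the login: exchange +code+ for tokens, verify the ID token, and
  # return the provider's userinfo claims.
  #
  # The ID token signature is checked against the JWKS published in the
  # provider's discovery document, and +verify!+ then checks the audience (our
  # client id), the issuer from discovery and the +nonce+ issued by
  # {.authorization_uri} (the gem also checks expiry — confirm against the
  # installed openid_connect version). Only after that is the userinfo endpoint
  # called.
  #
  # @param code [String] authorization code received on the callback
  # @param nonce [String] the nonce generated by {.authorization_uri} for this
  #   login attempt, as persisted by the caller
  # @return [Hash] raw userinfo claims as returned by the provider; these are
  #   provider-asserted data, not something this service validated further
  # @raise the openid_connect gem's ID token verification error when the token
  #   does not match +client_id+, +issuer+ or +nonce+
  def self.user_info(code, nonce)
    client = AgentConnectClient.new(code)
    access_token = client.access_token!(client_auth_method: :secret)
    discover = find_discover
    # Signature check against the provider's published keys happens in decode.
    id_token = ResponseObject::IdToken.decode(access_token.id_token, discover.jwks)
    id_token.verify!(
      client_id: Rails.application.secrets.agent_connect[:identifier],
      issuer: discover.issuer,
      nonce: nonce
    )
    access_token
      .userinfo!
      .raw_attributes
  end

  # Fetch the provider's discovery document (issuer, endpoints, JWKS).
  #
  # Called on every {.user_info} invocation; nothing in this file caches the
  # result (the gem may — unverified). AGENT_CONNECT_BASE_URL is presumably the
  # provider's https origin; discovery over plain http would let the JWKS used
  # for signature checks be substituted — confirm in deployment config.
  #
  # @return [OpenIDConnect::Discovery::Provider::Config::Response]
  def self.find_discover
    Discovery::Provider::Config.discover!("#{ENV.fetch('AGENT_CONNECT_BASE_URL')}/api/v2")
  end
  # A bare +private+ has no effect on +def self.+ methods (the original file's
  # intent to hide this helper was silently ignored); this actually hides it.
  private_class_method :find_discover
end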