Add unconfigured doorkeeper-openid_connect

After executing: rails generate doorkeeper:openid_connect:install rails generate doorkeeper:openid_connect:install Split migration script to 2 to avoid deadlock.
2023-08-30 12:19:00 +00:00 · 2023-08-30 12:19:00 +00:00 · 8a22bfb222
commit 8a22bfb222
parent 85b17a1f2a
8 changed files with 187 additions and 0 deletions
--- a/1
+++ b/1
@ -79,6 +79,7 @@ gem "omniauth-rails_csrf_protection", "~> 1.0"
 # Doorkeeper for OAuth2
 gem "doorkeeper"
 gem "doorkeeper-i18n"
+gem "doorkeeper-openid_connect"

 # Markdown formatting support
 gem "kramdown"
--- a/Gemfile.lock
+++ b/Gemfile.lock
@ -166,6 +166,9 @@ GEM
      railties (>= 5)
    doorkeeper-i18n (5.2.6)
      doorkeeper (>= 5.2)
+    doorkeeper-openid_connect (1.8.7)
+      doorkeeper (>= 5.5, < 5.7)
+      jwt (>= 2.5)
    dry-configurable (1.1.0)
      dry-core (~> 1.0, < 2)
      zeitwerk (~> 2.6)
@ -567,6 +570,7 @@ DEPENDENCIES
  delayed_job_active_record
  doorkeeper
  doorkeeper-i18n
+  doorkeeper-openid_connect
  erb_lint
  factory_bot_rails
  faraday
--- a/config/initializers/doorkeeper_openid_connect.rb
+++ b/config/initializers/doorkeeper_openid_connect.rb
@ -0,0 +1,72 @@
+# frozen_string_literal: true
+
+Doorkeeper::OpenidConnect.configure do
+  issuer do |_resource_owner, _application|
+    "issuer string"
+  end
+
+  signing_key <<~KEY
+    -----BEGIN RSA PRIVATE KEY-----
+    ....
+    -----END RSA PRIVATE KEY-----
+  KEY
+
+  subject_types_supported [:public]
+
+  resource_owner_from_access_token do |access_token|
+    # Example implementation:
+    # User.find_by(id: access_token.resource_owner_id)
+  end
+
+  auth_time_from_resource_owner do |resource_owner|
+    # Example implementation:
+    # resource_owner.current_sign_in_at
+  end
+
+  reauthenticate_resource_owner do |resource_owner, return_to|
+    # Example implementation:
+    # store_location_for resource_owner, return_to
+    # sign_out resource_owner
+    # redirect_to new_user_session_url
+  end
+
+  # Depending on your configuration, a DoubleRenderError could be raised
+  # if render/redirect_to is called at some point before this callback is executed.
+  # To avoid the DoubleRenderError, you could add these two lines at the beginning
+  #  of this callback: (Reference: https://github.com/rails/rails/issues/25106)
+  #   self.response_body = nil
+  #   @_response_body = nil
+  select_account_for_resource_owner do |resource_owner, return_to|
+    # Example implementation:
+    # store_location_for resource_owner, return_to
+    # redirect_to account_select_url
+  end
+
+  subject do |resource_owner, application|
+    # Example implementation:
+    # resource_owner.id
+
+    # or if you need pairwise subject identifier, implement like below:
+    # Digest::SHA256.hexdigest("#{resource_owner.id}#{URI.parse(application.redirect_uri).host}#{'your_secret_salt'}")
+  end
+
+  # Protocol to use when generating URIs for the discovery endpoint,
+  # for example if you also use HTTPS in development
+  # protocol do
+  #   :https
+  # end
+
+  # Expiration time on or after which the ID Token MUST NOT be accepted for processing. (default 120 seconds).
+  # expiration 600
+
+  # Example claims:
+  # claims do
+  #   normal_claim :_foo_ do |resource_owner|
+  #     resource_owner.foo
+  #   end
+
+  #   normal_claim :_bar_ do |resource_owner|
+  #     resource_owner.bar
+  #   end
+  # end
+end
--- a/config/locales/doorkeeper_openid_connect.en.yml
+++ b/config/locales/doorkeeper_openid_connect.en.yml
@ -0,0 +1,23 @@
+en:
+  doorkeeper:
+    scopes:
+      openid: 'Authenticate your account'
+      profile: 'View your profile information'
+      email: 'View your email address'
+      address: 'View your physical address'
+      phone: 'View your phone number'
+    errors:
+      messages:
+        login_required: 'The authorization server requires end-user authentication'
+        consent_required: 'The authorization server requires end-user consent'
+        interaction_required: 'The authorization server requires end-user interaction'
+        account_selection_required: 'The authorization server requires end-user account selection'
+    openid_connect:
+      errors:
+        messages:
+          # Configuration error messages
+          resource_owner_from_access_token_not_configured: 'Failure due to Doorkeeper::OpenidConnect.configure.resource_owner_from_access_token missing configuration.'
+          auth_time_from_resource_owner_not_configured: 'Failure due to Doorkeeper::OpenidConnect.configure.auth_time_from_resource_owner missing configuration.'
+          reauthenticate_resource_owner_not_configured: 'Failure due to Doorkeeper::OpenidConnect.configure.reauthenticate_resource_owner missing configuration.'
+          select_account_for_resource_owner_not_configured: 'Failure due to Doorkeeper::OpenidConnect.configure.select_account_for_resource_owner missing configuration.'
+          subject_not_configured: 'ID Token generation failed due to Doorkeeper::OpenidConnect.configure.subject missing configuration.'
--- a/config/routes.rb
+++ b/config/routes.rb
@ -1,4 +1,5 @@
 OpenStreetMap::Application.routes.draw do
+  use_doorkeeper_openid_connect
  use_doorkeeper :scope => "oauth2" do
    controllers :authorizations => "oauth2_authorizations",
                :applications => "oauth2_applications",
--- a/db/migrate/20230830115219_create_doorkeeper_openid_connect_tables.rb
+++ b/db/migrate/20230830115219_create_doorkeeper_openid_connect_tables.rb
@ -0,0 +1,18 @@
+class CreateDoorkeeperOpenidConnectTables < ActiveRecord::Migration[7.0]
+  def change
+    create_table :oauth_openid_requests do |t|
+      t.references :access_grant, :null => false, :index => true
+      t.string :nonce, :null => false
+    end
+
+    # Avoid validating foreign keys doe to possible deadlock
+    # create a separate migration instead, as suggested by db:migrate
+
+    add_foreign_key(
+      :oauth_openid_requests,
+      :oauth_access_grants,
+      :column => :access_grant_id,
+      :on_delete => :cascade, :validate => false
+    )
+  end
+end
--- a/db/migrate/20230830115220_validate_create_doorkeeper_openid_connect_tables.rb
+++ b/db/migrate/20230830115220_validate_create_doorkeeper_openid_connect_tables.rb
@ -0,0 +1,6 @@
+class ValidateCreateDoorkeeperOpenidConnectTables < ActiveRecord::Migration[7.0]
+  # Validate foreign key created by CreateDoorkeeperOpenidConnectTables
+  def change
+    validate_foreign_key :oauth_openid_requests, :oauth_access_grants
+  end
+end
--- a/db/structure.sql
+++ b/db/structure.sql
@ -1152,6 +1152,36 @@ CREATE SEQUENCE public.oauth_nonces_id_seq
 ALTER SEQUENCE public.oauth_nonces_id_seq OWNED BY public.oauth_nonces.id;


+--
+-- Name: oauth_openid_requests; Type: TABLE; Schema: public; Owner: -
+--
+
+CREATE TABLE public.oauth_openid_requests (
+    id bigint NOT NULL,
+    access_grant_id bigint NOT NULL,
+    nonce character varying NOT NULL
+);
+
+
+--
+-- Name: oauth_openid_requests_id_seq; Type: SEQUENCE; Schema: public; Owner: -
+--
+
+CREATE SEQUENCE public.oauth_openid_requests_id_seq
+    START WITH 1
+    INCREMENT BY 1
+    NO MINVALUE
+    NO MAXVALUE
+    CACHE 1;
+
+
+--
+-- Name: oauth_openid_requests_id_seq; Type: SEQUENCE OWNED BY; Schema: public; Owner: -
+--
+
+ALTER SEQUENCE public.oauth_openid_requests_id_seq OWNED BY public.oauth_openid_requests.id;
+
+
 --
 -- Name: oauth_tokens; Type: TABLE; Schema: public; Owner: -
 --
@ -1704,6 +1734,13 @@ ALTER TABLE ONLY public.oauth_applications ALTER COLUMN id SET DEFAULT nextval('
 ALTER TABLE ONLY public.oauth_nonces ALTER COLUMN id SET DEFAULT nextval('public.oauth_nonces_id_seq'::regclass);


+--
+-- Name: oauth_openid_requests id; Type: DEFAULT; Schema: public; Owner: -
+--
+
+ALTER TABLE ONLY public.oauth_openid_requests ALTER COLUMN id SET DEFAULT nextval('public.oauth_openid_requests_id_seq'::regclass);
+
+
 --
 -- Name: oauth_tokens id; Type: DEFAULT; Schema: public; Owner: -
 --
@ -2033,6 +2070,14 @@ ALTER TABLE ONLY public.oauth_nonces
    ADD CONSTRAINT oauth_nonces_pkey PRIMARY KEY (id);


+--
+-- Name: oauth_openid_requests oauth_openid_requests_pkey; Type: CONSTRAINT; Schema: public; Owner: -
+--
+
+ALTER TABLE ONLY public.oauth_openid_requests
+    ADD CONSTRAINT oauth_openid_requests_pkey PRIMARY KEY (id);
+
+
 --
 -- Name: oauth_tokens oauth_tokens_pkey; Type: CONSTRAINT; Schema: public; Owner: -
 --
@ -2573,6 +2618,13 @@ CREATE UNIQUE INDEX index_oauth_applications_on_uid ON public.oauth_applications
 CREATE UNIQUE INDEX index_oauth_nonces_on_nonce_and_timestamp ON public.oauth_nonces USING btree (nonce, "timestamp");


+--
+-- Name: index_oauth_openid_requests_on_access_grant_id; Type: INDEX; Schema: public; Owner: -
+--
+
+CREATE INDEX index_oauth_openid_requests_on_access_grant_id ON public.oauth_openid_requests USING btree (access_grant_id);
+
+
 --
 -- Name: index_oauth_tokens_on_token; Type: INDEX; Schema: public; Owner: -
 --
@ -2989,6 +3041,14 @@ ALTER TABLE ONLY public.oauth_access_tokens
    ADD CONSTRAINT fk_rails_732cb83ab7 FOREIGN KEY (application_id) REFERENCES public.oauth_applications(id) NOT VALID;


+--
+-- Name: oauth_openid_requests fk_rails_77114b3b09; Type: FK CONSTRAINT; Schema: public; Owner: -
+--
+
+ALTER TABLE ONLY public.oauth_openid_requests
+    ADD CONSTRAINT fk_rails_77114b3b09 FOREIGN KEY (access_grant_id) REFERENCES public.oauth_access_grants(id) ON DELETE CASCADE;
+
+
 --
 -- Name: active_storage_variant_records fk_rails_993965df05; Type: FK CONSTRAINT; Schema: public; Owner: -
 --
@ -3404,6 +3464,8 @@ INSERT INTO "schema_migrations" (version) VALUES
 ('20220223140543'),
 ('20230816135800'),
 ('20230825162137'),
+('20230830115219'),
+('20230830115220'),
 ('21'),
 ('22'),
 ('23'),