Add OIDC section for sign in and sign up page

- name: :oidc → Identifier for this login provider in the app. - scope: [:openid, :email, :profile] → Tells the provider we want the user’s ID (openid), their email, and basic profile info (name, picture, etc.). - response_type: :code → Uses Authorization Code Flow, which is more secure because tokens are not exposed in the URL. - issuer: Rails.application.secrets.oidc_issuer → The base URL of the OIDC provider (e.g., Auth0). Used to find its config. - discovery: true → Automatically fetches the provider’s endpoints from its discovery document instead of manually setting them. - client_auth_method: :basic → Sends client ID and secret using HTTP Basic Auth when exchanging the code for tokens. Add system tests for OIDC Auth Edit the oauth docs to support OIDC auth
2025-08-07 05:31:13 +00:00
parent eab5f52e19
commit 5e263baed2
17 changed files with 390 additions and 6 deletions
--- a/config/initializers/devise.rb
+++ b/config/initializers/devise.rb
@@ -296,6 +296,20 @@ Devise.setup do |config|
  end
  config.omniauth :saml, saml_settings.merge(setup: ->(env) { OmniauthTenantSetup.saml(env) })

+  config.omniauth :openid_connect,
+                  name: :oidc,
+                  scope: [:openid, :email, :profile],
+                  response_type: :code,
+                  issuer: Rails.application.secrets.oidc_issuer,
+                  discovery: true,
+                  client_auth_method: :basic,
+                  client_options: {
+                    identifier: Rails.application.secrets.oidc_client_id,
+                    secret: Rails.application.secrets.oidc_client_secret,
+                    redirect_uri: Rails.application.secrets.oidc_redirect_uri
+                  },
+                  setup: ->(env) { OmniauthTenantSetup.oidc(env) }
+
  # ==> Warden configuration
  # If you want to use other strategies, that are not supported by Devise, or
  # change the failure app, you can configure them inside the config.warden block.
--- a/config/locales/en/general.yml
+++ b/config/locales/en/general.yml
@@ -282,6 +282,10 @@ en:
      sign_in: Sign in with SAML
      sign_up: Sign up with SAML
      name: SAML
+    oidc:
+      sign_in: Sign in with OIDC
+      sign_up: Sign up with OIDC
+      name: OIDC
    or_fill: "Or fill the following form:"
  proposals:
    create:
--- a/config/locales/en/settings.yml
+++ b/config/locales/en/settings.yml
@@ -91,6 +91,8 @@ en:
      google_login_description: "Allow users to sign up with their Google Account"
      wordpress_login: "Wordpress login"
      wordpress_login_description: "Allow users to sign up with their Wordpress Account"
+      oidc_login: "OpenID Connect login"
+      oidc_login_description: "Allow users to sign up with OpenID Connect (OIDC)"
      saml_login: "SAML login"
      saml_login_description: "Allow users to sign up with SAML"
      featured_proposals: "Featured proposals"
--- a/config/locales/es/general.yml
+++ b/config/locales/es/general.yml
@@ -279,6 +279,10 @@ es:
      sign_in: Entra con SAML
      sign_up: Regístrate con SAML
      name: SAML
+    oidc:
+      sign_in: Entra con OIDC
+      sign_up: Regístrate con OIDC
+      name: OIDC
    info:
      sign_in: "Entra con:"
      sign_up: "Regístrate con:"
--- a/config/locales/es/settings.yml
+++ b/config/locales/es/settings.yml
@@ -91,6 +91,8 @@ es:
      google_login_description: "Permitir que los usuarios se registren con su cuenta de Google"
      wordpress_login: "Registro con Wordpress"
      wordpress_login_description: "Permitir que los usuarios se registren con su cuenta de Wordpress"
+      oidc_login: "Registro con OpenID Connect"
+      oidc_login_description: "Permitir que los usuarios se registren usando OpenID Connect (OIDC)"
      saml_login: "Registro con SAML"
      saml_login_description: "Permitir que los usuarios se registren usando SAML"
      featured_proposals: "Propuestas destacadas"
--- a/config/secrets.yml.example
+++ b/config/secrets.yml.example
@@ -94,6 +94,10 @@ staging:
  saml_sp_entity_id: ""
  saml_idp_metadata_url: ""
  saml_idp_sso_service_url: ""
+  oidc_client_id: ""
+  oidc_client_secret: ""
+  oidc_issuer: ""
+  oidc_redirect_uri: ""
  <<: *maps
  <<: *apis

@@ -153,6 +157,10 @@ preproduction:
  saml_sp_entity_id: ""
  saml_idp_metadata_url: ""
  saml_idp_sso_service_url: ""
+  oidc_client_id: ""
+  oidc_client_secret: ""
+  oidc_issuer: ""
+  oidc_redirect_uri: ""
  <<: *maps
  <<: *apis

@@ -211,5 +219,9 @@ production:
  saml_sp_entity_id: ""
  saml_idp_metadata_url: ""
  saml_idp_sso_service_url: ""
+  oidc_client_id: ""
+  oidc_client_secret: ""
+  oidc_issuer: ""
+  oidc_redirect_uri: ""
  <<: *maps
  <<: *apis