consul/grecia
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Merge pull request #6083 from consuldemocracy/oidc_multitenancy

Browse Source 
Fix multitenancy support for OpenID Connect
This commit is contained in:
Javi Martín
2025-10-17 14:00:35 +02:00
committed by GitHub
parent 847d48d478 86bbfcaa0c
commit 700719a66d
6 changed files with 31 additions and 38 deletions
Download Patch File Download Diff File Expand all files Collapse all files

16
app/lib/omniauth_tenant_setup.rb
View File

@@ -22,8 +22,7 @@ module OmniauthTenantSetup
end end
def oidc(env) def oidc(env)
oidc_auth(env, secrets.oidc_client_id, oidc_auth(env, secrets.oidc_client_id, secrets.oidc_client_secret, secrets.oidc_issuer)
secrets.oidc_client_secret, secrets.oidc_issuer, secrets.oidc_redirect_uri)
end end
private private
@@ -60,15 +59,18 @@ module OmniauthTenantSetup
end end
end end
def oidc_auth(env, client_id, client_secret, issuer, redirect_uri) def oidc_auth(env, client_id, client_secret, issuer)
unless Tenant.default?
strategy = env["omniauth.strategy"] strategy = env["omniauth.strategy"]
strategy.options[:client_id] = client_id if client_id.present?
strategy.options[:client_secret] = client_secret if client_secret.present?
strategy.options[:issuer] = issuer if issuer.present? strategy.options[:issuer] = issuer if issuer.present?
strategy.options[:redirect_uri] = redirect_uri if redirect_uri.present? strategy.options[:client_options] ||= {}
strategy.options[:client_options][:identifier] = client_id if client_id.present?
strategy.options[:client_options][:secret] = client_secret if client_secret.present?
strategy.options[:client_options][:redirect_uri] = oidc_redirect_uri if oidc_redirect_uri.present?
end end
def oidc_redirect_uri
Rails.application.routes.url_helpers.user_oidc_omniauth_callback_url(Tenant.current_url_options)
end end
def secrets def secrets

6
config/initializers/devise.rb
View File

@@ -300,14 +300,8 @@ Devise.setup do |config|
name: :oidc, name: :oidc,
scope: [:openid, :email, :profile], scope: [:openid, :email, :profile],
response_type: :code, response_type: :code,
issuer: Rails.application.secrets.oidc_issuer,
discovery: true, discovery: true,
client_auth_method: :basic, client_auth_method: :basic,
client_options: {
identifier: Rails.application.secrets.oidc_client_id,
secret: Rails.application.secrets.oidc_client_secret,
redirect_uri: Rails.application.secrets.oidc_redirect_uri
},
setup: ->(env) { OmniauthTenantSetup.oidc(env) } setup: ->(env) { OmniauthTenantSetup.oidc(env) }
# ==> Warden configuration # ==> Warden configuration

3
config/secrets.yml.example
View File

@@ -97,7 +97,6 @@ staging:
oidc_client_id: "" oidc_client_id: ""
oidc_client_secret: "" oidc_client_secret: ""
oidc_issuer: "" oidc_issuer: ""
oidc_redirect_uri: ""
<<: *maps <<: *maps
<<: *apis <<: *apis
@@ -160,7 +159,6 @@ preproduction:
oidc_client_id: "" oidc_client_id: ""
oidc_client_secret: "" oidc_client_secret: ""
oidc_issuer: "" oidc_issuer: ""
oidc_redirect_uri: ""
<<: *maps <<: *maps
<<: *apis <<: *apis
@@ -222,6 +220,5 @@ production:
oidc_client_id: "" oidc_client_id: ""
oidc_client_secret: "" oidc_client_secret: ""
oidc_issuer: "" oidc_issuer: ""
oidc_redirect_uri: ""
<<: *maps <<: *maps
<<: *apis <<: *apis

1
docs/en/features/oauth.md
View File

@@ -47,5 +47,4 @@ When you complete the application registration you'll get a *key* and *secret* v
oidc_client_id: "your-oidc-client-id" oidc_client_id: "your-oidc-client-id"
oidc_client_secret: "your-oidc-client-secret" oidc_client_secret: "your-oidc-client-secret"
oidc_issuer: "https://your-oidc-provider.com" oidc_issuer: "https://your-oidc-provider.com"
oidc_redirect_uri: "https://yourapp.com/users/auth/oidc/callback"
``` ```

1
docs/es/features/oauth.md
View File

@@ -47,5 +47,4 @@ Cuando completes el registro de la aplicación en su plataforma te darán un *ke
oidc_client_id: "tu-id-de-cliente-oidc" oidc_client_id: "tu-id-de-cliente-oidc"
oidc_client_secret: "tu-secreto-de-cliente-oidc" oidc_client_secret: "tu-secreto-de-cliente-oidc"
oidc_issuer: "https://tu-proveedor-oidc.com" oidc_issuer: "https://tu-proveedor-oidc.com"
oidc_redirect_uri: "https://tuaplicacion.com/users/auth/oidc/callback"
``` ```

36
spec/lib/omniauth_tenant_setup_spec.rb
View File

@@ -86,6 +86,10 @@ describe OmniauthTenantSetup do
end end
describe "#oidc" do describe "#oidc" do
before do
allow(Tenant).to receive(:default_url_options).and_return({ host: "consul.dev" })
end
it "uses different secrets for different tenants" do it "uses different secrets for different tenants" do
create(:tenant, schema: "mars") create(:tenant, schema: "mars")
create(:tenant, schema: "venus") create(:tenant, schema: "venus")
@@ -94,19 +98,16 @@ describe OmniauthTenantSetup do
oidc_client_id: "default-client-id", oidc_client_id: "default-client-id",
oidc_client_secret: "default-client-secret", oidc_client_secret: "default-client-secret",
oidc_issuer: "https://default-oidc.example.com", oidc_issuer: "https://default-oidc.example.com",
oidc_redirect_uri: "https://default.consul.dev/auth/oidc/callback",
tenants: { tenants: {
mars: { mars: {
oidc_client_id: "mars-client-id", oidc_client_id: "mars-client-id",
oidc_client_secret: "mars-client-secret", oidc_client_secret: "mars-client-secret",
oidc_issuer: "https://mars-oidc.example.com", oidc_issuer: "https://mars-oidc.example.com"
oidc_redirect_uri: "https://mars.consul.dev/auth/oidc/callback"
}, },
venus: { venus: {
oidc_client_id: "venus-client-id", oidc_client_id: "venus-client-id",
oidc_client_secret: "venus-client-secret", oidc_client_secret: "venus-client-secret",
oidc_issuer: "https://venus-oidc.example.com", oidc_issuer: "https://venus-oidc.example.com"
oidc_redirect_uri: "https://venus.consul.dev/auth/oidc/callback"
} }
} }
) )
@@ -119,11 +120,12 @@ describe OmniauthTenantSetup do
OmniauthTenantSetup.oidc(mars_env) OmniauthTenantSetup.oidc(mars_env)
mars_strategy_options = mars_env["omniauth.strategy"].options mars_strategy_options = mars_env["omniauth.strategy"].options
mars_client_options = mars_strategy_options[:client_options]
expect(mars_strategy_options[:client_id]).to eq "mars-client-id"
expect(mars_strategy_options[:client_secret]).to eq "mars-client-secret"
expect(mars_strategy_options[:issuer]).to eq "https://mars-oidc.example.com" expect(mars_strategy_options[:issuer]).to eq "https://mars-oidc.example.com"
expect(mars_strategy_options[:redirect_uri]).to eq "https://mars.consul.dev/auth/oidc/callback" expect(mars_client_options[:secret]).to eq "mars-client-secret"
expect(mars_client_options[:identifier]).to eq "mars-client-id"
expect(mars_client_options[:redirect_uri]).to eq "http://mars.consul.dev/users/auth/oidc/callback"
end end
Tenant.switch("venus") do Tenant.switch("venus") do
@@ -134,11 +136,12 @@ describe OmniauthTenantSetup do
OmniauthTenantSetup.oidc(venus_env) OmniauthTenantSetup.oidc(venus_env)
venus_strategy_options = venus_env["omniauth.strategy"].options venus_strategy_options = venus_env["omniauth.strategy"].options
venus_client_options = venus_strategy_options[:client_options]
expect(venus_strategy_options[:client_id]).to eq "venus-client-id"
expect(venus_strategy_options[:client_secret]).to eq "venus-client-secret"
expect(venus_strategy_options[:issuer]).to eq "https://venus-oidc.example.com" expect(venus_strategy_options[:issuer]).to eq "https://venus-oidc.example.com"
expect(venus_strategy_options[:redirect_uri]).to eq "https://venus.consul.dev/auth/oidc/callback" expect(venus_client_options[:identifier]).to eq "venus-client-id"
expect(venus_client_options[:secret]).to eq "venus-client-secret"
expect(venus_client_options[:redirect_uri]).to eq "http://venus.consul.dev/users/auth/oidc/callback"
end end
end end
@@ -149,13 +152,11 @@ describe OmniauthTenantSetup do
oidc_client_id: "default-client-id", oidc_client_id: "default-client-id",
oidc_client_secret: "default-client-secret", oidc_client_secret: "default-client-secret",
oidc_issuer: "https://default-oidc.example.com", oidc_issuer: "https://default-oidc.example.com",
oidc_redirect_uri: "https://default.consul.dev/auth/oidc/callback",
tenants: { tenants: {
mars: { mars: {
oidc_client_id: "mars-client-id", oidc_client_id: "mars-client-id",
oidc_client_secret: "mars-client-secret", oidc_client_secret: "mars-client-secret",
oidc_issuer: "https://mars-oidc.example.com", oidc_issuer: "https://mars-oidc.example.com"
oidc_redirect_uri: "https://mars.consul.dev/auth/oidc/callback"
} }
} }
) )
@@ -168,11 +169,12 @@ describe OmniauthTenantSetup do
OmniauthTenantSetup.oidc(earth_env) OmniauthTenantSetup.oidc(earth_env)
earth_strategy_options = earth_env["omniauth.strategy"].options earth_strategy_options = earth_env["omniauth.strategy"].options
earth_client_options = earth_strategy_options[:client_options]
expect(earth_strategy_options[:client_id]).to eq "default-client-id"
expect(earth_strategy_options[:client_secret]).to eq "default-client-secret"
expect(earth_strategy_options[:issuer]).to eq "https://default-oidc.example.com" expect(earth_strategy_options[:issuer]).to eq "https://default-oidc.example.com"
expect(earth_strategy_options[:redirect_uri]).to eq "https://default.consul.dev/auth/oidc/callback" expect(earth_client_options[:identifier]).to eq "default-client-id"
expect(earth_client_options[:secret]).to eq "default-client-secret"
expect(earth_client_options[:redirect_uri]).to eq "http://earth.consul.dev/users/auth/oidc/callback"
end end
end end
end end