From c3b5232907ea4592781b700462d4ea368e56c26a Mon Sep 17 00:00:00 2001 From: Anamika Aggarwal Date: Tue, 9 Sep 2025 16:50:23 +0200 Subject: [PATCH] Use the same code to configure OIDC for all tenants We were following the same pattern as we used for other providers like twitter or facebook, but for OIDC we aren't passing the key and the secret as separate attributes but only a hash of options. This means we don't need to duplicate the same logic in the devise initializer and the `OmniauthTenantSetup` class. Thanks to these changes, we'll be able to introduce dynamic redirect URLs for both the default tenant and the other tenants (see next commit). Note that we could probably apply similar changes for the SAML provider. We might do so in the future. For other providers, removing the references to `Rails.application.secrets` broke their configuration when we tested it back in 2022 as part of the multitenancy feature. We might check whether that's no longer the case (or whether we made a mistake during our tests in 2022) in the future. --- app/lib/omniauth_tenant_setup.rb | 14 ++++++-------- config/initializers/devise.rb | 6 ------ 2 files changed, 6 insertions(+), 14 deletions(-) diff --git a/app/lib/omniauth_tenant_setup.rb b/app/lib/omniauth_tenant_setup.rb index 4a37ae359..cb5ff3ff7 100644 --- a/app/lib/omniauth_tenant_setup.rb +++ b/app/lib/omniauth_tenant_setup.rb 
@@ -61,15 +61,13 @@ module OmniauthTenantSetup end def oidc_auth(env, client_id, client_secret, issuer, redirect_uri) - unless Tenant.default? - strategy = env["omniauth.strategy"] + strategy = env["omniauth.strategy"] - strategy.options[:issuer] = issuer if issuer.present? - strategy.options[:client_options] ||= {} - strategy.options[:client_options][:identifier] = client_id if client_id.present? - strategy.options[:client_options][:secret] = client_secret if client_secret.present? - strategy.options[:client_options][:redirect_uri] = redirect_uri if redirect_uri.present? - end + strategy.options[:issuer] = issuer if issuer.present? + strategy.options[:client_options] ||= {} + strategy.options[:client_options][:identifier] = client_id if client_id.present? + strategy.options[:client_options][:secret] = client_secret if client_secret.present? + strategy.options[:client_options][:redirect_uri] = redirect_uri if redirect_uri.present? end def secrets diff --git a/config/initializers/devise.rb b/config/initializers/devise.rb index 44ff33b03..00de7c52c 100644 --- a/config/initializers/devise.rb +++ b/config/initializers/devise.rb @@ -300,14 +300,8 @@ Devise.setup do |config| name: :oidc, scope: [:openid, :email, :profile], response_type: :code, - issuer: Rails.application.secrets.oidc_issuer, discovery: true, client_auth_method: :basic, - client_options: { - identifier: Rails.application.secrets.oidc_client_id, - secret: Rails.application.secrets.oidc_client_secret, - redirect_uri: Rails.application.secrets.oidc_redirect_uri - }, setup: ->(env) { OmniauthTenantSetup.oidc(env) } # ==> Warden configuration
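Review bot: dropping the `unless Tenant.default?` guard in `oidc_auth` changes the failure mode for the default tenant, and nothing in this hunk makes that explicit. Every assignment is conditional on `present?`, so when the caller passes a blank `client_id`, `client_secret` or `issuer` for the default tenant the strategy now keeps whatever the initializer left (which, after the devise.rb change in this same patch, is no `issuer` and no `client_options` at all) rather than falling back to a static value; a misconfigured default tenant therefore surfaces later, at the provider, instead of at setup. Suggest either raising when a required value is missing for the tenant being configured, or at least adding a test that covers the default tenant with and without values present. Separately, `strategy.options[:client_options][:redirect_uri] = redirect_uri if redirect_uri.present?` writes the redirect URI straight through; since the commit message says the next change will make this value dynamic, it is worth adding a comment (or a check that it is an absolute URL on the tenant's own host) here so the constraint is visible where the value is applied.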
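Review bot: after removing `issuer:` and the whole `client_options:` hash from the `:oidc` provider block, the remaining static keys (`discovery: true`, `client_auth_method: :basic`) give no hint that identifier, secret, issuer and redirect URI are now supplied per request by `OmniauthTenantSetup.oidc(env)`; a reader of devise.rb alone will assume the provider is unconfigured and may add the `Rails.application.secrets` lookups back. Suggest a one-line comment above `setup: ->(env) { OmniauthTenantSetup.oidc(env) }` stating that all tenant-specific OIDC options, including the default tenant's, are set there. Since `discovery: true` depends on `issuer` being present before the discovery request, it would also help to note in the commit message or a test that the setup lambda runs before discovery, so the missing static `issuer` is intentional rather than an omission.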