Use the same code to configure OIDC for all tenants

We were following the same pattern as we used for other providers like
twitter or facebook, but for OIDC we aren't passing the key and the
secret as separate attributes but only a hash of options. This means we
don't need to duplicate the same logic in the devise initializer and the
`OmniauthTenantSetup` class.

Thanks to these changes, we'll be able to introduce dynamic redirect
URLs for both the default tenant and the other tenants (see next commit).

Note that we could probably apply similar changes for the SAML provider.
We might do so in the future. For other providers, removing the
references to `Rails.application.secrets` broke their configuration when
we tested it back in 2022 as part of the multitenancy feature. We might
check whether that's no longer the case (or whether we made a mistake
during our tests in 2022) in the future.
Anamika Aggarwal
2025-09-09 16:50:23 +02:00
committed by Javi Martín
parent d9a0887dc9
commit c3b5232907
2 changed files with 6 additions and 14 deletions


@@ -61,7 +61,6 @@ module OmniauthTenantSetup
end
def oidc_auth(env, client_id, client_secret, issuer, redirect_uri)
unless Tenant.default?
strategy = env["omniauth.strategy"]
strategy.options[:issuer] = issuer if issuer.present?
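Review bot: In `oidc_auth`, the `unless Tenant.default?` guard looks like the line this hunk drops (the +/- markers are not visible on this page; the header goes from 7 lines to 6), which makes the default tenant depend on the same `if issuer.present?` assignment as every other tenant. With a blank `issuer` nothing is assigned and nothing is reported, so a misconfigured default tenant would surface only when the strategy runs. Consider raising or logging when `issuer` is blank for a tenant that has OIDC enabled, and add a comment saying the default tenant is now configured here rather than in the Devise initializer.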
@@ -70,7 +69,6 @@ module OmniauthTenantSetup
strategy.options[:client_options][:secret] = client_secret if client_secret.present?
strategy.options[:client_options][:redirect_uri] = redirect_uri if redirect_uri.present?
end
end
def secrets
Tenant.current_secrets
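Review bot: The `if client_secret.present?` and `if redirect_uri.present?` guards on `strategy.options[:client_options]` skip the assignment when a tenant's value is blank, so whatever is already in the options hash stays in place. If the strategy's options object outlives a single request, a tenant with no OIDC secret could run with the previous tenant's `secret` or `redirect_uri`. Assigning unconditionally (so a blank value overwrites), or aborting the setup phase when a value is missing, would rule that out; a spec that switches tenants between two requests would confirm it.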


@@ -300,14 +300,8 @@ Devise.setup do |config|
name: :oidc,
scope: [:openid, :email, :profile],
response_type: :code,
issuer: Rails.application.secrets.oidc_issuer,
discovery: true,
client_auth_method: :basic,
client_options: {
identifier: Rails.application.secrets.oidc_client_id,
secret: Rails.application.secrets.oidc_client_secret,
redirect_uri: Rails.application.secrets.oidc_redirect_uri
},
setup: ->(env) { OmniauthTenantSetup.oidc(env) }
# ==> Warden configuration
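Review bot: With the `issuer:` and `client_options:` entries that read `Rails.application.secrets.oidc_*` gone from this provider block (the +/- markers are not visible here, but that is what the commit message describes), the provider is registered with `discovery: true` and no static issuer or client credentials, so everything depends on `OmniauthTenantSetup.oidc(env)` running first. Two things are worth confirming: that `strategy.options[:client_options]` still exists as a hash when `oidc_auth` writes `[:secret]` into it, and that a default-tenant OIDC login is covered by a spec, since the commit message notes that the same removal broke other providers in 2022 and only 2 files changed here.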