5e263baed2
- name: :oidc → Identifier for this login provider in the app. - scope: [:openid, :email, :profile] → Tells the provider we want the user’s ID (openid), their email, and basic profile info (name, picture, etc.). - response_type: :code → Uses Authorization Code Flow, which is more secure because tokens are not exposed in the URL. - issuer: Rails.application.secrets.oidc_issuer → The base URL of the OIDC provider (e.g., Auth0). Used to find its config. - discovery: true → Automatically fetches the provider’s endpoints from its discovery document instead of manually setting them. - client_auth_method: :basic → Sends client ID and secret using HTTP Basic Auth when exchanging the code for tokens. Add system tests for OIDC Auth Edit the oauth docs to support OIDC auth
3.0 KiB
Authentication with external services (OAuth)
You can configure authentication services with external OAuth providers. Right now, Twitter, Facebook, Google, Wordpress, SAML and OpenID Connect (OIDC) are supported.
1. Create an App on the platform
For Twitter, Facebook, Google and Wordpress, go to their developers section and follow their guides to create an app. For SAML, you'll have to configure an Identity Provider (IdP). For OIDC, you'll need to register your application with an OpenID Connect provider.
2. Set the authentication URL of your Consul Democracy installation
They'll ask you for the authentication URL of your Consul Democracy installation, and as you can see running rails routes | grep omniauth at your Consul Democracy repo locally:
user_twitter_omniauth_authorize GET|POST /users/auth/twitter(.:format) users/omniauth_callbacks#passthru
user_twitter_omniauth_callback GET|POST /users/auth/twitter/callback(.:format) users/omniauth_callbacks#twitter
user_facebook_omniauth_authorize GET|POST /users/auth/facebook(.:format) users/omniauth_callbacks#passthru
user_facebook_omniauth_callback GET|POST /users/auth/facebook/callback(.:format) users/omniauth_callbacks#facebook
user_google_oauth2_omniauth_authorize GET|POST /users/auth/google_oauth2(.:format) users/omniauth_callbacks#passthru
user_google_oauth2_omniauth_callback GET|POST /users/auth/google_oauth2/callback(.:format) users/omniauth_callbacks#google_oauth2
user_wordpress_oauth2_omniauth_authorize GET|POST /users/auth/wordpress_oauth2(.:format) users/omniauth_callbacks#passthru
user_wordpress_oauth2_omniauth_callback GET|POST /users/auth/wordpress_oauth2/callback(.:format) users/omniauth_callbacks#wordpress_oauth2
user_saml_omniauth_authorize GET|POST /users/auth/saml(.:format) users/omniauth_callbacks#passthru
user_saml_omniauth_callback GET|POST /users/auth/saml/callback(.:format) users/omniauth_callbacks#saml
user_oidc_omniauth_authorize GET|POST /users/auth/oidc(.:format) users/omniauth_callbacks#passthru
user_oidc_omniauth_callback GET|POST /users/auth/oidc/callback(.:format) users/omniauth_callbacks#oidc
So for example the URL for Facebook application would be yourdomain.com/users/auth/facebook/callback.
3. Set the key and secret values
When you complete the application registration you'll get a key and secret values, those need to be stored at your config/secrets.yml file:
twitter_key: ""
twitter_secret: ""
facebook_key: ""
facebook_secret: ""
google_oauth2_key: ""
google_oauth2_secret: ""
wordpress_oauth2_key: ""
wordpress_oauth2_secret: ""
wordpress_oauth2_site: ""
saml_sp_entity_id: "https://yoursp.org/entityid"
saml_idp_metadata_url: "https://youridp.org/api/saml/metadata"
saml_idp_sso_service_url: "https://youridp.org/api/saml/sso"
oidc_client_id: "your-oidc-client-id"
oidc_client_secret: "your-oidc-client-secret"
oidc_issuer: "https://your-oidc-provider.com"
oidc_redirect_uri: "https://yourapp.com/users/auth/oidc/callback"