Merge pull request #6046 from Anamika1608/oidc_auth

Add support for OIDC authentication
2025-09-01 19:55:10 +02:00
parent bde25273bc 5e263baed2
commit 3cf6e9b1ca
19 changed files with 441 additions and 6 deletions
--- a/app/assets/stylesheets/layout.scss
+++ b/app/assets/stylesheets/layout.scss
@@ -1384,7 +1384,8 @@ table {
 .button.button-facebook,
 .button.button-google,
 .button.button-wordpress,
-.button.button-saml {
+.button.button-saml,
+.button.button-oidc {
  color: inherit;
  font-weight: bold;

@@ -1444,6 +1445,16 @@ table {
  }
 }

+.button.button-oidc {
+  @include has-fa-icon(openid, brands);
+  background: #fdf9f1;
+  border-left: 3px solid #f7931e;
+
+  &::before {
+    color: #f7931e;
+  }
+}
+

 // 14. Verification
 // ----------------
--- a/app/components/admin/settings/features_tab_component.rb
+++ b/app/components/admin/settings/features_tab_component.rb
@@ -4,6 +4,7 @@ class Admin::Settings::FeaturesTabComponent < ApplicationComponent
      feature.featured_proposals
      feature.facebook_login
      feature.google_login
+      feature.oidc_login
      feature.saml_login
      feature.twitter_login
      feature.wordpress_login
--- a/app/components/devise/omniauth_form_component.rb
+++ b/app/components/devise/omniauth_form_component.rb
@@ -17,7 +17,8 @@ class Devise::OmniauthFormComponent < ApplicationComponent
        (:facebook if feature?(:facebook_login)),
        (:google_oauth2 if feature?(:google_login)),
        (:wordpress_oauth2 if feature?(:wordpress_login)),
-        (:saml if feature?(:saml_login))
+        (:saml if feature?(:saml_login)),
+        (:oidc if feature?(:oidc_login))
      ].compact
    end
 end
--- a/app/controllers/users/omniauth_callbacks_controller.rb
+++ b/app/controllers/users/omniauth_callbacks_controller.rb
@@ -21,6 +21,10 @@ class Users::OmniauthCallbacksController < Devise::OmniauthCallbacksController
    sign_in_with :saml_login, :saml
  end

+  def oidc
+    sign_in_with :oidc_login, :oidc
+  end
+
  def after_sign_in_path_for(resource)
    if resource.registering_with_oauth
      finish_signup_path
--- a/app/lib/omniauth_tenant_setup.rb
+++ b/app/lib/omniauth_tenant_setup.rb
@@ -21,6 +21,11 @@ module OmniauthTenantSetup
                secrets.saml_idp_metadata_url, secrets.saml_idp_sso_service_url)
    end

+    def oidc(env)
+      oidc_auth(env, secrets.oidc_client_id,
+                secrets.oidc_client_secret, secrets.oidc_issuer, secrets.oidc_redirect_uri)
+    end
+
    private

      def oauth(env, key, secret)
@@ -55,6 +60,17 @@ module OmniauthTenantSetup
        end
      end

+      def oidc_auth(env, client_id, client_secret, issuer, redirect_uri)
+        unless Tenant.default?
+          strategy = env["omniauth.strategy"]
+
+          strategy.options[:client_id] = client_id if client_id.present?
+          strategy.options[:client_secret] = client_secret if client_secret.present?
+          strategy.options[:issuer] = issuer if issuer.present?
+          strategy.options[:redirect_uri] = redirect_uri if redirect_uri.present?
+        end
+      end
+
      def secrets
        Tenant.current_secrets
      end
--- a/app/models/setting.rb
+++ b/app/models/setting.rb
@@ -85,6 +85,7 @@ class Setting < ApplicationRecord
        "feature.remote_census": nil,
        "feature.valuation_comment_notification": true,
        "feature.graphql_api": true,
+        "feature.oidc_login": false,
        "feature.saml_login": false,
        "feature.sdg": true,
        "feature.machine_learning": false,