From d9a0887dc9af83f7fef7035b5cef978664dfc7d9 Mon Sep 17 00:00:00 2001
From: Anamika Aggarwal
Date: Tue, 9 Sep 2025 16:45:31 +0200
Subject: [PATCH] Fix OIDC parameters for non-default tenants

We were using the `client_options` hash for the default tenant, defined in the Devise initializer, but we forgot to include that key in the multitenant code. This means OIDC wasn't working when different tenants used different configurations.
---
 app/lib/omniauth_tenant_setup.rb | 7 ++++---
 spec/lib/omniauth_tenant_setup_spec.rb | 21 ++++++++++++---------
 2 files changed, 16 insertions(+), 12 deletions(-)
diff --git a/app/lib/omniauth_tenant_setup.rb b/app/lib/omniauth_tenant_setup.rb
index c0909b0cd..4a37ae359 100644
--- a/app/lib/omniauth_tenant_setup.rb
+++ b/app/lib/omniauth_tenant_setup.rb
@@ -64,10 +64,11 @@ module OmniauthTenantSetup
 unless Tenant.default?
 strategy = env["omniauth.strategy"]
- strategy.options[:client_id] = client_id if client_id.present?
- strategy.options[:client_secret] = client_secret if client_secret.present?
 strategy.options[:issuer] = issuer if issuer.present?
- strategy.options[:redirect_uri] = redirect_uri if redirect_uri.present?
+ strategy.options[:client_options] ||= {}
+ strategy.options[:client_options][:identifier] = client_id if client_id.present?
+ strategy.options[:client_options][:secret] = client_secret if client_secret.present?
+ strategy.options[:client_options][:redirect_uri] = redirect_uri if redirect_uri.present?
 end
 end
diff --git a/spec/lib/omniauth_tenant_setup_spec.rb b/spec/lib/omniauth_tenant_setup_spec.rb
index 9b8929dd7..f38eca3b4 100644
--- a/spec/lib/omniauth_tenant_setup_spec.rb
+++ b/spec/lib/omniauth_tenant_setup_spec.rb
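Review bot: The three `client_options` writes keep the `if ….present?` guards, so a non-default tenant whose identifier, secret or redirect URI resolves to blank leaves whatever is already in `strategy.options[:client_options]` untouched. If that options object is reused between requests (OmniAuth copies the strategy shallowly per call, which is worth confirming for the version in use), the leftover value could be another tenant's client secret, which would then be presented to this tenant's issuer. Assigning unconditionally, e.g. `strategy.options[:client_options][:secret] = client_secret`, or raising when a non-default tenant resolves to a blank value, would make a misconfigured tenant fail closed instead of inheriting credentials. The method that computes `client_id`, `client_secret` and `redirect_uri` starts above the hunk, so any fallback applied there is not visible here.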
@@ -119,11 +119,12 @@ describe OmniauthTenantSetup do
 OmniauthTenantSetup.oidc(mars_env)
 mars_strategy_options = mars_env["omniauth.strategy"].options
+ mars_client_options = mars_strategy_options[:client_options]
- expect(mars_strategy_options[:client_id]).to eq "mars-client-id"
- expect(mars_strategy_options[:client_secret]).to eq "mars-client-secret"
 expect(mars_strategy_options[:issuer]).to eq "https://mars-oidc.example.com"
- expect(mars_strategy_options[:redirect_uri]).to eq "https://mars.consul.dev/auth/oidc/callback"
+ expect(mars_client_options[:secret]).to eq "mars-client-secret"
+ expect(mars_client_options[:identifier]).to eq "mars-client-id"
+ expect(mars_client_options[:redirect_uri]).to eq "https://mars.consul.dev/auth/oidc/callback"
 end
 Tenant.switch("venus") do
@@ -134,11 +135,12 @@ describe OmniauthTenantSetup do
 OmniauthTenantSetup.oidc(venus_env)
 venus_strategy_options = venus_env["omniauth.strategy"].options
+ venus_client_options = venus_strategy_options[:client_options]
- expect(venus_strategy_options[:client_id]).to eq "venus-client-id"
- expect(venus_strategy_options[:client_secret]).to eq "venus-client-secret"
 expect(venus_strategy_options[:issuer]).to eq "https://venus-oidc.example.com"
- expect(venus_strategy_options[:redirect_uri]).to eq "https://venus.consul.dev/auth/oidc/callback"
+ expect(venus_client_options[:identifier]).to eq "venus-client-id"
+ expect(venus_client_options[:secret]).to eq "venus-client-secret"
+ expect(venus_client_options[:redirect_uri]).to eq "https://venus.consul.dev/auth/oidc/callback"
 end
 end
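Review bot: The mars and venus expectations (and the earth ones in the third hunk) each read options from their own env, so nothing visible here exercises one strategy object being configured for two tenants in sequence. Because `OmniauthTenantSetup.oidc` only writes a `client_options` key when the value is present, an example that configures a complete tenant and then a tenant lacking a secret on the same strategy would pin tenant isolation, for instance with `expect(venus_client_options[:secret]).not_to eq "mars-client-secret"`. How the envs and tenant secrets are built is outside these hunks, so this may already be covered elsewhere in the spec.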
@@ -168,11 +170,12 @@ describe OmniauthTenantSetup do
 OmniauthTenantSetup.oidc(earth_env)
 earth_strategy_options = earth_env["omniauth.strategy"].options
+ earth_client_options = earth_strategy_options[:client_options]
- expect(earth_strategy_options[:client_id]).to eq "default-client-id"
- expect(earth_strategy_options[:client_secret]).to eq "default-client-secret"
 expect(earth_strategy_options[:issuer]).to eq "https://default-oidc.example.com"
- expect(earth_strategy_options[:redirect_uri]).to eq "https://default.consul.dev/auth/oidc/callback"
+ expect(earth_client_options[:identifier]).to eq "default-client-id"
+ expect(earth_client_options[:secret]).to eq "default-client-secret"
+ expect(earth_client_options[:redirect_uri]).to eq "https://default.consul.dev/auth/oidc/callback"
 end
 end
 end