Add unconfigured doorkeeper-openid_connect
# frozen_string_literal: true

# OpenID Connect settings for Doorkeeper (config/initializers/doorkeeper_openid_connect.rb).
#
# This is still the unconfigured template: the issuer and signing key are
# placeholders, and every callback below contains only comments, so each of
# those blocks evaluates to nil until an implementation is filled in.
Doorkeeper::OpenidConnect.configure do
  # Value published as the `iss` claim. Relying parties compare it against the
  # issuer they expect, so the placeholder has to be replaced with the real
  # identifier of this deployment (per the OIDC spec, an https URL).
  issuer { |_resource_owner, _application| "issuer string" }

  # Private key used to sign ID tokens. The body below is a placeholder, not a
  # usable key. Whoever holds the real key can mint ID tokens that relying
  # parties will accept, so supply it from deployment secrets rather than
  # committing PEM material to this file.
  signing_key(<<~KEY)
    -----BEGIN RSA PRIVATE KEY-----
    ....
    -----END RSA PRIVATE KEY-----
  KEY

  subject_types_supported(%i[public])

  # Maps an access token to the user it was issued for.
  resource_owner_from_access_token do |access_token|
    # Example implementation:
    # User.find_by(id: access_token.resource_owner_id)
  end

  # Supplies the time at which the resource owner last authenticated.
  auth_time_from_resource_owner do |resource_owner|
    # Example implementation:
    # resource_owner.current_sign_in_at
  end

  # Forces the resource owner to sign in again before returning to `return_to`.
  reauthenticate_resource_owner do |resource_owner, return_to|
    # Example implementation:
    # store_location_for resource_owner, return_to
    # sign_out resource_owner
    # redirect_to new_user_session_url
  end

  # Sends the resource owner to an account chooser.
  #
  # Depending on your configuration, a DoubleRenderError could be raised
  # if render/redirect_to has already been called before this callback runs.
  # To avoid it, these two lines can be added at the start of the callback
  # (Reference: https://github.com/rails/rails/issues/25106):
  #   self.response_body = nil
  #   @_response_body = nil
  select_account_for_resource_owner do |resource_owner, return_to|
    # Example implementation:
    # store_location_for resource_owner, return_to
    # redirect_to account_select_url
  end

  # Produces the `sub` claim identifying the resource owner to the client.
  subject do |resource_owner, application|
    # Example implementation:
    # resource_owner.id

    # or if you need pairwise subject identifier, implement like below:
    # Digest::SHA256.hexdigest("#{resource_owner.id}#{URI.parse(application.redirect_uri).host}#{'your_secret_salt'}")
    #
    # NOTE(review): in the pairwise example the salt is the only secret input.
    # Replace 'your_secret_salt' with a value kept outside the repository. The
    # three fields are concatenated without a separator, so a delimiter or a
    # keyed hash (e.g. OpenSSL::HMAC) would make the derivation unambiguous.
  end

  # Protocol to use when generating URIs for the discovery endpoint,
  # for example if you also use HTTPS in development
  # protocol do
  #   :https
  # end

  # Expiration time on or after which the ID Token MUST NOT be accepted for processing. (default 120 seconds).
  # expiration 600

  # Example claims. Each block's return value is handed to the client, so
  # expose only attributes that relying parties are meant to see.
  # claims do
  #   normal_claim :_foo_ do |resource_owner|
  #     resource_owner.foo
  #   end

  #   normal_claim :_bar_ do |resource_owner|
  #     resource_owner.bar
  #   end
  # end
end