1 # frozen_string_literal: true
3 Doorkeeper::OpenidConnect.configure do
4 issuer do |_resource_owner, _application|
9 -----BEGIN RSA PRIVATE KEY-----
11 -----END RSA PRIVATE KEY-----
14 subject_types_supported [:public]
16 resource_owner_from_access_token do |access_token|
17 # Example implementation:
18 # User.find_by(id: access_token.resource_owner_id)
21 auth_time_from_resource_owner do |resource_owner|
22 # Example implementation:
23 # resource_owner.current_sign_in_at
26 reauthenticate_resource_owner do |resource_owner, return_to|
27 # Example implementation:
28 # store_location_for resource_owner, return_to
29 # sign_out resource_owner
30 # redirect_to new_user_session_url
33 # Depending on your configuration, a DoubleRenderError could be raised
34 # if render/redirect_to is called at some point before this callback is executed.
35 # To avoid the DoubleRenderError, you could add these two lines at the beginning
36 # of this callback: (Reference: https://github.com/rails/rails/issues/25106)
37 # self.response_body = nil
38 # @_response_body = nil
39 select_account_for_resource_owner do |resource_owner, return_to|
40 # Example implementation:
41 # store_location_for resource_owner, return_to
42 # redirect_to account_select_url
45 subject do |resource_owner, application|
46 # Example implementation:
# or, if you need a pairwise subject identifier, derive it from the resource owner,
# the client's sector (the host of its redirect_uri) and a secret salt, for example:
# Digest::SHA256.hexdigest("#{resource_owner.id}#{URI.parse(application.redirect_uri).host}#{'your_secret_salt'}")
# Load the salt from credentials/ENV instead of hard-coding it in this initializer, and keep it
# stable: changing the salt changes every user's `sub`, which relying parties use to key accounts.
# Protocol (URL scheme) used when generating the URIs published by the discovery endpoint;
# set it explicitly if, for example, you also serve HTTPS in development.
# Lifetime of issued ID Tokens, i.e. how far in the future the `exp` claim is set; on or after that
# time the ID Token MUST NOT be accepted for processing (default 120 seconds).
64 # normal_claim :_foo_ do |resource_owner|
68 # normal_claim :_bar_ do |resource_owner|