Merge remote-tracking branch 'upstream/pull/4425'

[rails.git] / config / initializers / doorkeeper_openid_connect.rb

diff --git a/config/initializers/doorkeeper_openid_connect.rb b/config/initializers/doorkeeper_openid_connect.rb
index e91a907c281e7006e3cc42b5aed25bdf21b091a0..7f409ecbe8d202f7e8d4a0da4bcc36ad2f513a4a 100644 (file)
--- a/config/initializers/doorkeeper_openid_connect.rb
+++ b/config/initializers/doorkeeper_openid_connect.rb
@@ -2,71 +2,37 @@
 
 Doorkeeper::OpenidConnect.configure do
   issuer do |_resource_owner, _application|
-    "issuer string"
+    "#{Settings.server_protocol}://#{Settings.server_url}"
   end
 
-  signing_key <<~KEY
-    -----BEGIN RSA PRIVATE KEY-----
-    ....
-    -----END RSA PRIVATE KEY-----
-  KEY
+  signing_key Settings.doorkeeper_signing_key
 
   subject_types_supported [:public]
 
   resource_owner_from_access_token do |access_token|
-    # Example implementation:
-    # User.find_by(id: access_token.resource_owner_id)
+    User.find_by(:id => access_token.resource_owner_id)
   end
 
   auth_time_from_resource_owner do |resource_owner|
-    # Example implementation:
-    # resource_owner.current_sign_in_at
+    # empty block necessary as a workaround to missing configuration
+    # when no auth_time claim is provided
   end
 
-  reauthenticate_resource_owner do |resource_owner, return_to|
-    # Example implementation:
-    # store_location_for resource_owner, return_to
-    # sign_out resource_owner
-    # redirect_to new_user_session_url
+  subject do |resource_owner, _application|
+    resource_owner.id
   end
 
-  # Depending on your configuration, a DoubleRenderError could be raised
-  # if render/redirect_to is called at some point before this callback is executed.
-  # To avoid the DoubleRenderError, you could add these two lines at the beginning
-  #  of this callback: (Reference: https://github.com/rails/rails/issues/25106)
-  #   self.response_body = nil
-  #   @_response_body = nil
-  select_account_for_resource_owner do |resource_owner, return_to|
-    # Example implementation:
-    # store_location_for resource_owner, return_to
-    # redirect_to account_select_url
+  protocol do
+    Settings.server_protocol.to_sym
   end
 
-  subject do |resource_owner, application|
-    # Example implementation:
-    # resource_owner.id
+  claims do
+    claim :preferred_username, :scope => :openid do |resource_owner, _scopes, _access_token|
+      resource_owner.display_name
+    end
 
-    # or if you need pairwise subject identifier, implement like below:
-    # Digest::SHA256.hexdigest("#{resource_owner.id}#{URI.parse(application.redirect_uri).host}#{'your_secret_salt'}")
+    claim :email, :scope => :read_email, :response => [:id_token, :user_info] do |resource_owner, _scopes, _access_token|
+      resource_owner.email
+    end
   end
-
-  # Protocol to use when generating URIs for the discovery endpoint,
-  # for example if you also use HTTPS in development
-  # protocol do
-  #   :https
-  # end
-
-  # Expiration time on or after which the ID Token MUST NOT be accepted for processing. (default 120 seconds).
-  # expiration 600
-
-  # Example claims:
-  # claims do
-  #   normal_claim :_foo_ do |resource_owner|
-  #     resource_owner.foo
-  #   end
-
-  #   normal_claim :_bar_ do |resource_owner|
-  #     resource_owner.bar
-  #   end
-  # end
 end