summaryrefslogtreecommitdiff
path: root/config/initializers/doorkeeper_openid_connect.rb
blob: 476230d0f70c88903002e8ac372b9bae2937df07 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
# frozen_string_literal: true

Doorkeeper::OpenidConnect.configure do
  issuer Gitlab.config.gitlab.url

  signing_key Rails.application.secrets.openid_connect_signing_key

  resource_owner_from_access_token do |access_token|
    User.active.find_by(id: access_token.resource_owner_id)
  end

  auth_time_from_resource_owner do |user|
    user.current_sign_in_at
  end

  reauthenticate_resource_owner do |user, return_to|
    store_location_for user, return_to
    sign_out user
    redirect_to new_user_session_url
  end

  subject do |user|
    user.id
  end

  claims do
    with_options scope: :openid do |o|
      o.claim(:sub_legacy, response: [:id_token, :user_info]) do |user|
        # provide the previously hashed 'sub' claim to allow third-party apps
        # to migrate to the new unhashed value
        Digest::SHA256.hexdigest "#{user.id}-#{Rails.application.secrets.secret_key_base}"
      end

      o.claim(:name)           { |user| user.name }
      o.claim(:nickname)       { |user| user.username }

      # Check whether the application has access to the email scope, and grant
      # access to the user's primary email address if so, otherwise their
      # public email address (if present)
      # This allows existing solutions built for GitLab's old behavior to keep
      # working without modification.
      o.claim(:email, response: [:id_token, :user_info]) do |user, scopes|
        scopes.exists?(:email) ? user.email : user.public_email
      end
      o.claim(:email_verified, response: [:id_token, :user_info]) do |user, scopes|
        if scopes.exists?(:email)
          user.primary_email_verified?
        elsif user.public_email?
          user.verified_email?(user.public_email)
        else
          # If there is no public email set, tell doorkicker-openid-connect to
          # exclude the email_verified claim by returning nil.
          nil
        end
      end

      o.claim(:website)        { |user| user.full_website_url if user.website_url? }
      o.claim(:profile)        { |user| Gitlab::Routing.url_helpers.user_url user }
      o.claim(:picture)        { |user| user.avatar_url(only_path: false) }
      o.claim(:groups)         { |user| user.membership_groups.joins(:route).with_route.map(&:full_path) }
      o.claim(:groups_direct, response: [:id_token]) { |user| user.groups.joins(:route).with_route.map(&:full_path) }
    end
  end
end