Add OpenID Connect login support

Author: jjmata

.env.example

@@ -53,6 +53,12 @@ POSTGRES_USER=postgres
 # This is the domain that your Maybe instance will be hosted at. It is used to generate links in emails and other places.
 APP_DOMAIN=
 
+# OpenID Connect configuration
+OIDC_ISSUER=
+OIDC_CLIENT_ID=
+OIDC_CLIENT_SECRET=
+OIDC_REDIRECT_URI=http://localhost:3000/auth/openid_connect/callback
+
 # Disable enforcing SSL connections
 # DISABLE_SSL=true
 

.env.local.example

@@ -3,3 +3,9 @@ SELF_HOSTED=false
 
 # Enable Twelve market data (careful, this will use your API credits)
 TWELVE_DATA_API_KEY=yourapikeyhere
+
+# OpenID Connect for development
+OIDC_ISSUER=https://example.com
+OIDC_CLIENT_ID=
+OIDC_CLIENT_SECRET=
+OIDC_REDIRECT_URI=http://localhost:3000/auth/openid_connect/callback

.env.test.example

@@ -1,5 +1,11 @@
 SELF_HOSTED=false
 
+# OpenID Connect for tests
+OIDC_ISSUER=
+OIDC_CLIENT_ID=
+OIDC_CLIENT_SECRET=
+OIDC_REDIRECT_URI=http://localhost:3000/auth/openid_connect/callback
+
 # ================
 # Data Providers
 # ---------------------------------------------------------------------------------

Gemfile

@@ -74,6 +74,11 @@ gem "rqrcode", "~> 3.0"
 gem "activerecord-import"
 gem "rubyzip", "~> 2.3"
 
+# OpenID Connect authentication
+gem "omniauth", "~> 2.1"
+gem "omniauth-rails_csrf_protection"
+gem "omniauth_openid_connect"
+
 # State machines
 gem "aasm"
 gem "after_commit_everywhere", "~> 1.0"

Gemfile.lock

@@ -85,10 +85,12 @@ GEM
       tzinfo (~> 2.0, >= 2.0.5)
     addressable (2.8.7)
       public_suffix (>= 2.0.2, < 7.0)
+    aes_key_wrap (1.1.0)
     after_commit_everywhere (1.6.0)
       activerecord (>= 4.2)
       activesupport
     ast (2.4.3)
+    attr_required (1.0.2)
     aws-eventstream (1.4.0)
     aws-partitions (1.1113.0)
     aws-sdk-core (3.225.1)
@@ -119,6 +121,7 @@ GEM
       parser (>= 2.4)
       smart_properties
     bigdecimal (3.2.2)
+    bindata (2.5.1)
     bindex (0.8.1)
     bootsnap (1.18.6)
       msgpack (~> 1.2)
@@ -182,6 +185,8 @@ GEM
       dotenv (= 3.1.8)
       railties (>= 6.1)
     drb (2.2.3)
+    email_validator (2.2.4)
+      activemodel
     erb (5.0.1)
     erb_lint (0.9.0)
       activesupport
@@ -200,6 +205,8 @@ GEM
       faraday-net_http (>= 2.0, < 3.5)
       json
       logger
+    faraday-follow_redirects (0.3.0)
+      faraday (>= 1, < 3)
     faraday-multipart (1.1.1)
       multipart-post (~> 2.0)
     faraday-net_http (3.4.1)
@@ -224,6 +231,7 @@ GEM
     globalid (1.2.1)
       activesupport (>= 6.1)
     hashdiff (1.2.0)
+    hashie (5.0.0)
     heapy (0.2.0)
       thor
     highline (3.1.2)
@@ -272,6 +280,13 @@ GEM
       activesupport (>= 5.0.0)
     jmespath (1.6.2)
     json (2.12.2)
+    json-jwt (1.16.7)
+      activesupport (>= 4.2)
+      aes_key_wrap
+      base64
+      bindata
+      faraday (~> 2.0)
+      faraday-follow_redirects
     jwt (2.10.2)
       base64
     language_server-protocol (3.17.0.5)
@@ -363,6 +378,29 @@ GEM
     octokit (10.0.0)
       faraday (>= 1, < 3)
       sawyer (~> 0.9)
+    omniauth (2.1.3)
+      hashie (>= 3.4.6)
+      rack (>= 2.2.3)
+      rack-protection
+    omniauth-rails_csrf_protection (1.0.2)
+      actionpack (>= 4.2)
+      omniauth (~> 2.0)
+    omniauth_openid_connect (0.8.0)
+      omniauth (>= 1.9, < 3)
+      openid_connect (~> 2.2)
+    openid_connect (2.3.1)
+      activemodel
+      attr_required (>= 1.0.0)
+      email_validator
+      faraday (~> 2.0)
+      faraday-follow_redirects
+      json-jwt (>= 1.16)
+      mail
+      rack-oauth2 (~> 2.2)
+      swd (~> 2.0)
+      tzinfo
+      validate_url
+      webfinger (~> 2.0)
     ostruct (0.6.2)
     pagy (9.3.5)
     parallel (1.27.0)
@@ -398,6 +436,17 @@ GEM
       rack (>= 1.0, < 4)
     rack-mini-profiler (4.0.0)
       rack (>= 1.2.0)
+    rack-oauth2 (2.2.1)
+      activesupport
+      attr_required
+      faraday (~> 2.0)
+      faraday-follow_redirects
+      json-jwt (>= 1.11.0)
+      rack (>= 2.1.0)
+    rack-protection (4.1.1)
+      base64 (>= 0.1.0)
+      logger (>= 1.6.0)
+      rack (>= 3.0.0, < 4)
     rack-session (2.1.1)
       base64 (>= 0.1.0)
       rack (>= 3.0.0)
@@ -556,6 +605,11 @@ GEM
       railties (>= 6.0.0)
     stringio (3.1.7)
     stripe (15.3.0)
+    swd (2.0.3)
+      activesupport (>= 3)
+      attr_required (>= 0.0.5)
+      faraday (~> 2.0)
+      faraday-follow_redirects
     tailwindcss-rails (4.2.3)
       railties (>= 7.0.0)
       tailwindcss-ruby (~> 4.0)
@@ -582,6 +636,9 @@ GEM
     unicode-emoji (4.0.4)
     uri (1.0.3)
     useragent (0.16.11)
+    validate_url (1.0.15)
+      activemodel (>= 3.0.0)
+      public_suffix
     vcr (6.3.1)
       base64
     vernier (1.8.0)
@@ -594,6 +651,10 @@ GEM
       activemodel (>= 6.0.0)
       bindex (>= 0.4.0)
       railties (>= 6.0.0)
+    webfinger (2.1.3)
+      activesupport
+      faraday (~> 2.0)
+      faraday-follow_redirects
     webmock (3.25.1)
       addressable (>= 2.8.0)
       crack (>= 0.3.2)
@@ -655,6 +716,9 @@ DEPENDENCIES
   lucide-rails!
   mocha
   octokit
+  omniauth (~> 2.1)
+  omniauth-rails_csrf_protection
+  omniauth_openid_connect
   ostruct
   pagy
   pg (~> 1.5)

app/controllers/sessions_controller.rb

@@ -1,6 +1,6 @@
 class SessionsController < ApplicationController
   before_action :set_session, only: :destroy
-  skip_authentication only: %i[new create]
+  skip_authentication only: %i[new create openid_connect failure]
 
   layout "auth"
 
@@ -27,6 +27,20 @@ def destroy
     redirect_to new_session_path, notice: t(".logout_successful")
   end
 
+  def openid_connect
+    auth = request.env["omniauth.auth"]
+    if auth && (user = User.find_by(email: auth.info.email))
+      @session = create_session_for(user)
+      redirect_to root_path
+    else
+      redirect_to new_session_path, alert: t(".failed")
+    end
+  end
+
+  def failure
+    redirect_to new_session_path, alert: t(".failed")
+  end
+
   private
     def set_session
       @session = Current.user.sessions.find(params[:id])

app/views/sessions/new.html.erb

@@ -13,3 +13,7 @@
 <div class="mt-6 text-center">
   <%= link_to t(".forgot_password"), new_password_reset_path, class: "font-medium text-sm text-primary hover:underline transition" %>
 </div>
+
+<div class="mt-6 text-center">
+  <%= link_to t(".openid_connect"), "/auth/openid_connect", class: "font-medium text-sm text-primary hover:underline transition" %>
+</div>

config/initializers/omniauth.rb

@@ -0,0 +1,20 @@
+# frozen_string_literal: true
+
+require "omniauth/rails_csrf_protection"
+
+if ENV["OIDC_ISSUER"].present?
+  Rails.application.config.middleware.use OmniAuth::Builder do
+    provider :openid_connect,
+             name: :openid_connect,
+             scope: %i[openid email profile],
+             response_type: :code,
+             issuer: ENV["OIDC_ISSUER"],
+             discovery: true,
+             pkce: true,
+             client_options: {
+               identifier: ENV["OIDC_CLIENT_ID"],
+               secret: ENV["OIDC_CLIENT_SECRET"],
+               redirect_uri: ENV["OIDC_REDIRECT_URI"]
+             }
+  end
+end

config/locales/views/sessions/en.yml

@@ -5,11 +5,14 @@ en:
       invalid_credentials: Invalid email or password.
     destroy:
       logout_successful: You have signed out successfully.
+    openid_connect:
+      failed: Could not authenticate via OpenID Connect.
     new:
       email: Email address
       email_placeholder: [email protected]
       forgot_password: Forgot your password?
       password: Password
       submit: Log in
       title: Sign in to your account
-      password_placeholder: Enter your password
+      password_placeholder: Enter your password
+      openid_connect: Sign in with OpenID Connect

config/locales/views/sessions/nb.yml

@@ -3,13 +3,16 @@ nb:
   sessions:
     create:
       invalid_credentials: Ugyldig e-post eller passord.
-    destroy:
-      logout_successful: Du har blitt logget ut.
-    new:
-      email: E-postadresse
-      email_placeholder: [email protected]
-      forgot_password: Glemt passordet ditt?
-      password: Passord
-      submit: Logg inn
-      title: Logg inn på kontoen din
-      password_placeholder: Angi passordet ditt
+    destroy:
+      logout_successful: Du har blitt logget ut.
+    openid_connect:
+      failed: Kunne ikke autentisere via OpenID Connect.
+    new:
+      email: E-postadresse
+      email_placeholder: [email protected]
+      forgot_password: Glemt passordet ditt?
+      password: Passord
+      submit: Logg inn
+      title: Logg inn på kontoen din
+      password_placeholder: Angi passordet ditt
+      openid_connect: Logg inn med OpenID Connect