debian-mirror-gitlab/config/initializers/doorkeeper_openid_connect.rb

# OpenID Connect provider settings for Doorkeeper: issuer and signing key,
# how a resource owner is resolved and re-authenticated, the subject
# identifier, and the set of claims released in the ID token / userinfo.
Doorkeeper::OpenidConnect.configure do
  # `iss` claim: the externally visible GitLab URL.
  issuer Gitlab.config.gitlab.url

  # Key used to sign ID tokens; sourced from Rails secrets, not from this file.
  signing_key Rails.application.secrets.openid_connect_signing_key

  # Map a bearer access token to its user. Only users in the `active` scope
  # resolve, so a token belonging to a non-active account yields no owner.
  resource_owner_from_access_token do |token|
    User.active.find_by(id: token.resource_owner_id)
  end

  # `auth_time` claim: timestamp of the owner's current sign-in.
  auth_time_from_resource_owner do |owner|
    owner.current_sign_in_at
  end

  # Force a fresh login: remember where to come back to, end the session and
  # send the user to the sign-in page.
  reauthenticate_resource_owner do |owner, return_to|
    store_location_for owner, return_to
    sign_out owner
    redirect_to new_user_session_url
  end

  # `sub` claim: the plain (unhashed) user id.
  subject do |owner|
    owner.id
  end

  claims do
    with_options scope: :openid do |claim_set|
      # Legacy hashed `sub`, kept so relying parties can migrate to the
      # unhashed value above. It is bound to secret_key_base, so rotating that
      # secret changes this claim for every user.
      claim_set.claim(:sub_legacy, response: [:id_token, :user_info]) do |owner|
        Digest::SHA256.hexdigest "#{owner.id}-#{Rails.application.secrets.secret_key_base}"
      end

      claim_set.claim(:name) { |owner| owner.name }
      claim_set.claim(:nickname) { |owner| owner.username }

      # Email disclosure is gated on the granted scope: the primary address is
      # released only when the client holds the `email` scope; otherwise the
      # user's public email (if any) is used, which keeps clients written for
      # GitLab's earlier behaviour working unchanged.
      claim_set.claim(:email) do |owner, scopes|
        if scopes.exists?(:email)
          owner.email
        else
          owner.public_email
        end
      end

      # Verification status of whichever address was released above. Falls
      # through to nil when no public email is set, which makes
      # doorkeeper-openid-connect omit the `email_verified` claim.
      claim_set.claim(:email_verified) do |owner, scopes|
        if scopes.exists?(:email)
          owner.primary_email_verified?
        elsif owner.public_email?
          owner.verified_email?(owner.public_email)
        end
      end

      # Optional profile claims; `website` is omitted when none is set.
      claim_set.claim(:website) { |owner| owner.full_website_url if owner.website_url? }
      claim_set.claim(:profile) { |owner| Gitlab::Routing.url_helpers.user_url owner }
      claim_set.claim(:picture) { |owner| owner.avatar_url(only_path: false) }

      # Full paths of every group the user is a member of.
      claim_set.claim(:groups) { |owner| owner.membership_groups.map(&:full_path) }
    end
  end
end