Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat: Allow calling of the UserInfo endpoint to be configurable #172

Open
wants to merge 1 commit into
base: master
Choose a base branch
from
+8 −2
Open

feat: Allow calling of the UserInfo endpoint to be configurable #172

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -95,6 +95,7 @@ end
| jwt_secret_base64 | For HMAC with SHA2 (e.g. HS256) signing algorithms, specify the base64-encoded secret used to sign the JWT token. Defaults to the OAuth2 client secret if not specified. | no | client_options.secret | "bXlzZWNyZXQ=\n" |
| logout_path | The log out is only triggered when the request path ends on this path | no | '/logout' | '/sign_out' |
| acr_values | Authentication Class Reference(ACR) values to be passed to the authorize_uri to enforce a specific level, see [RFC9470](https://www.rfc-editor.org/rfc/rfc9470.html) | no | nil | "c1 c2" |
| call_userinfo_endpoint | Whether to call the userinfo endpoint | no | true | one of: true, false |

### Client Config Options

Expand Down
9 changes: 7 additions & 2 deletions lib/omniauth/strategies/openid_connect.rb
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -67,6 +67,7 @@ class OpenIDConnect # rubocop:disable Metrics/ClassLength
},
code_challenge_method: 'S256',
}
option :call_userinfo_endpoint, true

option :logout_path, '/logout'

Expand Down Expand Up @@ -258,10 +259,14 @@ def user_info

if access_token.id_token
decoded = decode_id_token(access_token.id_token).raw_attributes
merge_with = JSON::JWS.new({})
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

As far as I can tell, ::OpenIDConnect::ResponseObject::UserInfo.new works on a regular Hash; what's the deal with using JSON::JWS?

merge_with = access_token.userinfo!.raw_attributes if options.call_userinfo_endpoint

@user_info = ::OpenIDConnect::ResponseObject::UserInfo.new access_token.userinfo!.raw_attributes.merge(decoded)
else
@user_info = ::OpenIDConnect::ResponseObject::UserInfo.new merge_with.merge(decoded)
elsif options.call_userinfo_endpoint
@user_info = access_token.userinfo!
else
@user_info = ::OpenIDConnect::ResponseObject::UserInfo.new
end
Comment on lines 260 to 270
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I suggest to keep the default case as is and put this extra handling into elsif !options.call_userinfo_endpoint and a test case would be great.

end

Expand Down