From f27b319e4badb3bb1cbb41c7ef443608d22832bf Mon Sep 17 00:00:00 2001
From: Laurence de Bruxelles
Date: Wed, 28 Jun 2023 08:47:07 +0100
Subject: [PATCH] Fix OIDC redirect_uri for CDDO SSO

For some reason the omniauth_openid_connect gem wants us to supply the `redirect_uri` (the URL to redirect to after a successful OAuth2 negotiation, which in our case is the OmniAuth callback route) when the provider is configured. This is really annoying to do, and I can't see why it wouldn't be able to use the OmniAuth `callback_url` in the same way the omniauth-oauth2 gem does [[1]]. There is an open feature request for this [[2]], but it hasn't been acknowledged by the maintainers as yet. So instead we'll just monkeypatch the strategy.

[1]: https://github.com/omniauth/omniauth-oauth2/blob/3a43234ab5dd36a75f9c125c58fcfe1a37b26805/lib/omniauth/strategies/oauth2.rb#L59
[2]: https://github.com/omniauth/omniauth_openid_connect/issues/136#issue-1469820435
---
 config/initializers/authentication.rb | 7 +++++++
 spec/integration/cddo_sso_spec.rb | 12 ++++++++++++
 2 files changed, 19 insertions(+)

diff --git a/config/initializers/authentication.rb b/config/initializers/authentication.rb
index eb6d83f2a..783444631 100644
--- a/config/initializers/authentication.rb
+++ b/config/initializers/authentication.rb
@@ -34,3 +34,10 @@
 warden.failure_app = AuthenticationController
 end
 end
+
+# Monkeypatch omniauth_openid_connect
+class OmniAuth::Strategies::OpenIDConnect
+ def redirect_uri
+ callback_url
+ end
+end
diff --git a/spec/integration/cddo_sso_spec.rb b/spec/integration/cddo_sso_spec.rb
index c6eba5598..d143f8d3e 100644
--- a/spec/integration/cddo_sso_spec.rb
+++ b/spec/integration/cddo_sso_spec.rb
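Review bot: The override in `class OmniAuth::Strategies::OpenIDConnect` only takes effect if the gem's class is already loaded when this initializer runs; if it is not, Ruby silently defines a fresh `OpenIDConnect` class here and the gem's later definition of `redirect_uri` wins. Prepending a named module makes the override independent of load order, fails loudly with a NameError if the constant is missing, and unambiguously replaces the gem's own `redirect_uri` (which, if I read the gem correctly, also folds a `redirect_uri` request parameter into the URL; dropping that is arguably desirable, but it should be deliberate). Note also that `callback_url` is built from the incoming request's scheme and host unless `OmniAuth.config.full_host` is set, so the redirect_uri sent to the provider follows the Host header; the spec in this commit pins it to the Rack test default `www.example.com`, which shows that dependence. Setting `full_host` in this initializer keeps the value stable and matching the URI registered with the provider. The rationale from the commit message belongs in the code as a comment, since a bare `# Monkeypatch omniauth_openid_connect` does not say why.
```ruby
# omniauth_openid_connect expects redirect_uri to be supplied in client_options;
# derive it from the request like omniauth-oauth2 does (see gem issue #136).
module OpenIDConnectCallbackRedirectURI
  def redirect_uri
    callback_url
  end
end
OmniAuth::Strategies::OpenIDConnect.prepend(OpenIDConnectCallbackRedirectURI)
```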
@@ -43,6 +43,18 @@
 expect(request.env["warden"].authenticated?).to be true
 end
+
+ it "redirects to the OmniAuth callback URL" do
+ OmniAuth.config.test_mode = false
+
+ allow(Settings.cddo_sso).to receive(:identifier).and_return("foo")
+ allow(Settings.cddo_sso).to receive(:secret).and_return("bar")
+
+ get "/auth/cddo_sso"
+
+ expect(response).to redirect_to %r{^https://sso\.service\.security\.gov\.uk}
+ expect(response).to redirect_to %r{redirect_uri=http%3A%2F%2Fwww\.example\.com%2Fauth%2Fcddo_sso%2Fcallback}
+ end
 end
 describe "signing out" do
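Review bot: `OmniAuth.config.test_mode = false` is process-global state and the new example never restores it, so under random ordering every example that runs afterwards loses mock auth; the preceding example in this hunk, which expects `warden.authenticated?` to be true, presumably depends on test mode being on. Restore it with `after { OmniAuth.config.test_mode = true }` in this describe (or wrap the example body in `ensure`), on the assumption that the spec helper enables test mode, which I cannot see from the hunk. Separately, `%r{^https://sso\.service\.security\.gov\.uk}` anchors with `^`, which matches at any line start; `\A` is the whole-string anchor and the safer habit for URL assertions even where the value is known to be single-line. The enclosing describe block starts outside the hunk.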