Add our client ID and client secret, to connect to NeoPass for real!

Wowie, it's starting to happen! :3 When you run this in production, though, you get back the auth failure message, and the OmniAuth logs say the server returned the following: > invalid_client: Client authentication failed (e.g., unknown client, > no client authentication included, or unsupported authentication > method). The OAuth 2.0 Client supports client authentication method > 'client_secret_post', but method 'client_secret_basic' was requested. > You must configure the OAuth 2.0 client's > 'token_endpoint_auth_method' value to accept 'client_secret_basic'. I'll add a fix for this in the next commit, with some explanations as to why!
2024-04-01 04:55:42 -07:00 · 2024-04-01 04:55:42 -07:00 · 08986153df
commit 08986153df
parent fcc17d3dcf
4 changed files with 17 additions and 7 deletions
--- a/config/credentials.yml.enc
+++ b/config/credentials.yml.enc
@ -1 +1 @@
-p001YS2L7h/DJ9mWOUxcWD/wBNXQ41BOsN9vjnW9QWtECNNzMjRsPVZ8vkOXmRt5mHAOmvzAUhRbKmWE0PaUHMpJAVlct1mCpXlE2rHwKESuZ4S1tJFiSCfu0Uu97Nbw3kQScMJ9cB801QPpjDq5FxoCEz4XtuCEc8nuh23Ni8I77Jw9NG4VfiFFQHFhNk8xhAoAIiYekEoliRYJc1osmzSb8FcDlIV/GompPN4G2EaBcFvX1CMP2F2AYHR8EVvaeTmIv0GsdLL8NnEnsuqd+GZMljIr346aOSOzmUC76rgubpEdqG4mBZzzUjQxvXqnuawOmbQWAbDkDcSoZYwVhc2/QmR3VtFtV/YaBX27h2cp9Ef14FgpK7y1KO1vE7row8lxq4rwtZaGT0nbXf//4gpdDdrRKEOJRjwi5l+ydPgfa4aHQohFZ+4a7App3N5dovG1/c9W/a4T/7i5aBxYeiCKD6+byss74jJaqZ34eNxVQOZxoi+HfHPQwMRwsGVxKzGJaGLijwjuYq5iAdSBiMY2WouF17gNJKXgEILFvy/xAyHnUDM3K/traeC7ULRztdGGxHHIC2D26+s5mS5zI9OAM2lXI6ms4jKEui/BYKuQ/sHpB4Cg7wdk0JQ5SPW/8b35oW6Cuz31NrzUju5WXtXtGvlMPBKUWz8q8wIGEtM5Bc/5ASDS9Ag8J8seW2gprab2Ja7apUXPBUGuR5aU6JKLGNpAM/vV9lavgrm/rvXNlkPvgoULpBhtZI5EfuiSncke7NCuJUEw4fZr5KeRze5U7qyk1Jg+Fz2nQGvOn0T1PDvezN5yT+b/0YZnyTI9zmhur4KY4Z9OZgsMTG073qkdZF6y3qeWKHpWrhXKWc8i/CAVsUKrWQpSDWDhvzhhanR936OEoqqpKoGunsba1fh5oOdrTBiFnH+MfI/IAh7tjUjcQx6bu8/1rdaZ7omBdaeDx36SekoOqndCBgrMX0mri5hoG2LIVA==--VLKM05ugRRSrks6H--/nICajJes+PjNkh9lyRi0Q==
+nyb0iYp3ohic5yKU42wU1YFnL1YHMvOxyCZOz1Vs/fDgcSHFajsTaBM+smD+/+6xnhOlu9uaHIXCGUZiKnY6pjnJJRrO2w6h20p7tuulbPwJEKszljdnREMSII2ltatK0efb2X+UkqIU+fAr7L+6VglX6tYKSk06BC505HUKWhK+UHkHVx9UiQe6KJhX//+G/jE033kMnj/Krqn6QrJ3xwe1jWwdnAi/glJSLt2zGJDndPVPag/8UBeJqd3VtJOIDFTe0FxGvtc5KFUYrkZ1YJWWCIcGlDWpm0Mt3EEQ2yrqYC0VtSg6EedcDZBqcXF9uY2femXSriOmAw7hTHcF0YG0N0elweq8LCa3Q1sEW+BGibrPwIL14aogySDR7BYoq3LevW94ExnUsIwyGPRFpG+nDWA3HGb/BSySSIkLd70a3943S8a7klmo8fo1CArxfIt/8xyXrF0D6T+9FHnhvaj+pDSBOUxlcqZ3qvmLEWwMfCUBOLpTHo2ZlKpKlDJuJmAZ7/ah+Mg34WWPbsXU+7tUhKEXckvM/gaTvmByhxdBDE/7KsnP50qQods7ODjrDTaxHut9OBrl3ODc9Y14dp66OYIMy4X8sS/N5momi59E9MZaGj6bfaZor0ZxctRRJTjrEHFyvxO0CXYh5kkHLjs5BVB00wWHeNA9qgNEdsGVrYCa4v3RXZ6vc8JmtUXy1vwErC67uaemgWds38OV3/xViZFzbnZtqOiSWTzD8/myhKa75GLZ0vjk8+s96GDqX2+lHz6X+RA7NcCdGO+gW1f3Xm7M/Rp5nAUHSfrLG6Gv/RH8nkvGxkT6dcwZjSJ00+1ENL2qqN20008OX5TuWKeo1/TF4DFxJ+X1ipWqoZhypZOW38sRROqE5uGF1aBga8CbCLWF2p1E3HSi45vbSMnpWau4i+8KQvzfUksa7nk1O6qqEamdoJGb9OJuv//ZYcv1GyDfM/8iFIReIwsM7q/hlB0PjfFkoYsC5WRbRMncKEzzGs8fVpL4O4enDPe4ZopaYHecnPy1oDoxrpl6OOSSOjMxg+0=--+Jx8l9zhIw0wWX6f--2I4PF87PHuXTkmcBI3yhVA==
--- a/config/environments/development.rb
+++ b/config/environments/development.rb
@ -121,6 +121,10 @@ Rails.application.configure do
  config.neopass_access_secret = "1"

  # Use the local NeoPass development server.
+  #
+  # NOTE: In my testing, using the live NeoPass server here returns "403
+  #       Forbidden", I suspect because the development callback URL didn't
+  #       make it into the live config? Ah, well!
  config.neopass_origin = "https://localhost:8585"

  # Set the NeoPass redirect callback URL.
--- a/config/environments/production.rb
+++ b/config/environments/production.rb
@ -137,7 +137,7 @@ Rails.application.configure do

  # To see NeoPass features, add ?neopass=<SECRET> to relevant pages.
  config.neopass_access_secret =
-    Rails.application.credentials.neopass.access_secret
+    Rails.application.credentials.neopass.access_secret!

  # Use the live NeoPass production server.
  config.neopass_origin = "https://oidc.neopets.com"
--- a/config/initializers/devise.rb
+++ b/config/initializers/devise.rb
@ -275,19 +275,25 @@ Devise.setup do |config|
  # up on your models and hooks.
  config.omniauth :openid_connect, {
    name: :neopass,
-    scope: [:openid, :email, :profile],
+    scope: [:openid, :email],
    response_type: :code,
    issuer: Rails.configuration.neopass_origin,
    discovery: true,
    client_options: {
-      identifier: "DTI-TODO",
-      secret: "DTI-TODO",
+      identifier: "19ea1361-f0b1-48f2-9405-b570c655afd9",
+      secret: Rails.application.credentials.dig(:neopass, :client_secret),
      redirect_uri: Rails.configuration.neopass_redirect_uri,
    },
  }

-  # Output OmniAuth debug info to the server logs in development
-  OmniAuth.config.logger = Rails.logger if Rails.env.development?
+  # Output OmniAuth debug info to the server logs.
+  #
+  # TODO: We should perhaps evaluate whether these logs contain sensitive
+  #       information in production? I wouldn't think so, and it will be useful
+  #       for debugging NeoPass, but let's keep an eye on that! Consider
+  #       setting this to only be true in development mode, if we're not
+  #       actively using it anymore.
+  OmniAuth.config.logger = Rails.logger

  # ==> Warden configuration
  # If you want to use other strategies, that are not supported by Devise, or