Fix NeoPass access token request to use POST data instead of Auth header
Ahh okay, the NeoPass spec says to pass the `client_id` and `client_secret` as POST form data when exchanging the code for the access token, but the default behavior of our client is to pass it as an `Authorization` header instead. In this change, we set an option to change that behavior, and also add a lot of comments about this and the other options!
This commit is contained in:
parent
08986153df
commit
e2d763e3c3
1 changed files with 22 additions and 0 deletions
|
@ -275,15 +275,37 @@ Devise.setup do |config|
|
||||||
# up on your models and hooks.
|
# up on your models and hooks.
|
||||||
config.omniauth :openid_connect, {
|
config.omniauth :openid_connect, {
|
||||||
name: :neopass,
|
name: :neopass,
|
||||||
|
|
||||||
|
# We'll request only basic info, and we'll "discover" most of the server's
|
||||||
|
# configuration by reading its `/.well-known/openid_configuation` endpoint.
|
||||||
scope: [:openid, :email],
|
scope: [:openid, :email],
|
||||||
response_type: :code,
|
response_type: :code,
|
||||||
issuer: Rails.configuration.neopass_origin,
|
issuer: Rails.configuration.neopass_origin,
|
||||||
discovery: true,
|
discovery: true,
|
||||||
|
|
||||||
|
# Here's the client info registered with the NeoPass team! They generated
|
||||||
|
# a Client ID and a Client Secret for us; and we provided them with a
|
||||||
|
# redirect URL, which must match the one used here, or the initial auth
|
||||||
|
# request will be rejected.
|
||||||
client_options: {
|
client_options: {
|
||||||
identifier: "19ea1361-f0b1-48f2-9405-b570c655afd9",
|
identifier: "19ea1361-f0b1-48f2-9405-b570c655afd9",
|
||||||
secret: Rails.application.credentials.dig(:neopass, :client_secret),
|
secret: Rails.application.credentials.dig(:neopass, :client_secret),
|
||||||
redirect_uri: Rails.configuration.neopass_redirect_uri,
|
redirect_uri: Rails.configuration.neopass_redirect_uri,
|
||||||
},
|
},
|
||||||
|
|
||||||
|
# Specify that the client ID and secret should be passed as POST form data,
|
||||||
|
# rather than the default of an `Authorization` header. This is necessary
|
||||||
|
# to match the NeoPass specification; if we use the header instead, it will
|
||||||
|
# tell us their record of the Dress to Impress client isn't configured to
|
||||||
|
# allow this!
|
||||||
|
#
|
||||||
|
# NOTE: This isn't a documented supported value for `client_auth_method`
|
||||||
|
# here. The `omniauth_openid_connect` docs say it must be `:basic` or
|
||||||
|
# `:jwks`, but as far as I can tell, the value gets passed to
|
||||||
|
# `Rack::OAuth2::Client#access_token!`, which uses an `Authorization`
|
||||||
|
# header if the value is `:basic`, or POST form data if the value is
|
||||||
|
# anything else. So this option isn't stable, but it works for now!
|
||||||
|
client_auth_method: :request_body,
|
||||||
}
|
}
|
||||||
|
|
||||||
# Output OmniAuth debug info to the server logs.
|
# Output OmniAuth debug info to the server logs.
|
||||||
|
|
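Review bot: `client_auth_method: :request_body` relies on an undocumented fall-through, as the new comment itself admits: `Rack::OAuth2::Client#access_token!` sends POST form data for any value other than `:basic`, and the `omniauth_openid_connect` docs list only `:basic` and `:jwks`. A gem upgrade that tightens that branch (for example by raising on unknown values or defaulting back to the header) would silently break the NeoPass token exchange. Please add a request-level test that asserts the token request carries `client_id`/`client_secret` in the body rather than an `Authorization` header, and pin the gem version so the behaviour change surfaces in CI rather than at login time. Two smaller points in the same hunk: the comment `/.well-known/openid_configuation` should read `/.well-known/openid-configuration` (that is the path discovery actually fetches), and since the secret now travels in the request body, double-check that the "Output OmniAuth debug info to the server logs" setting that follows this block does not log token-request bodies in production.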