Fix NeoPass access token request to use POST data instead of Auth header

Ahh okay, the NeoPass spec says to pass the `client_id` and
`client_secret` as POST form data when exchanging the code for the
access token, but the default behavior of our client is to pass it as
an `Authorization` header instead.

In this change, we set an option to change that behavior, and also add
a lot of comments about this and the other options!
Emi Matchu 2024-04-01 05:08:47 -07:00
parent 08986153df
commit e2d763e3c3
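The commit message describes the difference between the two ways an OAuth 2.0 client can authenticate to the token endpoint when exchanging the code: HTTP Basic (`client_secret_basic`, the rack-oauth2 default the message calls the `Authorization` header) and form-body credentials (`client_secret_post`, what NeoPass requires). The following is an added illustration, not code from this commit or from the Dress to Impress code base, showing what each token request looks like on the wire and how a client can pick the method from the server's discovery document instead of guessing. The discovery document, endpoint URL, client ID, secret and the helper names `build_token_request` and `choose_auth_method` are all constructed for the example.

```ruby
require "base64"
require "uri"

# Constructed stand-in for the JSON a provider serves at
# /.well-known/openid-configuration. Only the two fields the example reads
# are included; the values are assumptions, not NeoPass's real metadata.
DISCOVERY_DOC = {
  "token_endpoint" => "https://idp.example.test/oauth2/token",
  "token_endpoint_auth_methods_supported" => ["client_secret_post"],
}.freeze

# Build the authorization-code token request for one client auth method.
# Returns { headers:, body: } with a form-encoded body, i.e. exactly what
# the HTTP client would send to token_endpoint.
#
#   :client_secret_basic  RFC 6749 section 2.3.1: form-urlencode the id and
#                         secret, then send them as an HTTP Basic header.
#   :client_secret_post   same section: client_id and client_secret as
#                         additional form fields in the request body.
def build_token_request(client_id:, client_secret:, code:, redirect_uri:, method:)
  params = {
    "grant_type" => "authorization_code",
    "code" => code,
    "redirect_uri" => redirect_uri,
  }
  headers = { "Content-Type" => "application/x-www-form-urlencoded" }

  case method
  when :client_secret_basic
    id = URI.encode_www_form_component(client_id)
    secret = URI.encode_www_form_component(client_secret)
    headers["Authorization"] = "Basic #{Base64.strict_encode64("#{id}:#{secret}")}"
  when :client_secret_post
    params["client_id"] = client_id
    params["client_secret"] = client_secret
  else
    raise ArgumentError, "unsupported client auth method: #{method.inspect}"
  end

  { headers: headers, body: URI.encode_www_form(params) }
end

# Pick the client auth method from the discovery document. OpenID Connect
# Discovery says a missing token_endpoint_auth_methods_supported means
# client_secret_basic; otherwise prefer basic (the method RFC 6749 requires
# servers to support) and fall back to post when that is all the server lists.
def choose_auth_method(discovery_doc)
  supported = discovery_doc.fetch("token_endpoint_auth_methods_supported",
                                  ["client_secret_basic"])
  %w[client_secret_basic client_secret_post].each do |m|
    return m.to_sym if supported.include?(m)
  end
  raise "server supports none of our client auth methods: #{supported.inspect}"
end

# Usage: build the request the way the server says it wants it.
request = build_token_request(
  client_id: "19ea1361-0000-0000-0000-000000000000",  # constructed, not the real ID
  client_secret: "example-secret",
  code: "SplxlOBeZQQYbYS6WxSbIA",
  redirect_uri: "https://app.example.test/auth/neopass/callback",
  method: choose_auth_method(DISCOVERY_DOC),
)
puts request[:headers].inspect
puts request[:body]
```

Both forms carry the secret in plaintext inside the TLS session, so neither is weaker than the other as long as the token endpoint is HTTPS; what matters is that the method matches what the server's registration for this client allows, which is why reading `token_endpoint_auth_methods_supported` beats hard-coding a guess. The secret must never go in the query string of a GET, where it would land in server and proxy logs.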

@ -275,15 +275,37 @@ Devise.setup do |config|
# up on your models and hooks. # up on your models and hooks.
config.omniauth :openid_connect, { config.omniauth :openid_connect, {
name: :neopass, name: :neopass,
# We'll request only basic info, and we'll "discover" most of the server's
# configuration by reading its `/.well-known/openid_configuation` endpoint.
scope: [:openid, :email], scope: [:openid, :email],
response_type: :code, response_type: :code,
issuer: Rails.configuration.neopass_origin, issuer: Rails.configuration.neopass_origin,
discovery: true, discovery: true,
# Here's the client info registered with the NeoPass team! They generated
# a Client ID and a Client Secret for us; and we provided them with a
# redirect URL, which must match the one used here, or the initial auth
# request will be rejected.
client_options: { client_options: {
identifier: "19ea1361-f0b1-48f2-9405-b570c655afd9", identifier: "19ea1361-f0b1-48f2-9405-b570c655afd9",
secret: Rails.application.credentials.dig(:neopass, :client_secret), secret: Rails.application.credentials.dig(:neopass, :client_secret),
redirect_uri: Rails.configuration.neopass_redirect_uri, redirect_uri: Rails.configuration.neopass_redirect_uri,
}, },
# Specify that the client ID and secret should be passed as POST form data,
# rather than the default of an `Authorization` header. This is necessary
# to match the NeoPass specification; if we use the header instead, it will
# tell us their record of the Dress to Impress client isn't configured to
# allow this!
#
# NOTE: This isn't a documented supported value for `client_auth_method`
# here. The `omniauth_openid_connect` docs say it must be `:basic` or
# `:jwks`, but as far as I can tell, the value gets passed to
# `Rack::OAuth2::Client#access_token!`, which uses an `Authorization`
# header if the value is `:basic`, or POST form data if the value is
# anything else. So this option isn't stable, but it works for now!
client_auth_method: :request_body,
} }
# Output OmniAuth debug info to the server logs. # Output OmniAuth debug info to the server logs.
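Review bot: the new `client_auth_method: :request_body` setting, as the comment on it admits, works only because `Rack::OAuth2::Client#access_token!` treats any value other than `:basic` as "put the credentials in the body"; nothing pins that behaviour, so a routine bump of `omniauth_openid_connect` or `rack-oauth2` could silently switch logins back to the `Authorization` header and NeoPass would start rejecting every token exchange. Please pin both gems to the versions this was verified against and add a test that stubs the token endpoint and asserts `client_id` and `client_secret` arrive in the form body with no `Authorization` header, so the upgrade fails in CI rather than in production. Since `discovery: true` is already set, the discovery document's `token_endpoint_auth_methods_supported` field is the authoritative statement of what NeoPass accepts and is worth citing in the comment instead of "the spec says". Separately, the comment added above `scope:` names the endpoint as `/.well-known/openid_configuation`; the actual path is `/.well-known/openid-configuration` (hyphen, and the missing `r`), and a wrong path in a comment is the kind of thing that gets copied into a curl command later.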