forked from OpenNeo/impress
Fix NeoPass access token request to use POST data instead of Auth header
Ahh okay, the NeoPass spec says to pass the `client_id` and `client_secret` as POST form data when exchanging the code for the access token, but the default behavior of our client is to pass it as an `Authorization` header instead. In this change, we set an option to change that behavior, and also add a lot of comments about this and the other options!
parent 08986153df
commit e2d763e3c3
1 changed file with 22 additions and 0 deletions
@ -275,15 +275,37 @@ Devise.setup do |config|
# up on your models and hooks.
config.omniauth :openid_connect, {
name: :neopass,

# We'll request only basic info, and we'll "discover" most of the server's
# configuration by reading its `/.well-known/openid_configuation` endpoint.
scope: [:openid, :email],
response_type: :code,
issuer: Rails.configuration.neopass_origin,
discovery: true,

# Here's the client info registered with the NeoPass team! They generated
# a Client ID and a Client Secret for us; and we provided them with a
# redirect URL, which must match the one used here, or the initial auth
# request will be rejected.
client_options: {
identifier: "19ea1361-f0b1-48f2-9405-b570c655afd9",
secret: Rails.application.credentials.dig(:neopass, :client_secret),
redirect_uri: Rails.configuration.neopass_redirect_uri,
},

# Specify that the client ID and secret should be passed as POST form data,
# rather than the default of an `Authorization` header. This is necessary
# to match the NeoPass specification; if we use the header instead, it will
# tell us their record of the Dress to Impress client isn't configured to
# allow this!
#
# NOTE: This isn't a documented supported value for `client_auth_method`
# here. The `omniauth_openid_connect` docs say it must be `:basic` or
# `:jwks`, but as far as I can tell, the value gets passed to
# `Rack::OAuth2::Client#access_token!`, which uses an `Authorization`
# header if the value is `:basic`, or POST form data if the value is
# anything else. So this option isn't stable, but it works for now!
client_auth_method: :request_body,
}

# Output OmniAuth debug info to the server logs.
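Review bot: `client_auth_method: :request_body` only works because, as the comment itself says, `:request_body` is not a value `Rack::OAuth2::Client#access_token!` recognizes and so falls through to the branch that puts `client_id` and `client_secret` in the POST body; a future `omniauth_openid_connect` or `rack-oauth2` release that starts validating the option, or that adds its own meaning for an unknown symbol, would either raise or quietly send the credentials in the `Authorization` header again and break NeoPass login. Suggest pinning those two gems to the versions this was verified against and adding a spec that stubs the token endpoint and asserts the credentials arrive as form parameters, so the fallback is caught by CI rather than in production. Since `discovery: true` is set, the provider's discovery document advertises `token_endpoint_auth_methods_supported` (`client_secret_post` vs `client_secret_basic`); naming that term in the comment would let a future maintainer check the override against the server instead of against this note. Minor: the context comment above misspells the discovery path as `/.well-known/openid_configuation`; the standard path is `/.well-known/openid-configuration`.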