{"id":18524372,"url":"https://github.com/omniauth/omniauth_openid_connect","last_synced_at":"2025-04-11T06:21:46.305Z","repository":{"id":37474067,"uuid":"74266456","full_name":"omniauth/omniauth_openid_connect","owner":"omniauth","description":null,"archived":false,"fork":false,"pushed_at":"2024-09-10T18:04:01.000Z","size":272,"stargazers_count":178,"open_issues_count":39,"forks_count":193,"subscribers_count":11,"default_branch":"master","last_synced_at":"2025-04-03T16:08:14.715Z","etag":null,"topics":["omniauth"],"latest_commit_sha":null,"homepage":"","language":"Ruby","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":"jjbohn/omniauth-openid-connect","license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/omniauth.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":null,"funding":null,"license":"LICENSE.txt","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2016-11-20T10:20:43.000Z","updated_at":"2025-04-01T13:37:14.000Z","dependencies_parsed_at":"2024-06-18T13:32:19.137Z","dependency_job_id":"c3b9d486-948d-4e07-9cb0-6affe3c0183a","html_url":"https://github.com/omniauth/omniauth_openid_connect","commit_stats":{"total_commits":182,"total_committers":41,"mean_commits":4.439024390243903,"dds":0.7912087912087912,"last_synced_commit":"af61a913990f0a6bb3c0d8b026d95c5a25b2234d"},"previous_names":["m0n9oose/omniauth_openid_connect"],"tags_count":19,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/omniauth%2Fomniauth_openid_connect","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/omniauth%2Fomniauth_openid_connect/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositor
ies/omniauth%2Fomniauth_openid_connect/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/omniauth%2Fomniauth_openid_connect/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/omniauth","download_url":"https://codeload.github.com/omniauth/omniauth_openid_connect/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":248352459,"owners_count":21089452,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["omniauth"],"created_at":"2024-11-06T17:41:06.696Z","updated_at":"2025-04-11T06:21:46.269Z","avatar_url":"https://github.com/omniauth.png","language":"Ruby","funding_links":[],"categories":["Relying Parties (RP) Libraries"],"sub_categories":["Ruby"],"readme":"# OmniAuth::OpenIDConnect\n\nOriginally was [omniauth-openid-connect](https://github.com/jjbohn/omniauth-openid-connect)\n\nI've forked this repository and launch as separate gem because maintaining of original was dropped.\n\n[![Build Status](https://github.com/omniauth/omniauth_openid_connect/actions/workflows/main.yml/badge.svg)](https://github.com/omniauth/omniauth_openid_connect/actions/workflows/main.yml)\n[![Coverage Status](https://coveralls.io/repos/github/omniauth/omniauth_openid_connect/badge.svg)](https://coveralls.io/github/omniauth/omniauth_openid_connect)\n\n## Installation\n\nAdd this line to your application's Gemfile:\n\n    gem 'omniauth_openid_connect'\n\nAnd then execute:\n\n    $ bundle\n\nOr install it yourself as:\n\n    $ gem install omniauth_openid_connect\n\n## Supported Ruby 
Versions\n\nOmniAuth::OpenIDConnect is tested under 2.7, 3.0, 3.1, 3.2\n\n## Usage\n\nExample configuration\n\n```ruby\nRails.application.config.middleware.use OmniAuth::Builder do\n  provider :openid_connect, {\n    name: :my_provider,\n    scope: [:openid, :email, :profile, :address],\n    response_type: :code,\n    uid_field: \"preferred_username\",\n    client_options: {\n      port: 443,\n      scheme: \"https\",\n      host: \"myprovider.com\",\n      identifier: ENV[\"OP_CLIENT_ID\"],\n      secret: ENV[\"OP_SECRET_KEY\"],\n      redirect_uri: \"http://myapp.com/users/auth/openid_connect/callback\",\n    },\n  }\nend\n```\n\n### with Devise\n```ruby\nDevise.setup do |config|\n  config.omniauth :openid_connect, {\n    name: :my_provider,\n    scope: [:openid, :email, :profile, :address],\n    response_type: :code,\n    uid_field: \"preferred_username\",\n    client_options: {\n      port: 443,\n      scheme: \"https\",\n      host: \"myprovider.com\",\n      identifier: ENV[\"OP_CLIENT_ID\"],\n      secret: ENV[\"OP_SECRET_KEY\"],\n      redirect_uri: \"http://myapp.com/users/auth/openid_connect/callback\",\n    },\n  }\nend\n```\n\n### Options Overview\n\n| Field                        | Description                                                                                                                                                              | Required | Default                       | Example/Options                                     |\n|------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------|-------------------------------|-----------------------------------------------------|\n| name                         | Arbitrary string to identify connection and identify it from other openid_connect providers                                                                              | no       | 
String: openid_connect        | :my_idp                                             |\n| issuer                       | Root url for the authorization server                                                                                                                                    | yes      |                               | https://myprovider.com                              |\n| discovery                    | Should OpenID discovery be used. This is recommended if the IDP provides a discovery endpoint. See client config for how to manually enter discovered values.            | no       | false                         | one of: true, false                                 |\n| client_auth_method           | Which authentication method to use to authenticate your app with the authorization server                                                                                | no       | Sym: basic                    | \"basic\", \"jwks\"                                     |\n| scope                        | Which OpenID scopes to include (:openid is always required)                                                                                                              | no       | Array\u003csym\u003e [:openid]          | [:openid, :profile, :email]                         |\n| response_type                | Which OAuth2 response type to use with the authorization request                                                                                                         | no       | String: code                  | one of: 'code', 'id_token'                          |\n| state                        | A value to be used for the OAuth2 state parameter on the authorization request. Can be a proc that generates a string.                                                   
| no       | Random 16 character string    | Proc.new { SecureRandom.hex(32) }                   |\n| require_state                | Should the callback phase require that a state is present. If `send_state` is true, then the callback state must match the authorize state. This is recommended, not required by the OIDC specification. | no       | true                          | false                                               |\n| send_state                   | Should the authorize phase send a `state` parameter - this is recommended, not required by the OIDC specification                                                        | no       | true                          | false                                               |\n| response_mode                | The response mode per [spec](https://openid.net/specs/oauth-v2-form-post-response-mode-1_0.html)                                                                         | no       | nil                           | one of: :query, :fragment, :form_post, :web_message |\n| display                      | An optional parameter to the authorization request to determine how the authorization and consent page                                                                   | no       | nil                           | one of: :page, :popup, :touch, :wap                 |\n| prompt                       | An optional parameter to the authorization request to determine what pages the user will be shown                                                                        | no       | nil                           | one of: :none, :login, :consent, :select_account    |\n| send_scope_to_token_endpoint | Should the scope parameter be sent to the authorization token endpoint?                                                                                                  
| no       | true                          | one of: true, false                                 |\n| post_logout_redirect_uri     | The logout redirect uri to use per the [session management draft](https://openid.net/specs/openid-connect-session-1_0.html)                                              | no       | empty                         | https://myapp.com/logout/callback                   |\n| uid_field                    | The field of the user info response to be used as a unique id                                                                                                            | no       | 'sub'                         | \"sub\", \"preferred_username\"                         |\n| extra_authorize_params       | A hash of extra fixed parameters that will be merged to the authorization request                                                                                        | no       | Hash                          | {\"tenant\" =\u003e \"common\"}                              |\n| allow_authorize_params       | A list of allowed dynamic parameters that will be merged to the authorization request                                                                                    | no       | Array                         | [:screen_name]                                      |\n| pkce                         | Enable [PKCE flow](https://oauth.net/2/pkce/)                                                                                                                            | no       | false                         | one of: true, false                                 |\n| pkce_verifier                | Specify a custom PKCE verifier code.                                                                                                                                     
| no       | A random 128-char string      | Proc.new { SecureRandom.hex(64) }                   |\n| pkce_options                 | Specify a custom implementation of the PKCE code challenge/method.                                                                                                       | no       | SHA256(code_challenge) in hex | Proc to customise the code challenge generation     |\n| client_options               | A hash of client options detailed in its own section                                                                                                                     | yes      |                               |                                                     |\n| jwt_secret_base64            | For HMAC with SHA2 (e.g. HS256) signing algorithms, specify the base64-encoded secret used to sign the JWT token. Defaults to the OAuth2 client secret if not specified. | no       | client_options.secret         | \"bXlzZWNyZXQ=\\n\"                                    |\n| logout_path                  | The log out is only triggered when the request path ends on this path                                                                                                    | no       | '/logout'                     | '/sign_out'                                         |\n| acr_values                   | Authentication Class Reference (ACR) values to be passed to the authorize_uri to enforce a specific level, see [RFC9470](https://www.rfc-editor.org/rfc/rfc9470.html)    | no       | nil                           | \"c1 c2\"                                             |\n\n### Client Config Options\n\nThese are the configuration options for the client_options hash of the configuration.\n\n| Field                  | Description                                                     | Default    | Replaced by discovery? 
|\n|------------------------|-----------------------------------------------------------------|------------|------------------------|\n| identifier             | The OAuth2 client_id                                            |            |                        |\n| secret                 | The OAuth2 client secret                                        |            |                        |\n| redirect_uri           | The OAuth2 authorization callback url in your app               |            |                        |\n| scheme                 | The http scheme to use                                          | https      |                        |\n| host                   | The host of the authorization server                            | nil        |                        |\n| port                   | The port for the authorization server                           | 443        |                        |\n| audience               | The intended consumer (`aud` field) of the id_token              | nil        |                        |\n| authorization_endpoint | The authorize endpoint on the authorization server              | /authorize | yes                    |\n| token_endpoint         | The token endpoint on the authorization server                  | /token     | yes                    |\n| userinfo_endpoint      | The user info endpoint on the authorization server              | /userinfo  | yes                    |\n| jwks_uri               | The jwks_uri on the authorization server                        | /jwk       | yes                    |\n| end_session_endpoint   | The url to call to log the user out at the authorization server | nil        | yes                    |\n\n### Additional Configuration Notes\n  * `name` is arbitrary, I recommend using the name of your provider. 
The name\n  configuration exists because you could be using multiple OpenID Connect\n  providers in a single app.\n\n  **NOTE**: if you use this gem with Devise, you should use the `:openid_connect` name,\n  or Devise would route to 'users/auth/:provider' rather than 'users/auth/openid_connect'\n\n  * `response_type` tells the authorization server which grant type the application wants to use.\n  Currently, only `:code` (Authorization Code grant) and `:id_token` (Implicit grant) are valid.\n  * If you want to set the `state` parameter yourself, you can pass a Proc object,\n  e.g. `state: Proc.new { SecureRandom.hex(32) }`\n  * `nonce` is optional. If you don't want to pass the \"nonce\" parameter to the provider, set the\n  `send_nonce` option to `false`. (default true)\n  * Other client authentication methods are supported. If the\n  `:client_auth_method` option is not specified, it is automatically set to `:basic`.\n  * To use \"OpenID Connect Discovery\", set the `discovery` option to `true`. (default false)\n  * In \"OpenID Connect Discovery\", the provider should generally have a Webfinger endpoint.\n  If the provider does not have a Webfinger endpoint, you can specify the issuer in the `issuer` option,\n  e.g. `issuer: \"https://myprovider.com\"`\n  This means the configuration is fetched from \"https://myprovider.com/.well-known/openid-configuration\".\n  * By default, the uid is the `sub` value from the `user_info` response,\n  which in some applications is not the expected value. To avoid this limitation, the uid label can be\n  configured by setting the omniauth `uid_field` option to a different label (e.g. 
`preferred_username`)\n  that appears in the `user_info` details.\n  * The `issuer` property should exactly match the provider's issuer link.\n  * The `response_mode` option is optional and specifies how the result of the authorization request is formatted.\n  * Some OpenID Connect providers require the `scope` attribute in requests to the token endpoint, even if\n  this is not in the protocol specifications. In those cases, the `send_scope_to_token_endpoint`\n  property can be used to add the attribute to the token request. The default value is `true`, which means that the\n  scope attribute is included by default.\n\n## Additional notes\n  * In some cases, you may want to go straight to the callback phase, e.g. when requested by a stateless client, like a mobile app.\n  In that case, the session is empty, so you have to forward certain parameters received from the client.\n  The currently supported ones are `code_verifier` and `nonce`; simply provide them as the `/callback` request parameters.\n\nFor the full lowdown on OpenID Connect, please check out\n[the spec](http://openid.net/specs/openid-connect-core-1_0.html).\n\n## Contributing\n\n1. Fork it ( http://github.com/omniauth/omniauth_openid_connect/fork )\n2. Create your feature branch (`git checkout -b my-new-feature`)\n3. Cover your changes with tests and make sure they're green (`bundle install \u0026\u0026 bundle exec rake test`)\n4. Commit your changes (`git commit -am 'Add some feature'`)\n5. Push to the branch (`git push origin my-new-feature`)\n6. Create a new Pull Request\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fomniauth%2Fomniauth_openid_connect","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fomniauth%2Fomniauth_openid_connect","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fomniauth%2Fomniauth_openid_connect/lists"}