# frozen_string_literal: true
# name: discourse-openid-connect
# about: Add support for openid-connect as a login provider
# version: 1.0
# authors: David Taylor
# url: https://github.com/discourse/discourse-openid-connect
# Site setting that gates the whole plugin: when openid_connect_enabled is off,
# nothing below is active.
enabled_site_setting :openid_connect_enabled
require "uri"

require_relative "lib/openid_connect_faraday_formatter"
require_relative "lib/omniauth_open_id_connect"
require_relative "lib/openid_connect_authenticator"
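# RP-initiated logout
# https://openid.net/specs/openid-connect-rpinitiated-1_0.html
#
# When a Discourse session is destroyed and rp_initiated_logout is enabled,
# point the user at the provider's end_session_endpoint so the provider-side
# session is ended as well. Each early `next` leaves data[:redirect_url]
# untouched, so the normal logout flow is used instead.
on(:before_session_destroy) do |data|
  next unless SiteSetting.openid_connect_rp_initiated_logout

  authenticator = OpenIDConnectAuthenticator.new
  oidc_record = data[:user]&.user_associated_accounts&.find_by(provider_name: "oidc")
  unless oidc_record
    authenticator.oidc_log "Logout: No oidc user_associated_account record for user"
    next
  end

  # The id_token saved at login is handed back as id_token_hint so the provider
  # can tell which of its sessions to end.
  token = oidc_record.extra["id_token"]
  unless token
    authenticator.oidc_log "Logout: No oidc id_token in user_associated_account record"
    next
  end

  end_session_endpoint = authenticator.discovery_document["end_session_endpoint"].presence
  unless end_session_endpoint
    authenticator.oidc_log "Logout: No end_session_endpoint found in discovery document", error: true
    next
  end

  authenticator.oidc_log "Logout: Redirecting user_id=#{data[:user].id} to end_session_endpoint"

  # Build the query string with proper percent-encoding instead of raw
  # interpolation: post_logout_redirect_uri is itself a URL (it may carry its
  # own "?", "&" or "#") and the spec requires it to be URL-encoded; splicing
  # it in raw would also let a malformed setting value smuggle extra
  # parameters into the request. Use "&" when the endpoint already has a query.
  params = { id_token_hint: token }
  post_logout_redirect = SiteSetting.openid_connect_rp_initiated_logout_redirect.presence
  params[:post_logout_redirect_uri] = post_logout_redirect if post_logout_redirect
  separator = end_session_endpoint.include?("?") ? "&" : "?"
  data[:redirect_url] = "#{end_session_endpoint}#{separator}#{URI.encode_www_form(params)}"
end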
# Register the OpenID Connect authenticator with Discourse so it is offered as
# a login provider (see the plugin header above).
auth_provider authenticator: OpenIDConnectAuthenticator.new