gitlab-org--gitlab-foss/config/initializers/doorkeeper_openid_connect.rb

Doorkeeper::OpenidConnect.configure do
  issuer Gitlab.config.gitlab.url

  signing_key Rails.application.secrets.openid_connect_signing_key

  resource_owner_from_access_token do |access_token|
    User.active.find_by(id: access_token.resource_owner_id)
  end

  auth_time_from_resource_owner do |user|
    user.current_sign_in_at
  end

  reauthenticate_resource_owner do |user, return_to|
    store_location_for user, return_to
    sign_out user
    redirect_to new_user_session_url
  end

  subject do |user|
    user.id
  end

  claims do
    with_options scope: :openid do |o|
      o.claim(:sub_legacy, response: [:id_token, :user_info]) do |user|
        # provide the previously hashed 'sub' claim to allow third-party apps
        # to migrate to the new unhashed value
        Digest::SHA256.hexdigest "#{user.id}-#{Rails.application.secrets.secret_key_base}"
      end

      o.claim(:name)           { |user| user.name }
      o.claim(:nickname)       { |user| user.username }
      o.claim(:email)          { |user| user.public_email }
      o.claim(:email_verified) { |user| true if user.public_email? }
      o.claim(:website)        { |user| user.full_website_url if user.website_url? }
      o.claim(:profile)        { |user| Gitlab::Routing.url_helpers.user_url user }
      o.claim(:picture)        { |user| user.avatar_url(only_path: false) }
      o.claim(:groups)         { |user| user.membership_groups.map(&:full_path) }
    end
  end
end
Implement OpenID Connect identity provider 2016-12-09 17:36:50 +00:00			`Doorkeeper::OpenidConnect.configure do`
			`issuer Gitlab.config.gitlab.url`

Upgrade doorkeeper-openid_connect 2017-09-19 15:20:49 +00:00			`signing_key Rails.application.secrets.openid_connect_signing_key`
Implement OpenID Connect identity provider 2016-12-09 17:36:50 +00:00
			`resource_owner_from_access_token do \|access_token\|`
			`User.active.find_by(id: access_token.resource_owner_id)`
			`end`

			`auth_time_from_resource_owner do \|user\|`
			`user.current_sign_in_at`
			`end`

			`reauthenticate_resource_owner do \|user, return_to\|`
			`store_location_for user, return_to`
			`sign_out user`
			`redirect_to new_user_session_url`
			`end`

			`subject do \|user\|`
Don't hash user ID in OIDC subject claim 2018-06-13 20:32:21 +00:00			`user.id`
Implement OpenID Connect identity provider 2016-12-09 17:36:50 +00:00			`end`

			`claims do`
			`with_options scope: :openid do \|o\|`
Don't hash user ID in OIDC subject claim 2018-06-13 20:32:21 +00:00			`o.claim(:sub_legacy, response: [:id_token, :user_info]) do \|user\|`
			`# provide the previously hashed 'sub' claim to allow third-party apps`
			`# to migrate to the new unhashed value`
			`Digest::SHA256.hexdigest "#{user.id}-#{Rails.application.secrets.secret_key_base}"`
			`end`

Implement OpenID Connect identity provider 2016-12-09 17:36:50 +00:00			`o.claim(:name) { \|user\| user.name }`
			`o.claim(:nickname) { \|user\| user.username }`
Enable the Layout/ExtraSpacing cop Signed-off-by: Rémy Coutable <remy@rymai.me> 2019-01-16 12:09:29 +00:00			`o.claim(:email) { \|user\| user.public_email }`
Implement OpenID Connect identity provider 2016-12-09 17:36:50 +00:00			`o.claim(:email_verified) { \|user\| true if user.public_email? }`
			`o.claim(:website) { \|user\| user.full_website_url if user.website_url? }`
Create and use project path helpers that only need a project, no namespace 2017-06-29 17:06:35 +00:00			`o.claim(:profile) { \|user\| Gitlab::Routing.url_helpers.user_url user }`
Use relative paths for group/project/user avatars 2017-05-10 04:26:17 +00:00			`o.claim(:picture) { \|user\| user.avatar_url(only_path: false) }`
Add groups to OpenID Connect claims 2017-05-30 06:06:00 +00:00			`o.claim(:groups) { \|user\| user.membership_groups.map(&:full_path) }`
Implement OpenID Connect identity provider 2016-12-09 17:36:50 +00:00			`end`
			`end`
			`end`