discourse/plugins/discourse-openid-connect/plugin.rb
Penar Musaraj 8cbc3bcdfc
UX: Better separate login and authentication settings (#33711)
This splits the Login and Authentication admin page into multiple
sections: Settings, social logins, DiscourseConnect, OAuth2.0, OIDC.
Internal ticket `t/161648`

This PR also adds a new extension point for plugins that want to extend
this area of the app.

```
register_site_setting_area("oauth2")
register_admin_config_login_route("oauth2")
```

Adding this to a plugin allows it to extend both the setting areas
(existing functionality) and add a tab to this admin settings screen via
`register_admin_config_login_route`.
2025-10-09 15:29:21 -04:00


# frozen_string_literal: true
# name: discourse-openid-connect
# about: Allows users to login to your forum using an OpenID Connect provider as authentication.
# meta_topic_id: 103632
# version: 1.0
# authors: David Taylor
# url: https://github.com/discourse/discourse/tree/main/plugins/discourse-openid-connect
# The plugin is switched on/off by this site setting.
enabled_site_setting :openid_connect_enabled

# Plugin internals: a Faraday log formatter, the OmniAuth strategy and the
# Discourse authenticator that wraps it (loaded in dependency order).
require_relative "lib/openid_connect_faraday_formatter"
require_relative "lib/omniauth_open_id_connect"
require_relative "lib/openid_connect_authenticator"

# Default request timeout (seconds) for calls to the provider, overridable
# via the global setting of the same name.
GlobalSetting.add_default :openid_connect_request_timeout_seconds, 10

# Expose an "oidc" settings area and a matching tab on the admin
# Login & Authentication page (see register_admin_config_login_route).
register_site_setting_area("oidc")
register_admin_config_login_route("oidc")
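# RP-initiated logout
# https://openid.net/specs/openid-connect-rpinitiated-1_0.html
#
# When a Discourse session is destroyed and the
# openid_connect_rp_initiated_logout site setting is on, send the browser to
# the provider's end_session_endpoint (taken from the OIDC discovery
# document) with an id_token_hint so the provider-side session ends as well.
#
# `data` is the hash handed to the :before_session_destroy event. This hook
# reads data[:user] and writes data[:redirect_url]. Every bail-out path logs
# through the authenticator and leaves data[:redirect_url] untouched, so the
# local logout still completes.
on(:before_session_destroy) do |data|
  next unless SiteSetting.openid_connect_rp_initiated_logout

  authenticator = OpenIDConnectAuthenticator.new

  oidc_record = data[:user]&.user_associated_accounts&.find_by(provider_name: "oidc")
  unless oidc_record
    authenticator.oidc_log "Logout: No oidc user_associated_account record for user"
    next
  end

  # The id_token issued at login is sent back as id_token_hint.
  token = oidc_record.extra["id_token"]
  unless token
    authenticator.oidc_log "Logout: No oidc id_token in user_associated_account record"
    next
  end

  end_session_endpoint = authenticator.discovery_document["end_session_endpoint"].presence
  unless end_session_endpoint
    authenticator.oidc_log "Logout: No end_session_endpoint found in discovery document",
                           error: true
    next
  end

  begin
    uri = URI.parse(end_session_endpoint)
  rescue URI::Error
    authenticator.oidc_log "Logout: unable to parse end_session_endpoint #{end_session_endpoint}",
                           error: true
    # Bail out here: without a parsed URI the query rebuild below would raise
    # NoMethodError on nil and abort the whole logout.
    next
  end

  authenticator.oidc_log "Logout: Redirecting user_id=#{data[:user].id} to end_session_endpoint"

  # Keep any query string the provider already put on the endpoint, then
  # append the RP-initiated logout parameters.
  params = URI.decode_www_form(String(uri.query))
  params << ["id_token_hint", token]
  post_logout_redirect = SiteSetting.openid_connect_rp_initiated_logout_redirect.presence
  params << ["post_logout_redirect_uri", post_logout_redirect] if post_logout_redirect
  uri.query = URI.encode_www_form(params)

  data[:redirect_url] = uri.to_s
end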
# Register the OIDC authenticator as a login provider for this site.
auth_provider authenticator: OpenIDConnectAuthenticator.new