Updated by Pavel Balashou 7 months ago
* Remove [https://github.com/opf/omniauth-openid_connect-providers](https://github.com/opf/omniauth-openid_connect-providers)
* Add old fashioned configurations to stage and edge.
* Add some configurations using the `register_auth_providers` hook.
* Design migration: rebase our custom fork from the old-fashioned providers onto the new-fashioned ones
  1. Conduct the following test
     1. Test setup:
        1. common tenant
        2. app registration configured as "single tenant"
        3. OpenProject "legacy" configuration (through the providers gem, not using discovered API endpoints)
     2. Tests:
        1. Is the configuration valid at all?
        2. Can users from a different tenant (e.g. private Microsoft accounts) log in to that configuration?
        3. Will the configuration break once endpoint discovery is performed?
* Update the hook so that it does not break when one provider registration fails with an exception
  * Reason: if one hook breaks, none of the SSO buttons are rendered.
* Modify the scopes method.
  Scope is currently `(scope || "openid email profile").split.map(&:to_sym)`.
  It could be `(scope.presence || "openid email profile").split.map(&:to_sym)`, so that a blank scope string also falls back to the default instead of yielding an empty scope list.
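The two points above (a hook that survives one failing provider registration, and the `presence` fix for the scope string) as an added Ruby example; this is not OpenProject's code: the hook, `build_provider` and the sample configurations are hypothetical, and the plain-Ruby blank check stands in for ActiveSupport's `presence`.

```ruby
DEFAULT_SCOPE = "openid email profile".freeze

# Current behaviour: `||` only catches nil. An empty string is truthy in Ruby,
# so scope "" survives, splits to [] and the provider requests no scopes at all.
def legacy_scope_symbols(scope)
  (scope || DEFAULT_SCOPE).split.map(&:to_sym)
end

# Proposed behaviour: nil *and* blank strings fall back to the default.
# In Rails this is `scope.presence || DEFAULT_SCOPE`; spelled out in plain Ruby here.
def scope_symbols(scope)
  value = scope.to_s.strip
  value = DEFAULT_SCOPE if value.empty?
  value.split.map(&:to_sym)
end

# Build one provider entry (hypothetical). Raises on bad input, as a real
# registration can (missing issuer, invalid client options, failed discovery).
def build_provider(config)
  issuer = config.fetch(:issuer)
  raise ArgumentError, "issuer must use https" unless issuer.start_with?("https://")
  {
    name: config.fetch(:name),
    issuer: issuer,
    scope: scope_symbols(config[:scope]),
    client_options: config.fetch(:client_options)
  }
end

# Register every provider. One failure is logged and skipped instead of
# propagated, so the remaining SSO buttons are still rendered.
def register_auth_providers(configs, log: [])
  configs.filter_map do |config|
    build_provider(config)
  rescue StandardError => e
    log << "skipping provider #{config[:name].inspect}: #{e.class}: #{e.message}"
    nil
  end
end

# Constructed sample configurations (placeholder values, not real tenants).
SAMPLE_CONFIGS = [
  { name: :azure, issuer: "https://login.example.test/", scope: "",
    client_options: { identifier: "<identifier>", secret: "<secret>" } },
  { name: :broken, issuer: "http://insecure.example.test/", scope: "openid",
    client_options: { identifier: "<identifier>", secret: "<secret>" } },
  { name: :google, issuer: "https://accounts.example.test/", scope: "openid email",
    client_options: { identifier: "<identifier>", secret: "<secret>" } }
].freeze
```

Running `register_auth_providers(SAMPLE_CONFIGS)` returns the azure and google entries and skips the broken one; the azure entry gets the default scope list, where the legacy version would have produced an empty one.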
* Add tests with "old" configurations for Entra/Azure and Google
```text
{name: :azure,
icon: "openid_connect/auth_provider-azure.png",
display_name: "Login mit ipw Benutzerkonto",
issuer: "https://ipw.openproject.com/",
scope: [:openid, :email, :profile],
attribute_map: {},
claims: "{}",
client_options: {identifier: "<identifier>", secret: "<secret>", redirect_uri: "https://ipw.openproject.com/auth/azure/callback"},
limit_self_registration: false,
retain_from_session: ["omniauth.oidc_sid", "omniauth.oidc_access_token", "omniauth.oidc_refresh_token", "omniauth.oidc_expires_in", "omniauth.oidc_groups"],
single_sign_out_callback: #<Proc:0x00007f1cdff9d7a8 /app/modules/openid_connect/app/models/openid_connect/provider/hash_builder.rb:85>,
backchannel_logout_callback: #<Method: OpenProject::OpenIDConnect::SessionMapper.handle_logout(logout_token) /app/modules/openid_connect/lib/open_project/openid_connect/session_mapper.rb:33>}
```
* Fork [https://github.com/omniauth/omniauth_openid_connect/](https://github.com/omniauth/omniauth_openid_connect/) and add our custom developments from [https://github.com/opf/omniauth-openid-connect](https://github.com/opf/omniauth-openid-connect)
  * backchannel logout
  * claims/ACR handling
  * attribute mapping
* Use the updated fork in OpenProject
* Try to upstream the features of our fork
* Use the official gem https://github.com/omniauth/omniauth_openid_connect/ with separate PRs.