dumplingmiku/ubicloud
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
make-some-api-calls-idempotent
ubicloud/model/oidc_provider.rb
Jeremy Evans fc62afc0d8 Support registering OIDC provider with given client_id and client_secret 
This can be used when the OIDC provider provides discovery
information, but does not support dynamic anonymous client
registration. In this case, you can just provide the base url,
id, and secret, and the code can figure out the endpoints.

Update the method comment to reflect current behavior while here.
2025-07-08 00:10:06 +09:00

89 lines
3.2 KiB
Ruby
Raw Permalink Blame History

# frozen_string_literal: true
require_relative "../model"
require "excon"
class OidcProvider < Sequel::Model
def self.name_for_ubid(ubid)
OidcProvider[UBID.to_uuid(ubid)]&.display_name
end
# Register a new OIDC Provider using their OIDC discovery information.
# If the customer who wants to use the provider provides a client ID and
# client secret, pass those. If the OIDC provider supports anonymous
# dynamic client registration, you don't need to provide a client id
# and secret, and this will use dynamic client registration to register
# a new client. If the OIDC provider does not provide OIDC discovery
# information, you'll need to be provided all OIDC information and
# create the instance manually using OidcProvider.create.
def self.register(display_name, url, client_id: nil, client_secret: nil)
oidc_provider = new_with_id(display_name:)
uri = URI(url)
uri.path = "/.well-known/openid-configuration"
response = Excon.get(uri.to_s, headers: {"Accept" => "application/json"}, expects: 200)
config_info = JSON.parse(response.body)
authorization_endpoint = URI(config_info.fetch("authorization_endpoint")).path
token_endpoint = URI(config_info.fetch("token_endpoint")).path
userinfo_endpoint = URI(config_info.fetch("userinfo_endpoint")).path
jwks_uri = config_info.fetch("jwks_uri")
unless client_id && client_secret
response = Excon.post(config_info["registration_endpoint"],
headers: {"Accept" => "application/json", "Content-Type" => "application/json"},
body: {
client_name: "Ubicloud",
redirect_uris: [oidc_provider.callback_url],
scopes: "openid email"
}.to_json)
registration_info = JSON.parse(response.body)
raise "Unable to register with oidc provider: #{response.status} #{registration_info.inspect}" unless response.status == 201
client_id = registration_info.fetch("client_id")
client_secret = registration_info.fetch("client_secret")
registration_client_uri = registration_info["registration_client_uri"]
registration_access_token = registration_info["registration_access_token"]
end
uri.path = ""
oidc_provider.update(
url: uri.to_s,
client_id:,
client_secret:,
authorization_endpoint:,
token_endpoint:,
userinfo_endpoint:,
jwks_uri:,
registration_client_uri:,
registration_access_token:
)
end
plugin ResourceMethods
plugin :column_encryption do |enc|
enc.column :client_secret
enc.column :registration_access_token
end
def callback_url
"#{Config.base_url}/auth/#{ubid}/callback"
end
end
# Table: oidc_provider
# Columns:
# id | uuid | PRIMARY KEY
# client_id | text | NOT NULL
# client_secret | text | NOT NULL
# display_name | text | NOT NULL
# url | text | NOT NULL
# authorization_endpoint | text | NOT NULL
# token_endpoint | text | NOT NULL
# userinfo_endpoint | text | NOT NULL
# jwks_uri | text | NOT NULL
# registration_client_uri | text |
# registration_access_token | text |
# Indexes:
# oidc_provider_pkey | PRIMARY KEY btree (id)
Reference in New Issue View Git Blame Copy Permalink