Refine OpenID Connect Authentication from #1194 (#1399)

* Adds OpenID Connect.

* Add CSS class for openid_connect omniauth provider

* Add translation (de_DE and en) for openid_connect omniauth provider label

* Make uid_field configurable for openid_connect omniauth provider

* updates to support for openid

* updates to support for openid

* updated ldap gem

* updated sample.env

Co-authored-by: mapidentity <git@mapidentity.com>
Co-authored-by: Jesus Federico <jesus@123it.ca>
Co-authored-by: mapidentity <49822181+mapidentity@users.noreply.github.com>

Gemfile

@@ -50,6 +50,7 @@ gem 'sprockets', '< 4.0.0'
 gem 'omniauth'
 gem 'omniauth-twitter'
 gem 'omniauth-google-oauth2'
+gem 'omniauth_openid_connect'
 gem 'omniauth-bn-launcher', '~> 0.1.3'
 gem 'net-ldap'
 gem 'bn-ldap-authentication', '~> 0.1.4'

Gemfile.lock

@@ -68,8 +68,10 @@ GEM
       tzinfo (~> 1.1)
     addressable (2.7.0)
       public_suffix (>= 2.0.2, < 5.0)
+    aes_key_wrap (1.1.0)
     arel (9.0.0)
     ast (2.4.0)
+    attr_required (1.0.1)
     autoprefixer-rails (9.7.6)
       execjs
     aws-eventstream (1.1.0)
@@ -89,6 +91,7 @@ GEM
     aws-sigv4 (1.2.1)
       aws-eventstream (~> 1, >= 1.0.2)
     bcrypt (3.1.13)
+    bindata (2.4.8)
     bindex (0.8.1)
     bn-ldap-authentication (0.1.4)
       net-ldap (~> 0)
@@ -191,6 +194,10 @@ GEM
     jquery-ui-rails (6.0.1)
       railties (>= 3.2.16)
     json (2.3.0)
+    json-jwt (1.13.0)
+      activesupport (>= 4.2)
+      aes_key_wrap
+      bindata
     jwt (2.2.1)
     listen (3.0.8)
       rb-fsevent (~> 0.9, >= 0.9.4)
@@ -250,6 +257,20 @@ GEM
     omniauth-twitter (1.4.0)
       omniauth-oauth (~> 1.1)
       rack
+    omniauth_openid_connect (0.3.5)
+      addressable (~> 2.5)
+      omniauth (~> 1.9)
+      openid_connect (~> 1.1)
+    openid_connect (1.2.0)
+      activemodel
+      attr_required (>= 1.0.0)
+      json-jwt (>= 1.5.0)
+      rack-oauth2 (>= 1.6.1)
+      swd (>= 1.0.0)
+      tzinfo
+      validate_email
+      validate_url
+      webfinger (>= 1.0.1)
     os (1.1.0)
     pagy (3.8.1)
     parallel (1.19.1)
@@ -263,6 +284,12 @@ GEM
     public_suffix (4.0.5)
     puma (3.12.6)
     rack (2.2.3)
+    rack-oauth2 (1.16.0)
+      activesupport
+      attr_required
+      httpclient
+      json-jwt (>= 1.11.0)
+      rack (>= 2.1.0)
     rack-test (1.1.0)
       rack (>= 1.0, < 3)
     rails (5.2.4.4)
@@ -376,6 +403,10 @@ GEM
       activesupport (>= 4.0)
       sprockets (>= 3.0.0)
     sqlite3 (1.3.13)
+    swd (1.2.0)
+      activesupport (>= 3)
+      attr_required (>= 0.0.5)
+      httpclient (>= 2.4)
     sync (0.5.0)
     syslog_protocol (0.9.2)
     term-ansicolor (1.7.1)
@@ -396,11 +427,20 @@ GEM
     uglifier (4.2.0)
       execjs (>= 0.3.0, < 3)
     unicode-display_width (1.7.0)
+    validate_email (0.1.6)
+      activemodel (>= 3.0)
+      mail (>= 2.2.5)
+    validate_url (1.0.13)
+      activemodel (>= 3.0.0)
+      public_suffix
     web-console (3.7.0)
       actionview (>= 5.0)
       activemodel (>= 5.0)
       bindex (>= 0.4.0)
       railties (>= 5.0)
+    webfinger (1.1.0)
+      activesupport
+      httpclient (>= 2.4)
     webmock (3.8.3)
       addressable (>= 2.3.6)
       crack (>= 0.3.2)
@@ -444,6 +484,7 @@ DEPENDENCIES
   omniauth-bn-office365 (~> 0.1.1)
   omniauth-google-oauth2
   omniauth-twitter
+  omniauth_openid_connect
   pagy
   pg (~> 0.18)
   pluck_to_hash (~> 1.0.2)

README.md

@@ -7,7 +7,7 @@
 
 Greenlight is a simple front-end interface for your BigBlueButton server. At its heart, Greenlight provides a minimalistic web-based application that allows users to:
 
-  * Signup/Login with Google, Office365, or through the application itself.
+  * Signup/Login with Google, Office365, OpenID Connect, or through the application itself.
   * Manage your account settings and user preferences.
   * Create and manage your own personal rooms ([BigBlueButton](https://github.com/bigbluebutton/bigbluebutton) sessions).
   * Invite others to your room using a simple URL.
@@ -34,4 +34,3 @@ Greenlight is built using Ruby on Rails. Many developers already know Rails well
 We invite you to build upon Greenlight and help make it better. See [Contributing to BigBlueButton](http://docs.bigbluebutton.org/support/faq.html#contributing-to-bigbluebutton).
 
 We invite your feedback, questions, and suggests about Greenlight too. Please post them to the [developer mailing list](https://groups.google.com/forum/#!forum/bigbluebutton-dev).
-

app/assets/stylesheets/main.scss

@@ -155,6 +155,17 @@
   }
 }
 
+.customBtn-openid_connect {
+  @extend .customBtn;
+  background: #ef8e1f;
+
+  .customBtn-image {
+    background: #ffffff image-url("openid-logo.png") no-repeat left top;
+    background-size: 18px 18px;
+    padding:10px 10px 10px 10px;
+  }
+}
+
 .signin-button {
   font-size: 16px;
 }

app/helpers/application_helper.rb

@@ -22,7 +22,7 @@
 module ApplicationHelper
   # Determines which providers can show a login button in the login modal.
   def iconset_providers
-    providers = configured_providers & [:google, :twitter, :office365, :ldap]
+    providers = configured_providers & [:google, :twitter, :office365, :openid_connect, :ldap]
 
     providers.delete(:twitter) if session[:old_twitter_user_id]
 

config/initializers/omniauth.rb

@@ -16,6 +16,9 @@
 Rails.application.config.omniauth_google = ENV['GOOGLE_OAUTH2_ID'].present? && ENV['GOOGLE_OAUTH2_SECRET'].present?
 Rails.application.config.omniauth_office365 = ENV['OFFICE365_KEY'].present? &&
                                               ENV['OFFICE365_SECRET'].present?
+Rails.application.config.omniauth_openid_connect = ENV['OPENID_CONNECT_CLIENT_ID'].present? &&
+                                                   ENV['OPENID_CONNECT_CLIENT_SECRET'].present? &&
+                                                   ENV['OPENID_CONNECT_ISSUER'].present?
 
 SETUP_PROC = lambda do |env|
   OmniauthOptions.omniauth_options env
@@ -56,8 +59,44 @@
       redirect = ENV['OAUTH2_REDIRECT'].present? ? File.join(ENV['OAUTH2_REDIRECT'], "auth", "office365", "callback") : nil
 
       provider :office365, ENV['OFFICE365_KEY'], ENV['OFFICE365_SECRET'],
-      redirect_uri: redirect,
-      setup: SETUP_PROC
+        redirect_uri: redirect,
+        setup: SETUP_PROC
+    end
+    if Rails.configuration.omniauth_openid_connect
+      Rails.application.config.providers << :openid_connect
+
+      redirect = ENV['OAUTH2_REDIRECT'].present? ? File.join(ENV['OAUTH2_REDIRECT'], "auth", "openid_connect", "callback") : nil
+
+      provider :openid_connect,
+        issuer: ENV["OPENID_CONNECT_ISSUER"],
+        discovery: true,
+        scope: [:email, :profile],
+        response_type: :code,
+        uid_field: ENV["OPENID_CONNECT_UID_FIELD"] || "preferred_username",
+        client_options: {
+          identifier: ENV['OPENID_CONNECT_CLIENT_ID'],
+          secret: ENV['OPENID_CONNECT_CLIENT_SECRET'],
+          redirect_uri: redirect
+        },
+        setup: SETUP_PROC
+    end
+    if Rails.configuration.omniauth_openid_connect
+      Rails.application.config.providers << :openid_connect
+
+      redirect = ENV['OAUTH2_REDIRECT'].present? ? File.join(ENV['OAUTH2_REDIRECT'], "auth", "openid_connect", "callback") : nil
+
+      provider :openid_connect,
+        issuer: ENV["OPENID_CONNECT_ISSUER"],
+        discovery: true,
+        scope: [:email, :profile],
+        response_type: :code,
+        uid_field: ENV["OPENID_CONNECT_UID_FIELD"] || "preferred_username",
+        client_options: {
+          identifier: ENV['OPENID_CONNECT_CLIENT_ID'],
+          secret: ENV['OPENID_CONNECT_CLIENT_SECRET'],
+          redirect_uri: redirect
+        },
+        setup: SETUP_PROC
     end
   end
 end

config/locales/de_DE.yml

@@ -477,6 +477,7 @@ de_DE:
     office365: Office 365
     twitter: Twitter
     ldap: LDAP
+    openid_connect: OpenID Connect
   recaptcha:
     errors:
       recaptcha_unreachable: "Ups, es war nicht möglich die reCAPTCHA Antwort zu überprüfen. Bitte versuchen Sie es nochmals."

config/locales/en.yml

@@ -72,7 +72,7 @@ en:
       email_mapping:
         info: Map the user to a role using their email. Must be in the format email1=role1,email2=role2
         title: Role Mapping by Email
-        update: 
+        update:
       log_level:
         title: Log Level
         information: Change the Log Level for the entire deployment
@@ -94,7 +94,7 @@ en:
         title: Maintenance Banner
         display: Set
         clear: Clear
-        time: "Example: Update scheduled on December 13 @ 23:00 ET. Users may experience problems signing in."        
+        time: "Example: Update scheduled on December 13 @ 23:00 ET. Users may experience problems signing in."
       preupload:
         info: Users can preupload a presentation to be used as the default presentation for that specific room
         title: Allow Users to Preupload Presentations
@@ -478,6 +478,7 @@ en:
     office365: Office 365
     twitter: Twitter
     ldap: LDAP
+    openid_connect: OpenID Connect
   recaptcha:
     errors:
       recaptcha_unreachable: Oops, we failed to validate your reCAPTCHA response. Please try again.
@@ -549,7 +550,7 @@ en:
       fail: Failed to delete room (%{error})
     enter_the_access_code: Enter the room's access code
     invalid_provider: You have entered an invalid url. Please check the url and try again.
-    invitation_description: You have been invited to join %{name} using BigBlueButton. To join, click the link above and enter your name.  
+    invitation_description: You have been invited to join %{name} using BigBlueButton. To join, click the link above and enter your name.
     invited: You have been invited to join
     recording_present: I acknowledge that this session is going to be recorded. This may include my voice and video if enabled.
     invite_participants: Invite Participants

lib/omniauth_options.rb

@@ -37,6 +37,8 @@ def omniauth_options(env)
       set_hd(env, ENV['GOOGLE_OAUTH2_HD'])
     elsif env['omniauth.strategy'].options[:name] == "office365"
       set_hd(env, ENV['OFFICE365_HD'])
+    elsif env['omniauth.strategy'].options[:name] == "openid_connect"
+      set_hd(env, ENV['OPENID_CONNECT_HD'])
     end
   end
 

sample.env

@@ -51,6 +51,18 @@ OFFICE365_KEY=
 OFFICE365_SECRET=
 OFFICE365_HD=
 
+# OpenID Connect Provider (optional)
+#
+# For in-depth steps on setting up a OpenID Connect Login Provider, see:
+#
+#   https://docs.bigbluebutton.org/greenlight/gl-config.html#openid-connect
+#
+OPENID_CONNECT_CLIENT_ID=
+OPENID_CONNECT_CLIENT_SECRET=
+OPENID_CONNECT_ISSUER=
+OPENID_CONNECT_HD=
+OPENID_CONNECT_UID_FIELD=
+
 # OAUTH2_REDIRECT allows you to specify the redirect_url passed to oauth on sign in.
 # It is useful for cases when Greenlight is deployed behind a Network Load Balancer or proxy
 OAUTH2_REDIRECT=
@@ -123,7 +135,7 @@ GOOGLE_ANALYTICS_TRACKING_ID=
 #   SMTP_AUTH=plain
 #   SMTP_STARTTLS_AUTO=true
 #
-# If your mail server has a self-signed certificate, you'll also need to include the line below. 
+# If your mail server has a self-signed certificate, you'll also need to include the line below.
 # Please note that enable this presents its own security risks and should not be done unless necessary.
 #   SMTP_OPENSSL_VERIFY_MODE=none
 #
@@ -138,7 +150,7 @@ SMTP_STARTTLS_AUTO=
 # Specify the email address that all mail is sent from
 SMTP_SENDER=
 
-# Specify the recipient for test emails (needed for providers like Microsoft, who are very 
+# Specify the recipient for test emails (needed for providers like Microsoft, who are very
 # strict about RFC 2606)
 SMTP_TEST_RECIPIENT=notifications@example.com
 
@@ -202,16 +214,16 @@ MAINTENANCE_WINDOW=
 HELP_URL=https://docs.bigbluebutton.org/greenlight/gl-overview.html
 
 # Change the default language
-# 
-# By default, Greenlight will appear in the same language as that specific user's browser. 
+#
+# By default, Greenlight will appear in the same language as that specific user's browser.
 # The user can override this by going into their profile and changing the language.
 # You can override the default language to a specific language instead of the browser's language by setting
 # the variable below. To find the correct value, visit: https://github.com/bigbluebutton/greenlight/tree/v2/config/locales
 # and find the code that matches the language you want. Ex: For Arabic -> DEFAULT_LOCALE=ar, For Italian -> DEFAULT_LOCALE=it
 # DEFAULT_LOCALE=
 
-# Force a redirect to HTTPS and make cookies secure. 
-# WARNING: Only set this to false for a development environment. 
+# Force a redirect to HTTPS and make cookies secure.
+# WARNING: Only set this to false for a development environment.
 ENABLE_SSL=true
 
 # Comment this out to send logs to STDOUT in production instead of log/production.log .