A sample OpenID Connect Provider (OP or IdP) using the openid_connect
gem. The Authorization Code Flow and the Implicit Flow.
Ruby on Rails 6.1. See https://www.nslabs.jp/digital-identity.rhtml
openid_connect
gem が依存する json-jwt
1.13.0 で次のエラーが発生. OpenSSL::PKey::PKeyError
型.
rsa#set_key= is incompatible with OpenSSL 3.0
OpenSSL の仕様変更により ruby/openssl v3.0 のいくつかのメソッドが取り除かれた。とはいえ、Ruby v2.x のときからそれらのメソッドは非推奨 deprecated になっており、しかも OpenSSL v3.0 との組み合わせでは動かない。
関連 issue: Add OpenSSL 3 support · Issue #100 · nov/json-jwt
修正待つしかなさそう。
For this sample:
- View source on GitHub: https://github.com/netsphere-labs/openid_connect_sample/
For more information, see readme and wiki for openid_connect
gem:
OAuth 2.0 server library:
Also of interest, the corresponding sample RP:
-
OmniAuth2, OpenID Connect RP sample the Authorization Code Flow, the Implicit Flow. And, Single Logout (SLO) based on OpenID Connect RP-Initiated Logout 1.0.
- Ruby on Rails v6.1
- fb_graph2
- sorcery
- openid_connect
This sample application does not use "omniauth-openid-connect" gem.
To run this in development mode on your local machine:
-
Download (or fork or clone) this repo
-
bundle install
(see "Note" section below if you get "pg"-gem-related problems) -
config/database.yml.sample
ファイルをdatabase.yml
にコピーして、適宜編集。 -
Setup database
# su postgres $ createdb --owner rails --encoding utf-8 openid-connect-sample_dev
rake db:migrate, rake db:seed でもよい。
$ rails db:migrate $ rails db:seed
- Copy
config/connect/facebook.yml.sample
tofacebook.yml
. And Google's.
Set client_id
and client_secret
Sorcery による OpenID Connect Login, Facebook Login のサンプルを兼ねている。
-
Modify
config/connect/id_token/issuer.yml
-- changeissuer
value tohttp://localhost:3000
-
Run!
$ bin/yarn
$ bundle exec rails server -p 3000
production 環境の場合は, まず、次のようにしてコンパイルする。
$ RAILS_ENV=production bin/rails assets:precompile
次のようなシェルスクリプトを作る
export g_client_id=クライアントid
export g_client_secret=クライアントsecret
RAILS_ENV=production passenger start
- Facebook または Google でログインする
Admin user としてログインする。
- [Register New Client...] から, RPを登録する。
redirect_uri は複数登録可能。
- RP側で, client_id, client_secret を登録する。
To see it in action right now:
- press "Discover"
- the RP will use the OP to authenticate
Point your browser at http://localhost:3000
Obviously, external servers will not be able to connect to an OP that is running on localhost.
To run it on a public server, the steps are the same as for localhost, except
you will set issuer
in the issuer.yml config file to your domain name.
- The Gemfile includes gem 'pg' (for PostgreSQL), but you can remove it. Nov uses PostgreSQL for his Heroku deployment, but the default DB configs are all SQLite.
- The Facebook link won't work unless you register your app with them.
Centos' default OpenSSL package does not include some Elliptic Curve algorithms for patent reasons.
Unfortunately, the gem dependency json-jwt
calls on one of those excluded algorithms.
If you see uninitialized constant OpenSSL::PKey::EC
when you try to run the server,
this is your problem. You need to rebuild OpenSSL to include those missing algorithms.
This problem is beyond the scope of this README, but this question on StackOverflow may be of help.
Copyright (c) 2011 nov matake. See LICENSE for details. Copyright (c) 2021 Hisashi Horikawa.