Use the session method in OmniAuth::Strategy #1076
Open
Context

In our Rails application we use omniauth_openid_connect (0.4.0) to perform an OpenID Connect authentication flow. We want to override the session mechanism to store omniauth-related attributes in a dedicated cookie (other session attributes remain in the regular session state).

For that purpose, in our application we create a subclass of OmniAuth::Strategies::OpenIDConnect which overrides the OmniAuth::Strategy.session method. Our implementation of the session method provides a wrapper that stores omniauth* attributes in a dedicated secured cookie.

Problem

By overriding OmniAuth::Strategy.session, we expected to be able to implement a custom session mechanism, but it is not possible:

The problem we have is that OmniAuth::Strategy uses both OmniAuth::Strategy.session and env['rack.session'] (here and here).

Because OmniAuth::Strategy directly accesses env['rack.session'] without using its session method, we cannot inject the expected custom mechanism.

Suggested solution

In this PR we replace direct usages of env['rack.session'] by the session method in OmniAuth::Strategy.

It still leaves some questions:

- The same change was introduced by Use session method instead of @env['rack.session'] #818, but it only touched the mock_call! method. Method request_call has not been touched; is there a rationale behind this?
- We cannot replace direct usage of env['rack.session'] here by a call to session because @env is not set yet. Maybe we should also set @env before checking that the session exists?
- env['rack.session'] by session break some kind of 'contracts' or encapsulation mechanisms with other omniauth strategies that subclass OmniAuth::Strategy?

Thank you.
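
The gap described in this PR, reduced to a stand-alone Ruby sketch (an added example, not code from OmniAuth or from the PR author). ToyStrategy, SplitSession, CookieBackedStrategy, the 'toy.omniauth_cookie' env key and the sample session keys are hypothetical stand-ins; a plain Hash plays the role of the dedicated secured cookie.

```ruby
# Stand-in base class, NOT OmniAuth's code. It mirrors the mix the PR
# describes: one path calls the session method, another touches
# env['rack.session'] directly.
class ToyStrategy
  def initialize(env); @env = env; end
  def session; @env['rack.session']; end

  # Goes through the overridable accessor.
  def store_via_method(key, value)
    session[key] = value
  end

  # Bypasses the accessor, so a subclass override never sees the write.
  def store_direct(key, value)
    @env['rack.session'][key] = value
  end
end

# Hypothetical wrapper: keys starting with "omniauth" go to the dedicated
# store, everything else to the regular session.
class SplitSession
  def initialize(regular, dedicated)
    @regular, @dedicated = regular, dedicated
  end

  def []=(key, value)
    target(key)[key] = value
  end

  def target(key)
    key.to_s.start_with?('omniauth') ? @dedicated : @regular
  end
end

class CookieBackedStrategy < ToyStrategy
  def session
    @split ||= SplitSession.new(@env['rack.session'], @env['toy.omniauth_cookie'])
  end
end

# Returns [regular session, dedicated store] after one write per path.
# Keys and values are constructed sample data.
def demo
  env = { 'rack.session' => {}, 'toy.omniauth_cookie' => {} }
  strategy = CookieBackedStrategy.new(env)
  strategy.store_via_method('omniauth.params', { 'a' => 1 })
  strategy.store_direct('omniauth.origin', '/start')
  [env['rack.session'], env['toy.omniauth_cookie']]
end
```

The write made through the accessor lands in the dedicated store, while the direct write leaves an omniauth key in the regular session, which is the isolation failure the override was meant to prevent.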