From a486706ec99e2cfc7844db3b50d1e434af22152d Mon Sep 17 00:00:00 2001
From: Markus Kahl
Date: Wed, 30 Jul 2025 14:53:23 +0100
Subject: [PATCH 1/5] fix oidc attr map keys for email, first name, last name
---
 .../app/services/openid_connect/configuration_mapper.rb | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/modules/openid_connect/app/services/openid_connect/configuration_mapper.rb b/modules/openid_connect/app/services/openid_connect/configuration_mapper.rb
index 4f61d780020..554754d9950 100644
--- a/modules/openid_connect/app/services/openid_connect/configuration_mapper.rb
+++ b/modules/openid_connect/app/services/openid_connect/configuration_mapper.rb
@@ -62,9 +62,9 @@ module OpenIDConnect
 "end_session_endpoint" => extract_url(options, "end_session_endpoint"),
 "jwks_uri" => extract_url(options, "jwks_uri"),
 "mapping_login" => options.dig("attribute_map", "login"),
- "mapping_mail" => options.dig("attribute_map", "email"),
- "mapping_firstname" => options.dig("attribute_map", "first_name"),
- "mapping_lastname" => options.dig("attribute_map", "last_name"),
+ "mapping_email" => options.dig("attribute_map", "email"),
+ "mapping_first_name" => options.dig("attribute_map", "first_name"),
+ "mapping_last_name" => options.dig("attribute_map", "last_name"),
 "mapping_admin" => options.dig("attribute_map", "admin")
 }.compact
 end
From 1e64c24caa668cd66cdb1b4ec7949fd8ce7523a2 Mon Sep 17 00:00:00 2001
From: Markus Kahl
Date: Wed, 30 Jul 2025 14:53:51 +0100
Subject: [PATCH 2/5] add missing post logout redirect uri option to hash builder
---
 .../app/models/openid_connect/provider/hash_builder.rb | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/modules/openid_connect/app/models/openid_connect/provider/hash_builder.rb b/modules/openid_connect/app/models/openid_connect/provider/hash_builder.rb
index 993778369b0..9cd245e2ae1 100644
--- a/modules/openid_connect/app/models/openid_connect/provider/hash_builder.rb
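Review bot: Provider data already produced by this mapper under the old keys (`mapping_mail`, `mapping_firstname`, `mapping_lastname`) keeps those keys after the rename in the `@@ -62,9 +62,9 @@` hunk, and nothing in this series rewrites them. If the mapper's output was persisted anywhere (not visible here), those providers would presumably still ignore their configured email and name claims, so it is worth confirming whether a data migration is needed. The series also adds no spec for the mapper itself; an example asserting that the result contains `"mapping_email"`, `"mapping_first_name"` and `"mapping_last_name"` would pin the key names. The enclosing method starts outside the hunk.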
+++ b/modules/openid_connect/app/models/openid_connect/provider/hash_builder.rb
@@ -55,7 +55,8 @@ module OpenIDConnect
 token_endpoint:,
 limit_self_registration:,
 end_session_endpoint:,
- attribute_map:
+ attribute_map:,
+ post_logout_redirect_uri:
 }.merge(attribute_map)
 .merge(provider_specific_to_h)
 .compact_blank
From c3b44eecab6554958950863d3d39f35d8ffcbe7b Mon Sep 17 00:00:00 2001
From: Markus Kahl
Date: Wed, 30 Jul 2025 15:36:26 +0100
Subject: [PATCH 3/5] add missing claims and acr_values to oidc hash
---
 .../app/models/openid_connect/provider/hash_builder.rb | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/modules/openid_connect/app/models/openid_connect/provider/hash_builder.rb b/modules/openid_connect/app/models/openid_connect/provider/hash_builder.rb
index 9cd245e2ae1..c6cb5a2f7b9 100644
--- a/modules/openid_connect/app/models/openid_connect/provider/hash_builder.rb
+++ b/modules/openid_connect/app/models/openid_connect/provider/hash_builder.rb
@@ -56,7 +56,9 @@ module OpenIDConnect
 limit_self_registration:,
 end_session_endpoint:,
 attribute_map:,
- post_logout_redirect_uri:
+ post_logout_redirect_uri:,
+ claims:,
+ acr_values:
 }.merge(attribute_map)
 .merge(provider_specific_to_h)
 .compact_blank
From d011adfe244e88ee734ab554e1e52a8fa56545d7 Mon Sep 17 00:00:00 2001
From: Markus Kahl
Date: Thu, 31 Jul 2025 11:17:06 +0100
Subject: [PATCH 4/5] remove superfluous attributes in provider hash
---
 .../app/models/openid_connect/provider/hash_builder.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/modules/openid_connect/app/models/openid_connect/provider/hash_builder.rb b/modules/openid_connect/app/models/openid_connect/provider/hash_builder.rb
index c6cb5a2f7b9..4977ffde403 100644
--- a/modules/openid_connect/app/models/openid_connect/provider/hash_builder.rb
+++ b/modules/openid_connect/app/models/openid_connect/provider/hash_builder.rb
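Review bot: `post_logout_redirect_uri:` in the `@@ -55,7 +55,8 @@` hunk is forwarded into the provider hash exactly as stored, and the trailing `compact_blank` only drops empty values, so nothing here constrains it to an absolute http(s) URL. If the Provider model does not already validate the option (not visible in this series), a validation there would keep a mistyped or unintended target out of the logout flow. A short comment next to the key would document the contract, e.g. `# sent to the end-session endpoint; must match a URI registered with the provider`. The enclosing method starts and ends outside the hunk.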
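Review bot: Adding `acr_values:` in the `@@ -56,7 +56,9 @@` hunk only makes the authorization request ask for those authentication contexts; the provider may answer with a different `acr`, so the option enforces nothing by itself. Whether the callback compares the returned `acr` claim with the requested values is not visible in this series. If it does not, I would record that next to the key, e.g. `# requested only: the acr claim in the ID token still has to be checked where a stronger login is required`. The enclosing method starts and ends outside the hunk.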
@@ -59,7 +59,7 @@ module OpenIDConnect
 post_logout_redirect_uri:,
 claims:,
 acr_values:
- }.merge(attribute_map)
+ }
 .merge(provider_specific_to_h)
 .compact_blank
 end
From 723fd68618d03d324c06bf4c332d8078a69bf4e8 Mon Sep 17 00:00:00 2001
From: Markus Kahl
Date: Thu, 31 Jul 2025 11:17:48 +0100
Subject: [PATCH 5/5] amend provider spec covering missing attributes
---
 .../spec/models/provider_spec.rb | 67 +++++++++++++++++++
 1 file changed, 67 insertions(+)
diff --git a/modules/openid_connect/spec/models/provider_spec.rb b/modules/openid_connect/spec/models/provider_spec.rb
index 4c9f868ec21..a46410ed8ab 100644
--- a/modules/openid_connect/spec/models/provider_spec.rb
+++ b/modules/openid_connect/spec/models/provider_spec.rb
@@ -54,4 +54,71 @@ RSpec.describe OpenIDConnect::Provider do
 it { is_expected.to be_falsey }
 end
 end
+
+ describe "#to_h" do
+ subject { provider.to_h }
+
+ let(:options) { raise "define me!" }
+
+ before do
+ options.stringify_keys.each do |opt, value|
+ provider.options[opt] = value
+ end
+ end
+
+ describe "with claims" do
+ let(:options) { { claims: "login" } }
+
+ it "includes the claims" do
+ expect(subject[:claims]).to eq "login"
+ end
+ end
+
+ describe "with acr_values" do
+ let(:options) { { acr_values: "phr" } }
+
+ it "includes the acr values" do
+ expect(subject[:acr_values]).to eq "phr"
+ end
+ end
+
+ describe "with mapped attributes" do
+ let(:options) do
+ {
+ mapping_email: :address,
+ mapping_login: :logout,
+ mapping_first_name: :given_name,
+ mapping_last_name: :surname
+ }
+ end
+
+ let(:expected_value) do
+ {
+ email: :address,
+ login: :logout,
+ first_name: :given_name,
+ last_name: :surname
+ }
+ end
+
+ it "contains the resulting attribute map being passed to omniauth-openid-connect" do
+ expect(subject[:attribute_map]).to eq expected_value
+ end
+
+ it "does not turn them into superfluous attributes" do
+ expect(subject).not_to include :email
+ expect(subject).not_to include :login
+ expect(subject).not_to include :first_name
+ expect(subject).not_to include :last_name
+ end
+ end
+
+ describe "with post_logout_redirect_uri" do
+ let(:options) { { post_logout_redirect_uri: "https://www.openproject.org" } }
+
+ it "contains the option" do
+ expect(subject[:post_logout_redirect_uri]).to eq options[:post_logout_redirect_uri]
+ end
+ end
+ end
 end
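Review bot: The "with mapped attributes" example covers `email`, `login`, `first_name` and `last_name` but leaves out `admin`, although the configuration mapper in patch 1 also emits `mapping_admin`. That mapping presumably controls who is treated as an administrator, so it deserves the same coverage. Assuming the provider's attribute map handles it (not visible here), I would add `mapping_admin` to the options and assert that it appears under `subject[:attribute_map]`, plus `expect(subject).not_to include :admin`. The sample value `mapping_login: :logout` is also easy to misread; a neutral claim name such as `:preferred_username` would be clearer. `provider` is defined outside the hunk.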