[openstreetmap/openstreetmap-website] osm.org as identity provider for dev instance (Issue #5063)
mmd
notifications at github.com
Sat Aug 10 18:34:41 UTC 2024
Back in https://github.com/OpenHistoricalMap/issues/issues/662, we've been discussing using osm.org as identity provider for other sites, such as our dev instances. This should make it easier for our users to try out new features, such as https://microcosms.apis.dev.openstreetmap.org, without remembering a new user + password for the dev instance.
I'm documenting all required steps here. For discussion...
### Add omniauth_openid_connect gem
Link: https://github.com/omniauth/omniauth_openid_connect
```
diff --git a/Gemfile b/Gemfile
index fcf2ceb4d..f3bc8eac9 100644
--- a/Gemfile
+++ b/Gemfile
@@ -83,6 +83,7 @@ gem "omniauth-google-oauth2", ">= 0.6.0"
gem "omniauth-mediawiki", ">= 0.0.4"
gem "omniauth-microsoft_graph"
gem "omniauth-openid"
+gem "omniauth_openid_connect"
gem "omniauth-rails_csrf_protection", "~> 1.0"
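Review bot: `+gem "omniauth_openid_connect"` carries no version constraint, unlike the neighbouring `gem "omniauth-google-oauth2", ">= 0.6.0"` and `gem "omniauth-rails_csrf_protection", "~> 1.0"`; pin at least a minimum version, and include the Gemfile.lock change so reviewers can see which openid_connect and JWT dependencies this pulls in.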
```
### Trust osm.org as email provider
```ruby
diff --git a/app/controllers/users_controller.rb b/app/controllers/users_controller.rb
index 0830e51d4..8f5485591 100644
--- a/app/controllers/users_controller.rb
+++ b/app/controllers/users_controller.rb
@@ -197,7 +197,7 @@ class UsersController < ApplicationController
when "openid"
uid.match(%r{https://www.google.com/accounts/o8/id?(.*)}) ||
uid.match(%r{https://me.yahoo.com/(.*)})
- when "google", "facebook", "microsoft", "github", "wikipedia"
+ when "google", "facebook", "microsoft", "github", "wikipedia", "openstreetmap"
true
else
false
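Review bot: adding `"openstreetmap"` to the list that returns `true` here declares that emails from this provider are verified, but the provider is configured with `:scope => [:openid]` only, so no email claim is returned at all (the write-up itself says email is not taken over). Either leave this line out until an email scope is requested and the response carries an `email_verified` claim, or gate the trust on that claim rather than on the provider name.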
```
### Add osm.org as new OIDC provider
* Scope is currently set to openid; maybe email would also be possible.
* Settings probably need some more fine tuning.
* Redirect URL should point to the respective site, such as microcosms
```ruby
diff --git a/config/initializers/omniauth.rb b/config/initializers/omniauth.rb
index bce82b3c9..89702e6ae 100644
--- a/config/initializers/omniauth.rb
+++ b/config/initializers/omniauth.rb
@@ -27,11 +27,26 @@ facebook_options = { :name => "facebook", :scope => "email", :client_options =>
microsoft_options = { :name => "microsoft", :scope => "openid User.Read" }
github_options = { :name => "github", :scope => "user:email" }
wikipedia_options = { :name => "wikipedia", :client_options => { :site => "https://meta.wikimedia.org" } }
+osm_oidc_options = { :name => :openstreetmap,
+ :scope => [:openid],
+ :issuer => "https://www.openstreetmap.org",
+ :discovery => true,
+ :response_type => :code,
+ :uid_field => "preferred_username",
+ :client_options => {
+ :port => 443,
+ :scheme => "https",
+ :host => "www.openstreetmap.org",
+ :identifier => Settings.openstreetmap_auth_id,
+ :secret => Settings.openstreetmap_auth_secret,
+ :redirect_uri => "http://127.0.0.1:3000/auth/openstreetmap/callback"
+ } }
google_options[:openid_realm] = Settings.google_openid_realm if Settings.key?(:google_openid_realm)
Rails.application.config.middleware.use OmniAuth::Builder do
provider :openid, openid_options
+ provider :openid_connect, osm_oidc_options
provider :google_oauth2, Settings.google_auth_id, Settings.google_auth_secret, google_options if Settings.key?(:google_auth_id)
provider :facebook, Settings.facebook_auth_id, Settings.facebook_auth_secret, facebook_options if Settings.key?(:facebook_auth_id)
provider :microsoft_graph, Settings.microsoft_auth_id, Settings.microsoft_auth_secret, microsoft_options if Settings.key?(:microsoft_auth_id)
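Review bot: `:redirect_uri => "http://127.0.0.1:3000/auth/openstreetmap/callback"` is hard-coded in a shared initializer; it must match the URI registered on osm.org and differs per deployment (the microcosms callback is an https URL), so read it from Settings or let the strategy derive it from the request host, and keep it https outside local development. In the same hunk, `:uid_field => "preferred_username"` keys local accounts on a name rather than the default `sub`; if that name can change or be reused by another account, the link between the local user and the remote identity breaks, so `sub` is the safer choice.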
```
### Updated translations
```
diff --git a/config/locales/en.yml b/config/locales/en.yml
index ac41952c7..08d3a6942 100644
--- a/config/locales/en.yml
+++ b/config/locales/en.yml
@@ -223,6 +223,7 @@ en:
microsoft: Microsoft
github: GitHub
wikipedia: Wikipedia
+ openstreetmap: OpenStreetMap
api:
notes:
comment:
@@ -2612,6 +2613,9 @@ en:
wikipedia:
title: Log in with Wikipedia
alt: Wikipedia logo
+ openstreetmap:
+ title: Log in with OpenStreetMap
+ alt: OpenStreetMap logo
oauth:
authorize:
title: "Authorize access to your account"
```
### Default settings.yml
```
diff --git a/config/settings.yml b/config/settings.yml
index 71df9ad3d..bd4665381 100644
--- a/config/settings.yml
+++ b/config/settings.yml
@@ -143,6 +143,8 @@ fossgis_valhalla_url: "https://valhalla1.openstreetmap.de/route"
#microsoft_auth_secret: ""
#wikipedia_auth_id: ""
#wikipedia_auth_secret: ""
+#openstreetmap_auth_id: ""
+#openstreetmap_auth_secret: ""
# Thunderforest authentication details
#thunderforest_key: ""
# Tracestrack authentication details
```
### Provider list updated
```ruby
diff --git a/lib/auth.rb b/lib/auth.rb
index 729772477..f89cdf38f 100644
--- a/lib/auth.rb
+++ b/lib/auth.rb
@@ -10,6 +10,7 @@ module Auth
providers[I18n.t("auth.providers.microsoft")] = "microsoft" if Settings.key?(:microsoft_auth_id)
providers[I18n.t("auth.providers.github")] = "github" if Settings.key?(:github_auth_id)
providers[I18n.t("auth.providers.wikipedia")] = "wikipedia" if Settings.key?(:wikipedia_auth_id)
+ providers[I18n.t("auth.providers.openstreetmap")] = "openstreetmap" if Settings.key?(:openstreetmap_auth_id)
end.freeze
end
end
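Review bot: the new entry is gated on `Settings.key?(:openstreetmap_auth_id)`, consistent with the other providers, but the matching `provider :openid_connect, osm_oidc_options` in config/initializers/omniauth.rb has no such guard, so a deployment without the key hides the login button while still mounting the strategy with a nil identifier and secret; add the same `if Settings.key?(:openstreetmap_auth_id)` there.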
```
### Copy /app/assets/images/osm_logo.svg to /app/assets/images/auth_providers/openstreetmap.svg
### Register new OAuth2 application on osm.org with
* Redirect URIs: `http://127.0.0.1:3000/auth/openstreetmap/callback`
  (this could include many different URLs, such as: https://microcosms.apis.dev.openstreetmap.org/auth/openstreetmap/callback )
* Permissions: Sign-in using OpenStreetMap (openid)
* Confidential application
### Copy client id + secret to settings.local.yml on microcosms rails instance
```
openstreetmap_auth_id: "1SDBnVj815zwFN6cV70TiQlC50...."
openstreetmap_auth_secret: "R3TWRC9GdxzQTHWvspugOc..."
```
### Screenshots

Email and display name are not taken over. I don't have admin permission on osm.org to define an OAuth2 app with email reading permissions. Maybe this would also work out of the box.
Most importantly, users don't have to remember a separate logon + password for the dev instance, they can simply click on the "Log on with OpenStreetMap" button.

https://github.com/openstreetmap/openstreetmap-website/issues/5063
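The following is an added example and not code from the issue's patch or from the omniauth_openid_connect gem: a minimal relying-party check of an OIDC ID token, written to show what the provider options above (`:issuer`, `:uid_field`, `:scope`) and the "trust osm.org as email provider" change actually commit a dev instance to. Everything in it is a constructed fixture: the RSA signing key stands in for osm.org's JWKS key, `CLIENT_ID` for `Settings.openstreetmap_auth_id`, and the claims, nonce and user name are made up.

```ruby
# Added example, not code from the issue's patch or from the omniauth_openid_connect gem.
# A minimal relying-party check of an OIDC ID token, showing what the provider
# options (:issuer, :uid_field, :scope) and the "trusted email" change commit
# the dev instance to. Every input is a constructed fixture: the signing key,
# the claims, the nonce and CLIENT_ID stand in for osm.org and Settings values.
require "openssl"
require "json"
require "base64"
require "securerandom"

ISSUER    = "https://www.openstreetmap.org" # must equal :issuer in omniauth.rb
CLIENT_ID = "test-client-id"                # stands in for Settings.openstreetmap_auth_id

# JOSE uses base64url without padding.
def b64url(bytes)
  Base64.urlsafe_encode64(bytes, padding: false)
end

def b64url_decode(str)
  Base64.urlsafe_decode64(str) # accepts unpadded input
end

# Mint an RS256 ID token the way the IdP would (test fixture only).
def mint_id_token(key, claims)
  header = { alg: "RS256", typ: "JWT" }
  signing_input = "#{b64url(JSON.generate(header))}.#{b64url(JSON.generate(claims))}"
  sig = key.sign(OpenSSL::Digest.new("SHA256"), signing_input)
  "#{signing_input}.#{b64url(sig)}"
end

# The checks OIDC Core 3.1.3.7 requires of a relying party before the token
# is believed: signature under the IdP key, iss, aud, exp, and the nonce
# that was generated for this login attempt. Returns the claims or raises.
def verify_id_token(token, public_key, expected_nonce:, now: Time.now.to_i)
  h, p, s = token.split(".")
  raise "malformed token" unless h && p && s
  header = JSON.parse(b64url_decode(h))
  # Pin the algorithm; never let the token choose (alg "none" or HS256 with
  # the public key as HMAC secret are the classic confusion bugs).
  raise "unexpected alg #{header['alg']}" unless header["alg"] == "RS256"
  signature_ok = public_key.verify(OpenSSL::Digest.new("SHA256"), b64url_decode(s), "#{h}.#{p}")
  raise "bad signature" unless signature_ok
  claims = JSON.parse(b64url_decode(p))
  raise "wrong issuer" unless claims["iss"] == ISSUER
  raise "wrong audience" unless Array(claims["aud"]).include?(CLIENT_ID)
  raise "token expired" unless claims["exp"].is_a?(Integer) && claims["exp"] > now
  raise "nonce mismatch" unless claims["nonce"] == expected_nonce
  claims
end

# The decision the users_controller change makes by provider name, made on the
# claims instead: accept the IdP email only if it is present and email_verified.
# With :scope => [:openid] the token carries no email claim, so this is nil.
def trusted_email(claims)
  return nil unless claims["email_verified"] == true
  claims["email"]
end

# Map the token to a local uid. "sub" is the stable subject identifier; the
# patch's :uid_field => "preferred_username" keys on a name instead, which only
# stays safe if that name can never change or be reused by another account.
def local_uid(claims, uid_field: "sub")
  claims.fetch(uid_field)
end

if __FILE__ == $PROGRAM_NAME
  idp_key = OpenSSL::PKey::RSA.new(2048)   # constructed, stands in for osm.org's JWKS key
  nonce   = SecureRandom.hex(16)           # would be stored in the session at /auth/openstreetmap
  now     = Time.now.to_i
  token   = mint_id_token(idp_key, { iss: ISSUER, sub: "12345", aud: CLIENT_ID,
                                     iat: now, exp: now + 300, nonce: nonce,
                                     preferred_username: "example_user" })
  claims = verify_id_token(token, idp_key.public_key, expected_nonce: nonce, now: now)
  puts "uid via sub: #{local_uid(claims)}"
  puts "uid via preferred_username: #{local_uid(claims, uid_field: 'preferred_username')}"
  puts "trusted email: #{trusted_email(claims).inspect}"
end
```

The gem performs these checks for you once `:issuer` and `:discovery => true` are set; the point of spelling them out is that the issuer pin, the client_id audience check and the nonce are what stop a token minted for another relying party, or replayed from an earlier login, from signing someone in, and that `trusted_email` returns nothing under an `openid`-only scope regardless of what the controller's provider list says.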
More information about the rails-dev mailing list