[openstreetmap/openstreetmap-website] osm.org as identity provider for dev instance (Issue #5063)

mmd notifications at github.com
Sat Aug 10 18:34:41 UTC 2024


Back in https://github.com/OpenHistoricalMap/issues/issues/662, we've been discussing using osm.org as an identity provider for other sites, such as our dev instances. This should make it easier for our users to try out new features, such as https://microcosms.apis.dev.openstreetmap.org, without remembering a new user + password for the dev instance.

I'm documenting all required steps here. For discussion...


### Add omniauth_openid_connect gem

Link: https://github.com/omniauth/omniauth_openid_connect

```
diff --git a/Gemfile b/Gemfile
index fcf2ceb4d..f3bc8eac9 100644
--- a/Gemfile
+++ b/Gemfile
@@ -83,6 +83,7 @@ gem "omniauth-google-oauth2", ">= 0.6.0"
 gem "omniauth-mediawiki", ">= 0.0.4"
 gem "omniauth-microsoft_graph"
 gem "omniauth-openid"
+gem "omniauth_openid_connect"
 gem "omniauth-rails_csrf_protection", "~> 1.0"
```
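Review bot: the new `gem "omniauth_openid_connect"` line carries no version constraint, while the neighbouring omniauth gems in this hunk pin one (`">= 0.6.0"`, `"~> 1.0"`); adding a minimum version (and the matching Gemfile.lock update) keeps upgrades of the OIDC strategy deliberate rather than whatever bundler happens to resolve.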

### Trust osm.org as email provider

```diff
diff --git a/app/controllers/users_controller.rb b/app/controllers/users_controller.rb
index 0830e51d4..8f5485591 100644
--- a/app/controllers/users_controller.rb
+++ b/app/controllers/users_controller.rb
@@ -197,7 +197,7 @@ class UsersController < ApplicationController
                      when "openid"
                        uid.match(%r{https://www.google.com/accounts/o8/id?(.*)}) ||
                        uid.match(%r{https://me.yahoo.com/(.*)})
-                     when "google", "facebook", "microsoft", "github", "wikipedia"
+                     when "google", "facebook", "microsoft", "github", "wikipedia", "openstreetmap"
                        true
                      else
                        false
```
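Review bot: adding `"openstreetmap"` to the trusted-email branch has no effect while the provider only requests the `openid` scope (no email claim comes back), but it will silently take effect the moment an email scope is added; rather than returning `true` unconditionally, the branch should also require the ID token's `email_verified` claim to be true, otherwise an unconfirmed address on osm.org would be accepted without confirmation on the dev instance.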


### Add osm.org as new OIDC provider

* Scope is currently set to openid; maybe email would also be possible.
* Settings probably need some more fine tuning.
* Redirect URL should point to the respective site, such as microcosms.
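Added example, not code from the issue or from the openstreetmap-website code base: `osm_oidc_options` and `trusted_email?` are hypothetical helpers showing how the provider options could be built only when credentials exist, with the redirect URI derived from the site URL, and how the provider's e-mail could be trusted only when the `email_verified` claim is true. The auth hash is constructed on the assumption that omniauth_openid_connect copies the `email` and `email_verified` claims into `info`.

```ruby
require "uri"

# Mirror the other providers: only build the options when credentials are configured,
# and derive the redirect URI from the site's own URL instead of hard-coding 127.0.0.1:3000.
def osm_oidc_options(settings, server_url)
  return nil unless settings.key?(:openstreetmap_auth_id)

  { :name => "openstreetmap",
    :scope => [:openid],
    :issuer => "https://www.openstreetmap.org",
    :discovery => true,
    :response_type => :code,
    # "sub" is the stable OIDC subject; "preferred_username" changes when a user renames
    :uid_field => "sub",
    :client_options => {
      :identifier => settings[:openstreetmap_auth_id],
      :secret => settings[:openstreetmap_auth_secret],
      :redirect_uri => URI.join(server_url, "/auth/openstreetmap/callback").to_s
    } }
end

# Constructed OmniAuth auth hash, shaped as the callback would receive it
# (assumption: the gem exposes the email and email_verified claims under info).
SAMPLE_AUTH = {
  :provider => "openstreetmap",
  :uid => "12345",
  :info => { :nickname => "mmd", :email => "mmd@example.com", :email_verified => true }
}.freeze

# Decide whether the provider's e-mail may be used without a confirmation mail.
# For openstreetmap, require a non-empty address whose email_verified claim is true.
def trusted_email?(auth)
  case auth[:provider]
  when "google", "facebook", "microsoft", "github", "wikipedia"
    true
  when "openstreetmap"
    email = auth.dig(:info, :email).to_s
    !email.empty? && auth.dig(:info, :email_verified) == true
  else
    false
  end
end
```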

```diff
diff --git a/config/initializers/omniauth.rb b/config/initializers/omniauth.rb
index bce82b3c9..89702e6ae 100644
--- a/config/initializers/omniauth.rb
+++ b/config/initializers/omniauth.rb
@@ -27,11 +27,26 @@ facebook_options = { :name => "facebook", :scope => "email", :client_options =>
 microsoft_options = { :name => "microsoft", :scope => "openid User.Read" }
 github_options = { :name => "github", :scope => "user:email" }
 wikipedia_options = { :name => "wikipedia", :client_options => { :site => "https://meta.wikimedia.org" } }
+osm_oidc_options = { :name => :openstreetmap,
+                     :scope => [:openid],
+                     :issuer => "https://www.openstreetmap.org",
+                     :discovery => true,
+                     :response_type => :code,
+                     :uid_field => "preferred_username",
+                     :client_options => {
+                       :port => 443,
+                       :scheme => "https",
+                       :host => "www.openstreetmap.org",
+                       :identifier => Settings.openstreetmap_auth_id,
+                       :secret => Settings.openstreetmap_auth_secret,
+                       :redirect_uri => "http://127.0.0.1:3000/auth/openstreetmap/callback"
+                     } }
 
 google_options[:openid_realm] = Settings.google_openid_realm if Settings.key?(:google_openid_realm)
 
 Rails.application.config.middleware.use OmniAuth::Builder do
   provider :openid, openid_options
+  provider :openid_connect, osm_oidc_options
   provider :google_oauth2, Settings.google_auth_id, Settings.google_auth_secret, google_options if Settings.key?(:google_auth_id)
   provider :facebook, Settings.facebook_auth_id, Settings.facebook_auth_secret, facebook_options if Settings.key?(:facebook_auth_id)
   provider :microsoft_graph, Settings.microsoft_auth_id, Settings.microsoft_auth_secret, microsoft_options if Settings.key?(:microsoft_auth_id)
```
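Review bot: `provider :openid_connect, osm_oidc_options` is registered unconditionally, while every other provider in this hunk is guarded with `if Settings.key?(...)`; without the guard an instance with no `openstreetmap_auth_id` configured still registers the strategy, with a nil identifier and secret. Two further points: `:redirect_uri` is hard-coded to `http://127.0.0.1:3000/auth/openstreetmap/callback` (the bullet above says it should point to the respective site, so derive it from the configured server URL), and `:uid_field => "preferred_username"` keys accounts on a display name that users can change on osm.org; the `sub` claim is the stable identifier, and keying on a renamable name means a rename would detach the dev account from its owner.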

### Updated translations


```
diff --git a/config/locales/en.yml b/config/locales/en.yml
index ac41952c7..08d3a6942 100644
--- a/config/locales/en.yml
+++ b/config/locales/en.yml
@@ -223,6 +223,7 @@ en:
       microsoft: Microsoft
       github: GitHub
       wikipedia: Wikipedia
+      openstreetmap: OpenStreetMap
   api:
     notes:
       comment:
@@ -2612,6 +2613,9 @@ en:
       wikipedia:
         title: Log in with Wikipedia
         alt: Wikipedia logo
+      openstreetmap:
+        title: Log in with OpenStreetMap
+        alt: OpenStreetMap logo
   oauth:
     authorize:
       title: "Authorize access to your account"
```

### Default settings.yml

```
diff --git a/config/settings.yml b/config/settings.yml
index 71df9ad3d..bd4665381 100644
--- a/config/settings.yml
+++ b/config/settings.yml
@@ -143,6 +143,8 @@ fossgis_valhalla_url: "https://valhalla1.openstreetmap.de/route"
 #microsoft_auth_secret: ""
 #wikipedia_auth_id: ""
 #wikipedia_auth_secret: ""
+#openstreetmap_auth_id: ""
+#openstreetmap_auth_secret: ""
 # Thunderforest authentication details
 #thunderforest_key: ""
 # Tracestrack authentication details
```
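Review bot: the two new commented keys are appended directly under the wikipedia pair, while the block that follows opens with a `# Thunderforest authentication details` comment; a `# OpenStreetMap authentication details` line above `#openstreetmap_auth_id` would keep settings.yml self-describing, and the real values belong only in settings.local.yml as the later section describes.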

### Provider list updated

```diff
diff --git a/lib/auth.rb b/lib/auth.rb
index 729772477..f89cdf38f 100644
--- a/lib/auth.rb
+++ b/lib/auth.rb
@@ -10,6 +10,7 @@ module Auth
       providers[I18n.t("auth.providers.microsoft")] = "microsoft" if Settings.key?(:microsoft_auth_id)
       providers[I18n.t("auth.providers.github")] = "github" if Settings.key?(:github_auth_id)
       providers[I18n.t("auth.providers.wikipedia")] = "wikipedia" if Settings.key?(:wikipedia_auth_id)
+      providers[I18n.t("auth.providers.openstreetmap")] = "openstreetmap" if Settings.key?(:openstreetmap_auth_id)
     end.freeze
   end
 end
```
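Review bot: this hunk guards the new entry on `Settings.key?(:openstreetmap_auth_id)`, consistent with the other providers; the `provider :openid_connect, osm_oidc_options` registration in config/initializers/omniauth.rb above lacks the same guard, so the login button and the strategy can currently be enabled independently of each other.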

### Copy /app/assets/images/osm_logo.svg to /app/assets/images/auth_providers/openstreetmap.svg

### Register new oauth2 application on osm.org with

* Redirect URIs: `http://127.0.0.1:3000/auth/openstreetmap/callback`
  (this could include many different URLs, such as https://microcosms.apis.dev.openstreetmap.org/auth/openstreetmap/callback)
* Permissions: Sign-in using OpenStreetMap (openid)
* Confidential application

### Copy client id + secret to settings.local.yml on microcosms rails instance


```
openstreetmap_auth_id: "1SDBnVj815zwFN6cV70TiQlC50...."
openstreetmap_auth_secret: "R3TWRC9GdxzQTHWvspugOc..."
```

### Screenshots

![image](https://github.com/user-attachments/assets/c2c3a147-6b92-4cf4-8cc7-c6e0b7a770ec)

Email and display name are not taken over. I don't have admin permission on osm.org to define an OAuth2 app with email reading permissions. Maybe this would also work out of the box.

Most importantly, users don't have to remember a separate logon + password for the dev instance, they can simply click on the "Log on with OpenStreetMap" button.

![image](https://github.com/user-attachments/assets/72591966-a470-4357-8d25-c37c2c06817f)
