Refine OpenID Connect Authentication from #1194 (#1399)

* Adds OpenID Connect. * Add CSS class for openid_connect omniauth provider * Add translation (de_DE and en) for openid_connect omniauth provider label * Make uid_field configurable for openid_connect omniauth provider * updates to support for openid * updates to support for openid * updated ldap gem * updated sample.env Co-authored-by: mapidentity <git@mapidentity.com> Co-authored-by: Jesus Federico <jesus@123it.ca> Co-authored-by: mapidentity <49822181+mapidentity@users.noreply.github.com>
2021-01-07 21:11:17 +01:00 · 2021-01-07 21:11:17 +01:00 · 3b7b45cc03
parent 6be629ae82
commit 3b7b45cc03
11 changed files with 121 additions and 14 deletions
--- a/1
+++ b/1
@ -50,6 +50,7 @@ gem 'sprockets', '< 4.0.0'
 gem 'omniauth'
 gem 'omniauth-twitter'
 gem 'omniauth-google-oauth2'
+gem 'omniauth_openid_connect'
 gem 'omniauth-bn-launcher', '~> 0.1.3'
 gem 'net-ldap'
 gem 'bn-ldap-authentication', '~> 0.1.4'
--- a/Gemfile.lock
+++ b/Gemfile.lock
@ -68,8 +68,10 @@ GEM
      tzinfo (~> 1.1)
    addressable (2.7.0)
      public_suffix (>= 2.0.2, < 5.0)
+    aes_key_wrap (1.1.0)
    arel (9.0.0)
    ast (2.4.0)
+    attr_required (1.0.1)
    autoprefixer-rails (9.7.6)
      execjs
    aws-eventstream (1.1.0)
@ -89,6 +91,7 @@ GEM
    aws-sigv4 (1.2.1)
      aws-eventstream (~> 1, >= 1.0.2)
    bcrypt (3.1.13)
+    bindata (2.4.8)
    bindex (0.8.1)
    bn-ldap-authentication (0.1.4)
      net-ldap (~> 0)
@ -191,6 +194,10 @@ GEM
    jquery-ui-rails (6.0.1)
      railties (>= 3.2.16)
    json (2.3.0)
+    json-jwt (1.13.0)
+      activesupport (>= 4.2)
+      aes_key_wrap
+      bindata
    jwt (2.2.1)
    listen (3.0.8)
      rb-fsevent (~> 0.9, >= 0.9.4)
@ -250,6 +257,20 @@ GEM
    omniauth-twitter (1.4.0)
      omniauth-oauth (~> 1.1)
      rack
+    omniauth_openid_connect (0.3.5)
+      addressable (~> 2.5)
+      omniauth (~> 1.9)
+      openid_connect (~> 1.1)
+    openid_connect (1.2.0)
+      activemodel
+      attr_required (>= 1.0.0)
+      json-jwt (>= 1.5.0)
+      rack-oauth2 (>= 1.6.1)
+      swd (>= 1.0.0)
+      tzinfo
+      validate_email
+      validate_url
+      webfinger (>= 1.0.1)
    os (1.1.0)
    pagy (3.8.1)
    parallel (1.19.1)
@ -263,6 +284,12 @@ GEM
    public_suffix (4.0.5)
    puma (3.12.6)
    rack (2.2.3)
+    rack-oauth2 (1.16.0)
+      activesupport
+      attr_required
+      httpclient
+      json-jwt (>= 1.11.0)
+      rack (>= 2.1.0)
    rack-test (1.1.0)
      rack (>= 1.0, < 3)
    rails (5.2.4.4)
@ -376,6 +403,10 @@ GEM
      activesupport (>= 4.0)
      sprockets (>= 3.0.0)
    sqlite3 (1.3.13)
+    swd (1.2.0)
+      activesupport (>= 3)
+      attr_required (>= 0.0.5)
+      httpclient (>= 2.4)
    sync (0.5.0)
    syslog_protocol (0.9.2)
    term-ansicolor (1.7.1)
@ -396,11 +427,20 @@ GEM
    uglifier (4.2.0)
      execjs (>= 0.3.0, < 3)
    unicode-display_width (1.7.0)
+    validate_email (0.1.6)
+      activemodel (>= 3.0)
+      mail (>= 2.2.5)
+    validate_url (1.0.13)
+      activemodel (>= 3.0.0)
+      public_suffix
    web-console (3.7.0)
      actionview (>= 5.0)
      activemodel (>= 5.0)
      bindex (>= 0.4.0)
      railties (>= 5.0)
+    webfinger (1.1.0)
+      activesupport
+      httpclient (>= 2.4)
    webmock (3.8.3)
      addressable (>= 2.3.6)
      crack (>= 0.3.2)
@ -444,6 +484,7 @@ DEPENDENCIES
  omniauth-bn-office365 (~> 0.1.1)
  omniauth-google-oauth2
  omniauth-twitter
+  omniauth_openid_connect
  pagy
  pg (~> 0.18)
  pluck_to_hash (~> 1.0.2)
--- a/README.md
+++ b/README.md
@ -7,7 +7,7 @@

 Greenlight is a simple front-end interface for your BigBlueButton server. At its heart, Greenlight provides a minimalistic web-based application that allows users to:

-  * Signup/Login with Google, Office365, or through the application itself.
+  * Signup/Login with Google, Office365, OpenID Connect, or through the application itself.
  * Manage your account settings and user preferences.
  * Create and manage your own personal rooms ([BigBlueButton](https://github.com/bigbluebutton/bigbluebutton) sessions).
  * Invite others to your room using a simple URL.
@ -34,4 +34,3 @@ Greenlight is built using Ruby on Rails. Many developers already know Rails well
 We invite you to build upon Greenlight and help make it better. See [Contributing to BigBlueButton](http://docs.bigbluebutton.org/support/faq.html#contributing-to-bigbluebutton).

 We invite your feedback, questions, and suggests about Greenlight too. Please post them to the [developer mailing list](https://groups.google.com/forum/#!forum/bigbluebutton-dev).
-
--- a/app/assets/images/openid-logo.png
+++ b/app/assets/images/openid-logo.png
--- a/app/assets/stylesheets/main.scss
+++ b/app/assets/stylesheets/main.scss
@ -155,6 +155,17 @@
  }
 }

+.customBtn-openid_connect {
+  @extend .customBtn;
+  background: #ef8e1f;
+
+  .customBtn-image {
+    background: #ffffff image-url("openid-logo.png") no-repeat left top;
+    background-size: 18px 18px;
+    padding:10px 10px 10px 10px;
+  }
+}
+
 .signin-button {
  font-size: 16px;
 }
--- a/app/helpers/application_helper.rb
+++ b/app/helpers/application_helper.rb
@ -22,7 +22,7 @@ require 'uri'
 module ApplicationHelper
  # Determines which providers can show a login button in the login modal.
  def iconset_providers
-    providers = configured_providers & [:google, :twitter, :office365, :ldap]
+    providers = configured_providers & [:google, :twitter, :office365, :openid_connect, :ldap]

    providers.delete(:twitter) if session[:old_twitter_user_id]

--- a/config/initializers/omniauth.rb
+++ b/config/initializers/omniauth.rb
@ -16,6 +16,9 @@ Rails.application.config.omniauth_twitter = ENV['TWITTER_ID'].present? && ENV['T
 Rails.application.config.omniauth_google = ENV['GOOGLE_OAUTH2_ID'].present? && ENV['GOOGLE_OAUTH2_SECRET'].present?
 Rails.application.config.omniauth_office365 = ENV['OFFICE365_KEY'].present? &&
                                              ENV['OFFICE365_SECRET'].present?
+Rails.application.config.omniauth_openid_connect = ENV['OPENID_CONNECT_CLIENT_ID'].present? &&
+                                                   ENV['OPENID_CONNECT_CLIENT_SECRET'].present? &&
+                                                   ENV['OPENID_CONNECT_ISSUER'].present?

 SETUP_PROC = lambda do |env|
  OmniauthOptions.omniauth_options env
@ -56,8 +59,44 @@ Rails.application.config.middleware.use OmniAuth::Builder do
      redirect = ENV['OAUTH2_REDIRECT'].present? ? File.join(ENV['OAUTH2_REDIRECT'], "auth", "office365", "callback") : nil

      provider :office365, ENV['OFFICE365_KEY'], ENV['OFFICE365_SECRET'],
-      redirect_uri: redirect,
-      setup: SETUP_PROC
+        redirect_uri: redirect,
+        setup: SETUP_PROC
+    end
+    if Rails.configuration.omniauth_openid_connect
+      Rails.application.config.providers << :openid_connect
+
+      redirect = ENV['OAUTH2_REDIRECT'].present? ? File.join(ENV['OAUTH2_REDIRECT'], "auth", "openid_connect", "callback") : nil
+
+      provider :openid_connect,
+        issuer: ENV["OPENID_CONNECT_ISSUER"],
+        discovery: true,
+        scope: [:email, :profile],
+        response_type: :code,
+        uid_field: ENV["OPENID_CONNECT_UID_FIELD"] || "preferred_username",
+        client_options: {
+          identifier: ENV['OPENID_CONNECT_CLIENT_ID'],
+          secret: ENV['OPENID_CONNECT_CLIENT_SECRET'],
+          redirect_uri: redirect
+        },
+        setup: SETUP_PROC
+    end
+    if Rails.configuration.omniauth_openid_connect
+      Rails.application.config.providers << :openid_connect
+
+      redirect = ENV['OAUTH2_REDIRECT'].present? ? File.join(ENV['OAUTH2_REDIRECT'], "auth", "openid_connect", "callback") : nil
+
+      provider :openid_connect,
+        issuer: ENV["OPENID_CONNECT_ISSUER"],
+        discovery: true,
+        scope: [:email, :profile],
+        response_type: :code,
+        uid_field: ENV["OPENID_CONNECT_UID_FIELD"] || "preferred_username",
+        client_options: {
+          identifier: ENV['OPENID_CONNECT_CLIENT_ID'],
+          secret: ENV['OPENID_CONNECT_CLIENT_SECRET'],
+          redirect_uri: redirect
+        },
+        setup: SETUP_PROC
    end
  end
 end
--- a/config/locales/de_DE.yml
+++ b/config/locales/de_DE.yml
@ -477,6 +477,7 @@ de_DE:
    office365: Office 365
    twitter: Twitter
    ldap: LDAP
+    openid_connect: OpenID Connect
  recaptcha:
    errors:
      recaptcha_unreachable: "Ups, es war nicht möglich die reCAPTCHA Antwort zu überprüfen. Bitte versuchen Sie es nochmals."
--- a/config/locales/en.yml
+++ b/config/locales/en.yml
@ -72,7 +72,7 @@ en:
      email_mapping:
        info: Map the user to a role using their email. Must be in the format email1=role1,email2=role2
        title: Role Mapping by Email
-        update: 
+        update:
      log_level:
        title: Log Level
        information: Change the Log Level for the entire deployment
@ -94,7 +94,7 @@ en:
        title: Maintenance Banner
        display: Set
        clear: Clear
-        time: "Example: Update scheduled on December 13 @ 23:00 ET. Users may experience problems signing in."        
+        time: "Example: Update scheduled on December 13 @ 23:00 ET. Users may experience problems signing in."
      preupload:
        info: Users can preupload a presentation to be used as the default presentation for that specific room
        title: Allow Users to Preupload Presentations
@ -478,6 +478,7 @@ en:
    office365: Office 365
    twitter: Twitter
    ldap: LDAP
+    openid_connect: OpenID Connect
  recaptcha:
    errors:
      recaptcha_unreachable: Oops, we failed to validate your reCAPTCHA response. Please try again.
@ -549,7 +550,7 @@ en:
      fail: Failed to delete room (%{error})
    enter_the_access_code: Enter the room's access code
    invalid_provider: You have entered an invalid url. Please check the url and try again.
-    invitation_description: You have been invited to join %{name} using BigBlueButton. To join, click the link above and enter your name.  
+    invitation_description: You have been invited to join %{name} using BigBlueButton. To join, click the link above and enter your name.
    invited: You have been invited to join
    recording_present: I acknowledge that this session is going to be recorded. This may include my voice and video if enabled.
    invite_participants: Invite Participants
--- a/lib/omniauth_options.rb
+++ b/lib/omniauth_options.rb
@ -37,6 +37,8 @@ module OmniauthOptions
      set_hd(env, ENV['GOOGLE_OAUTH2_HD'])
    elsif env['omniauth.strategy'].options[:name] == "office365"
      set_hd(env, ENV['OFFICE365_HD'])
+    elsif env['omniauth.strategy'].options[:name] == "openid_connect"
+      set_hd(env, ENV['OPENID_CONNECT_HD'])
    end
  end

--- a/sample.env
+++ b/sample.env
@ -51,6 +51,18 @@ OFFICE365_KEY=
 OFFICE365_SECRET=
 OFFICE365_HD=

+# OpenID Connect Provider (optional)
+#
+# For in-depth steps on setting up a OpenID Connect Login Provider, see:
+#
+#   https://docs.bigbluebutton.org/greenlight/gl-config.html#openid-connect
+#
+OPENID_CONNECT_CLIENT_ID=
+OPENID_CONNECT_CLIENT_SECRET=
+OPENID_CONNECT_ISSUER=
+OPENID_CONNECT_HD=
+OPENID_CONNECT_UID_FIELD=
+
 # OAUTH2_REDIRECT allows you to specify the redirect_url passed to oauth on sign in.
 # It is useful for cases when Greenlight is deployed behind a Network Load Balancer or proxy
 OAUTH2_REDIRECT=
@ -123,7 +135,7 @@ GOOGLE_ANALYTICS_TRACKING_ID=
 #   SMTP_AUTH=plain
 #   SMTP_STARTTLS_AUTO=true
 #
-# If your mail server has a self-signed certificate, you'll also need to include the line below. 
+# If your mail server has a self-signed certificate, you'll also need to include the line below.
 # Please note that enable this presents its own security risks and should not be done unless necessary.
 #   SMTP_OPENSSL_VERIFY_MODE=none
 #
@ -138,7 +150,7 @@ SMTP_STARTTLS_AUTO=
 # Specify the email address that all mail is sent from
 SMTP_SENDER=

-# Specify the recipient for test emails (needed for providers like Microsoft, who are very 
+# Specify the recipient for test emails (needed for providers like Microsoft, who are very
 # strict about RFC 2606)
 SMTP_TEST_RECIPIENT=notifications@example.com

@ -202,16 +214,16 @@ MAINTENANCE_WINDOW=
 HELP_URL=https://docs.bigbluebutton.org/greenlight/gl-overview.html

 # Change the default language
-# 
-# By default, Greenlight will appear in the same language as that specific user's browser. 
+#
+# By default, Greenlight will appear in the same language as that specific user's browser.
 # The user can override this by going into their profile and changing the language.
 # You can override the default language to a specific language instead of the browser's language by setting
 # the variable below. To find the correct value, visit: https://github.com/bigbluebutton/greenlight/tree/v2/config/locales
 # and find the code that matches the language you want. Ex: For Arabic -> DEFAULT_LOCALE=ar, For Italian -> DEFAULT_LOCALE=it
 # DEFAULT_LOCALE=

-# Force a redirect to HTTPS and make cookies secure. 
-# WARNING: Only set this to false for a development environment. 
+# Force a redirect to HTTPS and make cookies secure.
+# WARNING: Only set this to false for a development environment.
 ENABLE_SSL=true

 # Comment this out to send logs to STDOUT in production instead of log/production.log .