Use omniauth openid connect (#51)

## What's changed

* Removed omniauth-rpi
* Added omniauth_openid_connect 
* Added helper methods to RpiAuth::Configuration class to help set up
the openid_connect client
* Adjusted how the tests were run to make sure OmniAuth test mode was
toggled correctly
* Moved RpiAuthBypass + tests from omniauth-rpi to this gem
* Fixed up dummy app to work for local development.

## Points for consideration

I don't *think* any reconfiguration is necessary for clients to move
from omniauth-rpi to omniauth_openid_connect thanks to the smoothing out
performed in this gem.

The RpiAuthBypass is a bit.. rustic. It has just been transplanted from
omniauth-rpi, but I suspect the implementation could be refined to make
it more useful, and less likely to breakage as Hydra /
omniauth_openid_connect develop. Ideally we'd have a check to make sure
the auth hash it returns doesn't have extra fields compared to what
hydra returns in the id token, etc.

This change allows us to use the JWKS client auth method, and more
tightly verifies tokens returned by Hydra.

Author: patch0

CHANGELOG.md

@@ -7,6 +7,10 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+### Changed
+
+- Replaced usage of [omniauth-rpi](https://github.com/RaspberryPiFoundation/omniauth-rpi/) strategy with [omniauth_openid_connect](https://github.com/omniauth/omniauth_openid_connect/) (#51)
+
 ## [v2.0.0]
 
 ### Added

Gemfile.lock

@@ -3,7 +3,7 @@ PATH
   specs:
     rpi_auth (2.0.0)
       omniauth-rails_csrf_protection (~> 1.0.0)
-      omniauth-rpi (~> 1.4.0)
+      omniauth_openid_connect (~> 0.7.1)
       rails (>= 6.1.4)
 
 GEM
@@ -74,7 +74,10 @@ GEM
       i18n (>= 1.6, < 2)
       minitest (>= 5.1)
       tzinfo (~> 2.0)
+    aes_key_wrap (1.1.0)
     ast (2.4.2)
+    attr_required (1.0.1)
+    bindata (2.4.15)
     builder (3.2.4)
     byebug (11.1.3)
     coderay (1.1.3)
@@ -86,6 +89,8 @@ GEM
     faraday (2.7.4)
       faraday-net_http (>= 2.0, < 3.1)
       ruby2_keywords (>= 0.0.4)
+    faraday-follow_redirects (0.3.0)
+      faraday (>= 1, < 3)
     faraday-net_http (3.0.2)
     ffi (1.15.5)
     globalid (1.1.0)
@@ -94,7 +99,12 @@ GEM
     i18n (1.13.0)
       concurrent-ruby (~> 1.0)
     json (2.6.2)
-    jwt (2.2.3)
+    json-jwt (1.16.3)
+      activesupport (>= 4.2)
+      aes_key_wrap
+      bindata
+      faraday (~> 2.0)
+      faraday-follow_redirects
     listen (3.7.1)
       rb-fsevent (~> 0.10, >= 0.10.3)
       rb-inotify (~> 0.9, >= 0.9.10)
@@ -107,7 +117,6 @@ GEM
     method_source (1.0.0)
     mini_mime (1.1.2)
     minitest (5.18.0)
-    multi_xml (0.6.0)
     net-imap (0.3.1)
       net-protocol
     net-pop (0.1.2)
@@ -121,27 +130,29 @@ GEM
       racc (~> 1.4)
     nokogiri (1.14.3-x86_64-linux)
       racc (~> 1.4)
-    oauth2 (2.0.9)
-      faraday (>= 0.17.3, < 3.0)
-      jwt (>= 1.0, < 3.0)
-      multi_xml (~> 0.5)
-      rack (>= 1.2, < 4)
-      snaky_hash (~> 2.0)
-      version_gem (~> 1.1)
     omniauth (2.1.1)
       hashie (>= 3.4.6)
       rack (>= 2.2.3)
       rack-protection
-    omniauth-oauth2 (1.8.0)
-      oauth2 (>= 1.4, < 3)
-      omniauth (~> 2.0)
     omniauth-rails_csrf_protection (1.0.1)
       actionpack (>= 4.2)
       omniauth (~> 2.0)
-    omniauth-rpi (1.4.0)
-      jwt (~> 2.2.3)
-      omniauth (~> 2.0)
-      omniauth-oauth2 (~> 1.4)
+    omniauth_openid_connect (0.7.1)
+      omniauth (>= 1.9, < 3)
+      openid_connect (~> 2.2)
+    openid_connect (2.2.0)
+      activemodel
+      attr_required (>= 1.0.0)
+      faraday (~> 2.0)
+      faraday-follow_redirects
+      json-jwt (>= 1.16)
+      net-smtp
+      rack-oauth2 (~> 2.2)
+      swd (~> 2.0)
+      tzinfo
+      validate_email
+      validate_url
+      webfinger (~> 2.0)
     parallel (1.22.1)
     parser (3.1.3.0)
       ast (~> 2.4.1)
@@ -151,8 +162,18 @@ GEM
     pry-byebug (3.10.1)
       byebug (~> 11.0)
       pry (>= 0.13, < 0.15)
+    public_suffix (5.0.1)
+    puma (6.2.2)
+      nio4r (~> 2.0)
     racc (1.6.2)
     rack (2.2.7)
+    rack-oauth2 (2.2.0)
+      activesupport
+      attr_required
+      faraday (~> 2.0)
+      faraday-follow_redirects
+      json-jwt (>= 1.11.0)
+      rack (>= 2.1.0)
     rack-protection (3.0.6)
       rack
     rack-test (2.0.2)
@@ -238,15 +259,26 @@ GEM
       simplecov_json_formatter (~> 0.1)
     simplecov-html (0.12.3)
     simplecov_json_formatter (0.1.4)
-    snaky_hash (2.0.1)
-      hashie
-      version_gem (~> 1.1, >= 1.1.1)
+    swd (2.0.2)
+      activesupport (>= 3)
+      attr_required (>= 0.0.5)
+      faraday (~> 2.0)
+      faraday-follow_redirects
     thor (1.2.1)
     timeout (0.3.0)
     tzinfo (2.0.6)
       concurrent-ruby (~> 1.0)
     unicode-display_width (2.3.0)
-    version_gem (1.1.2)
+    validate_email (0.1.6)
+      activemodel (>= 3.0)
+      mail (>= 2.2.5)
+    validate_url (1.0.15)
+      activemodel (>= 3.0.0)
+      public_suffix
+    webfinger (2.1.2)
+      activesupport
+      faraday (~> 2.0)
+      faraday-follow_redirects
     websocket-driver (0.7.5)
       websocket-extensions (>= 0.1.0)
     websocket-extensions (0.1.5)
@@ -259,6 +291,7 @@ PLATFORMS
 DEPENDENCIES
   listen
   pry-byebug
+  puma
   rails (~> 7.0)
   rpi_auth!
   rspec-rails

README.md

@@ -1,6 +1,6 @@
 # RpiAuth
 
-A gem to handle authenticating via Hydra for Raspberry Pi Foundation Rails applications.
+A gem to handle OpenID Connect authentication via Hydra for Raspberry Pi Foundation Rails applications.
 
 ## Usage
 
@@ -11,7 +11,7 @@ The Engine includes the [Rails CSRF protection gem](https://github.com/cookpad/o
 Add this line to your application's Gemfile:
 
 ```ruby
-gem 'rpi_auth', git: 'https://github.com/RaspberryPiFoundation/rpi-auth.git', tag: 'v1.3.0'
+gem 'rpi_auth', git: 'https://github.com/RaspberryPiFoundation/rpi-auth.git', tag: 'v2.0.0'
 ```
 
 And then execute:
@@ -48,7 +48,7 @@ RpiAuth.configure do |config|
   config.auth_token_url = ENV.fetch('AUTH_TOKEN_URL', nil)
   config.auth_client_id = ENV.fetch('AUTH_CLIENT_ID', nil)
   config.auth_client_secret = ENV.fetch('AUTH_CLIENT_SECRET', nil)
-  config.brand = 'brand-name'
+  config.brand = 'raspberrypi-org'
   config.host_url = ENV.fetch('HOST_URL', nil)
   config.identity_url = ENV.fetch('IDENTITY_URL', nil)
   config.user_model = 'User'
@@ -96,7 +96,13 @@ link_to 'Log in', rpi_auth_login_path, method: :post
 button_to 'Log in', rpi_auth_login_path
 ```
 
-There is also a helper for the logout route:
+There is a helper for the sign-up buttons, which pushes the user through the sign-up flow.
+
+```ruby
+button_to 'Sign up', rpi_auth_signup_path
+```
+
+And there is also a helper for the logout route:
 
 ```ruby
 link_to 'Log out', rpi_auth_logout_path

config/routes.rb

@@ -1,10 +1,11 @@
 # frozen_string_literal: true
 
 Rails.application.routes.draw do
-  # Dummy route. This route is never reached in the app, as Omniauth intercepts
-  # it via Rack middleware before it reaches Rails, however adding this route
-  # allows us to use rpi_auth_login_path helpers etc.
-  post '/auth/rpi', as: :rpi_auth_login
+  # Dummy routes. These routes are never reached in the app, as Omniauth
+  # intercepts it via Rack middleware before it reaches Rails, however adding
+  # them allows us to use rpi_auth_login_path helpers etc.
+  post '/auth/rpi', as: :rpi_auth_login, params: { login_options: 'v1_signup' }
+  post '/auth/rpi', as: :rpi_auth_signup, params: { login_options: 'force_signup,v1_signup' }
 
   namespace 'rpi_auth' do
     get '/auth/callback', to: 'auth#callback', as: 'callback'

gemfiles/rails_6.1.gemfile.lock

@@ -1,9 +1,9 @@
 PATH
   remote: ..
   specs:
-    rpi_auth (0.1.0)
+    rpi_auth (2.0.0)
       omniauth-rails_csrf_protection (~> 1.0.0)
-      omniauth-rpi (~> 1.1)
+      omniauth_openid_connect (~> 0.7.1)
       rails (>= 6.1.4)
 
 GEM
@@ -68,7 +68,10 @@ GEM
       minitest (>= 5.1)
       tzinfo (~> 2.0)
       zeitwerk (~> 2.3)
+    aes_key_wrap (1.1.0)
     ast (2.4.2)
+    attr_required (1.0.1)
+    bindata (2.4.15)
     builder (3.2.4)
     byebug (11.1.3)
     coderay (1.1.3)
@@ -77,9 +80,11 @@ GEM
     diff-lcs (1.5.0)
     docile (1.4.0)
     erubi (1.11.0)
-    faraday (2.7.1)
+    faraday (2.7.4)
       faraday-net_http (>= 2.0, < 3.1)
       ruby2_keywords (>= 0.0.4)
+    faraday-follow_redirects (0.3.0)
+      faraday (>= 1, < 3)
     faraday-net_http (3.0.2)
     ffi (1.15.5)
     globalid (1.0.0)
@@ -88,7 +93,12 @@ GEM
     i18n (1.12.0)
       concurrent-ruby (~> 1.0)
     json (2.6.2)
-    jwt (2.2.3)
+    json-jwt (1.16.3)
+      activesupport (>= 4.2)
+      aes_key_wrap
+      bindata
+      faraday (~> 2.0)
+      faraday-follow_redirects
     listen (3.7.1)
       rb-fsevent (~> 0.10, >= 0.10.3)
       rb-inotify (~> 0.9, >= 0.9.10)
@@ -101,33 +111,38 @@ GEM
     method_source (1.0.0)
     mini_mime (1.1.2)
     minitest (5.16.3)
-    multi_xml (0.6.0)
+    net-protocol (0.2.1)
+      timeout
+    net-smtp (0.3.3)
+      net-protocol
     nio4r (2.5.8)
     nokogiri (1.13.9-arm64-darwin)
       racc (~> 1.4)
     nokogiri (1.13.9-x86_64-linux)
       racc (~> 1.4)
-    oauth2 (2.0.9)
-      faraday (>= 0.17.3, < 3.0)
-      jwt (>= 1.0, < 3.0)
-      multi_xml (~> 0.5)
-      rack (>= 1.2, < 4)
-      snaky_hash (~> 2.0)
-      version_gem (~> 1.1)
-    omniauth (2.1.0)
+    omniauth (2.1.1)
       hashie (>= 3.4.6)
       rack (>= 2.2.3)
       rack-protection
-    omniauth-oauth2 (1.8.0)
-      oauth2 (>= 1.4, < 3)
-      omniauth (~> 2.0)
     omniauth-rails_csrf_protection (1.0.1)
       actionpack (>= 4.2)
       omniauth (~> 2.0)
-    omniauth-rpi (1.1.0)
-      jwt (~> 2.2.3)
-      omniauth (~> 2.0)
-      omniauth-oauth2 (~> 1.4)
+    omniauth_openid_connect (0.7.1)
+      omniauth (>= 1.9, < 3)
+      openid_connect (~> 2.2)
+    openid_connect (2.2.0)
+      activemodel
+      attr_required (>= 1.0.0)
+      faraday (~> 2.0)
+      faraday-follow_redirects
+      json-jwt (>= 1.16)
+      net-smtp
+      rack-oauth2 (~> 2.2)
+      swd (~> 2.0)
+      tzinfo
+      validate_email
+      validate_url
+      webfinger (~> 2.0)
     parallel (1.22.1)
     parser (3.1.3.0)
       ast (~> 2.4.1)
@@ -137,9 +152,17 @@ GEM
     pry-byebug (3.10.1)
       byebug (~> 11.0)
       pry (>= 0.13, < 0.15)
+    public_suffix (5.0.1)
     racc (1.6.0)
     rack (2.2.4)
-    rack-protection (3.0.4)
+    rack-oauth2 (2.2.0)
+      activesupport
+      attr_required
+      faraday (~> 2.0)
+      faraday-follow_redirects
+      json-jwt (>= 1.11.0)
+      rack (>= 2.1.0)
+    rack-protection (3.0.6)
       rack
     rack-test (2.0.2)
       rack (>= 1.3)
@@ -224,21 +247,33 @@ GEM
       simplecov_json_formatter (~> 0.1)
     simplecov-html (0.12.3)
     simplecov_json_formatter (0.1.4)
-    snaky_hash (2.0.1)
-      hashie
-      version_gem (~> 1.1, >= 1.1.1)
     sprockets (4.1.1)
       concurrent-ruby (~> 1.0)
       rack (> 1, < 3)
     sprockets-rails (3.4.2)
       actionpack (>= 5.2)
       activesupport (>= 5.2)
       sprockets (>= 3.0.0)
+    swd (2.0.2)
+      activesupport (>= 3)
+      attr_required (>= 0.0.5)
+      faraday (~> 2.0)
+      faraday-follow_redirects
     thor (1.2.1)
+    timeout (0.3.2)
     tzinfo (2.0.5)
       concurrent-ruby (~> 1.0)
     unicode-display_width (2.3.0)
-    version_gem (1.1.1)
+    validate_email (0.1.6)
+      activemodel (>= 3.0)
+      mail (>= 2.2.5)
+    validate_url (1.0.15)
+      activemodel (>= 3.0.0)
+      public_suffix
+    webfinger (2.1.2)
+      activesupport
+      faraday (~> 2.0)
+      faraday-follow_redirects
     websocket-driver (0.7.5)
       websocket-extensions (>= 0.1.0)
     websocket-extensions (0.1.5)