lib/generators/doorkeeper/openid_connect/templates/initializer.rb
# frozen_string_literal: true
# Generated Doorkeeper::OpenidConnect initializer. Each DSL call below
# configures one part of the OpenID Connect provider; the blocks receive the
# current resource owner (user) and/or the OAuth application where shown.
Doorkeeper::OpenidConnect.configure do
  # Issuer identifier the provider publishes and that clients compare against
  # the ID token's `iss` claim. Replace the placeholder string.
  issuer do |resource_owner, application|
    'issuer string'
  end

  # Private key used to sign ID tokens. Do not leave a real key pasted here:
  # this initializer lives in version control, so load the PEM from Rails
  # credentials or an environment variable instead, and treat a key that was
  # ever committed as compromised (rotate it).
  signing_key <<~KEY
    -----BEGIN RSA PRIVATE KEY-----
    ....
    -----END RSA PRIVATE KEY-----
  KEY

  # Subject identifier types advertised at the discovery endpoint. Only add
  # :pairwise if the `subject` block below actually derives a per-client value.
  subject_types_supported [:public]

  # Maps a validated access token back to the resource owner (user) it was
  # issued to; this is how the provider knows whose claims to return.
  resource_owner_from_access_token do |access_token|
    # Example implementation:
    # User.find_by(id: access_token.resource_owner_id)
  end

  # Time the resource owner last authenticated, used for the ID token's
  # auth_time claim.
  auth_time_from_resource_owner do |resource_owner|
    # Example implementation:
    # resource_owner.current_sign_in_at
  end

  # Invoked when the client requires the user to authenticate again. The
  # example remembers return_to, signs the user out and sends them to the
  # login page so the authorization flow can resume afterwards.
  reauthenticate_resource_owner do |resource_owner, return_to|
    # Example implementation:
    # store_location_for resource_owner, return_to
    # sign_out resource_owner
    # redirect_to new_user_session_url
  end

  # Invoked when the client asks the user to choose between accounts.
  # Depending on your configuration, a DoubleRenderError could be raised
  # if render/redirect_to is called at some point before this callback is executed.
  # To avoid the DoubleRenderError, you could add these two lines at the beginning
  # of this callback: (Reference: https://github.com/rails/rails/issues/25106)
  # self.response_body = nil
  # @_response_body = nil
  select_account_for_resource_owner do |resource_owner, return_to|
    # Example implementation:
    # store_location_for resource_owner, return_to
    # redirect_to account_select_url
  end

  # Value of the ID token's `sub` claim for this user/application pair. The
  # pairwise example hashes the user id together with the client's redirect
  # host and a salt, so different clients receive different identifiers for
  # the same user. The salt must be kept secret (load it from credentials
  # rather than a literal in this file) and must never change, or every
  # client will see a new subject for the same user.
  subject do |resource_owner, application|
    # Example implementation:
    # resource_owner.id
    # or if you need pairwise subject identifier, implement like below:
    # Digest::SHA256.hexdigest("#{resource_owner.id}#{URI.parse(application.redirect_uri).host}#{'your_secret_salt'}")
  end

  # Protocol to use when generating URIs for the discovery endpoint,
  # for example if you also use HTTPS in development
  # protocol do
  #   :https
  # end

  # Expiration time on or after which the ID Token MUST NOT be accepted for processing. (default 120 seconds).
  # expiration 600

  # Example claims:
  # claims do
  #   normal_claim :_foo_ do |resource_owner|
  #     resource_owner.foo
  #   end
  #   normal_claim :_bar_ do |resource_owner|
  #     resource_owner.bar
  #   end
  # end
end