Added support for Authentiq Back-Channel Logout

beb88774 · Alexandros Keramidas · 5d8f5328 · beb88774 · beb88774 · beb88774
Commit beb88774 authored Jan 06, 2017 by Alexandros Keramidas
6 changed files
--- a/Gemfile
+++ b/Gemfile
@@ -34,7 +34,7 @@ gem 'omniauth-saml',          '~> 1.7.0'
 gem 'omniauth-shibboleth',    '~> 1.2.0'
 gem 'omniauth-twitter',       '~> 1.2.0'
 gem 'omniauth_crowd',         '~> 2.2.0'
-gem 'omniauth-authentiq',     '~> 0.2.0'
+gem 'omniauth-authentiq',     '~> 0.3.0'
 gem 'rack-oauth2',            '~> 1.2.1'
 gem 'jwt',                    '~> 1.5.6'


--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -448,7 +448,7 @@ GEM
      rack (>= 1.0, < 3)
    omniauth-auth0 (1.4.1)
      omniauth-oauth2 (~> 1.1)
-    omniauth-authentiq (0.2.2)
+    omniauth-authentiq (0.3.0)
      omniauth-oauth2 (~> 1.3, >= 1.3.1)
    omniauth-azure-oauth2 (0.0.6)
      jwt (~> 1.0)
@@ -925,7 +925,7 @@ DEPENDENCIES
  oj (~> 2.17.4)
  omniauth (~> 1.3.2)
  omniauth-auth0 (~> 1.4.1)
-  omniauth-authentiq (~> 0.2.0)
+  omniauth-authentiq (~> 0.3.0)
  omniauth-azure-oauth2 (~> 0.0.6)
  omniauth-cas3 (~> 1.1.2)
  omniauth-facebook (~> 4.0.0)

--- a/app/controllers/omniauth_callbacks_controller.rb
+++ b/app/controllers/omniauth_callbacks_controller.rb
@@ -78,6 +78,13 @@ class OmniauthCallbacksController < Devise::OmniauthCallbacksController
    handle_omniauth
  end

+  def authentiq
+    if params['sid']
+      handle_service_ticket oauth['provider'], params['sid']
+    end
+    handle_omniauth
+  end
+
  private

  def handle_omniauth

--- a/changelogs/unreleased/9381-authentiq-backchannel-logout.yml
+++ b/changelogs/unreleased/9381-authentiq-backchannel-logout.yml
+---
+title: Adds remote logout functionality to the Authentiq OAuth provider
+merge_request: 9381
+author: Alexandros Keramidas
--- a/config/initializers/devise.rb
+++ b/config/initializers/devise.rb
@@ -240,6 +240,17 @@ Devise.setup do |config|
          true
        end
      end
+      if provider['name'] == 'authentiq'
+        provider['args'][:remote_sign_out_handler] = lambda do |request|
+          authentiq_session = request.params['sid']
+          if Gitlab::OAuth::Session.valid?(:authentiq, authentiq_session)
+            Gitlab::OAuth::Session.destroy(:authentiq, authentiq_session)
+            true
+          else
+            false
+          end
+        end
+      end

      if provider['name'] == 'shibboleth'
        provider['args'][:fail_with_empty_uid] = true

--- a/doc/administration/auth/authentiq.md
+++ b/doc/administration/auth/authentiq.md
@@ -54,7 +54,7 @@ Authentiq will generate a Client ID and the accompanying Client Secret for you t
 5. The `scope` is set to request the user's name, email (required and signed), and permission to send push notifications to sign in on subsequent visits.
 See [OmniAuth Authentiq strategy](https://github.com/AuthentiqID/omniauth-authentiq#scopes-and-redirect-uri-configuration) for more information on scopes and modifiers.

-6. Change 'YOUR_CLIENT_ID' and 'YOUR_CLIENT_SECRET' to the Client credentials you received in step 1.
+6. Change `YOUR_CLIENT_ID` and `YOUR_CLIENT_SECRET` to the Client credentials you received in step 1.

 7. Save the configuration file.