From beb887748e8aa3bc42376656f28b689aad91dab7 Mon Sep 17 00:00:00 2001
From: Alexandros Keramidas <dev.alexkeramidas@gmail.com>
Date: Fri, 6 Jan 2017 21:07:27 +0200
Subject: [PATCH] Added support for Authentiq Back-Channel Logout
---
Gemfile | 2 +-
Gemfile.lock | 4 ++--
app/controllers/omniauth_callbacks_controller.rb | 7 +++++++
.../unreleased/9381-authentiq-backchannel-logout.yml | 4 ++++
config/initializers/devise.rb | 11 +++++++++++
doc/administration/auth/authentiq.md | 2 +-
6 files changed, 26 insertions(+), 4 deletions(-)
create mode 100644 changelogs/unreleased/9381-authentiq-backchannel-logout.yml
diff --git a/Gemfile b/Gemfile
index 0060f122512..ccbbb11c5d9 100644
--- a/Gemfile
+++ b/Gemfile
@@ -34,7 +34,7 @@ gem 'omniauth-saml', '~> 1.7.0'
gem 'omniauth-shibboleth', '~> 1.2.0'
gem 'omniauth-twitter', '~> 1.2.0'
gem 'omniauth_crowd', '~> 2.2.0'
-gem 'omniauth-authentiq', '~> 0.2.0'
+gem 'omniauth-authentiq', '~> 0.3.0'
gem 'rack-oauth2', '~> 1.2.1'
gem 'jwt', '~> 1.5.6'
diff --git a/Gemfile.lock b/Gemfile.lock
index a3c2fad41ba..4f98dc9d085 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -448,7 +448,7 @@ GEM
rack (>= 1.0, < 3)
omniauth-auth0 (1.4.1)
omniauth-oauth2 (~> 1.1)
- omniauth-authentiq (0.2.2)
+ omniauth-authentiq (0.3.0)
omniauth-oauth2 (~> 1.3, >= 1.3.1)
omniauth-azure-oauth2 (0.0.6)
jwt (~> 1.0)
@@ -925,7 +925,7 @@ DEPENDENCIES
oj (~> 2.17.4)
omniauth (~> 1.3.2)
omniauth-auth0 (~> 1.4.1)
- omniauth-authentiq (~> 0.2.0)
+ omniauth-authentiq (~> 0.3.0)
omniauth-azure-oauth2 (~> 0.0.6)
omniauth-cas3 (~> 1.1.2)
omniauth-facebook (~> 4.0.0)
diff --git a/app/controllers/omniauth_callbacks_controller.rb b/app/controllers/omniauth_callbacks_controller.rb
index f54c79c2e37..3ab7e6e0658 100644
--- a/app/controllers/omniauth_callbacks_controller.rb
+++ b/app/controllers/omniauth_callbacks_controller.rb
@@ -78,6 +78,13 @@ class OmniauthCallbacksController < Devise::OmniauthCallbacksController
handle_omniauth
end
+ def authentiq
+ if params['sid']
+ handle_service_ticket oauth['provider'], params['sid']
+ end
+ handle_omniauth
+ end
+
private
def handle_omniauth
diff --git a/changelogs/unreleased/9381-authentiq-backchannel-logout.yml b/changelogs/unreleased/9381-authentiq-backchannel-logout.yml
new file mode 100644
index 00000000000..4dbf36cd096
--- /dev/null
+++ b/changelogs/unreleased/9381-authentiq-backchannel-logout.yml
@@ -0,0 +1,4 @@
+---
+title: Adds remote logout functionality to the Authentiq OAuth provider
+merge_request: 9381
+author: Alexandros Keramidas
diff --git a/config/initializers/devise.rb b/config/initializers/devise.rb
index a8afc36fc78..738dbeefc11 100644
--- a/config/initializers/devise.rb
+++ b/config/initializers/devise.rb
@@ -240,6 +240,17 @@ Devise.setup do |config|
true
end
end
+ if provider['name'] == 'authentiq'
+ provider['args'][:remote_sign_out_handler] = lambda do |request|
+ authentiq_session = request.params['sid']
+ if Gitlab::OAuth::Session.valid?(:authentiq, authentiq_session)
+ Gitlab::OAuth::Session.destroy(:authentiq, authentiq_session)
+ true
+ else
+ false
+ end
+ end
+ end
if provider['name'] == 'shibboleth'
provider['args'][:fail_with_empty_uid] = true
diff --git a/doc/administration/auth/authentiq.md b/doc/administration/auth/authentiq.md
index 3f39539da95..fb1a16b0f96 100644
--- a/doc/administration/auth/authentiq.md
+++ b/doc/administration/auth/authentiq.md
@@ -54,7 +54,7 @@ Authentiq will generate a Client ID and the accompanying Client Secret for you t
5. The `scope` is set to request the user's name, email (required and signed), and permission to send push notifications to sign in on subsequent visits.
See [OmniAuth Authentiq strategy](https://github.com/AuthentiqID/omniauth-authentiq#scopes-and-redirect-uri-configuration) for more information on scopes and modifiers.
-6. Change 'YOUR_CLIENT_ID' and 'YOUR_CLIENT_SECRET' to the Client credentials you received in step 1.
+6. Change `YOUR_CLIENT_ID` and `YOUR_CLIENT_SECRET` to the Client credentials you received in step 1.
7. Save the configuration file.
--
GitLab