Take 2 on f74d6bb605.

New options are left out by default when not configured so that an incorrect default configuration doesn't blow up google oauth for everyone.
2018-02-23 07:19:36 +08:00 · 2018-02-23 07:19:36 +08:00 · 24d0a7a4c7
parent 9f5bc7a5ee
commit 24d0a7a4c7
3 changed files with 28 additions and 9 deletions
--- a/config/locales/server.en.yml
+++ b/config/locales/server.en.yml
@ -1165,8 +1165,8 @@ en:
    enable_google_oauth2_logins: "Enable Google Oauth2 authentication. This is the method of authentication that Google currently supports. Requires key and secret."
    google_oauth2_client_id: "Client ID of your Google application."
    google_oauth2_client_secret: "Client secret of your Google application."
-    google_oauth2_prompt: "[Type of prompt](https://developers.google.com/identity/protocols/OpenIDConnect#prompt) that the authorization server will show to the user. "
-    google_oauth2_hd: "[Google Apps Hosted domain](https://developers.google.com/identity/protocols/OpenIDConnect#hd-param) that the sign-in will be limited to"
+    google_oauth2_prompt: "A space-delimited list of string values that specifies whether the authorization server prompts the user for reauthentication and consent. See https://developers.google.com/identity/protocols/OpenIDConnect#prompt for the possible values."
+    google_oauth2_hd: "Google Apps Hosted domain that the sign-in will be limited to. See https://developers.google.com/identity/protocols/OpenIDConnect#hd-param for more details."

    enable_twitter_logins: "Enable Twitter authentication, requires twitter_consumer_key and twitter_consumer_secret"
    twitter_consumer_key: "Consumer key for Twitter authentication, registered at https://apps.twitter.com/"
--- a/config/site_settings.yml
+++ b/config/site_settings.yml
@ -255,6 +255,15 @@ login:
    default: false
  google_oauth2_client_id: ''
  google_oauth2_client_secret: ''
+  google_oauth2_prompt:
+    default: ''
+    type: list
+    choices:
+      - 'none'
+      - 'consent'
+      - 'select_account'
+  google_oauth2_hd:
+    default: ''
  enable_yahoo_logins:
    client: true
    default: false
--- a/lib/auth/google_oauth2_authenticator.rb
+++ b/lib/auth/google_oauth2_authenticator.rb
@ -51,15 +51,25 @@ class Auth::GoogleOAuth2Authenticator < Auth::Authenticator
  end

  def register_middleware(omniauth)
+    options = {
+      setup: lambda { |env|
+        strategy = env["omniauth.strategy"]
+         strategy.options[:client_id] = SiteSetting.google_oauth2_client_id
+         strategy.options[:client_secret] = SiteSetting.google_oauth2_client_secret
+      },
+      skip_jwt: true
+    }
+
+    if (google_oauth2_prompt = SiteSetting.google_oauth2_prompt).present?
+      options[:prompt] = google_oauth2_prompt.gsub("|", " ")
+    end
+
+    google_oauth2_hd = SiteSetting.google_oauth2_hd
+    options[:hd] = google_oauth2_hd if google_oauth2_hd.present?
+
    # jwt encoding is causing auth to fail in quite a few conditions
    # skipping
-    omniauth.provider :google_oauth2,
-           setup: lambda { |env|
-             strategy = env["omniauth.strategy"]
-              strategy.options[:client_id] = SiteSetting.google_oauth2_client_id
-              strategy.options[:client_secret] = SiteSetting.google_oauth2_client_secret
-           },
-           skip_jwt: true
+    omniauth.provider :google_oauth2, options
  end

  protected