OIDC app creation with encrypted secrets and application roles

2025-10-24 14:47:24 +11:00
parent 831bd083c2
commit 12e0ef66ed
32 changed files with 1983 additions and 72 deletions
--- a/app/controllers/admin/applications_controller.rb
+++ b/app/controllers/admin/applications_controller.rb
@@ -1,6 +1,6 @@
 module Admin
  class ApplicationsController < BaseController
-    before_action :set_application, only: [:show, :edit, :update, :destroy, :regenerate_credentials]
+    before_action :set_application, only: [:show, :edit, :update, :destroy, :regenerate_credentials, :roles, :create_role, :update_role, :assign_role, :remove_role]

    def index
      @applications = Application.order(created_at: :desc)
@@ -17,6 +17,7 @@ module Admin

    def create
      @application = Application.new(application_params)
+      @available_groups = Group.order(:name)

      if @application.save
        # Handle group assignments
@@ -25,9 +26,22 @@ module Admin
          @application.allowed_groups = Group.where(id: group_ids)
        end

-        redirect_to admin_application_path(@application), notice: "Application created successfully."
+        # Get the plain text client secret to show one time
+        client_secret = nil
+        if @application.oidc?
+          client_secret = @application.generate_new_client_secret!
+        end
+
+        if @application.oidc? && client_secret
+          flash[:notice] = "Application created successfully."
+          flash[:client_id] = @application.client_id
+          flash[:client_secret] = client_secret
+        else
+          flash[:notice] = "Application created successfully."
+        end
+
+        redirect_to admin_application_path(@application)
      else
-        @available_groups = Group.order(:name)
        render :new, status: :unprocessable_entity
      end
    end
@@ -60,16 +74,69 @@ module Admin

    def regenerate_credentials
      if @application.oidc?
-        @application.update!(
-          client_id: SecureRandom.urlsafe_base64(32),
-          client_secret: SecureRandom.urlsafe_base64(48)
-        )
-        redirect_to admin_application_path(@application), notice: "Credentials regenerated successfully. Make sure to update your application configuration."
+        # Generate new client ID and secret
+        new_client_id = SecureRandom.urlsafe_base64(32)
+        client_secret = @application.generate_new_client_secret!
+
+        @application.update!(client_id: new_client_id)
+
+        flash[:notice] = "Credentials regenerated successfully."
+        flash[:client_id] = @application.client_id
+        flash[:client_secret] = client_secret
+
+        redirect_to admin_application_path(@application)
      else
        redirect_to admin_application_path(@application), alert: "Only OIDC applications have credentials."
      end
    end

+    def roles
+      @application_roles = @application.application_roles.includes(:user_role_assignments)
+      @available_users = User.active.order(:email_address)
+    end
+
+    def create_role
+      @role = @application.application_roles.build(role_params)
+
+      if @role.save
+        redirect_to roles_admin_application_path(@application), notice: "Role created successfully."
+      else
+        @application_roles = @application.application_roles.includes(:user_role_assignments)
+        @available_users = User.active.order(:email_address)
+        render :roles, status: :unprocessable_entity
+      end
+    end
+
+    def update_role
+      @role = @application.application_roles.find(params[:role_id])
+
+      if @role.update(role_params)
+        redirect_to roles_admin_application_path(@application), notice: "Role updated successfully."
+      else
+        @application_roles = @application.application_roles.includes(:user_role_assignments)
+        @available_users = User.active.order(:email_address)
+        render :roles, status: :unprocessable_entity
+      end
+    end
+
+    def assign_role
+      user = User.find(params[:user_id])
+      role = @application.application_roles.find(params[:role_id])
+
+      @application.assign_role_to_user!(user, role.name, source: 'manual')
+
+      redirect_to roles_admin_application_path(@application), notice: "Role assigned successfully."
+    end
+
+    def remove_role
+      user = User.find(params[:user_id])
+      role = @application.application_roles.find(params[:role_id])
+
+      @application.remove_role_from_user!(user, role.name)
+
+      redirect_to roles_admin_application_path(@application), notice: "Role removed successfully."
+    end
+
    private

    def set_application
@@ -77,7 +144,14 @@ module Admin
    end

    def application_params
-      params.require(:application).permit(:name, :slug, :app_type, :active, :redirect_uris, :description, :metadata)
+      params.require(:application).permit(
+        :name, :slug, :app_type, :active, :redirect_uris, :description, :metadata,
+        :role_mapping_mode, :role_prefix, :role_claim_name, managed_permissions: {}
+      )
+    end
+
+    def role_params
+      params.require(:application_role).permit(:name, :display_name, :description, :active, permissions: {})
    end
  end
 end
--- a/app/controllers/oidc_controller.rb
+++ b/app/controllers/oidc_controller.rb
@@ -161,7 +161,7 @@ class OidcController < ApplicationController

    # Find and validate the application
    application = Application.find_by(client_id: client_id)
-    unless application && application.client_secret == client_secret
+    unless application && application.authenticate_client_secret(client_secret)
      render json: { error: "invalid_client" }, status: :unauthorized
      return
    end