Enable configs for omniauth providers at the org level

[virgile-dev]

Info

• where to code? meta decidim proposal is in status evaluating, meaning this can be coded directly on decidim/decidim master branch and a PR can be made
• deadline : ideally end of november or first week of December

Specs

This feature aims to enhance the capabilities of the multi-tenant mode of Decidim.

Currently when using multi-tenant, the omniauth config you have for social providers (or other SSO) are made for the whole installation and are shared by all orgs.

Problem is organizations have different hosts and you can only declare one call back with the social providers.

As a super admin (meaning I have access to /system) I want to be able to manage my omniauth configuration where I create and edit the organizations.

For each orgs should be available :

• All the providers (activated on the installation) and the necessary fieds to set them up ( clients id and client secret)
• As all the orgs on the same install won't want to activate all the omniauth connectors I'll need a checkbox to activate them one by one so that they display on the sign in and sign up page (and the modals). Alternatively if config fields are not filled the app could understand that it shouldn't activate them.

Task breakdown

• Add a new form to introduce key/secrets/url for oauth providers through a dynamic form in /system
  • twitter, facebook, google, other Decidims but also custom omniauth setups that might be present on the install, SSO, e-ID protocols that can work with SAML, LDAP etC.. Only for those configured in secrets.yml (as enabled: yes). The system will fallback to the data of secrets.yml if valid data is provided.
• Add a checkbox to enable/disable the specific provider at multitenant level.
• Refactor logic to let the system behave accordingly.
• Tests/PRs to decidim/decidim

[virgile-dev]

Mockups

Here is what the dynamic form would look like (don't mind the /admin styling this would go into /system) :

• providers are detected automatically
• a checkbox allow to activate / desactivate the omnitauth provider
  

Here is the code that generates it :

<%= decidim_form_for(@form, html: { class: "form edit_omniauth_settings" }, url: decidim_omniauth_extras.omniauth_settings_path, method: :put) do |f| %>

  <div class="card">
    <div class="card-divider">
      <h2 class="card-title"><%= t ".title" %></h2>
    </div>
  </div>
  <%= f.fields_for :omniauth_settings do %>
    <% Decidim::User.omniauth_providers.select{ |provider| Rails.application.secrets.dig(:omniauth, provider.to_sym, :enabled) }.each do |provider| %>
      <%= f.fields_for provider.to_sym do %>
        <%= render partial: "provider", locals: { f: f, provider: provider} %>
      <% end %>
    <% end %>
  <% end %>

  <div class="button--double form-general-submit">
    <%= f.submit t(".update") %>
  </div>
<% end %>

<pre>
  <%= @form.omniauth_settings %>
</pre>

<div class="card">
  <div class="card-divider">
    <%= f.check_box :enabled, label: t(".enabled", provider: normalize_provider_name(provider)) %>
  </div>
  <div class="card-section">
    <% Rails.application.secrets.dig(:omniauth, provider.to_sym).keys.select { |k| k != :enabled }.each do |setting| %>
        <%= f.text_field setting, label: normalize_provider_name(setting) %>
    <% end %>
  </div>
</div>

[virgile-dev]

Context

We need this mainly to allow the Belgium Federal State to apply different configs of their e-ID solution to organizations form the same installations.

[virgile-dev]

Code snippets that we have to handle the omniauth integratin without having the parameters in advance

# frozen_string_literal: true

require "active_support/concern"

module Decidim
  module OmniauthSettingsJsonbAttributes
    extend ActiveSupport::Concern

    class_methods do
      def omniauth_settings_jsonb_attribute(name, fields, *options)
        jsonb_attribute name, fields, default: {}

        fields.each do |provider|
          provider = provider.to_sym
          jsonb_attribute provider, Rails.application.secrets.dig(:omniauth, provider.to_sym).keys.map do |e|
            [e,
              case e
              when :enabled
                Virtus::Attribute::Boolean
              else
                String
              end
            ]
          end

          define_method provider do
            field = public_send(name) || {}
            field[provider.to_s] || field[provider.to_sym]
          end

          define_method "#{provider}=" do |value|
            field = public_send(name) || {}
            public_send("#{name}=", field.merge(provider => super(value)))
          end
        end
      end
    end
  end
end

mniauth_settings_jsonb_attribute :omniauth_settings, Decidim::User.omniauth_providers.select {
  |provider| Rails.application.secrets.dig(:omniauth, provider.to_sym, :enabled)
}

[amiedes]

@virgile-dev I'm gonna take care of this 😄

[virgile-dev]

Nice @amiedes if you have any doubt let me know in the comments.

[amiedes]

For custom auth providers we need a way to communicate the form which fields are available. I suggest using the same format as now:

default: &default
  omniauth:
    facebook:
      enabled: true
      app_id: <%= ENV["OMNIAUTH_FACEBOOK_APP_ID"] %>
      app_secret: <%= ENV["OMNIAUTH_FACEBOOK_APP_SECRET"] %>
    # google etc.
    some_custom_auth_provider:
      enabled: false
      icon_path:
      custom_field_1:
      custom_field_2:

So for that configuration the form will show something like this:

And the following behavior will be applied:

• A field will be displayed in the form for every key. All are strings except enabled which is a boolean.
• Settings defined in DB always take precedence, so:
  • Other Decidims upgrading won't be affected, since the values will be empty and they'll fallback to secrets.yml
• In the form all providers will be displayed even if enabled: false, otherwise there's no way to override it.
• We support defining auth providers both system-wide (if it's not overriden) and per-tenant (if it's overriden)

@virgile-dev can you validate that this is the expected behavior? Do you want to move this issue to https://github.com/decidim/decidim/issues so we can ping the Decidim core for advice?

cc @ferblape @rxnetwalker

[moustachu]

Hello guys. (I'm the Lead Dev @ OpenSourcePolitics)

This behavior seems OK for us. Just one question :
Does any new field defined in the secrets.yml will be taken into account (using something like the sample OmniauthSettingsJsonbAttributes class we put in example) or did you plan to have a fixed schema for the custom providers ?

[amiedes]

Hi @moustachu!

Does any new field defined in the secrets.yml will be taken into account

Yes, the form fields are generated according to what is the the config file, so anything new will appear.

[virgile-dev]

@amiedes is this going ok ?

[amiedes]

@virgile-dev yes, I've already updated the code in local with tests passing and I'm working on deploying this to one of our staging servers so I can test it configuring real omniauth providers.

If everything goes OK I can give you access to it tomorrow or past-tomorrow so you can check it.

[virgile-dev]

Great @amiedes ! Let me know :)

[amiedes]

Hi @virgile-dev,

I've had a bit of trouble configuring the virtualhosts and SSL certificates for our test server with several tenants.

This is already working https://decidim-test-a.populate.tools/ https://decidim-test-a.populate.tools/ and I've done tests with real Facebook and Google Oauth and it worked fine.

Nevertheless I still have a few things to check so I'll let you know as soon as I've finished.