E2618 - OIDC login

Gemfile

@@ -58,6 +58,8 @@ gem 'find_with_order'
 # For handling zip file uploads and extraction
 gem 'rubyzip'
 
+gem 'openid_connect'
+gem 'rack-attack'
 
 group :development, :test do
   gem 'debug', platforms: %i[mri mingw x64_mingw]

Gemfile.lock

@@ -79,11 +79,14 @@ GEM
       uri (>= 0.13.1)
     addressable (2.8.7)
       public_suffix (>= 2.0.2, < 7.0)
+    aes_key_wrap (1.1.0)
     ast (2.4.3)
+    attr_required (1.0.2)
     base64 (0.3.0)
     bcrypt (3.1.20)
     benchmark (0.4.1)
     bigdecimal (3.2.3)
+    bindata (2.5.1)
     bootsnap (1.18.6)
       msgpack (~> 1.2)
     builder (3.3.0)
@@ -134,6 +137,8 @@ GEM
     docile (1.4.1)
     domain_name (0.6.20240107)
     drb (2.2.3)
+    email_validator (2.2.4)
+      activemodel
     erb (5.0.2)
     erubi (1.13.1)
     factory_bot (6.5.5)
@@ -147,6 +152,8 @@ GEM
       faraday-net_http (>= 2.0, < 3.5)
       json
       logger
+    faraday-follow_redirects (0.5.0)
+      faraday (>= 1, < 3)
     faraday-http-cache (2.5.1)
       faraday (>= 0.8)
     faraday-net_http (3.4.1)
@@ -174,6 +181,13 @@ GEM
       rdoc (>= 4.0.0)
       reline (>= 0.4.2)
     json (2.15.0)
+    json-jwt (1.17.0)
+      activesupport (>= 4.2)
+      aes_key_wrap
+      base64
+      bindata
+      faraday (~> 2.0)
+      faraday-follow_redirects
     json-schema (5.2.2)
       addressable (~> 2.8)
       bigdecimal (~> 3.1)
@@ -238,6 +252,19 @@ GEM
       faraday (>= 1, < 3)
       sawyer (~> 0.9)
     open4 (1.3.4)
+    openid_connect (2.3.1)
+      activemodel
+      attr_required (>= 1.0.0)
+      email_validator
+      faraday (~> 2.0)
+      faraday-follow_redirects
+      json-jwt (>= 1.16)
+      mail
+      rack-oauth2 (~> 2.2)
+      swd (~> 2.0)
+      tzinfo
+      validate_url
+      webfinger (~> 2.0)
     ostruct (0.6.3)
     parallel (1.27.0)
     parser (3.3.9.0)
@@ -257,9 +284,18 @@ GEM
       nio4r (~> 2.0)
     racc (1.8.1)
     rack (3.2.1)
+    rack-attack (6.8.0)
+      rack (>= 1.0, < 4)
     rack-cors (3.0.0)
       logger
       rack (>= 3.0.14)
+    rack-oauth2 (2.3.0)
+      activesupport
+      attr_required
+      faraday (~> 2.0)
+      faraday-follow_redirects
+      json-jwt (>= 1.11.0)
+      rack (>= 2.1.0)
     rack-session (2.1.1)
       base64 (>= 0.1.0)
       rack (>= 3.0.0)
@@ -374,6 +410,11 @@ GEM
     sqlite3 (1.7.3)
       mini_portile2 (~> 2.8.0)
     stringio (3.1.7)
+    swd (2.0.3)
+      activesupport (>= 3)
+      attr_required (>= 0.0.5)
+      faraday (~> 2.0)
+      faraday-follow_redirects
     sync (0.5.0)
     term-ansicolor (1.11.3)
       tins (~> 1)
@@ -395,6 +436,13 @@ GEM
     unicode-emoji (4.1.0)
     uri (1.0.3)
     useragent (0.16.11)
+    validate_url (1.0.15)
+      activemodel (>= 3.0.0)
+      public_suffix
+    webfinger (2.1.3)
+      activesupport
+      faraday (~> 2.0)
+      faraday-follow_redirects
     websocket-driver (0.8.0)
       base64
       websocket-extensions (>= 0.1.0)
@@ -435,9 +483,11 @@ DEPENDENCIES
   mutex_m
   mysql2 (~> 0.5.7)
   observer
+  openid_connect
   ostruct
   psych (~> 5.2)
   puma (~> 6.4)
+  rack-attack
   rack-cors
   rails (~> 8.0, >= 8.0.1)
   rspec-rails

app/controllers/authentication_controller.rb

@@ -1,16 +1,11 @@
-# app/controllers/authentication_controller.rb
-require 'json_web_token'
-
 class AuthenticationController < ApplicationController
   skip_before_action :authenticate_request!
 
   # POST /login
   def login
     user = User.find_by(name: params[:user_name]) || User.find_by(email: params[:user_name])
     if user&.authenticate(params[:password])
-      payload = { id: user.id, name: user.name, full_name: user.full_name, role: user.role.name,
-                  institution_id: user.institution.id }
-      token = JsonWebToken.encode(payload, 24.hours.from_now)
+      token = user.generate_jwt
       render json: { token: }, status: :ok
     else
       render json: { error: 'Invalid username / password' }, status: :unauthorized

app/controllers/oidc_login_controller.rb

@@ -0,0 +1,70 @@
+class OidcLoginController < ApplicationController
+  # OIDC login does not require an existing session — this is how users sign in.
+  skip_before_action :authenticate_request!
+
+  # Unknown provider keys from the frontend return 404 with the specific message.
+  rescue_from OidcConfig::ProviderNotFound do |e|
+    render_error e.message, status: :not_found
+  end
+
+  # IdP discovery or token endpoint unreachable — surface as 502 Bad Gateway
+  # so the frontend can distinguish provider outages from user-facing errors.
+  rescue_from OpenIDConnect::Discovery::DiscoveryFailed, Rack::OAuth2::Client::Error do |e|
+    render_error "Provider communication failed: #{e.message}", status: :bad_gateway
+  end
+
+  # Missing required params (from params.require) return 400 with the param name.
+  rescue_from ActionController::ParameterMissing do |e|
+    render_error e.message, status: :bad_request
+  end
+
+  # GET /auth/providers
+  # Returns the list of configured OIDC providers for the frontend dropdown.
+  # Only public info (id, name) — no secrets or endpoint URLs.
+  def providers
+    render json: OidcConfig.public_list
+  end
+
+  # POST /auth/client-select
+  # Initiates an OIDC login. The frontend calls this with the chosen provider
+  # and the user's Expertiza username, and receives an authorization URL to
+  # redirect the browser to. Username is required here because the IdP only
+  # returns an email claim, and Expertiza emails are not unique across accounts.
+  # Candidate for rate limiting — it creates a DB row and triggers provider discovery.
+  def client_select
+    provider = params.require(:provider)
+    username = params.require(:username)
+
+    authorization_uri = OidcRequest.authorization_uri_for!(
+      provider_key: provider,
+      username: username
+    )
+    render json: { redirect_uri: authorization_uri }
+  end
+
+  # POST /auth/callback
+  # Completes an OIDC login after the IdP redirects the user back to the frontend.
+  # Consumes the stored OidcRequest by state, verifies the ID token, matches a
+  # local user, and issues a session JWT.
+  # Returns a generic 401 "Authentication failed" for all verification or matching
+  # failures to avoid leaking which check failed (state, token, user match, etc.).
+  def callback
+    state = params.require(:state)
+    code = params.require(:code)
+
+    oidc_request = OidcRequest.consume_recent_by_state!(state)
+    user = oidc_request.authenticate_user!(code: code)
+    render json: { token: user.generate_jwt }, status: :ok
+  rescue ActiveRecord::RecordNotFound, OidcRequest::AuthenticationError,
+    OpenIDConnect::ResponseObject::IdToken::InvalidToken,
+    OidcConfig::ProviderNotFound
+    render_error "Authentication failed", status: :unauthorized
+  end
+
+  private
+
+  # Standardizes the JSON error response shape across all endpoints.
+  def render_error(message, status:)
+    render json: { error: message }, status: status
+  end
+end

app/jobs/cleanup_stale_oidc_requests_job.rb

@@ -0,0 +1,7 @@
+class CleanupStaleOidcRequestsJob < ApplicationJob
+  queue_as :default
+
+  def perform
+    OidcRequest.delete_stale
+  end
+end

app/models/oidc_config.rb

@@ -0,0 +1,90 @@
+class OidcConfig
+  class ProviderNotFound < StandardError; end
+  class InvalidConfiguration < StandardError; end
+
+  CONFIG_FILE = Rails.root.join("config", "oidc_providers.yml").freeze
+  REQUIRED_KEYS = %w[display_name issuer client_id client_secret redirect_uri].freeze
+
+  # Loads, parses, and validates the OIDC provider YAML file.
+  # Memoized per process — call reload! to force a re-read.
+  # In production, invalid config raises InvalidConfiguration to block startup.
+  # In other environments, invalid providers are skipped with a warning.
+  def self.providers
+    @providers ||= begin
+                     yaml = ERB.new(File.read(CONFIG_FILE)).result
+                     parsed = YAML.safe_load(yaml, permitted_classes: [], aliases: true)
+
+                     unless parsed.is_a?(Hash)
+                       handle_invalid("OIDC config: expected top-level mapping in #{CONFIG_FILE}, got #{parsed.class}")
+                       parsed = {}
+                     end
+
+                     providers = parsed["providers"] || {}
+                     unless providers.is_a?(Hash)
+                       handle_invalid("OIDC config: expected 'providers' to be a mapping in #{CONFIG_FILE}, got #{providers.class}")
+                       providers = {}
+                     end
+
+                     validate!(providers)
+                   end
+  end
+
+  # Looks up a provider config by its key (e.g. "google-ncsu").
+  # Raises ProviderNotFound if the key is not configured.
+  def self.find(provider_key)
+    providers.fetch(provider_key) do
+      raise ProviderNotFound, "Unknown OIDC provider: #{provider_key}"
+    end
+  end
+
+  # Returns the list of providers safe to expose to the frontend.
+  # Only includes display information — never secrets or endpoint URLs.
+  def self.public_list
+    providers.map { |key, cfg| { id: key, name: cfg["display_name"] } }
+  end
+
+  # Clears the memoized config so the next call to `providers` re-reads the YAML file.
+  # Primarily useful for tests and hot-reloading in development.
+  def self.reload!
+    @providers = nil
+  end
+
+  # Parses the provider's scopes string (whitespace or comma-separated) into an array.
+  # Falls back to the default OIDC scopes if none are configured.
+  def self.scopes_for(provider)
+    raw = provider["scopes"]
+    list = case raw
+           when Array  then raw.map { |s| s.to_s.strip }
+           when String then raw.split(/[\s,]+/)
+           else []
+           end
+    list.reject(&:blank?).presence || %w[openid email profile]
+  end
+
+  # Removes providers missing any REQUIRED_KEYS.
+  # In production, raises InvalidConfiguration to prevent startup with misconfigured providers.
+  # In other environments, logs a warning and skips the provider.
+  def self.validate!(providers)
+    providers.reject! do |key, cfg|
+      unless cfg.is_a?(Hash)
+        handle_invalid("OIDC provider '#{key}' invalid: expected mapping, got #{cfg.class}")
+        next true
+      end
+
+      missing = REQUIRED_KEYS.select { |k| cfg[k].blank? }
+      if missing.any?
+        handle_invalid("OIDC provider '#{key}' invalid: missing #{missing.join(', ')}")
+        true
+      end
+    end
+    providers
+  end
+
+  # Raises in production to block startup; logs a warning elsewhere.
+  def self.handle_invalid(message)
+    raise InvalidConfiguration, message if Rails.env.production?
+    Rails.logger.warn(message)
+  end
+
+  private_class_method :validate!, :handle_invalid
+end