From 6344591c79af06916f827d4b842bbfa44b469fac Mon Sep 17 00:00:00 2001
From: Laurence de Bruxelles
 <laurence.debruxelles@digital.cabinet-office.gov.uk>
Date: Wed, 28 Jun 2023 08:47:07 +0100
Subject: [PATCH] Fix OIDC redirect_uri for CDDO SSO

For some reason the omniauth_openid_connect gem wants us to supply the
`redirect_uri` (the URL to redirect to after a successful OAuth2
negotiation, which in our case is the OmniAuth callback route) when the
provider is configured. This is really annoying to do, and I can't see
why it wouldn't be able to use the OmniAuth `callback_url` in the same
way the omniauth-oauth2 gem does [[1]]. There is an open feature request
for this [[2]], but it hasn't been acknowledged by the maintainers as
yet. So instead we'll just monkeypatch the strategy.

[1]: https://github.com/omniauth/omniauth-oauth2/blob/3a43234ab5dd36a75f9c125c58fcfe1a37b26805/lib/omniauth/strategies/oauth2.rb#L59
[2]: https://github.com/omniauth/omniauth_openid_connect/issues/136#issue-1469820435
---
 config/initializers/authentication.rb |  7 +++++++
 spec/integration/cddo_sso_spec.rb     | 12 ++++++++++++
 2 files changed, 19 insertions(+)

diff --git a/config/initializers/authentication.rb b/config/initializers/authentication.rb
index eb6d83f2a..783444631 100644
--- a/config/initializers/authentication.rb
+++ b/config/initializers/authentication.rb
@@ -34,3 +34,10 @@
     warden.failure_app = AuthenticationController
   end
 end
+
+# Monkeypatch omniauth_openid_connect
+class OmniAuth::Strategies::OpenIDConnect
+  def redirect_uri
+    callback_url
+  end
+end
diff --git a/spec/integration/cddo_sso_spec.rb b/spec/integration/cddo_sso_spec.rb
index c6eba5598..d143f8d3e 100644
--- a/spec/integration/cddo_sso_spec.rb
+++ b/spec/integration/cddo_sso_spec.rb
@@ -43,6 +43,18 @@
 
       expect(request.env["warden"].authenticated?).to be true
     end
+
+    it "redirects to the OmniAuth callback URL" do
+      OmniAuth.config.test_mode = false
+
+      allow(Settings.cddo_sso).to receive(:identifier).and_return("foo")
+      allow(Settings.cddo_sso).to receive(:secret).and_return("bar")
+
+      get "/auth/cddo_sso"
+
+      expect(response).to redirect_to %r{^https://sso\.service\.security\.gov\.uk}
+      expect(response).to redirect_to %r{redirect_uri=http%3A%2F%2Fwww\.example\.com%2Fauth%2Fcddo_sso%2Fcallback}
+    end
   end
 
   describe "signing out" do