Coder Social home page Coder Social logo

omniauth_openid_connect's Introduction

OmniAuth: Standardized Multi-Provider Authentication

Gem Version Ruby TruffleRuby JRuby Code Climate Coverage Status

This is the documentation for the in-development branch of OmniAuth. You can find the documentation for the latest stable release here

An Introduction

OmniAuth is a library that standardizes multi-provider authentication for web applications. It was created to be powerful, flexible, and do as little as possible. Any developer can create strategies for OmniAuth that can authenticate users via disparate systems. OmniAuth strategies have been created for everything from Facebook to LDAP.

In order to use OmniAuth in your applications, you will need to leverage one or more strategies. These strategies are generally released individually as RubyGems, and you can see a community maintained list on the wiki for this project.

One strategy, called Developer, is included with OmniAuth and provides a completely insecure, non-production-usable strategy that directly prompts a user for authentication information and then passes it straight through. You can use it as a placeholder when you start development and easily swap in other strategies later.

Getting Started

Each OmniAuth strategy is a Rack Middleware. That means that you can use it the same way that you use any other Rack middleware. For example, to use the built-in Developer strategy in a Sinatra application you might do this:

require 'sinatra'
require 'omniauth'

class MyApplication < Sinatra::Base
  use Rack::Session::Cookie
  use OmniAuth::Strategies::Developer

Because OmniAuth is built for multi-provider authentication, you may want to leave room to run multiple strategies. For this, the built-in OmniAuth::Builder class gives you an easy way to specify multiple strategies. Note that there is no difference between the following code and using each strategy individually as middleware. This is an example that you might put into a Rails initializer at config/initializers/omniauth.rb:

Rails.application.config.middleware.use OmniAuth::Builder do
  provider :developer unless Rails.env.production?
  provider :twitter, ENV['TWITTER_KEY'], ENV['TWITTER_SECRET']

You should look to the documentation for each provider you use for specific initialization requirements.

Integrating OmniAuth Into Your Application

OmniAuth is an extremely low-touch library. It is designed to be a black box that you can send your application's users into when you need authentication and then get information back. OmniAuth was intentionally built not to automatically associate with a User model or make assumptions about how many authentication methods you might want to use or what you might want to do with the data once a user has authenticated. This makes OmniAuth incredibly flexible. To use OmniAuth, you need only to redirect users to /auth/:provider, where :provider is the name of the strategy (for example, developer or twitter). From there, OmniAuth will take over and take the user through the necessary steps to authenticate them with the chosen strategy.

Once the user has authenticated, what do you do next? OmniAuth simply sets a special hash called the Authentication Hash on the Rack environment of a request to /auth/:provider/callback. This hash contains as much information about the user as OmniAuth was able to glean from the utilized strategy. You should set up an endpoint in your application that matches to the callback URL and then performs whatever steps are necessary for your application.

The omniauth.auth key in the environment hash provides an Authentication Hash which will contain information about the just authenticated user including a unique id, the strategy they just used for authentication, and personal details such as name and email address as available. For an in-depth description of what the authentication hash might contain, see the Auth Hash Schema wiki page.

Note that OmniAuth does not perform any actions beyond setting some environment information on the callback request. It is entirely up to you how you want to implement the particulars of your application's authentication flow.


omniauth is not OOTB-compatible with rack_csrf. In order to do so, the following code needs to be added to the application bootstrapping code:

OmniAuth::AuthenticityTokenProtection.default_options(key: "csrf.token", authenticity_param: "_csrf")

Rails (without Devise)

To get started, add the following gems


gem 'omniauth'
gem "omniauth-rails_csrf_protection"

Then insert OmniAuth as a middleware


Rails.application.config.middleware.use OmniAuth::Builder do
  provider :developer if Rails.env.development?

Additional providers can be added here in the future. Next we wire it all up using routes, a controller and a login view.


  get 'auth/:provider/callback', to: 'sessions#create'
  get '/login', to: 'sessions#new'


class SessionsController < ApplicationController
  def new
    render :new

  def create
    user_info = request.env['omniauth.auth']
    raise user_info # Your own session management should be placed here.


<%= form_tag('/auth/developer', method: 'post', data: {turbo: false}) do %>
  <button type='submit'>Login with Developer</button>
<% end %>

Now if you visit /login and click the Login button, you should see the OmniAuth developer login screen. After submitting it, you are returned to your application at Sessions#create. The raise should now display all the Omniauth details you have available to integrate it into your own user management.

If you want out of the box usermanagement, you should consider using Omniauth through Devise. Please visit the Devise Github page for more information.

Rails API

The following middleware are (by default) included for session management in Rails applications. When using OmniAuth with a Rails API, you'll need to add one of these required middleware back in:

  • ActionDispatch::Session::CacheStore
  • ActionDispatch::Session::CookieStore
  • ActionDispatch::Session::MemCacheStore

The trick to adding these back in is that, by default, they are passed session_options when added (including the session key), so you can't just add a session_store.rb initializer, add use ActionDispatch::Session::CookieStore and have sessions functioning as normal.

To be clear: sessions may work, but your session options will be ignored (i.e. the session key will default to _session_id). Instead of the initializer, you'll have to set the relevant options somewhere before your middleware is built (like application.rb) and pass them to your preferred middleware, like this:


config.session_store :cookie_store, key: '_interslice_session'
config.middleware.use ActionDispatch::Cookies # Required for all session management
config.middleware.use ActionDispatch::Session::CookieStore, config.session_options

(Thanks @mltsy)


OmniAuth supports a configurable logger. By default, OmniAuth will log to STDOUT but you can configure this using OmniAuth.config.logger:

# Rails application example
OmniAuth.config.logger = Rails.logger

Origin Param

The origin url parameter is typically used to inform where a user came from and where, should you choose to use it, they'd want to return to. Omniauth supports the following settings which can be configured on a provider level:


provider :twitter, ENV['KEY'], ENV['SECRET']
POST /auth/twitter/?origin=[URL]
# If the `origin` parameter is blank, `omniauth.origin` is set to HTTP_REFERER

Using a differently named origin parameter:

provider :twitter, ENV['KEY'], ENV['SECRET'], origin_param: 'return_to'
POST /auth/twitter/?return_to=[URL]
# If the `return_to` parameter is blank, `omniauth.origin` is set to HTTP_REFERER


provider :twitter, ENV['KEY'], ENV['SECRET'], origin_param: false
POST /auth/twitter
# This means the origin should be handled by your own application. 
# Note that `omniauth.origin` will always be blank.


The OmniAuth Wiki has actively maintained in-depth documentation for OmniAuth. It should be your first stop if you are wondering about a more in-depth look at OmniAuth, how it works, and how to use it.

OmniAuth for Enterprise

Available as part of the Tidelift Subscription.

The maintainers of OmniAuth and thousands of other packages are working with Tidelift to deliver commercial support and maintenance for the open source packages you use to build your applications. Save time, reduce risk, and improve code health, while paying the maintainers of the exact packages you use. Learn more.

Supported Ruby Versions

OmniAuth is tested under 2.5, 2.6, 2.7, 3.0, 3.1, 3.2, truffleruby, and JRuby.


This library aims to adhere to Semantic Versioning 2.0.0. Violations of this scheme should be reported as bugs. Specifically, if a minor or patch version is released that breaks backward compatibility, that version should be immediately yanked and/or a new version should be immediately released that restores compatibility. Breaking changes to the public API will only be introduced with new major versions. As a result of this policy, you can (and should) specify a dependency on this gem using the Pessimistic Version Constraint with two digits of precision. For example:

spec.add_dependency 'omniauth', '~> 1.0'


Copyright (c) 2010-2017 Michael Bleigh and Intridea, Inc. See LICENSE for details.

omniauth_openid_connect's People


aperakett avatar bufferoverflow avatar csdummi avatar davidwessman avatar erbridge avatar eszjay avatar formigarafa avatar gerardo-navarro avatar gregmolnar avatar hanachin avatar hobbypunk90 avatar ignatiusreza avatar januszm avatar jjbohn avatar lscorcia avatar m0n9oose avatar machisuji avatar manuelvanrijn avatar marckysharky avatar miguelakira avatar naari3 avatar naitoh avatar nessamurmur avatar petergoldstein avatar skycocker avatar stanhu avatar takahashim avatar tim-s-ccs avatar yannvery avatar ytkg avatar


 avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar


 avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar

omniauth_openid_connect's Issues

OpenIDConnect::Discovery::DiscoveryFailed when discovery is not enabled

Hi there,

thanks for providing this gem, we at CitizenLab use it for two identity providers that we integrate with.

The authentication process of both providers started to fail with the error described in in #97 some time ago. We tried to fix this by upgrading to omniauth_openid_connect 0.4.0, but after the upgrade we now see the following exception being thrown:


We don't know exactly yet why this is happening, but the interesting part is that this error happens on two completely separate OpenID providers.
I don't know the OpenID protocol very well, but we do not have Discovery enabled in any of the two providers, so why is this error being thrown then?

For reference, this is what the configurations of the providers look like:

# Configuration for identity provider 1
options = env['omniauth.strategy'].options
options[:scope] = %i[openid profile egovnrn]
options[:response_type] = :code
options[:state] = true
options[:nonce] = true
options[:issuer] = "https://#{host}"
options[:acr_values] = 'urn:be:fedict:iam:fas:Level450'
options[:send_scope_to_token_endpoint] = false
options[:client_options] = {
  identifier: config[:identifier],
  secret: config[:secret],
  port: 443,
  scheme: 'https',
  host: host,
  authorization_endpoint: '/fas/oauth2/authorize',
  token_endpoint: '/fas/oauth2/access_token',
  userinfo_endpoint: '/fas/oauth2/userinfo',
  redirect_uri: "#{configuration.base_backend_uri}/auth/bosa_fas/callback"

# Configuration for identiy provider 2
options = env['omniauth.strategy'].options
options[:scope] = %i[openid run name]
options[:response_type] = :code
options[:state] = true
options[:nonce] = true
options[:issuer] = issuer
options[:send_scope_to_token_endpoint] = false
options[:client_options] = {
  identifier: config[:client_id],
  secret: config[:client_secret],
  port: 443,
  scheme: 'https',
  host: host,
  authorization_endpoint: '/openid/authorize',
  token_endpoint: '/openid/token',
  userinfo_endpoint: '/openid/userinfo',
  redirect_uri: "#{configuration.base_backend_uri}/auth/clave_unica/callback"

An exemplary stack trace from config 2:

JSON::ParserError: 859: unexpected token at '<!doctype html>
<html data-n-head-ssr>
  <head >
    <title>Portal ciudadano Claveรšnica</title><meta data-n-head="ssr" charset="utf-8"><meta data-n-head="ssr" name="viewport" content="width=device-width, initial-scale=1"><meta data-n-head="ssr" data-hid="Portal ciudadano Claveรšnica" name="Portal ciudadano Claveรšnica" content="Portal ciudadano Claveรšnica"><link data-n-head="ssr" rel="stylesheet" href=";display=swap"><link data-n-head="ssr" rel="stylesheet" href=";display=swap"><link data-n-head="ssr" rel="icon" type="image/x-icon" href="/favicon.ico"><script data-n-head="ssr" data-hid="stripe" src="" defer></script><script data-n-head="ssr" data-hid="stripe" src=";render=explicit" defer></script><link rel="preload" href="/_nuxt/b57117b.js" as="script"><link rel="preload" href="/_nuxt/31c1e4d.js" as="script"><link rel="preload" href="/_nuxt/e78a47a.js" as="script"><link rel="preload" href="/_nuxt/a257210.js" as="script"><link rel="preload" href="/_nuxt/136ec92.js" as="script"><style data-vue-ssr-id="71f83a6d:0 32df6d42:0 a07579c2:0 a07579c2:1 432fb0d6:0 a5041f02:0 0667d9c0:0 b2d1e312:0 3191d5ad:0">/*!
 * Bootstrap v4.6.1 (
 * Copyright 2011-2021 The Bootstrap Authors
 * Copyright 2011-2021 Twitter, Inc.
 * Licensed under MIT (
 */:root{--blue:#007bff;--indigo:#6610f2;--purple:#6f42c1;--pink:#e83e8c;--red:#dc3545;--orange:#fd7e14;--yellow:#ffc107;--green:#28a745;--teal:#20c997;--cyan:#17a2b8;--white:#fff;--gray:#6c757d;--gray-dark:#343a40;--primary:#007bff;--secondary:#6c757d;--success:#28a745;--info:#17a2b8;--warning:#ffc107;--danger:#dc3545;--light:#f8f9fa;--dark:#343a40;--breakpoint-xs:0;--breakpoint-sm:576px;--breakpoint-md:768px;--breakpoint-lg:992px;--breakpoint-xl:1200px;--font-family-sans-serif:-apple-system,BlinkMacSystemFont,"Segoe UI",Roboto,"Helvetica Neue",Arial,"Noto Sans","Liberation Sans",sans-serif,"Apple Color Emoji","Segoe UI Emoji","Segoe UI Symbol","Noto Color Emoji";--font-family-monospace:SFMono-Regular,Menlo,Monaco,Consolas,"Liberation Mono","Courier New",monospace}*,:after,:before{box-sizing:border-box}html{font-family:sans-serif;line-height:1.15;-webkit-text-size-adjust:100%;-webkit-tap-highlight-color:rgba(0,0,0,0)}article,aside,figcaption,figure,footer,header,hgroup,main,nav,section{display:block}body{margin:0;font-family:-apple-system,BlinkMacSystemFont,"Segoe UI",Roboto,"Helvetica Neue",Arial,"Noto Sans","Liberation Sans",sans-serif,"Apple Color Emoji","Segoe UI Emoji","Segoe UI Symbol","Noto Color Emoji";font-size:1rem;font-weight:400;line-height:1.5;color:#212529;text-align:left;background-color:#fff}[tabindex="-1"]:focus:not(.focus-visible),[tabindex="-1"]:focus:not(:focus-visible){outline:0!important}hr{box-sizing:content-box;height:0;overflow:visible}h1,h2,h3,h4,h5,h6{margin-top:0;margin-bottom:.5rem}p{margin-top:0;margin-bottom:1rem}abbr[data-original-title],abbr[title]{text-decoration:underline;-webkit-text-decoration:underline dotted;text-decoration:underline dotted;cursor:help;border-bottom:0;-webkit-text-decoration-skip-ink:none;text-decoration-skip-ink:none}address{font-style:normal;line-height:inherit}address,dl,ol,ul{margin-bottom:1rem}dl,ol,ul{margin-top:0}ol ol,ol ul,ul ol,ul ul{margin-bottom:0}dt{font-weight:700}dd{margin-bottom:.5rem;margin-left:0}blockquote{margin:0 0 1rem}b,strong{font-weight:bolder}small{font-size:80%}sub,sup{position:relative;font-size:75%;line-height:0;vertical-align:baseline}sub{bottom:-.25em}sup{top:-.5em}a{color:#007bff;text-decoration:none;background-color:transparent}a:hover{color:#0056b3;text-decoration:underline}a:not([href]):not([class]),a:not([href]):not([class]):hover{color:inherit;text-decoration:none}code,kbd,pre,samp{font-family:SFMono-Regular,Menlo,Monaco,Consolas,"Liberation Mono","Courier New",monospace;font-size:1em}pre{margin-top:0;margin-bottom:1rem;overflow:auto;-ms-overflow-style:scrollbar}figure{margin:0 0 1rem}img{border-style:none}img,svg{vertical-align:middle}svg{overflow:hidden}table{border-collapse:collapse}caption{padding-top:.75rem;padding-bottom:.75rem;color:#6c757d;text-align:left;caption-side:bottom}th{text-align:inherit;text-align:-webkit-match-parent}label{display:inline-block;margin-bottom:.5rem}button{border-radius:0}button:focus:not(.focus-visible),button:focus:not(:focus-visible){outline:0}button,input,optgroup,select,textarea{margin:0;font-family:inherit;font-size:inherit;line-height:inherit}button,input{overflow:visible}button,select{text-transform:none}[role=button]{cursor:pointer}select{word-wrap:normal}[type=button],[type=reset],[type=submit],button{-webkit-appearance:button}[type=button]:not(:disabled),[type=reset]:not(:disabled),[type=submit]:not(:disabled),button:not(:disabled){cursor:pointer}[type=button]::-moz-focus-inner,[type=reset]::-moz-focus-inner,[type=submit]::-moz-focus-inner,button::-moz-focus-inner{padding:0;border-style:none}input[type=checkbox],input[type=radio]{box-sizing:border-box;padding:0}textarea{overflow:auto;resize:vertical}fieldset{min-width:0;padding:0;margin:0;border:0}legend{display:block;width:100%;max-width:100%;padding:0;margin-bottom:.5rem;font-size:1.5rem;line-height:inherit;color:inherit;white-space:normal}progress{vertical-align:baseline}[type=number]::-webkit-inner-spin-button,[type=number]::-webkit-outer-spin-button{height:auto}[type=search]{outline-offset:-2px;-webkit-appearance:none}[type=search]::-webkit-search-decoration{-webkit-appearance:none}::-webkit-file-upload-button{font:inherit;-webkit-appearance:button}output{display:inline-block}summary{display:list-item;cursor:pointer}template{display:none}[hidden]{display:none!important}.h1,.h2,.h3,.h4,.h5,.h6,h1,h2,h3,h4,h5,h6{margin-bottom:.5rem;font-weight:500;line-height:1.2}.h1,h1{font-size:2.5rem}.h2,h2{font-size:2rem}.h3,h3{font-size:1.75rem}.h4,h4{font-size:1.5rem}.h5,h5{font-size:1.25rem}.h6,h6{font-size:1rem}.lead{font-size:1.25rem;font-weight:300}.display-1{font-size:6rem}.display-1,.display-2{font-weight:300;line-height:1.2}.display-2{font-size:5.5rem}.display-3{font-size:4.5rem}.display-3,.display-4{font-weight:300;line-height:1.2}.display-4{font-size:3.5rem}hr{margin-top:1rem;margin-bottom:1rem;border:0;border-top:1px solid rgba(0,0,0,.1)}.small,small{font-size:80%;font-weight:400}.mark,mark{padding:.2em;background-color:#fcf8e3}.list-inline,.list-unstyled{padding-left:0;list-style:none}.list-inline-item{display:inline-block}.list-inline-item:not(:last-child){margin-right:.5rem}.initialism{font-size:90%;text-transform:uppercase}.blockquote{margin-bottom:1rem;font-size:1.25rem}.blockquote-footer{display:block;font-size:80%;color:#6c757d}.blockquote-footer:before{content:"\2014\00A0"}.img-fluid,.img-thumbnail{max-width:100%;height:auto}.img-thumbnail{padding:.25rem;background-color:#fff;border:1px solid #dee2e6;border-radius:.25rem}.figure{display:inline-block}.figure-img{margin-bottom:.5rem;line-height:1}.figure-caption{font-size:90%;color:#6c757d}code{font-size:87.5%;color:#e83e8c;word-wrap:break-word}a>code{color:inherit}kbd{padding:.2rem .4rem;font-size:87.5%;color:#fff;background-color:#212529;border-radius:.2rem}kbd kbd{padding:0;font-size:100%;font-weight:700}pre{display:block;font-size:87.5%;color:#212529}pre code{font-size:inherit;color:inherit;word-break:normal}.pre-scrollable{max-height:340px;overflow-y:scroll}.container,.container-fluid,.container-lg,.container-md,.container-sm,.container-xl{width:100%;padding-right:15px;padding-left:15px;margin-right:auto;margin-left:auto}@media (min-width:576px){.container,.container-sm{max-width:540px}}@media (min-width:768px){.container,.container-md,.container-sm{max-width:720px}}@media (min-width:992px){.container,.container-lg,.container-md,.container-sm{max-width:960px}}@media (min-width:1200px){.container,.container-lg,.container-md,.container-sm,.container-xl{max-width:1140px}}.row{display:flex;flex-wrap:wrap;margin-right:-15px;margin-
  from json (2.6.1) lib/json/common.rb:216:in `parse'
  from json (2.6.1) lib/json/common.rb:216:in `parse'
  from swd (1.3.0) lib/swd/resource.rb:37:in `handle_response'
  from swd (1.3.0) lib/swd/resource.rb:19:in `block in discover!'
  from swd (1.3.0) lib/swd/cache.rb:4:in `fetch'
  from swd (1.3.0) lib/swd/resource.rb:18:in `discover!'
  from openid_connect (7e5136cb3712) lib/openid_connect/discovery/provider/config.rb:7:in `discover!'
  from omniauth_openid_connect (0.4.0) lib/omniauth/strategies/openid_connect.rb:98:in `config'
  from omniauth_openid_connect (0.4.0) lib/omniauth/strategies/openid_connect.rb:187:in `public_key'
  from omniauth_openid_connect (0.4.0) lib/omniauth/strategies/openid_connect.rb:234:in `decode_id_token'
  from omniauth_openid_connect (0.4.0) lib/omniauth/strategies/openid_connect.rb:354:in `verify_id_token!'
  from omniauth_openid_connect (0.4.0) lib/omniauth/strategies/openid_connect.rb:228:in `access_token'
  from omniauth_openid_connect (0.4.0) lib/omniauth/strategies/openid_connect.rb:126:in `callback_phase'
  from omniauth (1.9.1) lib/omniauth/strategy.rb:238:in `callback_call'
  from omniauth (1.9.1) lib/omniauth/strategy.rb:189:in `call!'
  from omniauth (1.9.1) lib/omniauth/strategy.rb:169:in `call'
  from omniauth (1.9.1) lib/omniauth/builder.rb:45:in `call'
  from omniauth (1.9.1) lib/omniauth/strategy.rb:420:in `call_app!'
  from omniauth_openid_connect (0.4.0) lib/omniauth/strategies/openid_connect.rb:144:in `other_phase'
  from omniauth (1.9.1) lib/omniauth/strategy.rb:190:in `call!'
  from omniauth (1.9.1) lib/omniauth/strategy.rb:169:in `call'
  from omniauth (1.9.1) lib/omniauth/builder.rb:45:in `call'
  from omniauth (1.9.1) lib/omniauth/strategy.rb:192:in `call!'
  from omniauth (1.9.1) lib/omniauth/strategy.rb:169:in `call'
  from omniauth (1.9.1) lib/omniauth/builder.rb:45:in `call'
  from rack-attack (6.6.1) lib/rack/attack.rb:127:in `call'
  from engines/ee/multi_tenancy/config/initializers/apartment.rb:92:in `block in call'
  from ros-apartment (2.11.0) lib/apartment/adapters/abstract_adapter.rb:89:in `switch'
  from forwardable.rb:235:in `switch'
  from engines/ee/multi_tenancy/config/initializers/apartment.rb:92:in `call'
  from rack ( lib/rack/session/abstract/id.rb:266:in `context'
  from rack ( lib/rack/session/abstract/id.rb:260:in `call'
  from actionpack (6.1.6) lib/action_dispatch/middleware/cookies.rb:689:in `call'
  from rack ( lib/rack/etag.rb:27:in `call'
  from rack ( lib/rack/conditional_get.rb:27:in `call'
  from rack ( lib/rack/head.rb:12:in `call'
  from actionpack (6.1.6) lib/action_dispatch/middleware/callbacks.rb:27:in `block in call'
  from activesupport (6.1.6) lib/active_support/callbacks.rb:98:in `run_callbacks'
  from actionpack (6.1.6) lib/action_dispatch/middleware/callbacks.rb:26:in `call'
  from actionpack (6.1.6) lib/action_dispatch/middleware/actionable_exceptions.rb:18:in `call'
  from sentry-rails (5.3.1) lib/sentry/rails/rescued_exception_interceptor.rb:12:in `call'
  from actionpack (6.1.6) lib/action_dispatch/middleware/debug_exceptions.rb:29:in `call'
  from sentry-ruby-core (5.3.1) lib/sentry/rack/capture_exceptions.rb:26:in `block (2 levels) in call'
  from sentry-ruby-core (5.3.1) lib/sentry/hub.rb:199:in `with_session_tracking'
  from sentry-ruby-core (5.3.1) lib/sentry-ruby.rb:351:in `with_session_tracking'
  from sentry-ruby-core (5.3.1) lib/sentry/rack/capture_exceptions.rb:17:in `block in call'
  from sentry-ruby-core (5.3.1) lib/sentry/hub.rb:59:in `with_scope'
  from sentry-ruby-core (5.3.1) lib/sentry-ruby.rb:331:in `with_scope'
  from sentry-ruby-core (5.3.1) lib/sentry/rack/capture_exceptions.rb:16:in `call'
  from actionpack (6.1.6) lib/action_dispatch/middleware/show_exceptions.rb:33:in `call'
  from rails_semantic_logger (4.10.0) lib/rails_semantic_logger/rack/logger.rb:43:in `call_app'
  from rails_semantic_logger (4.10.0) lib/rails_semantic_logger/rack/logger.rb:28:in `call'
  from actionpack (6.1.6) lib/action_dispatch/middleware/remote_ip.rb:81:in `call'
  from actionpack (6.1.6) lib/action_dispatch/middleware/request_id.rb:26:in `call'
  from rack ( lib/rack/runtime.rb:22:in `call'
  from activesupport (6.1.6) lib/active_support/cache/strategy/local_cache_middleware.rb:29:in `call'
  from actionpack (6.1.6) lib/action_dispatch/middleware/executor.rb:14:in `call'
  from rack ( lib/rack/sendfile.rb:110:in `call'
  from actionpack (6.1.6) lib/action_dispatch/middleware/host_authorization.rb:142:in `call'
  from rack-cors (1.1.1) lib/rack/cors.rb:100:in `call'
  from railties (6.1.6) lib/rails/engine.rb:539:in `call'
  from puma (5.6.4) lib/puma/configuration.rb:252:in `call'
  from puma (5.6.4) lib/puma/request.rb:77:in `block in handle_request'
  from puma (5.6.4) lib/puma/thread_pool.rb:340:in `with_force_shutdown'
  from puma (5.6.4) lib/puma/request.rb:76:in `handle_request'
  from puma (5.6.4) lib/puma/server.rb:441:in `process_client'
  from puma (5.6.4) lib/puma/thread_pool.rb:147:in `block in spawn_thread'

The stack trace seems to indicate that an HTML page is being parsed where JSON is expected. Is this a configuration issue on our side?

Thanks in advance for any hints. We'll investigate further from our side as well and will update the issue in case of any revelations.

Confused on how to use this gem

Trying to hit /auth/openid_connect URL to invoke this strategy, but just get a 404. Is this supposed to work or is there some other way to invoke this strategy?

could not authenticate you from OpenIDConnect becuase Unauthorized

Hello,Any suggestions what to do ?
my idp is identityServer4
/var/log/gitlab/gitlab-rails/production.log: Started GET "/users/auth/openid_connect/callback?code=[FILTERED]&state=9b059526e54e3a126b99a3ef7e4815b0" for at 2019-06-10 10:57:20 +0800 Processing by OmniauthCallbacksController#failure as HTML Parameters: {"code"=>"[FILTERED]", "state"=>"9b059526e54e3a126b99a3ef7e4815b0"} Redirected to
gitlab_rails['omniauth_enabled'] = true
gitlab_rails['omniauth_allow_single_sign_on'] = ['openid_connect']
gitlab_rails['omniauth_sync_email_from_provider'] = 'openid_connect'
gitlab_rails['omniauth_auto_sign_in_with_provider'] = 'openid_connect'
gitlab_rails['omniauth_sync_profile_from_provider'] = ['openid_connect']
gitlab_rails['omniauth_sync_profile_attributes'] = ['name', 'email']
gitlab_rails['omniauth_auto_link_ldap_user'] = false
gitlab_rails['omniauth_auto_link_saml_user'] = false
gitlab_rails['omniauth_block_auto_created_users'] = false
gitlab_rails['omniauth_providers'] = [
'name' => 'openid_connect',
'label' => 'OIDC',
'args' => {
'name' => 'openid_connect',
'scope' => ['openid','profile'],
'response_type' => 'code',
'issuer' => 'https://XXX.XX.XX',
'discovery' => true,
'client_auth_method' => 'query',
'client_options' => {
'identifier' => 'gitlab_openid',
'secret' => 'oeRiYj8_UG0sUXI_P08_Nyk_fCErP24yVD8_ci5nZw==',
'redirect_uri' => ''

Controlling the signing algorithm for response type code

We are trying to use this gem to build a client for a provider who requires the RS512 signing algorithm for the JWT, response type code. The problem is that the signing algorithm defaults to RS256. There is a client_signing_algorithm option but it is only used in response type id_token. Are we missing something in the config?

Cannot find a way to use redirect_uri param

This change suggests that it is possible to customize the redirect_uri by passing a param[:redirect_uri] at some point in the flow:


I have tried adding this param alongwith with the initial redirect to /auth/openid_connect, for example:


However, this results in 2 redirect_uri parameters being sent in the redirect to the auth service, the URI in the query string above, plus the URI specified in config.

The end goal is to support multi-tenant sub-domains, using a single auth endpoint.

Given the commit above, should it be possible to specify a request_uri at request time rather than in fixed config?

Implicit Flow problems

I've found some behaviours in the Implicit Flow that should be improved. I would like to report them.

  • response_type = 'id_token' is able to be used limited to definitely trusted OPs (Self-Issued OpenID Providers). Normally it should not be used. Instead, you have to specify ['id_token', 'token'] for the Implicit Flow.
  • The nonce is required. Therefore, the 'send_nonce' option value should be ignored on the Implicit Flow.
    -Both of id_token and access token must be properly verified. One is not enough.

Regarding verification, how to use key needs to be improved.

  • On the Authorization Code Flow, you can use OP's public key or client secret that is specified by the response code's header.
  • The other hand, you have to use the exact public key for validation on the Implicit Flow.
    So, calling key_or_secret() from public_key() is not good.


register url?

How would I redirect a new user to the registration end point? If I use user_openid_connect_omniauth_authorize_url, it redirects the user to the login page.

Support custom claims?

I've traced the code and the PRs for the claims but they're last edited 6 years ago at least. I'm not sure how the specification changed over time but there are many more attributes as listed in the latest specs, and I would like to add some other attributes than the specs (are they allowed?), as you can see from doorkeeper gem that we can customize the claims to return to clients.

Suggesting maybe we can have another configuration block for the claims mapping.

Param code should only be required when response_type is code

There's a line of code in the callback phase which raises an error:

return fail!(
) unless params['code']

It looks like it should be executed only if option :response_type is set to code (default).

How about:

return fail!(
) unless (options.response_type == 'code' && params['code'])

Which could be (apart from extracting the condition to a method) be simplified to:

return fail!(
) unless (params[options.response_type]) # e.g. params['id_token'] is present if response_type == 'id_token'

Not getting correct request.env["omniauth.auth"] when testing with Hydra auth server

Hey! I am facing an issue, which honestly might have more to do more to my own lack of knowledge on OIDC.

I created a client based on doorkeeper-gem/doorkeeper-devise-client, but refactored to make use of omniauth_openid_connect Gem instead of a more generic omniauth-oauth2 startegy.

The issue is I can't get the User persisted:

Screen Shot 2020-05-05 at 9 14 19

Since request.env["omniauth.auth"] doesn't have the right info values (specifically email is nil):

#<OmniAuth::AuthHash credentials=#<OmniAuth::AuthHash expires_in=3600 id_token="eyJhbGciOiJSUzI1NiIsImtpZCI6InB1YmxpYzo2YTFhZmY1OS04ZTcxLTQ2M2UtYjAxMy1kYjFjMWZmNDIxNzgiLCJ0eXAiOiJKV1QifQ.eyJhdF9oYXNoIjoiQW9aYzAtZWh4cm5US2Z5d1VKV0RUUSIsImF1ZCI6WyJhdXRoLWNvZGUtY2xpZW50LTUiXSwiYXV0aF90aW1lIjoxNTg4NjEyMzA5LCJleHAiOjE1ODg2MTU5MTEsImlhdCI6MTU4ODYxMjMxMSwiaXNzIjoiaHR0cDovLzEyNy4wLjAuMTo0NDQ0LyIsImp0aSI6ImQ0M2I4ZTZjLTI4MzEtNDk3ZC04ODk0LWExYzRkYTg5MjliNyIsIm5vbmNlIjoiYmI0M2I2MzFkZDg4YzBkMDg3MWM5OTljOTU1M2NmYjYiLCJyYXQiOjE1ODg2MTIzMDQsInNpZCI6IjBiYWVhMTdjLTJiNDgtNDMwYy1hNmQ0LThlOTg2ZmY2NWZhZCIsInN1YiI6ImZvb0BiYXIuY29tIn0.jmQFF7hzx-a_Gm0TXmDb3sMizdZFUijbcANSo96yz704Ajw2F29cwiJqIgw09fiLVLdiL3uEMTpiqAryRo7Ke9iZwe8WoLXtGm8s7j3r-XL41Lo7mZH7k9w0gpx0sWhKib8dxvFE92BNXX0w5rw-JWdQ5V7SICKnT723TJwImVwj3XyS1YH0K_xz6jIMMr6tto7YUROKv65CQ0QlPSUonlDxq0dsmT9_3GyA8K1cfdpFDafDdT-fGhalbyykIiPviN-R4KAc_78LAAoYRgGEgF_sTBtw1WepRLbYnihmyx8p67S0UWqhdQqSIjIXa1qZNsK71b8cv6BVCkXcGZVe7u5yxheqQh3xRuMxX2J9UUzoH3CyjkJ1tsV5JiwsgTtBAUSy-ZfE88YAEwBrC_9zXhZPIjLospASLegPnBzhxb3atZGcxxeeqw9IJ6NbiUYE6O4WRhcyBJIiNfM52MIXJXCaxQb6MztKTFXla62FeOQV_z2RFnzsBbbwITL7sUccfUCOWifefbSJCG6U52ZcFXR2CVuPFEEv_P3Iwod7Xa-MkhpZxJ-HKJH2GUX3gzv4kVfJP0F_vRlo3uY67iQA702XnDajBPYfInkgraIiKMfOSAMfDlf_R5N4r6j5UQOKNSFik3_D3ognYpSG45eb3P0gTCCaMDfAc24hQa12HW4" refresh_token=nil scope="openid email profile" token="dO4HD_dSpfXE8sHA7nU-LY3LfEkeuzIuF5U81S_s7O4.W0sPbnCaDIBGE97MmyCMa-hPgUFst31j3KvP789BqQ8"> extra=#<OmniAuth::AuthHash raw_info=#<OmniAuth::AuthHash sid="0baea17c-2b48-430c-a6d4-8e986ff65fad" sub="[email protected]">> info=#<OmniAuth::AuthHash::InfoHash email=nil first_name=nil gender=nil image=nil last_name=nil name=nil nickname=nil phone=nil urls=#<OmniAuth::AuthHash website=nil>> provider=:hydra_oidc uid="[email protected]">

Screen Shot 2020-05-05 at 9 15 54

I get persistence validation errors:

{"email":["can't be blank"]}

This is the Omniauth config I am using:

  config.omniauth :openid_connect, {
    name: :hydra_oidc,
    scope: [:openid, :email, :profile],
    response_type: :code,
    issuer: ENV['HYDRA_OIDC_URL'],
    client_options: {
      scheme: ENV['HYDRA_OIDC_SCHEME'],
      host: ENV['HYDRA_OIDC_HOST'],
      port: ENV['HYDRA_OIDC_PORT'],
      identifier: ENV['HYDRA_OIDC_CLIENT_ID'],
      authorization_endpoint: "/oauth2/auth",
      token_endpoint: "/oauth2/token",
      userinfo_endpoint: "/userinfo"

I am using Hydra's example auth server to spin off an OpenID Connect server:

docker-compose -f quickstart.yml exec hydra \
    hydra clients create \
    --endpoint \
    --id my_rails_client \
    --secret secret \
    --grant-types authorization_code,refresh_token \
    --response-types code \
    --scope openid,email,profile,offline \
    --callbacks http://localhost:5600/users/auth/hydra_oidc/callback \
    --token-endpoint-auth-method client_secret_basic

Any hint would be very helpful, thanks!

NoMethodError: undefined method `count' for nil:NilClass


After upgrading Gem to 0.3.4, we started getting the following error:

NoMethodError: undefined method `count' for nil:NilClass
  File "/app/vendor/bundle/ruby/2.7.0/gems/json-jwt-1.11.0/lib/json/jwt.rb", line 102, in decode_compact_serialized
  File "/app/vendor/bundle/ruby/2.7.0/gems/json-jwt-1.11.0/lib/json/jose.rb", line 63, in decode
  File "/app/vendor/bundle/ruby/2.7.0/gems/openid_connect-1.2.0/lib/openid_connect/response_object/id_token.rb", line 70, in decode
  File "/app/vendor/bundle/ruby/2.7.0/gems/omniauth_openid_connect-0.3.4/lib/omniauth/strategies/openid_connect.rb", line 221, in decode_id_token
  File "/app/vendor/bundle/ruby/2.7.0/gems/omniauth_openid_connect-0.3.4/lib/omniauth/strategies/openid_connect.rb", line 215, in access_token
  File "/app/vendor/bundle/ruby/2.7.0/gems/omniauth_openid_connect-0.3.4/lib/omniauth/strategies/openid_connect.rb", line 125, in callback_phase
  File "/app/vendor/bundle/ruby/2.7.0/gems/omniauth-1.9.1/lib/omniauth/strategy.rb", line 238, in callback_call
  File "/app/vendor/bundle/ruby/2.7.0/gems/omniauth-1.9.1/lib/omniauth/strategy.rb", line 189, in call!
  File "/app/vendor/bundle/ruby/2.7.0/gems/omniauth-1.9.1/lib/omniauth/strategy.rb", line 169, in call
  File "/app/vendor/bundle/ruby/2.7.0/gems/rack-attack-6.3.1/lib/rack/attack.rb", line 97, in call
  File "/app/vendor/bundle/ruby/2.7.0/gems/rack-attack-6.3.1/lib/rack/attack.rb", line 111, in call
  File "/app/vendor/bundle/ruby/2.7.0/gems/warden-1.2.8/lib/warden/manager.rb", line 36, in block in call
  File "/app/vendor/bundle/ruby/2.7.0/gems/warden-1.2.8/lib/warden/manager.rb", line 34, in catch
  File "/app/vendor/bundle/ruby/2.7.0/gems/warden-1.2.8/lib/warden/manager.rb", line 34, in call
  File "/app/vendor/bundle/ruby/2.7.0/gems/rack-2.2.2/lib/rack/tempfile_reaper.rb", line 15, in call
  File "/app/vendor/bundle/ruby/2.7.0/gems/rack-2.2.2/lib/rack/etag.rb", line 27, in call
  File "/app/vendor/bundle/ruby/2.7.0/gems/rack-2.2.2/lib/rack/conditional_get.rb", line 27, in call
  File "/app/vendor/bundle/ruby/2.7.0/gems/rack-2.2.2/lib/rack/head.rb", line 12, in call
  File "/app/vendor/bundle/ruby/2.7.0/gems/actionpack-", line 18, in call
  File "/app/vendor/bundle/ruby/2.7.0/gems/rack-2.2.2/lib/rack/session/abstract/id.rb", line 266, in context
  File "/app/vendor/bundle/ruby/2.7.0/gems/rack-2.2.2/lib/rack/session/abstract/id.rb", line 260, in call
  File "/app/vendor/bundle/ruby/2.7.0/gems/actionpack-", line 648, in call
  File "/app/vendor/bundle/ruby/2.7.0/gems/actionpack-", line 27, in block in call
  File "/app/vendor/bundle/ruby/2.7.0/gems/activesupport-", line 101, in run_callbacks
  File "/app/vendor/bundle/ruby/2.7.0/gems/actionpack-", line 26, in call
  File "/app/vendor/bundle/ruby/2.7.0/gems/actionpack-", line 17, in call
  File "/app/vendor/bundle/ruby/2.7.0/gems/rollbar-2.25.0/lib/rollbar/middleware/rails/rollbar.rb", line 25, in block in call
  File "/app/vendor/bundle/ruby/2.7.0/gems/rollbar-2.25.0/lib/rollbar.rb", line 145, in scoped
  File "/app/vendor/bundle/ruby/2.7.0/gems/rollbar-2.25.0/lib/rollbar/middleware/rails/rollbar.rb", line 22, in call
  File "/app/vendor/bundle/ruby/2.7.0/gems/actionpack-", line 32, in call
  File "/app/vendor/bundle/ruby/2.7.0/gems/rollbar-2.25.0/lib/rollbar/middleware/rails/show_exceptions.rb", line 22, in call_with_rollbar
  File "/app/vendor/bundle/ruby/2.7.0/gems/actionpack-", line 33, in call
  File "/app/vendor/bundle/ruby/2.7.0/gems/railties-", line 37, in call_app
  File "/app/vendor/bundle/ruby/2.7.0/gems/railties-", line 26, in block in call
  File "/app/vendor/bundle/ruby/2.7.0/gems/activesupport-", line 80, in block in tagged
  File "/app/vendor/bundle/ruby/2.7.0/gems/activesupport-", line 28, in tagged
  File "/app/vendor/bundle/ruby/2.7.0/gems/activesupport-", line 80, in tagged
  File "/app/vendor/bundle/ruby/2.7.0/gems/railties-", line 26, in call
  File "/app/vendor/bundle/ruby/2.7.0/gems/actionpack-", line 81, in call
  File "/app/vendor/bundle/ruby/2.7.0/gems/request_store-1.5.0/lib/request_store/middleware.rb", line 19, in call
  File "/app/vendor/bundle/ruby/2.7.0/gems/actionpack-", line 27, in call
  File "/app/vendor/bundle/ruby/2.7.0/gems/rack-2.2.2/lib/rack/method_override.rb", line 24, in call
  File "/app/vendor/bundle/ruby/2.7.0/gems/rack-2.2.2/lib/rack/runtime.rb", line 22, in call
  File "/app/vendor/bundle/ruby/2.7.0/gems/activesupport-", line 29, in call
  File "/app/vendor/bundle/ruby/2.7.0/gems/actionpack-", line 14, in call
  File "/app/vendor/bundle/ruby/2.7.0/gems/actionpack-", line 126, in call
  File "/app/vendor/bundle/ruby/2.7.0/gems/rack-2.2.2/lib/rack/sendfile.rb", line 110, in call
  File "/app/vendor/bundle/ruby/2.7.0/gems/actionpack-", line 74, in call
  File "/app/vendor/bundle/ruby/2.7.0/gems/actionpack-", line 76, in call
  File "/app/vendor/bundle/ruby/2.7.0/gems/railties-", line 527, in call
  File "/app/vendor/bundle/ruby/2.7.0/gems/puma-4.3.5/lib/puma/configuration.rb", line 228, in call
  File "/app/vendor/bundle/ruby/2.7.0/gems/puma-4.3.5/lib/puma/server.rb", line 713, in handle_request
  File "/app/vendor/bundle/ruby/2.7.0/gems/puma-4.3.5/lib/puma/server.rb", line 472, in process_client
  File "/app/vendor/bundle/ruby/2.7.0/gems/puma-4.3.5/lib/puma/server.rb", line 328, in block in run
  File "/app/vendor/bundle/ruby/2.7.0/gems/puma-4.3.5/lib/puma/thread_pool.rb", line 134, in block in spawn_thread

There is no problem when we downgrade the gem version to 0.3.3.


Please refer to the upgraded repository

I've merged the many fixes scattered on many repositories, and I've provided a version that works with the latest environment and specs.

  • OmniAuth2
  • Ruby 3
  • Supports the following: OpenID Connect Core 1.0 the Authorization Code Flow and the Implicit Flow. OpenID Connect RP-Initiated Logout 1.0.

If you agree, please write on the README to direct visitors to the new repository.

I'm always looking for developers, contributors. Thanks.

OpenSSL::SSL::SSLError (SSL_connect returned=1 errno=0 state=error: certificate verify failed (unable to get local issuer certificate)):


We are trying to integrate keycloak with Gitlab using OmniAuth without SSL applied(mandatory requirement). The configuration of the gitlab.rb file is as follows,

prometheus_monitoring['enable'] = false
gitlab_rails['ldap_enabled'] = false;
nginx['listen_port'] = 10200
nginx['listen_http'] = false
registry_nginx['enable'] = true
gitlab_rails['registry_path'] = "/mnt/docker_registry"
registry['enable'] = true
registry_external_url 'http://localhost:8123'
external_url 'http:///gitlab/'
gitlab_rails['omniauth_enabled'] = true
gitlab_rails['omniauth_providers'] = [
{ 'name' => 'Keycloak',
'label' => 'Login',
'args' => {
'name' => 'openid_connect',
'scope' => ['openid','profile',''],
'response_type' => 'code',
#'issuer' => 'http:///auth/realms/',
'discovery' => true,
'client_auth_method' => 'query',
'send_scope_to_token_endpoint' => 'false',
'client_options' => {
'port' => 80,
'scheme' => 'http',
'host' => '/auth',
'identifier' => '<CLIENT_ID>',
'secret' => '<CLIENT_SECRET>',
'redirect_uri' => 'http:///gitlab/users/auth/openid_connect/callback',
gitlab_rails['omniauth_sync_profile_from_provider'] = 'Keycloak'
#gitlab_rails['omniauth_auto_sign_in_with_provider'] = 'openid_connect'
gitlab_rails['omniauth_allow_single_sign_on'] = ['Keycloak']
gitlab_rails['omniauth_auto_link_saml_user'] = true
gitlab_rails['omniauth_block_auto_created_users'] = false

We are getting the following error when we login to the UI -> go to user settings ->
Account -> click on Connect OpenID Connect option,

OpenSSL::SSL::SSLError (SSL_connect returned=1 errno=0 state=error: certificate verify failed (unable to get local issuer certificate)):

Can someone help us fix this?

Thanks in advance :)

Gitlab client_auth_method basic, secret is url encoded

When i tried to set up the omniauth openid_connect in our gitlab instance with client_auth_method basic, the secret was sent url encoded to the server.


  name: "openid_connect",
  args: {
    client_auth_method: "basic",
    client_options: {
      identifier: "our_id",
      secret: "our_p+a+s/s/w+o+r+d"

would send the following authorization header to the server:
Basic b3VyX2lkOm91cl9wJTJCYSUyQnMlMkZzJTJGdyUyQm8lMkJyJTJCZA==

which gives us our_id:our_p%2Ba%2Bs%2Fs%2Fw%2Bo%2Br%2Bd instead of our_id:our_p+a+s/s/w+o+r+d

Handle errors when fetching access token at callback phase

At the callback_phase if an error occurs on the fetch of the access_token the strategy is not handling the error.

Error Trace:

Rack::OAuth2::Client::Error (invalid_client :: invalid client credentials):
  rack-oauth2 (1.9.3) lib/rack/oauth2/client.rb:171:in `handle_error_response'
  rack-oauth2 (1.9.3) lib/rack/oauth2/client.rb:148:in `handle_response'
  rack-oauth2 (1.9.3) lib/rack/oauth2/client.rb:122:in `access_token!'
  /Users/coffeebean/Bitbucket/omniauth_openid_connect/lib/omniauth/strategies/openid_connect.rb:189:in `access_token'
  /Users/coffeebean/Bitbucket/omniauth_openid_connect/lib/omniauth/strategies/openid_connect.rb:114:in `callback_phase'
  omniauth (1.9.0) lib/omniauth/strategy.rb:238:in `callback_call'
  omniauth (1.9.0) lib/omniauth/strategy.rb:189:in `call!'
  omniauth (1.9.0) lib/omniauth/strategy.rb:169:in `call'
  exception_notification (4.3.0) lib/exception_notification/rack.rb:41:in `call'
  warden (1.2.7) lib/warden/manager.rb:36:in `block in call'
  warden (1.2.7) lib/warden/manager.rb:35:in `catch'
  warden (1.2.7) lib/warden/manager.rb:35:in `call'
  rack (1.6.11) lib/rack/etag.rb:24:in `call'
  rack (1.6.11) lib/rack/conditionalget.rb:25:in `call'
  rack (1.6.11) lib/rack/head.rb:13:in `call'
  actionpack ( lib/action_dispatch/middleware/params_parser.rb:27:in `call'
  actionpack ( lib/action_dispatch/middleware/flash.rb:260:in `call'
  rack (1.6.11) lib/rack/session/abstract/id.rb:225:in `context'
  rack (1.6.11) lib/rack/session/abstract/id.rb:220:in `call'
  actionpack ( lib/action_dispatch/middleware/cookies.rb:560:in `call'
  activerecord ( lib/active_record/query_cache.rb:36:in `call'
  activerecord ( lib/active_record/connection_adapters/abstract/connection_pool.rb:653:in `call'
  activerecord ( lib/active_record/migration.rb:377:in `call'
  actionpack ( lib/action_dispatch/middleware/callbacks.rb:29:in `block in call'
  activesupport ( lib/active_support/callbacks.rb:88:in `__run_callbacks__'
  activesupport ( lib/active_support/callbacks.rb:778:in `_run_call_callbacks'
  activesupport ( lib/active_support/callbacks.rb:81:in `run_callbacks'
  actionpack ( lib/action_dispatch/middleware/callbacks.rb:27:in `call'
  actionpack ( lib/action_dispatch/middleware/reloader.rb:73:in `call'
  actionpack ( lib/action_dispatch/middleware/remote_ip.rb:78:in `call'
  actionpack ( lib/action_dispatch/middleware/debug_exceptions.rb:17:in `call'
  actionpack ( lib/action_dispatch/middleware/show_exceptions.rb:30:in `call'
  railties ( lib/rails/rack/logger.rb:38:in `call_app'
  railties ( lib/rails/rack/logger.rb:20:in `block in call'
  activesupport ( lib/active_support/tagged_logging.rb:68:in `block in tagged'
  activesupport ( lib/active_support/tagged_logging.rb:26:in `tagged'
  activesupport ( lib/active_support/tagged_logging.rb:68:in `tagged'
  railties ( lib/rails/rack/logger.rb:20:in `call'
  request_store (1.4.1) lib/request_store/middleware.rb:19:in `call'
  actionpack ( lib/action_dispatch/middleware/request_id.rb:21:in `call'
  rack (1.6.11) lib/rack/methodoverride.rb:22:in `call'
  rack (1.6.11) lib/rack/runtime.rb:18:in `call'
  activesupport ( lib/active_support/cache/strategy/local_cache_middleware.rb:28:in `call'
  rack (1.6.11) lib/rack/lock.rb:17:in `call'
  actionpack ( lib/action_dispatch/middleware/static.rb:120:in `call'
  rack (1.6.11) lib/rack/sendfile.rb:113:in `call'
  railties ( lib/rails/engine.rb:518:in `call'
  railties ( lib/rails/application.rb:165:in `call'
  rack (1.6.11) lib/rack/content_length.rb:15:in `call'
  puma (3.12.0) lib/puma/configuration.rb:225:in `call'
  puma (3.12.0) lib/puma/server.rb:658:in `handle_request'
  puma (3.12.0) lib/puma/server.rb:472:in `process_client'
  puma (3.12.0) lib/puma/server.rb:332:in `block in run'
  puma (3.12.0) lib/puma/thread_pool.rb:133:in `block in spawn_thread'

Internal Server Error: JSON::JWK::Set::KidNotFound

Currently, we are using GitLab version 13.1.3 which ships the omniauth_openid_connect gem in version 0.3.5. In GitLab 13.1.0 the omniauth_openid_connect package was upgraded from 0.3.3 to 0.3.5. (

The previously working OpenID configuration now results in an Internal Server Error during the callback phase. Manually downgrading the package to the version 0.3.3 used in GitLab 13.1 fixes the issue temporarily for us.

Relevent stacktrace

JSON::JWK::Set::KidNotFound: JSON::JWK::Set::KidNotFound
  from json/jose.rb:29:in `with_jwk_support'
  from json/jws.rb:131:in `valid?'
  from json/jws.rb:26:in `verify!'
  from json/jws.rb:195:in `decode_compact_serialized'
  from json/jwt.rb:104:in `decode_compact_serialized'
  from json/jose.rb:63:in `decode'
  from openid_connect/response_object/id_token.rb:70:in `decode'
  from omniauth/strategies/openid_connect.rb:229:in `decode_id_token'
  from omniauth/strategies/openid_connect.rb:343:in `verify_id_token!'
  from omniauth/strategies/openid_connect.rb:223:in `access_token'
  from omniauth/strategies/openid_connect.rb:125:in `callback_phase'
  from omniauth/strategy.rb:238:in `callback_call'
  from omniauth/strategy.rb:189:in `call!'
  from omniauth/strategy.rb:169:in `call'
  from omniauth/strategy.rb:192:in `call!'
  from omniauth/strategy.rb:169:in `call'
  from omniauth/strategy.rb:192:in `call!'
  from omniauth/strategy.rb:169:in `call'
  from omniauth/strategy.rb:192:in `call!'
  from omniauth/strategy.rb:169:in `call'
  from omniauth/strategy.rb:192:in `call!'
  from omniauth/strategy.rb:169:in `call'
  from omniauth/strategy.rb:192:in `call!'
  from omniauth/strategy.rb:169:in `call'
  from gitlab/metrics/elasticsearch_rack_middleware.rb:24:in `call'
  from gitlab/metrics/redis_rack_middleware.rb:22:in `call'
  from gitlab/middleware/rails_queue_duration.rb:29:in `call'
  from gitlab/metrics/rack_middleware.rb:17:in `block in call'
  from gitlab/metrics/transaction.rb:54:in `run'
  from gitlab/metrics/rack_middleware.rb:17:in `call'
  from gitlab/request_profiler/middleware.rb:17:in `call'
  from labkit/middleware/rack.rb:19:in `block in call'
  from labkit/context.rb:32:in `with_context'
  from labkit/middleware/rack.rb:18:in `call'
  from gitlab/middleware/go.rb:20:in `call'
  from gitlab/etag_caching/middleware.rb:13:in `call'
  from batch_loader/middleware.rb:11:in `call'
  from rack/attack.rb:97:in `call'
  from apollo_upload_server/middleware.rb:20:in `call'
  from gitlab/middleware/multipart.rb:125:in `call'
  from rack/attack.rb:111:in `call'
  from warden/manager.rb:36:in `block in call'
  from warden/manager.rb:34:in `catch'
  from warden/manager.rb:34:in `call'
  from rack/cors.rb:98:in `call'
  from rack/tempfile_reaper.rb:15:in `call'
  from rack/etag.rb:25:in `call'
  from rack/conditional_get.rb:25:in `call'
  from rack/head.rb:12:in `call'
  from action_dispatch/http/content_security_policy.rb:18:in `call'
  from gitlab/middleware/read_only/controller.rb:51:in `call'
  from gitlab/middleware/read_only.rb:18:in `call'
  from rack/session/abstract/id.rb:259:in `context'
  from rack/session/abstract/id.rb:253:in `call'
  from action_dispatch/middleware/cookies.rb:648:in `call'
  from gitlab/middleware/same_site_cookies.rb:27:in `call'
  from action_dispatch/middleware/callbacks.rb:27:in `block in call'
  from active_support/callbacks.rb:101:in `run_callbacks'
  from action_dispatch/middleware/callbacks.rb:26:in `call'
  from action_dispatch/middleware/actionable_exceptions.rb:17:in `call'
  from action_dispatch/middleware/debug_exceptions.rb:32:in `call'
  from action_dispatch/middleware/show_exceptions.rb:33:in `call'
  from gitlab/middleware/basic_health_check.rb:25:in `call'
  from rails/rack/logger.rb:37:in `call_app'
  from rails/rack/logger.rb:26:in `block in call'
  from active_support/tagged_logging.rb:80:in `block in tagged'
  from active_support/tagged_logging.rb:28:in `tagged'
  from active_support/tagged_logging.rb:80:in `tagged'
  from rails/rack/logger.rb:26:in `call'
  from action_dispatch/middleware/remote_ip.rb:81:in `call'
  from gitlab/middleware/handle_ip_spoof_attack_error.rb:25:in `call'
  from gitlab/middleware/request_context.rb:23:in `call'
  from request_store/middleware.rb:19:in `call'
  from action_dispatch/middleware/request_id.rb:27:in `call'
  from rack/method_override.rb:22:in `call'
  from rack/runtime.rb:22:in `call'
  from rack/timeout/core.rb:123:in `block in call'
  from rack/timeout/support/timeout.rb:19:in `timeout'
  from rack/timeout/core.rb:122:in `call'
  from /opt/gitlab/embedded/service/gitlab-rails/config/initializers/fix_local_cache_middleware.rb:9:in `call'
  from action_dispatch/middleware/executor.rb:14:in `call'
  from rack/sendfile.rb:111:in `call'
  from action_dispatch/middleware/host_authorization.rb:76:in `call'
  from gitlab/metrics/requests_rack_middleware.rb:60:in `call'
  from raven/integrations/rack.rb:51:in `call'
  from rails/engine.rb:527:in `call'
  from rails/railtie.rb:190:in `public_send'
  from rails/railtie.rb:190:in `method_missing'
  from gitlab/middleware/release_env.rb:12:in `call'
  from rack/urlmap.rb:68:in `block in call'
  from rack/urlmap.rb:53:in `each'
  from rack/urlmap.rb:53:in `call'
  from puma/configuration.rb:228:in `call'
  from puma/server.rb:691:in `handle_request'
  from puma/server.rb:481:in `process_client'
  from puma/server.rb:335:in `block in run'
  from puma/thread_pool.rb:138:in `block in spawn_thread'

OpenID configuration

    'name' => 'openid_connect',
    'label' => 'Helmholtz AAI',
    'icon' => 'helmholtz.png',
    'args' => {
      'name' => 'openid_connect',
      'scope' => ['openid', 'profile', 'email', 'eduperson_principal_name'],
      'response_type' => 'code',
      'issuer' => '',
      'discovery' => true,
      'client_auth_method' => 'basic',
      'uid_field' => 'eduperson_principal_name',
      'send_scope_to_token_endpoint' => 'true',
      'client_options' => {
        'identifier' => '...',
        'secret' => '...',
        'redirect_uri' => ''

I also experimented with other configuration options. Setting discovery to false and specifying all information manually. I also tried to set the JSON web set keys manually as well Unfortunately, none of the measures changed anything.

Possible fixes

I would be very happy if you could have a look into this issue!

For reference, this is the respective GitLab issue:

Redirect URI is getting double escaped

for example we redirect to


Then it sends to

Then in the callback phase the "redirect uris" don't match when requesting the resource in the AccessToken.

Seems like the solve is to not initially uri encode the "redirect_uri" in openid_connect.rb:286, since it gets encoded again when the uri we send the user to gets set.

Option response_mode is defined but not used

In lib/omniauth/strategies/openid_connect.rb option response_mode is defined but not used anywhere. And it should be used (if defined) in the authorize_uri method:

module OmniAuth
  module Strategies
    class OpenIDConnect
      include OmniAuth::Strategy
      # ...
      option :state
      option :response_mode
      def authorize_uri
        client.redirect_uri = redirect_uri
        opts = {
          response_type: options.response_type,
+          response_mode: options.response_mode,
          scope: options.scope,
          # ...
        client.authorization_uri(opts.reject { |_k, v| v.nil? })

This allows using this gem with servers/flows which use response_mode=form_post for example.

JWS Token Verification Failed

Hello, I'm getting this error. Any ideas? Thank you.

(openid_connect) Callback phase initiated.
JSON::JWS::VerificationFailed (JSON::JWS::VerificationFailed):
json-jwt (1.13.0) lib/json/jws.rb:27:in verify!' json-jwt (1.13.0) lib/json/jws.rb:193:in decode_compact_serialized'
json-jwt (1.13.0) lib/json/jwt.rb:104:in decode_compact_serialized' json-jwt (1.13.0) lib/json/jose.rb:65:in decode'
openid_connect (1.2.0) lib/openid_connect/response_object/id_token.rb:70:in decode' omniauth_openid_connect (0.3.5) lib/omniauth/strategies/openid_connect.rb:229:in decode_id_token'

Allow differentiating between IdPs in rails app

Say there are two OpenID IdPs, and they return the same uid for a user from each.

We'd like to be able to differentiate based on the info/extra hash which IdP sent the user to know which to login.

Suggest adding the issuer to "extra"

Scope parameter is not supported on auth code access token exchange request

Hi, I'm not a Ruby dev but I stumbled on this when trying to configure for OpenID Connect integration a Gitlab server instance. In my scenario, I have a Gitlab server which internally uses Omniauth and Omniauth_openid_connect (v. 0.3.3) to talk to an OpenAM server (both of those are the latest available versions as of today, i.e. Gitlab CE 12.7.6 and OpenAM 14.4.3, open source editions).
I have opened an issue on the Gitlab tracker and the support redirected me here.

After setting up the required parameters, the login process fails with the following error:

Could not authenticate you from OpenIDConnect because "Invalid request :: scope parameter is not supported on an authorization code access token exchange request. scope parameter should be supplied to the authorize request."

Indeed, according to the relevant section of the OpenID Specifications (,, the scope attribute is not allowed in token requests, but it seems like it is always populated by this library.

The authentication process via OpenID Connect using code flow relies on three http calls:

Gitlab(Browser) -> OpenID(Server): GET to authorization endpoint
OpenID(Server) -> Browser(Gitlab): browser redirect to OpenID Connect callback
Gitlab(Server) -> OpenID(Server): POST to token endpoint

The first two calls complete successfully, but the third POST has an extra scope parameter that should not be there when grant_type is authorization_code.

To reproduce: configure a local instance of OpenAM ( or other local standards-compliant OpenID Connect implementation (the main online social login platforms sometimes have quirks or accept non-standard requests), try to login.

Always getting `Not found. Authentication passthru.`


sorry if I am missing something very basic but I think I need some help in configuring this gem with devise in my application; I am always getting Not found. Authentication passthru. error;

The url that devise upon clicking 'Sign In with OpenIdConnect' goes to is:

My config looks like below in config/initializers/devise.rb :

config.omniauth :openid_connect, { 
name: :provider, 
scope: [:openid], 
response_type: :code, 
client_options: { 
    port: 443, 
    scheme: "https", 
    host: "", 
    issuer: "", 
    authorization_endpoint: "/oauth2/auth", 
    token_endpoint: "/oauth2/token", 
    identifier: 'CLIENT_ID', 
    secret: 'CLIENT_SECRET', 
    redirect_uri: "", 

I know I have added extra parameters in it but that's because I'm unsure of what exactly is required; I cant see any logs on the server as well so it means I am not hitting the correct endpoint or something

I have the following urls from provider available

issuer endpoint (
authorization endpoint (
token endpoint (
also I have the client id and secret
Can you please help me ?

multiple open_id providers with devise

The doc says:

NOTE: if you use this gem with Devise you should use :openid_connect name, or Devise would route to 'users/auth/:provider' rather than 'users/auth/openid_connect'

this means that I cannot use more openid providers when using Devise?

thank you

Nonce verification

Currently, nonce is verified in access_token method and it's way too late.
I think nonce should be validated after this line:

id_token = decode_id_token(params['id_token'])

  issuer: options.issuer,
  client_id: client_options.identifier,
  nonce: stored_nonce

Verifying the response during requesting for a token doesn't make sense.

Issue with parsing id_token parameter in 'code' response_type use cases

First off, thanks for continuing to maintain this code!

We currently have a 'code' based implementation working with this gem. When upgrading to the latest code we're running into issues with the following lines:

We don't have an 'id_token' param and so decode_id_token attempts to parse nil which causes an error. A simple conditional check of the response type before calling decode_id_token fixes the error.

Wanted to raise it here though in case there is something I am missing. Thanks!

SSLError certificate verify failed (unable to get local issuer certificate)

Hi I'm trying to integrate my app with an openid provider. I'm getting this:

(openid_connect) Callback phase initiated.
OpenSSL::SSL::SSLError (SSL_connect returned=1 errno=0 state=error: certificate verify failed (unable to get local issuer certificate)):
httpclient (2.8.3) lib/httpclient/ssl_socket.rb:103:in `connect'

The app is behind a Traefik proxy with a certificate from LetsEncrypt. I've tryied disabling https on my app but still getting the same error.

Any ideas? Thank you.

Groups/Roles support

Currently this OmniAuth provider does not read the groups or roles claims provided. It is also not possible to restrict login for users to a specific group. This causes all users for a domain to login to the application with OmniAuth using this provider.

It would be a nice improvement to this provider, if the name of the groups claim could be specified using a config property. If groups can be read via the groups claim it should also be possible to specify a required_groups in the provider configuration, causing the login to fail if the user is not in the specified groups or a successful login if the user is in the specified groups.

The latter required_groups is a pretty common requirement to restrict the login to various applications by groups, otherwise everyone can log in.

Sign In With Slack | nil request.env['omniauth.auth']

Hi thank you for this library super helpful!

So i'm trying to setup sign in with slack per their doc:

  Rails.application.config.middleware.use OmniAuth::Strategies::OpenIDConnect, {
    name: :sign_in_slack,
    issuer: '',
    discovery: true,
    scope: [:openid, :email, :profile],
    response_type: :code,
    client_options: {
      port: 443,
      scheme: "https",
      host: "",
      identifier: "redacted",
      secret: "redacted",
      redirect_uri: "#{ENV['BASE_URL']}/auth/slack/callback/sign_in",

But my callback controller is seeing request.env['omniauth.auth'] nil.

The callback_phase method is never called.

What am i doing wrong ?


new release?

I like to avoid local patches or fetching from git repo.

@m0n9oose Do you plan to publish a new release with latest changes?

how to work with endpoints with different hosts but same provider

I have two endpoints one for Authorization and another for token:

Authorization endpoint:

Token endpoint:

as you can see each one has a different host, but are the same provider, I'm not sure how to configure this in the gem as you can only specify one host:

config.omniauth :openid_connect, 
    name: :openid_connect,
    scope: [:openid],
    issuer: ""
    response_type: :code,
    discovery: :true,
    port: 443,
    scheme: "https",
    host: "",
    authorization_endpoint: "/authorize", 
    token_endpoint: "/token", #How to specify here correctly
    identifier: 'CLIENT_ID', 
    secret: 'CLIENT_SECRET', 
    redirect_uri: "", 

client_options.redirect_uri should fallback to sensible default when missing

Context: I am setting up Greenlight for use with OpenIDConnect through your library

The initialization happens this way:

      provider :openid_connect,
        issuer: ENV["OPENID_CONNECT_ISSUER"],
        discovery: true,
        scope: [:email, :profile],
        response_type: :code,
        uid_field: ENV["OPENID_CONNECT_UID_FIELD"] || "preferred_username",
        client_options: {
          identifier: ENV['OPENID_CONNECT_CLIENT_ID'],
          redirect_uri: redirect

Unless explicitly configured by the user, redirect will have a nil value, which omniauth_openid_connect will handle by constructing the following authorization uri:


redirect_uri is missing, which is not valid per the OIDC spec

Other Omniauth providers I have looked at use Omniauth's callback_url method to set the redirect_uri to a sensible default value when the user does not explicitely specify it. This makes configuration of OpenID Connect a little easier, by relieving the users from having to try and guess the correct callback URL when configuring an application that uses Omniauth.

I have tried the following change:

diff --git a/lib/omniauth/strategies/openid_connect.rb b/lib/omniauth/strategies/openid_connect.rb
index c7e86f7..ec37c7f 100644
--- a/lib/omniauth/strategies/openid_connect.rb
+++ b/lib/omniauth/strategies/openid_connect.rb
@@ -156,7 +156,7 @@ module OmniAuth
       def authorize_uri
-        client.redirect_uri = redirect_uri
+        client.redirect_uri = redirect_uri || callback_url
         opts = {
           response_type: options.response_type,
           response_mode: options.response_mode,

which works for my use case, but breaks the unit tests in ways I cannot understand as someone not very familiar with Ruby

When one of the endpoints have a different host

I have some trouble configuring my settings, I have a different URL for the token endpoint, can I enter a different URL (different than the value used at host) in token_endpoint setting?

Implicit Flow does not work

Test sample application:
Ruby 3.0, Rails 6.1, OmniAuth 2.0
The Code Flow is OK. But the Implicit Flow does not seem to work.
I'll investigate the cause.

undefined method `[]' for nil:NilClass
fail!(error_attrs[:key], error_attrs[:exception_class].new(params['error']))

omniauth_openid_connect (0.4.0.pre) lib/omniauth/strategies/openid_connect.rb:337:in `valid_response_type?'
omniauth_openid_connect (0.4.0.pre) lib/omniauth/strategies/openid_connect.rb:114:in `callback_phase'
omniauth (2.0.4) lib/omniauth/strategy.rb:272:in `callback_call'
omniauth (2.0.4) lib/omniauth/strategy.rb:194:in `call!'
omniauth (2.0.4) lib/omniauth/strategy.rb:169:in `call'
omniauth (2.0.4) lib/omniauth/strategy.rb:470:in `call_app!'
omniauth_openid_connect (0.4.0.pre) lib/omniauth/strategies/openid_connect.rb:143:in `other_phase'
omniauth (2.0.4) lib/omniauth/strategy.rb:195:in `call!'
omniauth (2.0.4) lib/omniauth/strategy.rb:169:in `call'
omniauth (2.0.4) lib/omniauth/strategy.rb:470:in `call_app!'
omniauth_openid_connect (0.4.0.pre) lib/omniauth/strategies/openid_connect.rb:143:in `other_phase'
omniauth (2.0.4) lib/omniauth/strategy.rb:195:in `call!'
omniauth (2.0.4) lib/omniauth/strategy.rb:169:in `call'
omniauth (2.0.4) lib/omniauth/strategy.rb:470:in `call_app!'
omniauth_openid_connect (0.4.0.pre) lib/omniauth/strategies/openid_connect.rb:143:in `other_phase'
omniauth (2.0.4) lib/omniauth/strategy.rb:195:in `call!'
omniauth (2.0.4) lib/omniauth/strategy.rb:169:in `call'
omniauth (2.0.4) lib/omniauth/strategy.rb:470:in `call_app!'
omniauth_openid_connect (0.4.0.pre) lib/omniauth/strategies/openid_connect.rb:143:in `other_phase'
omniauth (2.0.4) lib/omniauth/strategy.rb:195:in `call!'
omniauth (2.0.4) lib/omniauth/strategy.rb:169:in `call'
omniauth (2.0.4) lib/omniauth/builder.rb:45:in `call'
rack (2.2.3) lib/rack/tempfile_reaper.rb:15:in `call'
rack (2.2.3) lib/rack/etag.rb:27:in `call'
rack (2.2.3) lib/rack/conditional_get.rb:40:in `call'
rack (2.2.3) lib/rack/head.rb:12:in `call'
actionpack ( lib/action_dispatch/http/permissions_policy.rb:22:in `call'
actionpack ( lib/action_dispatch/http/content_security_policy.rb:18:in `call'
rack (2.2.3) lib/rack/session/abstract/id.rb:266:in `context'
rack (2.2.3) lib/rack/session/abstract/id.rb:260:in `call'
actionpack ( lib/action_dispatch/middleware/cookies.rb:689:in `call'
activerecord ( lib/active_record/migration.rb:601:in `call'
actionpack ( lib/action_dispatch/middleware/callbacks.rb:27:in `block in call'
activesupport ( lib/active_support/callbacks.rb:98:in `run_callbacks'
actionpack ( lib/action_dispatch/middleware/callbacks.rb:26:in `call'
actionpack ( lib/action_dispatch/middleware/executor.rb:14:in `call'
actionpack ( lib/action_dispatch/middleware/actionable_exceptions.rb:18:in `call'
actionpack ( lib/action_dispatch/middleware/debug_exceptions.rb:29:in `call'
web-console (4.2.0) lib/web_console/middleware.rb:132:in `call_app'

Having problem to debug connection issue

Maybe everybody else knows this, but I tried to use OIDC with gitlab and keycloak and I cannot find a single log entry showing that something is happening even if I click the sso button on the gitlab ui.

I looked at the code base of this project and I also see now line about outputting log.

I wonder how people approach this, and if that would make sense that the have some words about debugging the thing.

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    ๐Ÿ–– Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. ๐Ÿ“Š๐Ÿ“ˆ๐ŸŽ‰

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google โค๏ธ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.