omniauth-vitsme 0.1.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: a95f27003ba5e85db4705861d35ebbb62a8d4701a7494d01faec43144d4f4749
+  data.tar.gz: ab6049d8756893307f0076cc75c2f14f83042de57f292f1031ab052dfbec922e
+SHA512:
+  metadata.gz: 0dcb9ba6a03dac71969ed404f4e41d47cc47d21b2ca710ea55b36720afdbe11e8750347141f8cc6abdfaebfb65c95154be52655181626b7ae8740aa944580d82
+  data.tar.gz: e0980bf755901669c8c3eb2ea70dc4ab79532a6ee4adad032f940ffaa7ed19a8035f479197002bab62bbb41c47e912be2bd6085a77e9bdf1bf5386f4450a1594

data/.claude/settings.local.json

@@ -0,0 +1,27 @@
+{
+  "permissions": {
+    "allow": [
+      "WebSearch",
+      "WebFetch(domain:vits.me)",
+      "WebFetch(domain:github.com)",
+      "WebFetch(domain:rubygems.org)",
+      "WebFetch(domain:msuliq.medium.com)",
+      "Bash(gem contents:*)",
+      "Bash(gem list:*)",
+      "WebFetch(domain:raw.githubusercontent.com)",
+      "Bash(curl:*)",
+      "Bash(python3:*)",
+      "Bash(ruby --version:*)",
+      "Bash(git init:*)",
+      "Bash(git add:*)",
+      "Bash(git commit:*)",
+      "Bash(bundle install:*)",
+      "Bash(bundle exec rspec:*)",
+      "Bash(bundle show:*)",
+      "Bash(bundle exec rubocop:*)",
+      "Bash(bundle update:*)",
+      "Bash(gem build:*)",
+      "Bash(bundle exec rake:*)"
+    ]
+  }
+}

data/.rspec

@@ -0,0 +1,3 @@
+--format documentation
+--color
+--require spec_helper

data/.rspec_status

@@ -0,0 +1,29 @@
+example_id                                        | status | run_time        |
+------------------------------------------------- | ------ | --------------- |
+./spec/omniauth/strategies/vitsme_spec.rb[1:1:1]  | passed | 0.00013 seconds |
+./spec/omniauth/strategies/vitsme_spec.rb[1:1:2]  | passed | 0.00034 seconds |
+./spec/omniauth/strategies/vitsme_spec.rb[1:1:3]  | passed | 0.00014 seconds |
+./spec/omniauth/strategies/vitsme_spec.rb[1:1:4]  | passed | 0.00013 seconds |
+./spec/omniauth/strategies/vitsme_spec.rb[1:1:5]  | passed | 0.00026 seconds |
+./spec/omniauth/strategies/vitsme_spec.rb[1:1:6]  | passed | 0.00014 seconds |
+./spec/omniauth/strategies/vitsme_spec.rb[1:1:7]  | passed | 0.00014 seconds |
+./spec/omniauth/strategies/vitsme_spec.rb[1:2:1]  | passed | 0.00014 seconds |
+./spec/omniauth/strategies/vitsme_spec.rb[1:2:2]  | passed | 0.00014 seconds |
+./spec/omniauth/strategies/vitsme_spec.rb[1:2:3]  | passed | 0.00014 seconds |
+./spec/omniauth/strategies/vitsme_spec.rb[1:2:4]  | passed | 0.00014 seconds |
+./spec/omniauth/strategies/vitsme_spec.rb[1:2:5]  | passed | 0.00014 seconds |
+./spec/omniauth/strategies/vitsme_spec.rb[1:2:6]  | passed | 0.00013 seconds |
+./spec/omniauth/strategies/vitsme_spec.rb[1:2:7]  | passed | 0.00014 seconds |
+./spec/omniauth/strategies/vitsme_spec.rb[1:3:1]  | passed | 0.00015 seconds |
+./spec/omniauth/strategies/vitsme_spec.rb[1:3:2]  | passed | 0.00056 seconds |
+./spec/omniauth/strategies/vitsme_spec.rb[1:4:1]  | passed | 0.00024 seconds |
+./spec/omniauth/strategies/vitsme_spec.rb[1:4:2]  | passed | 0.00031 seconds |
+./spec/omniauth/strategies/vitsme_spec.rb[1:4:3]  | passed | 0.0003 seconds  |
+./spec/omniauth/strategies/vitsme_spec.rb[1:4:4]  | passed | 0.00031 seconds |
+./spec/omniauth/strategies/vitsme_spec.rb[1:4:5]  | passed | 0.00033 seconds |
+./spec/omniauth/strategies/vitsme_spec.rb[1:4:6]  | passed | 0.00031 seconds |
+./spec/omniauth/strategies/vitsme_spec.rb[1:4:7]  | passed | 0.00033 seconds |
+./spec/omniauth/strategies/vitsme_spec.rb[1:4:8]  | passed | 0.00042 seconds |
+./spec/omniauth/strategies/vitsme_spec.rb[1:4:9]  | passed | 0.00098 seconds |
+./spec/omniauth/strategies/vitsme_spec.rb[1:4:10] | passed | 0.00022 seconds |
+./spec/omniauth/strategies/vitsme_spec.rb[1:5:1]  | passed | 0.00266 seconds |

data/.rubocop.yml

@@ -0,0 +1,39 @@
+plugins:
+  - rubocop-rspec
+
+AllCops:
+  TargetRubyVersion: 3.0
+  NewCops: enable
+  SuggestExtensions: false
+
+Style/Documentation:
+  Enabled: false
+
+Style/OpenStructUse:
+  Exclude:
+    - "spec/**/*"
+
+Naming/FileName:
+  Exclude:
+    - "lib/omniauth-vitsme.rb"
+
+Naming/VariableNumber:
+  Enabled: false
+
+Metrics/BlockLength:
+  Exclude:
+    - "spec/**/*"
+    - "*.gemspec"
+
+Metrics/ModuleLength:
+  Exclude:
+    - "spec/**/*"
+
+RSpec/ExampleLength:
+  Max: 10
+
+RSpec/MultipleExpectations:
+  Max: 5
+
+RSpec/NestedGroups:
+  Max: 4

data/CHANGELOG.md

@@ -0,0 +1,17 @@
+# Changelog
+
+All notable changes to this project will be documented in this file.
+
+The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
+and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
+
+## [0.1.0] - 2026-02-11
+
+### Added
+
+- Initial release
+- OmniAuth strategy for vits.me OpenID Connect provider
+- OIDC discovery enabled by default
+- RS256 token signing
+- Support for vits.me scopes: openid, name, nationality, age verification, birthday
+- Convenience `client_id` / `client_secret` top-level options

data/LICENSE.txt

@@ -0,0 +1,21 @@
+The MIT License (MIT)
+
+Copyright (c) 2026 omniauth-vitsme contributors
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.

data/README.md

@@ -0,0 +1,182 @@
+# OmniAuth vits.me
+
+OmniAuth strategy for [vits.me](https://vits.me) (itsme), global digital identity verification platform.
+
+Wraps [omniauth_openid_connect](https://github.com/omniauth/omniauth_openid_connect) with vits.me-specific defaults so you only need to supply `client_id` and `client_secret`.
+
+## Installation
+
+Add to your Gemfile:
+
+```ruby
+gem "omniauth-vitsme", "~> 0.1"
+```
+
+Then run:
+
+```
+bundle install
+```
+
+## Usage
+
+### Rails (Rack middleware)
+
+```ruby
+Rails.application.config.middleware.use OmniAuth::Builder do
+  provider :vitsme,
+    client_id: ENV["VITSME_CLIENT_ID"],
+    client_secret: ENV["VITSME_CLIENT_SECRET"]
+end
+```
+
+### With additional scopes
+
+```ruby
+Rails.application.config.middleware.use OmniAuth::Builder do
+  provider :vitsme,
+    client_id: ENV["VITSME_CLIENT_ID"],
+    client_secret: ENV["VITSME_CLIENT_SECRET"],
+    scope: [:openid, :name, :age__over_18, :nationality]
+end
+```
+
+### Devise integration
+
+```ruby
+Devise.setup do |config|
+  config.omniauth :vitsme,
+    client_id: ENV["VITSME_CLIENT_ID"],
+    client_secret: ENV["VITSME_CLIENT_SECRET"],
+    scope: [:openid, :name]
+end
+```
+
+## Available Scopes
+
+| Scope | Description |
+|---|---|
+| `openid` | Required. Returns the subject identifier (`sub`). |
+| `name` | Given name and family name |
+| `name__full` | Full name as a single string |
+| `nationality` | ISO country code |
+| `nationality__in_eu` | Whether the user is an EU national |
+| `birthday` / `birthdate` | Date of birth |
+| `birthyear` | Year of birth |
+| `age__over_13` | Age verification (13+) |
+| `age__over_18` | Age verification (18+) |
+| `age__over_21` | Age verification (21+) |
+
+## Auth Hash
+
+The auth hash returned in the callback looks like:
+
+```ruby
+{
+  provider: "vitsme",
+  uid: "pairwise-subject-identifier",
+  info: {
+    name: "Jane Doe",
+    first_name: "Jane",
+    last_name: "Doe",
+    email: "jane@example.com",
+    birthday: "1990-01-15",
+    nationality: "IL",
+    age_over_13: true,
+    age_over_18: true,
+    age_over_21: true
+  },
+  credentials: {
+    id_token: "eyJ...",
+    token: "access_token_value",
+    refresh_token: "refresh_token_value",
+    expires_in: 3600,
+    scope: "openid name"
+  },
+  extra: {
+    raw_info: {
+      sub: "pairwise-subject-identifier",
+      name: "Jane Doe",
+      # ... all raw claims from the userinfo endpoint
+    }
+  }
+}
+```
+
+Only requested scopes will appear in `info`. Nil values are omitted via `.compact`.
+
+Note: vits.me uses **pairwise subject identifiers** -- the same person will have a different `uid` for each registered client application.
+
+## Configuration
+
+This gem is a wrapper for [omniauth_openid_connect](https://github.com/omniauth/omniauth_openid_connect). All configuration options available for `omniauth_openid_connect` can be used with `omniauth-vitsme`. The most common options are listed below.
+
+| Option | Default | Description |
+|---|---|---|
+| `client_id` | *required* | Your vits.me client ID |
+| `client_secret` | *required* | Your vits.me client secret |
+| `scope` | `[:openid]` | OIDC scopes to request |
+| `discovery` | `true` | Fetch endpoints from `.well-known/openid-configuration` |
+| `issuer` | `https://vits.me` | OIDC issuer URL |
+| `response_type` | `code` | OAuth response type (Authorization Code Flow) |
+
+## Environments
+
+For development or staging environments, Vits.me may provide a separate set of endpoints. You can configure these by overriding the `client_options`.
+
+```ruby
+Rails.application.config.middleware.use OmniAuth::Builder do
+  provider :vitsme,
+    name: 'vitsme_staging', # Give it a unique name
+    client_id: ENV["VITSME_STAGING_CLIENT_ID"],
+    client_secret: ENV["VITSME_STAGING_CLIENT_SECRET"],
+    client_options: {
+      site: 'https://staging.vits.me',
+      authorize_url: 'https://staging.vits.me/oauth/authorize',
+      token_url: 'https://staging.vits.me/oauth/token',
+      userinfo_endpoint: 'https://staging.vits.me/userinfo'
+    }
+end
+```
+**Note:** The URLs in the example above are placeholders. Please refer to the official Vits.me documentation for the correct staging URLs.
+
+## Authentication Failures
+
+If the user denies the authentication request or if there's a misconfiguration, OmniAuth will redirect to the `/auth/failure` path in your application. The `omniauth.error` and `omniauth.error.type` variables will be set in the Rack environment.
+
+You can catch these failures by creating a `FailureEndpoint` in your application, for example, by routing `/auth/failure` to a specific controller action.
+
+In a Rails application, you can handle this in your `OmniAuth::FailureEndpoint`:
+
+```ruby
+# config/initializers/omniauth.rb
+OmniAuth.config.on_failure = Proc.new { |env|
+  OmniAuth::FailureEndpoint.new(env).redirect_to_failure
+}
+```
+
+```ruby
+# app/controllers/omniauth_callbacks_controller.rb
+class OmniauthCallbacksController < Devise::OmniauthCallbacksController
+  def failure
+    # Your custom failure logic here.
+    # For example, redirect to the root path with an error message.
+    redirect_to root_path, alert: "Authentication failed: #{params[:message]}"
+  end
+end
+```
+
+The `params[:message]` will contain a description of the error (e.g., `invalid_credentials`).
+
+## Development
+
+```
+bundle install
+bundle exec rspec
+bundle exec rubocop
+bundle exec rake        # runs both
+```
+
+## License
+
+MIT License. See [LICENSE.txt](LICENSE.txt).

data/Rakefile

@@ -0,0 +1,9 @@
+# frozen_string_literal: true
+
+require 'rspec/core/rake_task'
+require 'rubocop/rake_task'
+
+RSpec::Core::RakeTask.new(:spec)
+RuboCop::RakeTask.new(:rubocop)
+
+task default: %i[spec rubocop]

data/lib/omniauth/strategies/vitsme.rb

@@ -0,0 +1,68 @@
+# frozen_string_literal: true
+
+require 'omniauth_openid_connect'
+
+module OmniAuth
+  module Strategies
+    class Vitsme < OpenIDConnect
+      option :name, 'vitsme'
+
+      option :discovery, true
+      option :issuer, 'https://vits.me'
+      option :client_signing_alg, :RS256
+      option :scope, [:openid]
+      option :response_type, 'code'
+      option :response_mode, 'query'
+
+      option :client_options, {
+        identifier: nil,
+        secret: nil,
+        scheme: 'https',
+        host: 'vits.me',
+        port: 443,
+        authorization_endpoint: '/oauth/authorize',
+        token_endpoint: '/oauth/token',
+        userinfo_endpoint: '/oauth/userinfo',
+        jwks_uri: '/oauth/discovery/keys'
+      }
+
+      option :client_id, nil
+      option :client_secret, nil
+
+      def uid
+        raw_info['sub']
+      end
+
+      info do
+        {
+          name: raw_info['name'] || raw_info['name__full'],
+          first_name: raw_info['given_name'],
+          last_name: raw_info['family_name'],
+          email: raw_info['email'],
+          birthday: raw_info['birthdate'] || raw_info['birthday'],
+          nationality: raw_info['nationality'],
+          age_over_13: raw_info['age__over_13'],
+          age_over_18: raw_info['age__over_18'],
+          age_over_21: raw_info['age__over_21']
+        }.compact
+      end
+
+      extra do
+        { raw_info: raw_info }
+      end
+
+      def raw_info
+        @raw_info ||= user_info.raw_attributes
+      end
+
+      private
+
+      def client_options
+        opts = options.client_options
+        opts.identifier ||= options.client_id if options.client_id
+        opts.secret ||= options.client_secret if options.client_secret
+        opts
+      end
+    end
+  end
+end

data/lib/omniauth/vitsme/version.rb

@@ -0,0 +1,7 @@
+# frozen_string_literal: true
+
+module OmniAuth
+  module Vitsme
+    VERSION = '0.1.0'
+  end
+end

data/lib/omniauth/vitsme.rb

@@ -0,0 +1,4 @@
+# frozen_string_literal: true
+
+require 'omniauth/vitsme/version'
+require 'omniauth/strategies/vitsme'

data/lib/omniauth-vitsme.rb

@@ -0,0 +1,3 @@
+# frozen_string_literal: true
+
+require 'omniauth/vitsme'

data/omniauth-vitsme.gemspec

@@ -0,0 +1,32 @@
+# frozen_string_literal: true
+
+require_relative 'lib/omniauth/vitsme/version'
+
+Gem::Specification.new do |spec|
+  spec.name = 'omniauth-vitsme'
+  spec.version = OmniAuth::Vitsme::VERSION
+  spec.authors = ['Yuval Tobias']
+  spec.email = ['yuval@mattyr.com']
+
+  spec.summary = 'OmniAuth strategy for vits.me identity verification'
+  spec.description = 'OmniAuth OpenID Connect strategy for vits.me, ' \
+                     'digital identity platform.'
+  spec.homepage = 'https://github.com/yuvaltobias/omniauth-vitsme'
+  spec.license = 'MIT'
+  spec.required_ruby_version = '>= 3.0.0'
+
+  spec.metadata['homepage_uri'] = spec.homepage
+  spec.metadata['source_code_uri'] = spec.homepage
+  spec.metadata['changelog_uri'] = "#{spec.homepage}/blob/main/CHANGELOG.md"
+  spec.metadata['rubygems_mfa_required'] = 'true'
+
+  spec.files = Dir.chdir(__dir__) do
+    `git ls-files -z`.split("\x0").reject do |f|
+      (File.expand_path(f) == __FILE__) ||
+        f.start_with?('spec/', 'test/', '.git', '.github', 'Gemfile')
+    end
+  end
+  spec.require_paths = ['lib']
+
+  spec.add_dependency 'omniauth_openid_connect', '~> 0.8'
+end

metadata

@@ -0,0 +1,71 @@
+--- !ruby/object:Gem::Specification
+name: omniauth-vitsme
+version: !ruby/object:Gem::Version
+  version: 0.1.0
+platform: ruby
+authors:
+- Yuval Tobias
+bindir: bin
+cert_chain: []
+date: 1980-01-02 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: omniauth_openid_connect
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.8'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.8'
+description: OmniAuth OpenID Connect strategy for vits.me, digital identity platform.
+email:
+- yuval@mattyr.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- ".claude/settings.local.json"
+- ".rspec"
+- ".rspec_status"
+- ".rubocop.yml"
+- CHANGELOG.md
+- LICENSE.txt
+- README.md
+- Rakefile
+- lib/omniauth-vitsme.rb
+- lib/omniauth/strategies/vitsme.rb
+- lib/omniauth/vitsme.rb
+- lib/omniauth/vitsme/version.rb
+- omniauth-vitsme.gemspec
+homepage: https://github.com/yuvaltobias/omniauth-vitsme
+licenses:
+- MIT
+metadata:
+  homepage_uri: https://github.com/yuvaltobias/omniauth-vitsme
+  source_code_uri: https://github.com/yuvaltobias/omniauth-vitsme
+  changelog_uri: https://github.com/yuvaltobias/omniauth-vitsme/blob/main/CHANGELOG.md
+  rubygems_mfa_required: 'true'
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: 3.0.0
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubygems_version: 3.7.0
+specification_version: 4
+summary: OmniAuth strategy for vits.me identity verification
+test_files: []