rodauth-omniauth 0.1.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: 99f2cd5c47082f18ff2b0feeea0106c104edf6454e354fb04f8c74044b7796b2
+  data.tar.gz: 58c096a1176cce8c2aa1ef0741c35e0ec81a36fb1d3d7bf9350b01c143daffdb
+SHA512:
+  metadata.gz: 3ee9f500a18535a215d74d6cbc250561a7d0b61cc5818166e7bf481b74bf67dedf2547228ffbec177273715d1001cce2178e7590cadc8c21b102ef1b9585f9c5
+  data.tar.gz: fe0337fdc2ef82ea53c5b8514383df10d60433900deaa35fa519ffe0e846c3a5e79deead46b1e790e29a35ffac0a00a2301c6437376d8fd91832d8ee1cb49a8e

data/LICENSE.txt

@@ -0,0 +1,21 @@
+The MIT License (MIT)
+
+Copyright (c) 2020 Janko Marohnić
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.

data/README.md

@@ -0,0 +1,364 @@
+# rodauth-omniauth
+
+[Rodauth] feature that offers login and registration via multiple external providers using [OmniAuth]. The external identities are automatically stored in the database, and associated to the main account record.
+
+## Installation
+
+Add the gem to your project:
+
+```sh
+$ bundle add rodauth-omniauth
+```
+
+## Usage
+
+You'll first need to create the table for storing external identities:
+
+```rb
+Sequel.migration do                       # class CreateAccountIdentities < ActiveRecord::Migration
+  change do                               #   def change
+    create_table :account_identities do   #     create_table :account_identities do |t|
+      primary_key :id                     #       t.references :account, null: false, foreign_key: { on_delete: :cascade }
+      foreign_key :account_id, :accounts  #       t.string :provider, null: false
+      String :provider, null: false       #       t.string :uid, null: false
+      String :uid, null: false            #       t.index [:provider, :uid], unique: true
+      unique [:provider, :uid]            #     end
+    end                                   #   end
+  end                                     # end
+end
+```
+
+Then enable the `omniauth` feature and register providers in your Rodauth configuration:
+
+```sh
+$ bundle add omniauth-facebook omniauth-twitter, omniauth-google_oauth2
+```
+```rb
+plugin :rodauth do
+  enable :omniauth
+
+  omniauth_provider :facebook, ENV["FACEBOOK_APP_ID"], ENV["FACEBOOK_APP_SECRET"], scope: "email"
+  omniauth_provider :twitter, ENV["TWITTER_API_KEY"], ENV["TWITTER_API_SECRET"]
+  omniauth_provider :google_oauth2, ENV["GOOGLE_CLIENT_ID"], ENV["GOOGLE_CLIENT_SECRET"], name: :google
+end
+```
+
+You can now add authentication links to your login form:
+
+```erb
+<!-- app/views/rodauth/_login_form_footer.html.erb -->
+<%== rodauth.login_form_footer_links_heading %>
+
+<ul>
+  <li><%= button_to "Login via Facebook", rodauth.omniauth_request_path(:facebook), method: :post, data: { turbo: false }, class: "btn btn-link p-0" %></li>
+  <li><%= button_to "Login via Twitter", rodauth.omniauth_request_path(:twitter), method: :post, data: { turbo: false }, class: "btn btn-link p-0" %></li>
+  <li><%= button_to "Login via Google", rodauth.omniauth_request_path(:google), method: :post, data: { turbo: false }, class: "btn btn-link p-0" %></li>
+  <% rodauth.login_form_footer_links.each do |_, link, text| %>
+    <li><%= link_to text, link %></li>
+  <% end %>
+</ul>
+```
+
+Assuming you configured the providers correctly, you should now be able to authenticate via an external provider. The `omniauth` feature handles the callback request, automatically creating new identities and verified accounts from those identities as needed.
+
+```rb
+DB[:accounts].all
+#=> [{ id: 123, status_id: 2, email: "user@example.com" }]
+DB[:account_identities].all
+#=> [{ id: 456, account_id: 123, provider: "facebook", uid: "984346198764" },
+#    { id: 789, account_id: 123, provider: "google", uid: "5871623487134"}]
+```
+
+Currently, provider login is required to return the user's email address, and account creation is assumed not to require additional fields that need to be entered manually. There is currently also no built-in functionality for connecting/removing external identities when signed in. Both features are planned for future versions.
+
+### Login
+
+If the local account associated to the external identity exists and is unverified (e.g. it was created through normal registration), the external login will abort during the callback phase. You can change the default error flash and redirect location in this case:
+
+```rb
+omniauth_login_unverified_account_error_flash "The account matching the external identity is currently awaiting verification"
+omniauth_login_failure_redirect { require_login_redirect }
+```
+
+### Account creation
+
+Since provider accounts have verified the email address, local accounts created via external logins are automatically considered verified.
+
+If you want to use extra user information for account creation, you can do so via hooks:
+
+```rb
+before_omniauth_create_account { account[:name] = omniauth_name }
+# or
+after_omniauth_create_account do
+  Profile.create(account_id: account_id, bio: omniauth_info["description"], image_url: omniauth_info["image"])
+end
+```
+
+When the account is closed, its external identities are automatically cleared from the database.
+
+### Identity data
+
+You can also store extra data on the external identities. For example, we could override the update hash to store `info`, `credentials`, and `extra` data from the auth hash into separate columns:
+
+```rb
+alter_table :account_identities do
+  add_column :info, :json, default: "{}"
+  add_column :credentials, :json, default: "{}"
+  add_column :extra, :json, default: "{}"
+end
+```
+```rb
+# this data will be refreshed on each login
+omniauth_identity_update_hash do
+  {
+    info: omniauth_info.to_json,
+    credentials: omniauth_credentials.to_json,
+    extra: omniauth_extra.to_json,
+  }
+end
+```
+
+With this configuration, the identity record will be automatically synced with most recent state on each provider login. If you would like to only save provider data on first login, you can override the insert hash instead:
+
+```rb
+# this data will be stored only on first login
+omniauth_identity_insert_hash do
+  super().merge(
+    info: omniauth_info.to_json,
+    credentials: omniauth_credentials.to_json,
+    extra: omniauth_extra.to_json,
+  }
+end
+```
+
+### Model associations
+
+When using the [rodauth-model] gem, an `identities` one-to-many association will be defined on the account model:
+
+```rb
+require "rodauth/model"
+
+class Account < Sequel::Model
+  include Rodauth::Model(RodauthApp.rodauth)
+end
+```
+```rb
+Account.first.identities #=>
+# [
+#   #<Account::Identity id=123 provider="facebook" uid="987434628">,
+#   #<Account::Identity id=456 provider="google" uid="274673644">
+# ]
+```
+
+## Base
+
+The `omniauth` feature builds on top of the `omniauth_base` feature, which sets up OmniAuth and routes its requests, but has no interaction with the database. So, if you would prefer to handle external logins differently, you can load just the `omniauth_base` feature, and implement your own callbacks.
+
+```rb
+plugin :rodauth do
+  enable :omniauth_base
+
+  omniauth_provider :github, ENV["GITHUB_KEY"], ENV["GITHUB_SECRET"], scope: "user"
+  omniauth_provider :apple, ENV["CLIENT_ID"], { scope: "email name", ... }
+end
+
+route do |r|
+  r.rodauth # routes Rodauth and OmniAuth requests
+
+  r.get "auth", String, "callback" do
+    # ... handle callback request ...
+  end
+end
+```
+
+### Helpers
+
+There are various helper methods available for reading OmniAuth data:
+
+```rb
+# retrieving the auth hash:
+rodauth.omniauth_auth #=> { "provider" => "twitter", "uid" => "49823724", "info" => { "email" => "user@example.com", "name" => "John Smith", ... }, ... }
+rodauth.omniauth_provider #=> "twitter"
+rodauth.omniauth_uid #=> "49823724"
+rodauth.omniauth_info #=> { "email" => "user@example.com", "name" => "John Smith", ... }
+rodauth.omniauth_email #=> "user@example.com"
+rodauth.omniauth_name #=> "John Smith"
+rodauth.omniauth_credentials #=> returns "credentials" value from auth hash
+rodauth.omniauth_extra #=> returns "extra" value from auth hash
+
+# retrieving additional information:
+rodauth.omniauth_strategy #=> #<OmniAuth::Strategies::Twitter ...>
+rodauth.omniauth_params # returns GET params from request phase
+rodauth.omniauth_origin # returns origin from request phase (usually referrer)
+
+# retrieving error information in case of a login failure
+rodauth.omniauth_error # returns the exception object
+rodauth.omniauth_error_type # returns the error type symbol (strategy-specific)
+rodauth.omniauth_error_strategy # returns the strategy for which the error occured
+```
+
+### URLs
+
+URL helpers are provided as well:
+
+```rb
+rodauth.prefix #=> "/user"
+rodauth.omniauth_prefix #=> "/auth"
+
+rodauth.omniauth_request_route #=> "auth/facebook"
+rodauth.omniauth_request_path #=> "/user/auth/facebook"
+rodauth.omniauth_request_url #=> "https://example.com/user/auth/facebook"
+
+rodauth.omniauth_callback_route #=> "auth/facebook/callback"
+rodauth.omniauth_callback_path #=> "/user/auth/facebook/callback"
+rodauth.omniauth_callback_url #=> "https://example.com/user/auth/facebook/callback"
+```
+
+The prefix for the OmniAuth app can be changed:
+
+```rb
+omniauth_prefix "/external"
+```
+
+### Hooks
+
+OmniAuth configuration has global hooks for various phases, which get called with the Rack env hash. Here you can use corresponding Rodauth configuration methods, which are executed in Rodauth context:
+
+```rb
+omniauth_setup { ... }
+omniauth_request_validation_phase { ... }
+omniauth_before_request_phase { ... }
+omniauth_before_callback_phase { ... }
+omniauth_on_failure { ... }
+```
+
+You can use the `omniauth_strategy` helper method to differentiate between strategies:
+
+```rb
+omniauth_setup do
+  if omniauth_strategy.name == :github
+    omniauth_strategy.options[:foo] = "bar"
+  end
+end
+```
+
+#### Failure
+
+The default reaction to login failure is to redirect to the root page with an error flash message. You can change the configuration:
+
+```rb
+omniauth_failure_error_flash "There was an error logging in with the external provider"
+omniauth_failure_redirect { default_redirect }
+omniauth_failure_error_status 500 # for JSON API
+```
+
+Or provide your own implementation:
+
+```rb
+omniauth_on_failure do
+  case omniauth_error_type
+  when :no_authorization_code then ...
+  when :uknown_signature_algorithm then ...
+  else ...
+  end
+end
+```
+
+#### CSRF protection
+
+The default request validation phase uses Rodauth's configured CSRF protection, so there is no need for external gems such as `omniauth-rails_csrf_protection`.
+
+### Inheritance
+
+The registered providers are inherited between Rodauth auth classes, so you can have fine-grained configuration for different account types.
+
+```rb
+class RodauthBase < Rodauth::Auth
+  configure do
+    enable :omniauth_base
+    omniauth_provider :google_oauth2, ...
+  end
+end
+```
+```rb
+class RodauthMain < RodauthBase
+  configure do
+    omniauth_provider :facebook, ...
+  end
+end
+```
+```rb
+class RodauthAdmin < RodauthBase
+  configure do
+    omniauth_provider :twitter, ...
+    omniauth_provider :github, ...
+  end
+end
+```
+```rb
+class RodauthApp < Roda
+  plugin :rodauth, auth_class: RodauthMain
+  plugin :rodauth, auth_class: RodauthAdmin, name: :admin
+end
+```
+```rb
+rodauth.omniauth_providers #=> [:google_oauth2, :facebook]
+rodauth(:admin).omniauth_providers #=> [:google_oauth2, :twitter, :github]
+```
+
+### JSON
+
+JSON requests are supported for the request and callback phases. The request phase endpoint will return the authorize URL:
+
+```http
+POST /auth/facebook
+Accept: application/json
+Content-Type: application/json
+
+200 OK
+Content-Type: application/json
+{ "authorize_url": "https://external.com/login" }
+```
+
+If there was a login failure, the error type will be included in the response:
+
+```http
+POST /auth/facebook/callback
+Accept: application/json
+Content-Type: application/json
+
+500 Internal Server Error
+Content-Type: application/json
+{ "error_type": "some_error", "error": "There was an error logging in with the external provider" }
+```
+
+You can change authorize URL and error type keys:
+
+```rb
+omniauth_authorize_url_key "authorize_url"
+omniauth_error_type_key "error_type"
+```
+
+### JWT
+
+JWT requests are supported for the request and callback phases. OmniAuth information will be stored in JWT session data during the request phase, and restored during the callback phase, as long as the updated JWT token is passed.
+
+## Development
+
+Run tests with Rake:
+
+```sh
+$ bundle exec rake test
+```
+
+## License
+
+The gem is available as open source under the terms of the [MIT License](https://opensource.org/licenses/MIT).
+
+## Code of Conduct
+
+Everyone interacting in the rodauth-omniauth project's codebases, issue trackers, chat rooms and mailing lists is expected to follow the [code of conduct](https://github.com/janko/rodauth-pwned/blob/master/CODE_OF_CONDUCT.md).
+
+[Rodauth]: https://github.com/jeremyevans/rodauth
+[OmniAuth]: https://github.com/omniauth/omniauth
+[rodauth-model]: https://github.com/janko/rodauth-model

data/lib/rodauth/features/omniauth.rb

@@ -0,0 +1,195 @@
+# frozen_string_literal: true
+
+require "omniauth"
+
+module Rodauth
+  Feature.define(:omniauth, :Omniauth) do
+    depends :omniauth_base, :login
+
+    before :omniauth_callback_route
+    before :omniauth_create_account
+    after :omniauth_create_account
+
+    error_flash "The account matching the external identity is currently awaiting verification", :omniauth_login_unverified_account
+
+    redirect(:omniauth_login_failure) { require_login_redirect }
+
+    auth_value_method :omniauth_identities_table, :account_identities
+    auth_value_method :omniauth_identities_id_column, :id
+    auth_value_method :omniauth_identities_account_id_column, :account_id
+    auth_value_method :omniauth_identities_provider_column, :provider
+    auth_value_method :omniauth_identities_uid_column, :uid
+
+    auth_methods(
+      :create_omniauth_identity,
+      :omniauth_identity_insert_hash,
+      :omniauth_identity_update_hash,
+      :remove_omniauth_identities,
+      :update_omniauth_identity,
+      :omniauth_save_account,
+    )
+
+    auth_private_methods(
+      :retrieve_omniauth_identity,
+      :account_from_omniauth_identity,
+      :omniauth_new_account,
+    )
+
+    def route_omniauth!
+      result = super
+      handle_omniauth_callback if omniauth_request?
+      result
+    end
+
+    def handle_omniauth_callback
+      request.is omniauth_callback_route(omniauth_provider) do
+        _handle_omniauth_callback
+      end
+    end
+
+    def _handle_omniauth_callback
+      before_omniauth_callback_route
+
+      retrieve_omniauth_identity
+
+      if !account && omniauth_identity
+        account_from_omniauth_identity
+      end
+
+      unless account
+        account_from_login(omniauth_email)
+      end
+
+      if account && !open_account?
+        set_redirect_error_status unopen_account_error_status
+        set_redirect_error_flash omniauth_login_unverified_account_error_flash
+        redirect omniauth_login_failure_redirect
+      end
+
+      transaction do
+        unless account
+          omniauth_new_account
+          before_omniauth_create_account
+          omniauth_save_account
+          after_omniauth_create_account
+        end
+
+        if omniauth_identity
+          update_omniauth_identity
+        else
+          create_omniauth_identity
+        end
+      end
+
+      login("omniauth")
+    end
+
+    def retrieve_omniauth_identity
+      @omniauth_identity = _retrieve_omniauth_identity(omniauth_provider, omniauth_uid)
+    end
+
+    def account_from_omniauth_identity
+      @account = _account_from_omniauth_identity
+    end
+
+    def omniauth_new_account
+      @account = _omniauth_new_account(omniauth_email)
+    end
+
+    def omniauth_save_account
+      account[account_id_column] = db[accounts_table].insert(account)
+    end
+
+    def remove_omniauth_identities
+      omniauth_account_identities_ds.delete
+    end
+
+    def possible_authentication_methods
+      methods = super
+      methods << "omniauth" unless methods.include?("password") || omniauth_account_identities_ds.empty?
+      methods
+    end
+
+    private
+
+    def allow_email_auth?
+      (defined?(super) ? super : true) && omniauth_account_identities_ds.empty?
+    end
+
+    attr_reader :omniauth_identity
+
+    def _omniauth_new_account(login)
+      acc = { login_column => login }
+      unless skip_status_checks?
+        acc[account_status_column] = account_open_status_value
+      end
+      acc
+    end
+
+    def create_omniauth_identity
+      identity_id = omniauth_identities_ds.insert(omniauth_identity_insert_hash)
+      @omniauth_identity = { omniauth_identities_id_column => identity_id }
+    end
+
+    def update_omniauth_identity(identity_id = omniauth_identity_id)
+      update_hash = omniauth_identity_update_hash
+      return if update_hash.empty?
+
+      omniauth_identities_ds
+        .where(omniauth_identities_id_column => identity_id)
+        .update(update_hash)
+    end
+
+    def omniauth_identity_insert_hash
+      {
+        omniauth_identities_account_id_column => account_id,
+        omniauth_identities_provider_column => omniauth_provider.to_s,
+        omniauth_identities_uid_column => omniauth_uid,
+      }.merge(omniauth_identity_update_hash)
+    end
+
+    def omniauth_identity_update_hash
+      {}
+    end
+
+    def _retrieve_omniauth_identity(provider, uid)
+      omniauth_identities_ds.first(
+        omniauth_identities_provider_column => provider.to_s,
+        omniauth_identities_uid_column => uid,
+      )
+    end
+
+    def _account_from_omniauth_identity
+      account_ds(omniauth_identity_account_id).first
+    end
+
+    def after_close_account
+      super if defined?(super)
+      remove_omniauth_identities
+    end
+
+    def omniauth_identity_id
+      omniauth_identity[omniauth_identities_id_column]
+    end
+
+    def omniauth_identity_account_id
+      omniauth_identity[omniauth_identities_account_id_column]
+    end
+
+    def omniauth_account_identities_ds(acct_id = nil)
+      acct_id ||= account ? account_id : session_value
+
+      omniauth_identities_ds.where(omniauth_identities_account_id_column => acct_id)
+    end
+
+    def omniauth_identities_ds
+      db[omniauth_identities_table]
+    end
+  end
+end
+
+if defined?(Rodauth::Model)
+  Rodauth::Model.register_association(:identities) do
+    { name: :identities, type: :many, table: omniauth_identities_table, key: omniauth_identities_id_column }
+  end
+end

data/lib/rodauth/features/omniauth_base.rb

@@ -0,0 +1,213 @@
+# frozen_string_literal: true
+
+require "omniauth"
+
+module Rodauth
+  Feature.define(:omniauth_base, :OmniauthBase) do
+    error_flash "There was an error logging in with the external provider", :omniauth_failure
+
+    redirect :omniauth_failure
+
+    auth_value_method :omniauth_prefix, OmniAuth.config.path_prefix
+    auth_value_method :omniauth_failure_error_status, 500
+
+    auth_value_method :omniauth_authorize_url_key, "authorize_url"
+    auth_value_method :omniauth_error_type_key, "error_type"
+
+    auth_methods(
+      :build_omniauth_app,
+      :omniauth_before_callback_phase,
+      :omniauth_before_request_phase,
+      :omniauth_on_failure,
+      :omniauth_request_validation_phase,
+      :omniauth_setup,
+    )
+
+    configuration_module_eval do
+      def omniauth_provider(provider, *args)
+        @auth.instance_exec { @omniauth_providers << [provider, *args] }
+      end
+    end
+
+    def post_configure
+      super
+
+      omniauth_app = build_omniauth_app.to_app
+      self.class.send(:define_method, :omniauth_app) { omniauth_app }
+
+      self.class.roda_class.plugin :run_handler
+    end
+
+    def route!
+      super
+      route_omniauth!
+    end
+
+    def route_omniauth!
+      omniauth_run omniauth_app
+      nil
+    end
+
+    { request: "", callback: "/callback" }.each do |phase, suffix|
+      define_method(:"omniauth_#{phase}_url") do |provider, params = {}|
+        route_url(send(:"omniauth_#{phase}_route", provider), params)
+      end
+
+      define_method(:"omniauth_#{phase}_path") do |provider, params = {}|
+        route_path(send(:"omniauth_#{phase}_route", provider), params)
+      end
+
+      define_method(:"omniauth_#{phase}_route") do |provider|
+        "#{omniauth_prefix[1..-1]}/#{provider}#{suffix}"
+      end
+    end
+
+    %w[email name].each do |info_key|
+      define_method(:"omniauth_#{info_key}") do
+        omniauth_info[info_key]
+      end
+    end
+
+    %w[provider uid info credentials extra].each do |auth_key|
+      define_method(:"omniauth_#{auth_key}") do
+        omniauth_auth.fetch(auth_key)
+      end
+    end
+
+    %w[auth params strategy origin error error_type error_strategy].each do |data|
+      define_method(:"omniauth_#{data}") do
+        request.env.fetch("omniauth.#{data.tr("_", ".")}")
+      end
+    end
+
+    def omniauth_providers
+      self.class.instance_variable_get(:@omniauth_providers).map do |(provider, *args)|
+        options = args.last.is_a?(Hash) ? args.last : {}
+        options[:name] || provider
+      end
+    end
+
+    private
+
+    def omniauth_run(app)
+      omniauth_around_run do
+        request.run app, not_found: :pass do |res|
+          handle_omniauth_response(res)
+        end
+      end
+    end
+
+    # returns rack app with all registered strategies added to the middleware stack
+    def build_omniauth_app
+      builder = OmniAuth::Builder.new
+      builder.options(
+        path_prefix: omniauth_prefix,
+        setup: -> (env) { env["rodauth.omniauth.instance"].send(:omniauth_setup) }
+      )
+      builder.configure do |config|
+        [:request_validation_phase, :before_request_phase, :before_callback_phase, :on_failure].each do |hook|
+          config.send(:"#{hook}=", -> (env) { env["rodauth.omniauth.instance"].send(:"omniauth_#{hook}") })
+        end
+      end
+      self.class.instance_variable_get(:@omniauth_providers).each do |(provider, *args)|
+        options = args.pop if args.last.is_a?(Hash)
+        builder.provider provider, *args, **(options || {})
+      end
+      builder.run -> (env) { [404, {}, []] } # pass through
+      builder
+    end
+
+    def omniauth_request_validation_phase
+      check_csrf if check_csrf?
+    end
+
+    def omniauth_before_request_phase
+      # can be overrridden to perform code before request phase
+    end
+
+    def omniauth_before_callback_phase
+      # can be overrridden to perform code before callback phase
+    end
+
+    def omniauth_setup
+      # can be overridden to setup the strategy
+    end
+
+    def omniauth_on_failure
+      if features.include?(:json) && use_json?
+        json_response[omniauth_error_type_key] = omniauth_error_type
+      end
+
+      set_redirect_error_status omniauth_failure_error_status
+      set_redirect_error_flash omniauth_failure_error_flash
+      redirect omniauth_failure_redirect
+    end
+
+    def omniauth_around_run
+      set_omniauth_rodauth do
+        set_omniauth_session do
+          yield
+        end
+      end
+    end
+
+    # Ensures the OmniAuth app uses the same session as Rodauth.
+    def set_omniauth_session(&block)
+      if features.include?(:jwt) && use_jwt?
+        set_omniauth_jwt_session(&block)
+      else
+        session # ensure "rack.session" is set when roda sessions plugin is used
+        yield
+      end
+    end
+
+    # Makes OmniAuth strategies use the JWT session hash.
+    def set_omniauth_jwt_session
+      rack_session = request.env["rack.session"]
+      request.env["rack.session"] = session
+      yield
+    ensure
+      request.env["rack.session"] = rack_session
+    end
+
+    # Makes the Rodauth instance accessible inside OmniAuth strategies
+    # and callbacks.
+    def set_omniauth_rodauth
+      request.env["rodauth.omniauth.instance"] = self
+      yield
+    ensure
+      request.env.delete("rodauth.omniauth.instance")
+    end
+
+    # Returns authorization URL when using the JSON feature.
+    def handle_omniauth_response(res)
+      return unless features.include?(:json) && use_json?
+
+      if res[0] == 302
+        json_response[omniauth_authorize_url_key] = res[1]["Location"]
+        return_json_response
+      end
+    end
+
+    def omniauth_request?
+      request.env.key?("omniauth.strategy")
+    end
+
+    def self.included(auth)
+      auth.extend ClassMethods
+      auth.instance_variable_set(:@omniauth_providers, [])
+    end
+
+    module ClassMethods
+      def inherited(subclass)
+        super
+        subclass.instance_variable_set(:@omniauth_providers, @omniauth_providers.clone)
+      end
+
+      def freeze
+        super
+        @omniauth_providers.freeze
+      end
+    end
+  end
+end

data/rodauth-omniauth.gemspec

@@ -0,0 +1,31 @@
+Gem::Specification.new do |spec|
+  spec.name          = "rodauth-omniauth"
+  spec.version       = "0.1.0"
+  spec.authors       = ["Janko Marohnić"]
+  spec.email         = ["janko@hey.com"]
+
+  spec.summary       = "Rodauth extension for logging in and creating account via OmniAuth authentication."
+  spec.description   = "Rodauth extension for logging in and creating account via OmniAuth authentication."
+  spec.homepage      = "https://github.com/janko/rodauth-omniauth"
+  spec.license       = "MIT"
+
+  spec.required_ruby_version = ">= 2.3"
+
+  spec.metadata["homepage_uri"] = spec.homepage
+  spec.metadata["source_code_uri"] = spec.homepage
+
+  spec.files         = Dir["README.md", "LICENSE.txt", "*.gemspec", "lib/**/*"]
+  spec.require_paths = ["lib"]
+
+  spec.add_dependency "rodauth", "~> 2.0"
+  spec.add_dependency "omniauth", "~> 2.0"
+
+  spec.add_development_dependency "minitest"
+  spec.add_development_dependency "minitest-hooks"
+  spec.add_development_dependency "tilt"
+  spec.add_development_dependency "bcrypt"
+  spec.add_development_dependency "mail"
+  spec.add_development_dependency "net-smtp"
+  spec.add_development_dependency "capybara"
+  spec.add_development_dependency "jwt"
+end

metadata

@@ -0,0 +1,190 @@
+--- !ruby/object:Gem::Specification
+name: rodauth-omniauth
+version: !ruby/object:Gem::Version
+  version: 0.1.0
+platform: ruby
+authors:
+- Janko Marohnić
+autorequire:
+bindir: bin
+cert_chain: []
+date: 2022-11-03 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: rodauth
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.0'
+- !ruby/object:Gem::Dependency
+  name: omniauth
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.0'
+- !ruby/object:Gem::Dependency
+  name: minitest
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: minitest-hooks
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: tilt
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: bcrypt
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: mail
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: net-smtp
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: capybara
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: jwt
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+description: Rodauth extension for logging in and creating account via OmniAuth authentication.
+email:
+- janko@hey.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- LICENSE.txt
+- README.md
+- lib/rodauth/features/omniauth.rb
+- lib/rodauth/features/omniauth_base.rb
+- rodauth-omniauth.gemspec
+homepage: https://github.com/janko/rodauth-omniauth
+licenses:
+- MIT
+metadata:
+  homepage_uri: https://github.com/janko/rodauth-omniauth
+  source_code_uri: https://github.com/janko/rodauth-omniauth
+post_install_message:
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '2.3'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubygems_version: 3.3.3
+signing_key:
+specification_version: 4
+summary: Rodauth extension for logging in and creating account via OmniAuth authentication.
+test_files: []