Rails 7 — Hub login with `omniauth-openid_connect`

Wire OAuth2 / OIDC into a Rails 7 app via OmniAuth. Five steps, ~25 lines of config.

Tested against: framework: Rails 7.1 · omniauth: omniauth-openid_connect@0.7

Rails + Thoryn quickstart architecture — omniauth-openid-connect routes through Hub to your federation member; current_user is the OIDC-authenticated session

Prereqs

  • Ruby 3.2+
  • Rails 7+
  • A Thoryn account

Step 1 — Register a confidential client

hub clients create \
  --name "My Rails app" \
  --redirect-uri "http://localhost:3000/auth/thoryn/callback" \
  --grant-types authorization_code,refresh_token \
  --scopes "openid email profile"

Step 2 — Add the gem

Gemfile:

gem "omniauth"
gem "omniauth-openid_connect"
gem "omniauth-rails_csrf_protection"

Then install:

bundle install

Step 3 — Configure

config/initializers/omniauth.rb:

Rails.application.config.middleware.use OmniAuth::Builder do
  provider :openid_connect, {
    name: :thoryn,
    issuer: "https://hub.thoryn.org",
    discovery: true,
    scope: [:openid, :email, :profile],
    response_type: :code,
    client_options: {
      identifier: ENV["THORYN_CLIENT_ID"],
      secret: ENV["THORYN_CLIENT_SECRET"],
      redirect_uri: "http://localhost:3000/auth/thoryn/callback",
    }
  }
end

Step 4 — Routes + callback

config/routes.rb:

Rails.application.routes.draw do
  get "/auth/:provider/callback", to: "sessions#create"
  post "/login", to: redirect("/auth/thoryn")
  delete "/logout", to: "sessions#destroy"
  root "home#index"
end

app/controllers/sessions_controller.rb:

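class SessionsController < ApplicationController
  # Skip Rails' CSRF check for the provider callback only; the OIDC state
  # parameter is what ties this request to the login that started it.
  skip_before_action :verify_authenticity_token, only: :create

  def create
    # Auth hash populated by OmniAuth once the provider callback succeeds.
    auth = request.env["omniauth.auth"]
    # Start a fresh session at login so a pre-login session ID cannot be fixated.
    reset_session
    session[:user] = {
      uid: auth.uid,
      email: auth.info.email,
      name: auth.info.name,
    }
    redirect_to root_path
  end

  def destroy
    # Drop all session data on logout.
    reset_session
    redirect_to root_path
  end
end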

Step 5 — Run it

THORYN_CLIENT_ID=... THORYN_CLIENT_SECRET=... bin/rails server

Troubleshooting

  • invalid_redirect_uri: omniauth-rails_csrf_protection wraps the login route — make sure you're POSTing to /login, not GETting /auth/thoryn.
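  • State mismatch: usually a session-store config issue. The state value is saved in the session when login starts and compared on the callback, so the session has to survive between those two requests. Use :cookie_store or Redis-backed sessions, not an in-memory store.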
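
Why the session store matters for the state check, as an added example (not code from this quickstart or from OmniAuth). MemoryStore, SharedStore and Worker are constructed names that model a per-process store, a Redis-like shared store, and one app server process.

```ruby
require "securerandom"
require "openssl"

# Constructed model, not OmniAuth internals: a session store maps the session
# id carried in the browser cookie to that session's data.
class MemoryStore            # per-process Hash: every worker has its own copy
  def initialize; @data = {}; end
  def load(sid); @data[sid] ||= {}; end
end

class SharedStore            # stands in for Redis: one backend for all workers
  BACKEND = {}
  def load(sid); BACKEND[sid] ||= {}; end
end

class Worker
  def initialize(store); @store = store; end

  # Request phase: mint a random state, remember it in the session, and
  # send the same value to the provider as the `state` parameter.
  def begin_login(sid)
    @store.load(sid)[:state] = SecureRandom.hex(16)
  end

  # Callback phase: the returned state must equal the stored one.
  # The stored value is single-use, so it is deleted as it is read.
  def callback(sid, returned_state)
    expected = @store.load(sid).delete(:state)
    return :state_mismatch if expected.nil?
    return :state_mismatch unless OpenSSL.secure_compare(expected, returned_state)
    :ok
  end
end

# Login starts on worker A; the provider redirect is served by worker B.
def login_across_workers(store_class)
  a = Worker.new(store_class.new)
  b = Worker.new(store_class.new)
  sid = SecureRandom.hex(8)
  state = a.begin_login(sid)
  b.callback(sid, state)
end

puts login_across_workers(MemoryStore)  # state_mismatch
puts login_across_workers(SharedStore)  # ok
```

:cookie_store behaves like the shared case because the session data travels in the cookie itself, so whichever worker serves the callback sees the stored state.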