Project

omniauth_govuk_one_login

0.0
No release in over 3 years
omniauth_govuk_one_loginrubenarakelyan/omniauth-govuk-one-loginHomepageDocumentationSource CodeBug TrackerWiki
An OmniAuth strategy for GOV.UK One Login
2005
2006
2007
2008
2009
2010
2011
2012
2013
2014
2015
2016
2017
2018
2019
2020
2021
2022
2023
2024
2025
 Popularity
Downloads
729
Stars
1
Forks
0
Watchers
0
 Releases
Current version
1.2.0
Total releases
5
First release
1980-01-02
Latest release
1980-01-02
 Pull Requests
Open Pull Requests
1
Closed Pull Requests
0
Merged Pull Requests
0
Pull Request Acceptance Rate
0%
 Development
Primary Language
Ruby
Licenses
MIT
Average date of last 50 commits
2025-06-06
Reverse Dependencies
0

 Dependencies

Development

activesupport
~> 8.0
pry-byebug
~> 3.11
rake
~> 13.3
rspec
~> 3.13
simplecov
~> 0.22
webmock
~> 3.25
rubocop
~> 1.76

Runtime

faraday
~> 2.13
jwt
~> 2.10
omniauth
~> 2.1
 Project Readme

GOV.UK One Login OmniAuth strategy

Gem Version

This gem is an OmniAuth strategy to provide authentication with GOV.UK One Login using the OpenID Connect protocol.

Heavily inspired by omniauth_login_dot_gov.

Getting started in a Rails app

There is excellent documentation at https://docs.sign-in.service.gov.uk/ for getting started with GOV.UK One Login as well as explanations of all the options and the login/logout flows.

Generate your keypair

openssl genpkey -algorithm RSA -out private_key.pem -pkeyopt rsa_keygen_bits:2048
openssl rsa -pubout -in private_key.pem -out public_key.pem

Sign up for GOV.UK One Login and configure your service

  1. Visit https://admin.sign-in.service.gov.uk/ and sign up with an eligible government email address.
  2. Create a new service to get your client ID.
  3. Add http://localhost:3000/auth/govuk_one_login/callback as a redirect URI.
  4. Add your public key.

Configure your app

  1. Add environment variables to your application for details needed by this gem:
GOVUK_ONE_LOGIN_CLIENT_ID=clientid
GOVUK_ONE_LOGIN_BASE_URL=https://oidc.integration.account.gov.uk/
GOVUK_ONE_LOGIN_REDIRECT_URI=http://localhost:3000/auth/govuk_one_login/callback
GOVUK_ONE_LOGIN_PRIVATE_KEY="-----BEGIN PRIVATE KEY-----
blah
-----END PRIVATE KEY-----"
  1. Add this gem to the Gemfile:
gem "omniauth_govuk_one_login"
  1. Additionally, add the OmniAuth CSRF protection gem to the Gemfile:
gem "omniauth-rails_csrf_protection"
  1. Install these gems and dependencies with bundle install
  2. Now, configure the OmniAuth middleware with an initializer:
# config/initializers/omniauth.rb
Rails.application.config.middleware.use OmniAuth::Builder do
  provider :govuk_one_login, {
    name: :govuk_one_login,
    client_id: ENV["GOVUK_ONE_LOGIN_CLIENT_ID"], # your client ID from the GOV.UK One Login admin tool
    idp_base_url: ENV["GOVUK_ONE_LOGIN_BASE_URL"],
    private_key: OpenSSL::PKey::RSA.new(ENV["GOVUK_ONE_LOGIN_PRIVATE_KEY"]), # the private key you generated above in PEM format
    redirect_uri: ENV["GOVUK_ONE_LOGIN_REDIRECT_URI"],
    # these are optional - shown here with their default values if omitted
    scope: "openid,email", # comma-separated; must include at least `openid` and `email`
    ui_locales: "en", # comma-separated; can also include `cy` for Welsh UI
    vtr: ["Cl.Cm"], # array with one element; dot-separated; can also include identity vectors such as `P2` (eg. `Cl.Cm.P2`)
    pkce: false, # set to `true` to enable "Proof Key for Code Exchange"
    userinfo_claims: [] # array of URLs; see https://docs.sign-in.service.gov.uk/integrate-with-integration-environment/authenticate-your-user/#create-a-url-encoded-json-object-for-lt-claims-request-gt
  }

  # will call `Users::OmniauthController#failure` if there are any errors during the login process
  on_failure { |env| Users::OmniauthController.action(:failure).call(env) }
end
  1. Create a controller for handling the callback, such as this:
# app/controllers/users/omniauth_controller.rb
module Users
  class OmniauthController < ApplicationController
    def callback
      omniauth_info = request.env["omniauth.auth"]["info"]
      @user = User.find_by(email: omniauth_info["email"])
      if @user
        @user.update!(uuid: omniauth_info["uuid"])
        sign_in @user
        redirect_to service_providers_path

      # Can't find an account, tell user to contact GOV.UK One Login
      else
        redirect_to users_none_url
      end
    end

    def failure
      # do something here
    end
  end
end
  1. Add the callback route to routes.rb 
get "/auth/govuk_one_login/callback", to: "users/omniauth#callback"
  1. Start your application and send a POST request to: /auth/govuk_one_login (eg. http://localhost:3000/auth/govuk_one_login) to initiate authentication with GOV.UK One Login.

More information and examples

The wiki contains more information and examples of using this gem in your application, including existing user migrations.

Note on gem signing and verification

This gem is cryptographically signed. To be sure the gem you install hasn’t been tampered with, run:

gem cert --add <(curl -Ls https://raw.github.com/rubenarakelyan/omniauth-govuk-one-login/main/certs/rubena.pem)
gem install omniauth_govuk_one_login -P MediumSecurity

The MediumSecurity trust profile will verify signed gems, but allow the installation of unsigned dependencies.

This is necessary because not all of this gem’s dependencies are signed, so we cannot use HighSecurity.

Licence

This gem is licensed under the MIT licence.