In this attempt I try to use the OpenID discovery document to get the endpoint URLs instead of hardcoding them, and also attempt to use the ID Token returned from the token endpoint to get the user information, rather than making a request to the userinfo endpoint. What I learnt was that in order to validate the returned ID token you normally have to use the provider's published public keys, so you would have to make an HTTP request to get the keys from the provider. These keys should then be cached so that you would not have to make a request for the keys every time somebody needs to authenticate. I implemented a very naive caching strategy where I simply cache the keys for 24 hours. This probably should be improved to respect the Cache-Control headers in the provider response for the keys. All in all I think having to cache these keys as well as the discovery document makes this implementation more complex than just using plain OAuth as you did in your implementation. Just getting an opaque access token and making an HTTP request with it is very straightforward, and also has the added benefit of not having to introduce an additional dependency on the JWT gem. Let me know what you think and thanks again for the demo you put together and the chance to attempt this.