From 2309b3cfb1fb1498f9cc22b725a189d85fe7dd1e Mon Sep 17 00:00:00 2001
From: Mattias Wadman
Date: Thu, 30 Jul 2015 15:13:12 +0200
Subject: [PATCH] Allow passing custom authorization uri option
Useful when migrating from OpenID to OpenID connect.
---
 README.md | 2 ++
 lib/omniauth/strategies/openid_connect.rb | 6 ++++--
 test/lib/omniauth/strategies/openid_connect_test.rb | 6 ++++++
 3 files changed, 12 insertions(+), 2 deletions(-)
diff --git a/README.md b/README.md
index 2ddfdcf5..b93a4ff3 100644
--- a/README.md
+++ b/README.md
@@ -58,6 +58,8 @@ Configuration details:
 If provider does not have Webfinger endpoint, You can specify "Issuer" to option.
 e.g. `issuer: "myprovider.com"`
 It means to get configuration from "https://myprovider.com/.well-known/openid-configuration".
+ * `authorization_opts` if you want to pass custom authorization options
+ e.g. `{:'openid.realm' => "..."}`
 For the full low down on OpenID Connect, please check out
 [the spec](http://openid.net/specs/openid-connect-core-1_0.html).
diff --git a/lib/omniauth/strategies/openid_connect.rb b/lib/omniauth/strategies/openid_connect.rb
index aca7d69b..41cf12c3 100644
--- a/lib/omniauth/strategies/openid_connect.rb
+++ b/lib/omniauth/strategies/openid_connect.rb
@@ -40,6 +40,7 @@ class OpenIDConnect
 option :acr_values
 option :send_nonce, true
 option :client_auth_method
+ option :authorization_opts, {}
 uid { user_info.sub }
@@ -116,12 +117,13 @@ def authorization_code
 def authorize_uri
 client.redirect_uri = client_options.redirect_uri
- opts = {
+ # to_hash as authorization_opts is a Hashi::mash causing dup query keys
+ opts = options.authorization_opts.to_hash.merge({
 response_type: options.response_type,
 scope: options.scope,
 state: new_state,
 nonce: (new_nonce if options.send_nonce),
- }
+ })
 client.authorization_uri(opts.reject{|k,v| v.nil?})
 end
diff --git a/test/lib/omniauth/strategies/openid_connect_test.rb b/test/lib/omniauth/strategies/openid_connect_test.rb
index ee8b8661..ca81b7af 100644
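Review bot: In `authorize_uri`, a `state`, `nonce`, `response_type` or `scope` entry in `authorization_opts` is only overridden by the literal when its key compares equal to the symbol key, and `to_hash` on a Hashie::Mash presumably returns string keys, so `"state"` and `:state` would both survive the merge and could both reach the query string. Those parameters bind the callback to the session, so configuration or setup-phase code should not be able to shadow or duplicate the strategy's own values. I would filter protocol-owned keys before merging: `reserved = %w[client_id redirect_uri response_type scope state nonce]`, then `extra = options.authorization_opts.to_hash.reject { |k, _| reserved.include?(k.to_s) }`, and merge the literal into `extra`. The added comment should also read `Hashie::Mash`.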
--- a/test/lib/omniauth/strategies/openid_connect_test.rb
+++ b/test/lib/omniauth/strategies/openid_connect_test.rb
@@ -323,4 +323,10 @@ def test_public_key_with_hmac
 strategy.options.client_signing_alg = :HS256
 assert_equal strategy.options.client_options.secret, strategy.public_key
 end
+
+ def test_option_authorization_opts
+ strategy.options.client_options[:host] = "example.com"
+ strategy.options.authorization_opts = {:'openid.realm' => 'realm'}
+ assert(strategy.authorize_uri =~ /^https:\/\/example\.com\/authorize\?client_id=1234&nonce=[\w\d]{32}&openid\.realm=realm&response_type=code&scope=openid&state=[\w\d]{32}$/, "URI must contain openid.realm")
+ end
 end
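Review bot: `test_option_authorization_opts` pins only the pass-through case, so nothing checks what happens when `authorization_opts` carries a key the strategy owns, such as `state` or `nonce`. A second test that sets `strategy.options.authorization_opts = {'state' => 'fixed'}` and asserts the URI contains exactly one `state=` parameter, without the value `fixed`, would lock down the merge precedence. The pattern would also be stricter with `\A` and `\z` in place of `^` and `$`, which match per line in Ruby, and `[\w\d]` is equivalent to `\w`. The enclosing test class starts outside the hunk.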