Expand TARA auth flow to registrant portal

config/application.yml.sample

@@ -163,6 +163,10 @@ tara_secret: 'secret'
 tara_redirect_uri: 'redirect_url'
 tara_keys: "{\"kty\":\"RSA\",\"kid\":\"de6cc4\",\"n\":\"jWwAjT_03ypme9ZWeSe7c-jY26NO50Wo5I1LBnPW2JLc0dPMj8v7y4ehiRpClYNTaSWcLd4DJmlKXDXXudEUWwXa7TtjBFJfzlZ-1u0tDvJ-H9zv9MzO7UhUFytztUEMTrtStdhGbzkzdEZZCgFYeo2i33eXxzIR1nGvI05d9Y-e_LHnNE2ZKTa89BC7ZiCXq5nfAaCgQna_knh4kFAX-KgiPRAtsiDHcAWKcBY3qUVcb-5XAX8p668MlGLukzsh5tFkQCbJVyNtmlbIHdbGvVHPb8C0H3oLYciv1Fjy_tS1lO7OT_cb3GVp6Ql-CG0uED_8pkpVtfsGRviub4_ElQ\",\"e\":\"AQAB\"}"
 
+tara_rant_identifier: 'identifier'
+tara_rant_secret: 'secret'
+tara_rant_redirect_uri: 'redirect_uri'
+
 # Since the keys for staging are absent from the repo, we need to supply them separate for testing.
 test:
   payments_seb_bank_certificate: 'test/fixtures/files/seb_bank_cert.pem'

config/initializers/omniauth.rb

@@ -16,6 +16,10 @@ identifier = ENV['tara_identifier']
 secret = ENV['tara_secret']
 redirect_uri = ENV['tara_redirect_uri']
 
+registrant_identifier = ENV['tara_rant_identifier']
+registrant_secret = ENV['tara_rant_secret']
+registrant_redirect_uri = ENV['tara_rant_redirect_uri']
+
 Rails.application.config.middleware.use OmniAuth::Builder do
   provider "tara", {
       callback_path: '/registrar/open_id/callback',
@@ -43,4 +47,31 @@ Rails.application.config.middleware.use OmniAuth::Builder do
           redirect_uri: redirect_uri,
       },
   }
+
+  provider "tara", {
+      callback_path: '/registrant/open_id/callback',
+      name: 'rant_tara',
+      scope: ['openid'],
+      state: Proc.new{ SecureRandom.hex(10) },
+      client_signing_alg: :RS256,
+      client_jwk_signing_key: signing_keys,
+      send_scope_to_token_endpoint: false,
+      send_nonce: true,
+      issuer: issuer,
+
+      client_options: {
+          scheme: 'https',
+          host: host,
+
+          authorization_endpoint: '/oidc/authorize',
+          token_endpoint: '/oidc/token',
+          userinfo_endpoint: nil, # Not implemented
+          jwks_uri: '/oidc/jwks',
+
+          # Registry
+          identifier: registrant_identifier,
+          secret: registrant_secret,
+          redirect_uri: registrant_redirect_uri,
+      },
+  }
 end

config/locales/registrant/sessions.en.yml

@@ -2,11 +2,7 @@ en:
   registrant:
     sessions:
       new:
-        header: Log in
+        header: Sign in with identity document
         hint:  >-
-          Access currently available only to Estonian citizens and e-residents with Estonian ID-card
-          or Mobile-ID.
-
-      login_mid:
-        header: Log in with mobile-id
-        submit_btn: Login
+          Sign in using Estonian (incl. e-residents) ID card, mobile ID,
+          Bank link or other EU citizen's electronic ID supported by EIDAS.

config/routes.rb

@@ -176,6 +176,9 @@ Rails.application.routes.draw do
       # Client certificate is asked only on login form submission, therefore the path must be different from the one in
       # `new_registrant_user_session_path` route, in case some other auth type will be implemented
       post 'id' => 'sessions#create', as: :id_card_sign_in
+      match '/open_id/callback', via: %i[get post], to: 'tara#callback', as: :tara_registrant_callback
+      match '/open_id/cancel', via: %i[get post delete], to: 'tara#cancel',
+            as: :tara_registrant_cancel
     end
 
     resources :registrars, only: :show