Refactor Flemish government provider to support LeerID

.gitignore

@@ -59,3 +59,5 @@ junit.xml
 
 /app/assets/builds/*
 !/app/assets/builds/.keep
+
+/config/credentials/production.key

app/controllers/application_controller.rb

@@ -71,9 +71,9 @@ def after_sign_out_path_for(_resource)
   end
 
   Warden::Manager.after_authentication do |user, _auth, _opts|
-    if user.email.blank? && !user.institution&.uses_lti? && !user.institution&.uses_oidc? && !user.institution&.uses_smartschool?
+    if user.email.blank? && !user.institution&.uses_lti? && !user.institution&.uses_flemish_government? && !user.institution&.uses_smartschool?
       raise "User with id #{user.id} should not have a blank email " \
-            'if the provider is not LTI, OIDC or Smartschool'
+            'if the provider is not LTI, ACM-IDM or Smartschool'
     end
     user.touch(:sign_in_at)
   end

app/controllers/auth/authentication_controller.rb

@@ -26,7 +26,7 @@ def sign_in
       Provider.find_by(identifier: 'e638861b-15d9-4de6-a65d-b48789ae1f08') # UCLL
     ].compact
     @other = [
-      Provider.find_by(issuer: 'https://authenticatie.vlaanderen.be/op'),
+      Provider::FlemishGovernment, # Vlaamse Overheid
       Provider::Elixir # Elixir
     ].compact
 

app/controllers/auth/omniauth_callbacks_controller.rb

@@ -33,13 +33,13 @@
     try_login!
   end
 
-  def oidc
-    try_login!
+  def flemish_government
+    generic_oauth
   end
 
   def surf
-    try_login!
+    generic_oauth
   end
 
   def elixir
     try_login!

app/models/institution.rb

@@ -65,8 +65,8 @@ def uses_lti?
     providers.any? { |provider| provider.type == Provider::Lti.name }
   end
 
-  def uses_oidc?
-    providers.any? { |provider| provider.type == Provider::Oidc.name }
+  def uses_flemish_government?
+    providers.any? { |provider| provider.type == Provider::FlemishGovernment.name }
   end
 
   def uses_smartschool?

app/models/provider.rb

@@ -22,7 +22,7 @@
 class Provider < ApplicationRecord
   enum mode: { prefer: 0, redirect: 1, link: 2, secondary: 3 }
 
-  PROVIDERS = [Provider::GSuite, Provider::Lti, Provider::Office365, Provider::Oidc, Provider::Saml, Provider::Smartschool, Provider::Surf, Provider::Elixir].freeze
+  PROVIDERS = [Provider::GSuite, Provider::Lti, Provider::Office365, Provider::FlemishGovernment, Provider::Saml, Provider::Smartschool, Provider::Surf, Provider::Elixir].freeze
 
   belongs_to :institution, inverse_of: :providers, optional: true
 
@@ -31,7 +31,7 @@ class Provider < ApplicationRecord
   scope :gsuite, -> { where(type: Provider::GSuite.name) }
   scope :lti, -> { where(type: Provider::Lti.name) }
   scope :office365, -> { where(type: Provider::Office365.name) }
-  scope :oidc, -> { where(type: Provider::Oidc.name) }
+  scope :flemish_government, -> { where(type: Provider::FlemishGovernment.name) }
   scope :saml, -> { where(type: Provider::Saml.name) }
   scope :smartschool, -> { where(type: Provider::Smartschool.name) }
   scope :surf, -> { where(type: Provider::Surf.name) }

app/models/provider/oidc.rb → app/models/provider/flemish_government.rb

@@ -19,12 +19,28 @@
 #  issuer            :string(255)
 #  jwks_uri          :string(255)
 #
-class Provider::Oidc < Provider
+class Provider::FlemishGovernment < Provider
   validates :certificate, :entity_id, :sso_url, :slo_url, absence: true
-  validates :identifier, absence: true
-  validates :client_id, :issuer, presence: true
+  validates :identifier, uniqueness: { case_sensitive: false }
+  validates :client_id, :issuer, absence: true
 
   def self.sym
-    :oidc
+    :flemish_government
+  end
+
+  def self.logo
+    'vlaamse-overheid.png'
+  end
+
+  def self.readable_name
+    'Vlaamse Overheid'
+  end
+
+  def self.extract_institution_name(auth_hash)
+    institution_name = auth_hash&.info&.institution_name
+
+    return Provider.extract_institution_name(auth_hash) if institution_name.nil?
+
+    [institution_name, institution_name]
   end
 end

app/models/user.rb

@@ -118,7 +118,7 @@ class User < ApplicationRecord
   has_many :annotations, dependent: :restrict_with_error
   has_many :questions, dependent: :restrict_with_error
 
-  devise :omniauthable, omniauth_providers: %i[google_oauth2 lti office365 oidc saml smartschool surf elixir]
+  devise :omniauthable, omniauth_providers: %i[google_oauth2 lti office365 flemish_government saml smartschool surf elixir]
 
   validates :username, uniqueness: { case_sensitive: false, allow_blank: true, scope: :institution }
   validates :email, uniqueness: { case_sensitive: false, allow_blank: true, scope: :institution }
@@ -212,7 +212,7 @@ class User < ApplicationRecord
   }
 
   def provider_allows_blank_email
-    return if institution&.uses_lti? || institution&.uses_oidc? || institution&.uses_smartschool?
+    return if institution&.uses_lti? || institution&.uses_flemish_government? || institution&.uses_smartschool?
 
     errors.add(:email, 'should not be blank') if email.blank?
   end

app/views/auth/_provider_button.html.erb

@@ -29,20 +29,6 @@
         <div><i class="mdi mdi-chevron-right"></i></div>
       </div>
     <% end %>
-  <% elsif provider.type == "Provider::Oidc" %>
-    <%= link_to omniauth_authorize_path(:user, Provider::Oidc.sym, provider: provider), method: :post, class: 'institution-sign-in col-md-6 col-xl-4' do %>
-      <div class="option-btn">
-        <div class="option-btn-img">
-          <%= image_tag institution_logo(institution.logo), class: "img-fluid" %>
-        </div>
-        <div class="option-btn-title">
-          <h3><%= institution.short_name %><br>
-            <small><%= institution.name %></small>
-          </h3>
-        </div>
-        <div><i class="mdi mdi-chevron-right"></i></div>
-      </div>
-    <% end %>
   <% else %>
     <%= link_to omniauth_authorize_path(:user, provider.class.sym), method: :post, class: 'institution-sign-in col-md-6 col-xl-4' do %>
       <div class="option-btn">

config/credentials.yml.enc

@@ -1 +1 @@
-HK5nEb7Obp66Y79JPxk8eDcvdMkiKxX49gZstAf3db6Da6bpOeuEr9biEKow07kOuhd/OqWdODtrk9Iz2Clilk2HbpaEqGXQxPPISnG3UY+r/vuLzkULbyPJlPxDVq0MsaSifVDqZAtkNhaO/p28YtNNl04+tDtYs/No00HvkEhbFwUOuPX6DQkOB5PG547v2rUVvLZ0K6O5PuNS+8VA4N21cgGrLtVTLPsjY0CghJ/A4fqLGkEypJuEQyaVUlEkaMb36lWTUZap4Xr6DHXOusGxX0698UlThK4GKmEhxZR0UsMtp5djZa6/v0YR1O5cjzl82Pe/3tOgrN3BupfSa7yeIuhH3DoHPwNHo3JrwyypW2FMcuhxjO8VCfAyYEBky/TJLqUdJnbx7++zjKTedC0UNLIxU9rKSsGsjDm+zK5UcF7dbpLFVBtH/ZdfeWnaZL/CiZPcBmOrtrVGMQkWp0921kLPbLWzxURA1H4cVJ3Zj/wOzqJhb253kFH9mTkN8+r8uKjcH4mp/bBk0R0USBmqy6ewEgb8NTHKPBJb9smHZywA2bVQGjFm3fUL0Tb0YCcZqs+CdRgaXzc/ShMj758YiXK6o5n6yrAlumbLoS1wMCaxzgbLmFcD8s3FeCI79fcpoiTkUQLzPAi7seUh5euU/W665vKe6Sc4LzRP5Tmh8Y2dz2TnQmCWYr9Z2QfUZlMRYCdUfILPinv1XkmfgZ+dSljTupaBLdSmcV/ssQbgGXUitEDHlN3ZYlIXALDckmL701E1/jM9xoMQg7QQ90NYQjcmYSuiORTBapLoy5lUMjSBXv8p8JXQ/zR3R26P9C9ODYMYJzePJB6+NC01zT2qfET6/XpU0M89kGxmahdopu/27YCe6DZFTPnIrQ7lFgWOdM8CJF9wdaVozfg0P8Ck/tS0EjZiQ1U6oC7NXBk67zr9+OZZixTOTUKBHO0tzmeX4/11kOAwg1FUAMeaP/CztdrDIMa/1olUMTPAzI4OY3+I+WoOOotOvv64lie/JJqm9LRQvjbGIQY6/T21wKR8K//rkKN53ODogAjBHEbLNFTjXTVkxKuXIkpJ+aSIxd9+CTANb44DKeLXB0FLz+fmMRoiZFbFMW1c45CaPAlROxiklqvOqyget/oAjbm6XCHEi4k9fruLqwWMsRgLkG2tUArBusybqsdKi6K7o0Esm0JrLVy1ACh2APadGhWMgtY2Wqwo+IQeZEdUCm2rLRYkuaXEKeNrSK2dJYFYoCEtzmiuTqIpocikMhLhVp/FW6xCxn+1PNqNIfw2fq52Zb/cEfIllDT9ZCEXTdAsPjy8/MY0jBAh/E1WvCBXaZSSfi3xLv79fEVq/eBKV7mmB7eVGCXT9gDn+A0mIuNkGlXjVaJCBbKnwByK0BF5Q1LhwJI8Nl+Y0FLiSmmW/Uf7GUnPcUoVeIBAiqj0LvYk3dmcjKWSqRGPwnjPa1qz--SMu6mv2AvOVU+3ZM--W7kqAiucIEpkAl4PMCk1sw==
+dl1376ElzC5rNNepOA36nOFqB6cB4mIK6FrbQ8DCUb/tqzFNZ+b0Pl1ttB9GP832ilatyNGYGY+ofSbAOU86b7fx7xACJ4Zembms8Yvg547YDuYlWwxr1uS1hJd+Jimp3Nhgxh2zxwgnc/VZYFM7jaWu1sFkld+IEn794tz1qUvvRgvQKaC4kazJii+apG39ccB6L/UE90kiQlR4gWNtG5EzPfSLuWe8QW1BCSDc9cjC0GOQB5Tw7julgwkGa3Zgq8qScQ3wavVe5a6w8B/QAppxBH4sZUCDnVdVXLk/0dmA/8C1IQeHaLrklllOC0KCF/YQrDVNArVQXorQoXEP5s2VQkaDG6vvxBFxcgS642hXJEvq6HT+sk4Pa2+WDiZKBGDvS8ZDQR5NpdDNeXRjgDrsoPw26VYDBqPD6SUkeB59bMDPSAyVhzkgbEpLsTQ8SF9Rw1W/D3Xo28JRefo19xDcTVCjLEJ+LCNpDc32qvOEact6Ss/KrtH+wVBKWMnzEOp0pcgaZTSwcGLR5cnh/XtYbtuuERVL5EiT7p+eJAXHSyH04nfsSpTzMDWTfLDx8yyEkG4Yv1rEtCZ5tVTHvJb2Hx2JDsF9tovqCD01AQwWComPxcnzOWzCl6zmA4kHyjMpkd/9dHYbHdJIGdsm18zxXQat6+148YVH8F2iiFpV+Hr/njlGGK99aFFlthrBvWI9JpNQ2+RBUDMuFqXEu8o9R9SAOzpkU3dtygGRptE3WYWOvUmP3cHQh8S22cM1gJRdcOXvzPujLE0IJzPtNLE1eF7/XeVMzQuBt3/ZtKaNaStXYD6eKYrqs7yWeGGQGAfx/aJpDvePVrpwIYR6n7B1aYfnFiWalsz9di3mu+lccn6gl6Nlayp6lQAQE7pAWtvH+OgQpVWoeShEFE3iQyLwTDQ1xyHgaNquqQ8xU6m6TrhuU0c4Yrt8+G6ucIVjBRWR5E7D7k6FnsD37E/Ad+FbDFjkVXZ7dLYES/ezczkQONvqzrbO6T0p2Kx9nJieZu7/0ZWxA8pwcDH70831O/htRxX+iU+kMmKm6D9jYZQ0WiEN5tlJKLUaK2PogDdZbkDT1T0bso2fXQv17z84PPsMMEYQHPln6vkCFonLBgBJvdDGvDC2IzZDNZ+OCHVtGLg0IoDWgqFQknsh+TgDz6c0esOox/ZFcrhINFyUrQc+AnNq0yhGL+29E89ly0mhpTsO9SEYBBOZj8GVvXYu0vrtENkwqVCRGS4AyREvBVGq0y8nXGYagnzETtUdDZt4ZnjDlZBa1WL/CVYOTJL6n1xkyHpVH+D3hX8X5Ofwzx49tVtbyAcFflGUrNIx03VEqfW6veRMGvjRun4hW+lpY3qSq/CTXf34di/6SqHzePWaQ4JConQ2BHt7gMEBNEe0j7z56Nrmpkya4yIx5sjdgDQiI5eQjQHgphvHemjPyzz/DOXmNEYJQROXS//anfV2CjFDVSUGbxrYxDV/KyD9mHTcqawwMk1cz62uSwvDdhoGZpe9t/3wRVg93C/jEGTw7qZAxaw5/A==--uSkQjmMwf1jNxea4--Wd/v5VDHQD+u86QjDZHWyw==

config/credentials/staging.yml.enc

@@ -1 +1 @@
-FtEacz67m78JlWej2mS79IyO8jDCtCb0q5VAgrfzcRMwUrhd/npLcaxUC5lju07PRmvS23o2yR4iv6twgZ++YuU52j3VUkrBA+tpjO/JQjZIxYmF3YH88OOgludhGJDsKO3Piz12Ha6PFup6dcX0sOJInJeA8OFnJgGB2L+j4xULDidBfVvN9qBRECmHIcx4DrCPBNa30CbtPWpnM8fxtCQdqI9w0gZdQTTLvf8AYD7fQHsJjZ/JQdkJlyixHlFK2nCwJht9zj6a4VK+JwXzNueKR1XolVijXgPo/vx9RK3ZFfvieVhoRx8A/yZtmHxdDMLRoWWdjq5ruudUSM91z+7a6IZTncuf4bx/Q9gGMdFI9P1Ly9JnfhqJ+6yeeqlbo9As3wrjPIdGD54OSJE/vpvmle9cbop2GU7pq/9YwQC9yKoJizPOGqdDsqZUXgU99mKP9UjFDs2e1w849rJn3IyPcYlWN4s/ha/Z4nQAMkXoU4SzGyImNZv1Ne2oLPVEUCHvPppsal/lS4EjOFoKOVQ9n98DUu2VryFUUW7EoBZdobdHlhE7+sMd7j7Knrd8o3kEiddK9aVPBny9wOzu1D1Bv+zM3dKE+tLUIbJxN/Y9upGwdDo3Lo2BIIYE/gyGIc4i5W4nG8aXqhRFrmdKhhY2iQRM5RXY1UGOCwjX9AZTGzm8k0ru4me6r8KbOAOs7DxrE1SzzjQuc036yEsCPb8bT2G5uWFf80D4ZEUaEQmBgNeoZ6GtSJt5Oi8wfl9ZpDD1gYHaXSDaDAXlH/8N1A2SqW2sOgBaGCvNdZQnOtfsvnwDblc/Cufz4oYp0IPgJL9usAVCsSRaJb+FE0E6lGBdTALcFQ4TRd3DGhHOOcPXRD4nvkuxcDQdijHYkPBz5mhUYZQqSURNopZPMA1dRh1Q6rXVDHdJTE+FeN9N7mUwJi7ALeFlyREODirSUW/Kls9oZKPTEDPDxIJ9fkbqtqXY+wKkXIJVmOsVERlh055HeYWMXB+nD3kyaqK41qcdVKb7uH7gtLDdxKL2oVZMEQb1vD/jN8AKv9kaSlnR3mV0SWEZVls8La+ZMlh7MI7DHcHgIc06gBO4yDGgzh6LDeaBwa5dMvvK--gylYIlQZnfRkadmD--50UxMH/J6luJOiKmTdDNfQ==
+R3/CJKHc7eg6SwhmKUg/iD3afrPlqR/QqLPDrzHK1W0K+fpawBmVTBvs+0E5xtZq0bDxYQUfV8dFPsnRzc8208tPtneg2tzXWojkxu7CaWKL63IgBnDRAj1mY6iRA398lZREa1xOnnrsBOUFMkHz2BxK8KzTWfiLMjn5zaPNq5ZpTIjqf+e78b+u/587aLKyfnHp2fKCtSIXwYZgK3iItTcxMybiX7jr3YXe65oRGV5mLsbcdr/N1WrhjVFD9m7NOnhjI7XUw2Y78/4YwJcHjKA7tSLwuAz9BHEBLqBzgpr4DNHTioK4iL3Bu321ia1ZK+aQI8D1tBrzNpH9w2Jr/3AwabTwwpIMtyVX+TslcuvmBQ62BRCCcVecdllNc6VV/KSG5pWy2yiRZ04eQOoti2S1P8X8fdwxzb4jQ/eiL4640Mfi6RZj+NLSRQUVt52TInC2fL9uIFMtk+xETOT8jGpFzH64rw8A+Bh6zq3vQQSedr8w4pGxRupFNE8zwpoXYiHGI3bkQFr7Mu5sRay8Aj+iGURGxnBU7r9Xz1Jq32iDqpRJjifI5iOhb/azEUJ/G+Z/TERPg31NgeYI7KlfPUqGo5Gfc/h9zq6wCFQ3UXe4NcJIJ3guMCFAknI5bgIChAIDr8UnLcTPf2PjA3R36L+NHLD8zvgxwKbcgkLpSHECYiKzbRifkkkYEdwLr9f7iJ5vkrFgrfwGdJMc94/doCckRAjUjsHD0D5tcK8QCjdmq5O47LajM41KG4/ADF7BXIfMdu7IFlNP1mTXTnLdGJ6epAjIbJ2WT55AeYqEKNFMcrIK1TOY+M4BqdcMX2+hC6pbAm4/m4bdfIsvOKlpkD73IfCt7sBFYltmMfyBph0uQGi8E35huXB59QXlwnB3NaHkYZTdSh1tUasi+qlCOWdmtaHiCUgiUH/4CQtz9HyDFYnGlk3WKKGoCvUhxN78eGA9Aai5Hrl9hQDKLHhXRlw53kWVUpDHTgWNG7FkGHysOXL9Efjqw2ktYUk1pfHxNgLYvM+A79rU+Meo9RGCoa7PXRAAHskMMSBKFOiKX7zOqdq5YQDnU1S5gAQnvYla0Z3xWMGAS0/5JtKeNvnzQTwzll3wLoWagYvQt/bxPF2nGIfPnSspehgcyUjuNFUwAiSbJcG8NIFqU23Z8pupIN7fyI5iGykDkA1VCEeaYbtF--4ZnDJyUUYZ4bBWXv--RAbKFPok4P+ERq999nDiiA==

config/initializers/devise.rb

@@ -1,8 +1,9 @@
 ## LTI.
 require_relative '../../lib/LTI/auth.rb'
 
-## OIDC.
-require_relative '../../lib/OIDC/auth.rb'
+## ACM-IDM.
+require_relative '../../lib/FlemishGovernment/strategy.rb'
+require_relative '../../lib/FlemishGovernment/setup.rb'
 
 ## SAML.
 require_relative '../../lib/SAML/strategy.rb'
@@ -272,7 +273,7 @@
                   Rails.application.credentials.office365_client_id,
                   Rails.application.credentials.office365_client_secret
 
-  config.omniauth :oidc, setup: OIDC::Auth::OmniAuth::Setup
+  config.omniauth :flemish_government, setup: FlemishGovernment::Auth::OmniAuth::Setup
 
   config.omniauth :surf, setup: Surf::Auth::OmniAuth::Setup
 

config/locales/models/en.yml

@@ -159,7 +159,7 @@ en:
         office365: Office 365
         smartschool: Smartschool
         google_oauth2: Google Workspace
-        oidc: OpenID Connect
+        flemish_government: Flemish Government
         lti: LTI
         surf: SURFconext
         elixir: Elixir

config/locales/models/nl.yml

@@ -160,7 +160,7 @@ nl:
         office365: Office 365
         smartschool: Smartschool
         google_oauth2: Google Workspace
-        oidc: OpenID Connect
+        flemish_government: Vlaamse Overheid
         lti: LTI
         surf: SURFconext
         elixir: Elixir

db/seeds.rb

@@ -99,8 +99,8 @@ def fill_series_with_realistic_submissions(s)
   Provider::Smartschool.create institution: slo, identifier: 'https://slow.smartschool.be'
   Provider::Smartschool.create institution: college_ieper, identifier: 'https://college-ieper.smartschool.be'
 
-  # OIDC
-  Provider::Oidc.create institution: vlaanderen, client_id: '12345', issuer: 'https://authenticatie.vlaanderen.be/op'
+  # ACM-IDM
+  Provider::FlemishGovernment.create institution: vlaanderen, identifier: 'vlaamse-overheid'
 
   # Personal providers
   Provider::Office365.create identifier: '9188040d-6c67-4c5b-b112-36a304b66dad', institution: nil

lib/OIDC/client.rb → lib/FlemishGovernment/client.rb

@@ -1,7 +1,9 @@
 require "json/jwt"
 require "rack/oauth2/client/grant/authorization_code"
 
-module OIDC
+# Flemish government is an extension upon the OpenIDConnect Protocol
+# Changes are applied to support the specific requirements of ACM IDM.
+module FlemishGovernment
   class Client < OpenIDConnect::Client
     # By default, the JWT grant will set the `grant type` to `jwtbearer`.
     # However, Vlaamse Overheid expects this to be authorization_code; hence we

lib/FlemishGovernment/setup.rb

@@ -0,0 +1,60 @@
+# Flemish government is an extension upon the OpenIDConnect Protocol
+# Changes are applied to support the specific requirements of ACM IDM.
+module FlemishGovernment
+  module Auth
+    module OmniAuth
+      class Setup
+        KEY_PATH = '/home/dodona/key.pem'.freeze
+
+        def self.call(env)
+          new(env).setup
+        end
+
+        def initialize(env)
+          @env = env
+        end
+
+        def setup
+          @env['omniauth.params'] ||= {}
+          @env['omniauth.strategy'].options.merge!(configure)
+        end
+
+        def configure
+          {
+            client_options: {
+              identifier: client_id,
+              private_key: private_key,
+              redirect_uri: "https://#{@env['HTTP_HOST']}/users/auth/flemish_government/callback"
+            },
+            discovery: true,
+            response_mode: :form_post,
+            response_type: :code,
+            scope: [:openid, :profile, :vo, :ov_leerling],
+            client_auth_method: :jwt_bearer,
+            issuer: Rails.env.production? ? "https://authenticatie.vlaanderen.be/op" : "https://authenticatie-ti.vlaanderen.be/op",
+          }
+        end
+
+        private
+
+        def client_id
+          # This function allows to override the key path in tests.
+          Rails.application.credentials.acmidm_client_id
+        end
+
+        def private_key_path
+          # This function allows to override the key path in tests.
+          KEY_PATH
+        end
+
+        def private_key
+          # Only load the key if it exists (staging / production).
+          return nil unless File.file?(private_key_path)
+
+          # Parse the key.
+          @private_key ||= OpenSSL::PKey::RSA.new File.read(private_key_path)
+        end
+      end
+    end
+  end
+end

lib/FlemishGovernment/strategy.rb

@@ -0,0 +1,43 @@
+require_relative 'client.rb'
+require 'openid_connect'
+
+# Flemish government is an extension upon the OpenIDConnect Protocol
+# Changes are applied to support the specific requirements of ACM IDM.
+# This is used by both government officials and LeerID
+module OmniAuth
+  module Strategies
+    class FlemishGovernment < OmniAuth::Strategies::OpenIDConnect
+      option :name, 'flemish_government'
+
+      info do
+        {
+          # No org is provided for flemish government accounts, so we default to 'vlaamse-overheid'
+          institution: user_info.raw_attributes['ov_orgcode'] || "vlaamse-overheid",
+          institution_name: user_info.raw_attributes['ov_orgnaam'] || "Vlaamse Overheid",
+          email: user_info.raw_attributes['vo_email'] # this will be nil for leerid accounts
+        }
+      end
+
+      def client
+        # This logic was added specifically for Vlaamse Overheid. By default,
+        # the audience will be set to the token endpoint (which is compliant to
+        # the OIDC specification). However, Vlaamse Overheid wants this to be
+        # equal to the issuer.
+        #
+        # Token endpoint: https://authenticatie-ti.vlaanderen.be/op/v1/token.
+        # Vlaamse Overheid wants: https://authenticatie-ti.vlaanderen.be/op.
+        @client ||= ::FlemishGovernment::Client.new(client_options.merge(audience: options.issuer))
+      end
+
+      def uid
+        # Leerid accounts do not provide a sub, instead they provide 'ov_account_uuid', 'ov_leerid_uuid' and 'ov_historiek_account_uuid'
+        # We use 'ov_account_uuid' as it is always present
+        # It is important to note that 'ov_account_uuid' could change over time, but this should only happen in edge cases: eg. after merging accounts from foreign students
+        # Should we notice that this causes too much trouble, more complex logic should be implemented
+        # Probably in omniauth_callbacks_controller `find_identity_by_uid`
+        super || user_info.raw_attributes['ov_account_uuid']
+      end
+    end
+  end
+end
+