OmniAuth OAuth2 SSO Authentication (Google, Microsoft)


Dan Hooper

May 12, 2020, 11:36:56
to omniauth
I work on a rails project where we use Devise for authentication, with OmniAuth for SSO, with Google and Microsoft as identity providers. While researching some other OAuth2 related things, we stumbled upon a number of resources that insist that using OAuth2 for authentication is bad news. Microsoft and Google's own documentation both advise using OpenID Connect for authentication with their platforms, and specify which parameters to include in the authorization request to facilitate this. Upon checking the options on the authorization requests we initiate, it is apparent that the out-of-the-box options provided by the omniauth-google-oauth2 and omniauth-microsoft-office365 gems do not match those indicated by the providers for their OpenID Connect workflow.

How concerned about this do I need to be? If we're using OmniAuth/OAuth2 for SSO, should we switch to an OpenID Connect-based strategy (e.g. https://github.com/m0n9oose/omniauth_openid_connect)? Or can I just configure our existing strategies to provide the expected parameters? Or is OmniAuth doing some extra magic around the OAuth2 process that is sufficient enough that I shouldn't worry about it?

Any insights anyone can offer to dispel this intimidating and confusing subject are most welcome!
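An added example in Ruby (not the poster's code and not from the omniauth gems) of the two pieces that separate an OpenID Connect login from a bare OAuth2 one: the extra authorization-request parameters, and the ID-token claim checks that bind the token to this client and to this login request. The client id, nonce and token payload are constructed placeholders, and signature verification is assumed to be done beforehand by a JWT library.

```ruby
# Hypothetical helper (added example, not the gems' code): the authorization
# request parameters that make a Google/Microsoft login an OIDC flow rather
# than a plain OAuth2 one. The values are constructed placeholders.
def oidc_authorize_params(client_id:, redirect_uri:, state:, nonce:)
  {
    'response_type' => 'code',
    'scope'         => 'openid email profile', # 'openid' requests an ID token
    'client_id'     => client_id,
    'redirect_uri'  => redirect_uri,
    'state'         => state, # CSRF protection for the callback
    'nonce'         => nonce  # echoed back inside the ID token, checked below
  }
end

class IdTokenValidationError < StandardError; end

# Google's documented issuer values; Microsoft's issuer is tenant-specific.
GOOGLE_ISSUERS = ['https://accounts.google.com', 'accounts.google.com'].freeze

# Validates the decoded ID token payload. The JWT signature is assumed to have
# been verified already against the provider's published keys (e.g. with the
# `jwt` gem); this only checks the claims that bind the token to us.
def validate_id_token_claims(claims, client_id:, expected_nonce:, issuers: GOOGLE_ISSUERS, now: Time.now)
  raise IdTokenValidationError, 'unexpected issuer' unless issuers.include?(claims['iss'])
  # aud: minted for *our* client id, not some other app that obtained a token
  raise IdTokenValidationError, 'wrong audience' unless Array(claims['aud']).include?(client_id)
  raise IdTokenValidationError, 'token expired' unless claims['exp'].to_i > now.to_i
  # nonce: ties the token to the login request this browser session started
  raise IdTokenValidationError, 'nonce mismatch' unless claims['nonce'] == expected_nonce
  raise IdTokenValidationError, 'missing subject' if claims['sub'].to_s.empty?
  claims['sub'] # the stable account identifier to key the local user on
end

# Constructed sample values (not real credentials or tokens).
SAMPLE_CLIENT_ID = 'example-client-id.apps.googleusercontent.com'.freeze
SAMPLE_NONCE     = 'constructed-nonce-8f3a'.freeze
SAMPLE_CLAIMS = {
  'iss'   => 'https://accounts.google.com',
  'aud'   => SAMPLE_CLIENT_ID,
  'sub'   => '1234567890',
  'email' => 'user@example.com',
  'nonce' => SAMPLE_NONCE,
  'exp'   => Time.utc(2020, 5, 12, 12, 0, 0).to_i
}.freeze

if $PROGRAM_NAME == __FILE__
  sub = validate_id_token_claims(SAMPLE_CLAIMS, client_id: SAMPLE_CLIENT_ID,
                                 expected_nonce: SAMPLE_NONCE, now: Time.utc(2020, 5, 12, 11, 36, 56))
  puts "authenticated subject: #{sub}"
end
```

The point of the checks is that a bare OAuth2 access token says only that some user authorized some client; the `aud` and `nonce` claims of an ID token are what tie the assertion to your application and to the login your server initiated.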
