CMSgov · manojwadhwa81 · Dec 26, 2025 · Dec 26, 2025 · Dec 29, 2025 · Dec 29, 2025
@@ -142,7 +142,8 @@ services:
       - DATABASE_CLEANER_ALLOW_REMOTE_DATABASE_URL=true
       - CPI_API_GW_BASE_URL=http://localhost:4567/
       - CMS_IDM_OAUTH_URL=http://localhost:4567/
-      - IDP_HOST=idp.int.identitysandbox.gov
+      - IDP_ID_ME_HOST=api.idmelabs.com
+      - IDP_ID_ME_CLIENT_ID=925bb2985ccf623114359caa76228919
       - RUBY_YJIT_ENABLE=1
       - ENV=local
       - NEW_RELIC_MONITOR_MODE=false

@@ -0,0 +1,20 @@
+# Application settings 
+DATABASE_URL=postgresql://localhost:5432/dpc-portal_development
+TEST_DATABASE_URL=postgresql://localhost:5432/dpc-portal_test
+GOLDEN_MACAROON=${GOLDEN_MACAROON}
+API_METADATA_URL=http://localhost:3002/api/v1
+API_ADMIN_URL=http://localhost:9900
+DB_USER=postgres
+DB_PASS=dpc-safe
+DATABASE_CLEANER_ALLOW_REMOTE_DATABASE_URL=true
+CPI_API_GW_BASE_URL=http://localhost:4567/
+CMS_IDM_OAUTH_URL=http://localhost:4567/
+IDP_ID_ME_HOST=api.idmelabs.com
+IDP_LOGIN_DOT_GOV_HOST=idp.int.identitysandbox.gov
+RUBY_YJIT_ENABLE=1
+ENV=local
+RAILS_ENV=development
+NEW_RELIC_MONITOR_MODE=false
+DISABLE_JSON_LOGGER=true
+RAILS_DEVELOPMENT_HOSTS=host.docker.internal
+SKIP_SIMPLE_COV=${SKIP_SIMPLE_COV:-}
@@ -1,2 +1,4 @@
 --require spec_helper
 --order rand
+-I .
+-I spec
@@ -38,7 +38,7 @@ gem 'macaroons'
 gem 'net-imap', '>= 0.5.14'
 gem 'newrelic_rpm', '~> 8.10'
 gem 'nokogiri', '>= 1.19.3'
-gem 'omniauth_openid_connect'
+gem 'omniauth_openid_connect', '~> 0.8.0'
 gem 'omniauth-rails_csrf_protection'
 gem 'pg', '>= 0.18', '< 2.0'
 gem 'puma', '~> 6.4.3'
@@ -80,9 +80,13 @@ group :development do
   gem 'rubocop-performance', require: false
 
   # Version 0.18 has a breaking change for sonarqube
+  gem 'debug', '~> 1.6.0', require: false
+  gem 'httplog'
   gem 'simplecov', '<= 0.17'
   gem 'spring'
   gem 'spring-watcher-listen', '~> 2.1.0'
+
+  gem 'ruby-lsp-rspec'
 end
 
 group :test do

@@ -167,6 +167,9 @@ GEM
       addressable
     date (3.5.1)
     date_time_precision (0.8.1)
+    debug (1.6.3)
+      irb (>= 1.3.6)
+      reline (>= 0.3.1)
     descendants_tracker (0.0.4)
       thread_safe (~> 0.3, >= 0.3.1)
     diff-lcs (1.5.1)
@@ -217,6 +220,10 @@ GEM
       railties (>= 5.0)
     htmlbeautifier (1.4.3)
     htmlentities (4.3.4)
+    httplog (1.8.0)
+      benchmark
+      rack (>= 2.0)
+      rainbow (>= 2.0.0)
     i18n (1.14.8)
       concurrent-ruby (~> 1.0)
     ice_nine (0.11.2)
@@ -347,7 +354,7 @@ GEM
     omniauth_openid_connect (0.8.0)
       omniauth (>= 1.9, < 3)
       openid_connect (~> 2.2)
-    openid_connect (2.3.0)
+    openid_connect (2.3.1)
       activemodel
       attr_required (>= 1.0.0)
       email_validator
@@ -387,7 +394,7 @@ GEM
     raabro (1.4.0)
     racc (1.8.1)
     rack (3.2.6)
-    rack-oauth2 (2.2.1)
+    rack-oauth2 (2.3.0)
       activesupport
       attr_required
       faraday (~> 2.0)
@@ -434,6 +441,10 @@ GEM
       ffi
     rbnacl-libsodium (1.0.16)
       rbnacl (>= 3.0.1)
+    rbs (4.0.2)
+      logger
+      prism (>= 1.6.0)
+      tsort
     rdoc (7.2.0)
       erb
       psych (>= 4.0.0)
@@ -481,6 +492,12 @@ GEM
     rubocop-performance (1.23.0)
       rubocop (>= 1.48.1, < 2.0)
       rubocop-ast (>= 1.31.1, < 2.0)
+    ruby-lsp (0.26.9)
+      language_server-protocol (~> 3.17.0)
+      prism (>= 1.2, < 2.0)
+      rbs (>= 3, < 5)
+    ruby-lsp-rspec (0.1.29)
+      ruby-lsp (~> 0.26.0)
     ruby-progressbar (1.13.0)
     ruby2_keywords (0.0.5)
     rubyzip (2.3.2)
@@ -610,12 +627,14 @@ DEPENDENCIES
   byebug
   capybara
   climate_control
+  debug (~> 1.6.0)
   dotenv-rails
   factory_bot_rails
   fakefs
   faraday (>= 2.14.2)
   fhir_models
   health_check
+  httplog
   jbuilder (~> 2.7)
   json-jwt (>= 1.16.6)
   jwt (>= 3.2.0)
@@ -628,7 +647,7 @@ DEPENDENCIES
   newrelic_rpm (~> 8.10)
   nokogiri (>= 1.19.3)
   omniauth-rails_csrf_protection
-  omniauth_openid_connect
+  omniauth_openid_connect (~> 0.8.0)
   pg (>= 0.18, < 2.0)
   pg-aws_rds_iam
   pry
@@ -644,6 +663,7 @@ DEPENDENCIES
   rspec-rails
   rubocop
   rubocop-performance
+  ruby-lsp-rspec
   sassc-rails (>= 2.1.2)
   selenium-webdriver
   simplecov (<= 0.17)

@@ -1,10 +1,7 @@
 # frozen_string_literal: true
 
 # Parent class of all controllers
-class ApplicationController < ActionController::Base
-  IDP_HOST = ENV.fetch('IDP_HOST')
-  IDP_CLIENT_ID = "urn:gov:cms:openidconnect.profiles:sp:sso:cms:dpc:#{ENV.fetch('ENV')}".freeze
-
+class ApplicationController < ActionController::Base # rubocop:disable Metrics/ClassLength
   before_action :check_session_length
   before_action :set_current_request_attributes
   before_action :no_store
@@ -27,13 +24,16 @@ def authenticate_user!
     redirect_to sign_in_path
   end
 
-  def sign_in(user)
+  def sign_in(user, csp: 'login_dot_gov')
     session['user'] = user.id
+    session[:csp] = csp.to_s
   end
 
   private
 
   def check_user_verification
+    # puts current_user.inspect
+    # puts "Current user verification status: #{current_user.verification_status}" if current_user
     return unless current_user&.rejected?
 
     render(Page::Utility::AccessDeniedComponent.new(failure_code: "verification.#{current_user.verification_reason}"))
@@ -50,17 +50,38 @@ def tos_accepted
     end
   end
 
+  def url_for_logout(csp)
+    case csp.to_s
+    when :id_me.to_s
+      url_for_id_me_logout
+    when :login_dot_gov.to_s
+      url_for_login_dot_gov_logout
+    else
+      raise UnknownCSPError, csp
+    end
+  end
+
   # Documentation at https://developers.login.gov/oidc/logout/
   def url_for_login_dot_gov_logout
     state = SecureRandom.hex(16)
     session['omniauth.state'] = state
-    URI::HTTPS.build(host: IDP_HOST,
-                     path: '/openid_connect/logout',
-                     query: { client_id: IDP_CLIENT_ID,
+    csp_config = CspConfig.for(:login_dot_gov)
+    URI::HTTPS.build(host: csp_config.host,
+                     path: csp_config.log_out_path,
+                     query: { client_id: csp_config.identifier,
                               post_logout_redirect_uri: "#{root_url}auth/logged_out",
                               state: }.to_query)
   end
 
+  def url_for_id_me_logout
+    state = SecureRandom.hex(16)
+    session['omniauth.state'] = state
+    URI::HTTPS.build(host: CspConfig.for(:id_me).host,
+                     path: CspConfig.for(:id_me).log_out_path,
+                     query: { client_id: CspConfig.for(:id_me).identifier,
+                              redirect_uri: "#{root_url}auth/logged_out" }.to_query)
+  end
+
   # rubocop:disable Metrics/AbcSize
   def check_session_length
     session[:logged_in_at] = Time.now if session[:logged_in_at].nil?
@@ -133,3 +154,10 @@ def log_credential_action(credential_type, dpc_api_credential_id, action)
     logger.error(['CredentialAuditLog failure', { action:, credential_type:, dpc_api_credential_id: }])
   end
 end
+
+# Error class to handle unknow CSP
+class UnknownCSPError < StandardError # rubocop:disable Style/OneClassPerFile
+  def initialize(provider)
+    super("Unknown CSP: #{provider}")
+  end
+end
@@ -78,13 +78,13 @@ def login
                        { actionContext: LoggingConstants::ActionContext::Registration,
                          actionType: LoggingConstants::ActionType::BeginLogin,
                          invitation: @invitation.id }])
-    url = URI::HTTPS.build(host: IDP_HOST,
-                           path: '/openid_connect/authorize',
-                           query: { acr_values: 'http://idmanagement.gov/ns/assurance/ial/2',
-                                    client_id: IDP_CLIENT_ID,
-                                    redirect_uri: "#{my_protocol_host}/auth/login_dot_gov/callback",
+    csp_config = CspConfig.for(:id_me)
+    url = URI::HTTPS.build(host: csp_config.host,
+                           path: '/oauth/authorize',
+                           query: { client_id: csp_config.identifier,
+                                    redirect_uri: "#{my_protocol_host}/auth/id_me/callback",
                                     response_type: 'code',
-                                    scope: 'openid email all_emails profile social_security_number',
+                                    scope: 'openid http://idmanagement.gov/ns/assurance/ial/2/aal/2',
                                     nonce: @nonce,
                                     state: @state }.to_query)
     redirect_to url, allow_other_host: true
@@ -100,8 +100,9 @@ def renew
   end
 
   def set_idp_token
-    session[:login_dot_gov_token] = 'token'
-    session[:login_dot_gov_token_exp] = 2.days.from_now
+    session[:csp] = 'id_me'
+    session[:id_me_token] = 'token'
+    session[:id_me_token_exp] = 2.days.from_now
     head :ok
   end
 
@@ -211,7 +212,12 @@ def user
     user_info = UserInfoService.new.user_info(session)
     find_or_create_user(user_info)
     csp = Csp.find_by(name: @user.provider)
-    CspUser.find_or_create_by!(user: @user, csp: csp, uuid: user_info['sub'])
+    csp_user = CspUser.find_or_create_by!(user: @user, csp: csp, uuid: user_info['sub'])
+
+    # Update emails based upon the latest information in user info.
+    new_emails = user_info['all_emails'] || user_info['emails'] || user_info['emails_confirmed']
+    csp_user.add_or_activate_new_email(new_emails)
+    csp_user.deactivate_old_email(new_emails)
     update_user(user_info)
     @user
   end
@@ -248,7 +254,7 @@ def assign_user_attributes(user_to_create, user_info)
     user_to_create.pac_id = session.delete(:user_pac_id)
 
     # For now we force login.gov, this will have to change once we support multi-CSP.
-    user_to_create.provider = :login_dot_gov
+    user_to_create.provider = session[:csp] || 'login_dot_gov'
     user_to_create.uid = user_info['sub']
   end
 
@@ -308,9 +314,11 @@ def verify_cd_invitation
   end
 
   def check_for_token
-    if session[:login_dot_gov_token].present? &&
-       session[:login_dot_gov_token_exp].present? &&
-       session[:login_dot_gov_token_exp] > Time.now
+    csp = session[:csp]
+    if csp && !csp.empty? &&
+       session["#{csp}_token"].present? &&
+       session["#{csp}_token_exp"].present? &&
+       session["#{csp}_token_exp"] > Time.now
       return
     end