
@Fustrate
Last active July 3, 2020 20:12
# Comments removed for brevity
# No need to declare which submodules are in use beforehand
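# Sketch of a hash-based layout for the Sorcery initializer. The loading calls used below
# (`load_plugins`, `load_plugin`, `load_providers`, `add_provider`) are the interface this file
# proposes; confirm they exist in the Sorcery version in use before copying any of it.
Rails.application.config.sorcery.configure do |config|
  config.not_authenticated_action = :not_authenticated
  # NOTE(review): the return-to URL is stored for a later redirect - confirm the redirect target
  # is limited to this application's own paths.
  config.save_return_to_url = true
  config.cookie_domain = nil
  # HttpOnly keeps the remember-me cookie out of reach of page JavaScript.
  config.remember_me_httponly = true
  # NOTE(review): presumably the amount of randomness behind generated tokens - confirm the unit.
  config.token_randomness = 15

  config.load_plugins(
    # The bare `:session_timeout,` entry that used to open this hash was not valid inside a hash
    # literal, and the closing brace lacked its comma; both made the file unparseable.
    session_timeout: {
      # NOTE(review): presumably seconds (one hour) - confirm.
      session_timeout: 3600,
      session_timeout_from_last_action: false,
      # NOTE(review): left off here; presumably this is the switch that lets existing sessions be
      # revoked server-side (e.g. after a password change) - confirm and consider enabling it.
      session_timeout_invalidate_active_sessions_enabled: false
    },
    http_basic_auth: {
      controller_to_realm_map: {
        application: 'Application'
      }
    },
    activity_logging: {
      register_login_time: true,
      register_logout_time: true,
      register_last_activity_time: true
    },
    external: {
      # Since the callback URLs are nearly always the same, why not set it once and make it
      # overrideable on a per-provider basis if necessary?
      #
      # Development value: plain HTTP on 0.0.0.0. A deployed callback should be HTTPS on the
      # exact host registered with each provider, since the authorization response travels
      # through this URL.
      callback_url: 'http://0.0.0.0:3000/oauth/callback?provider=:provider',
      authentications_class: nil,
      user_id_attribute_name: :user_id,
      provider_attribute_name: :provider,
      provider_uid_attribute_name: :uid
    }
  )

  # Load a single plugin
  config.load_plugin(
    :magic_login,
    token_attribute_name: :magic_login_token,
    token_expires_at_attribute_name: :magic_login_token_expires_at,
    email_sent_at_attribute_name: :magic_login_email_sent_at,
    mailer_class: nil,
    email_method_name: :magic_login_email,
    mailer_disabled: true,
    # NOTE(review): nil presumably means login tokens never expire - confirm, and prefer a short
    # lifetime because the token alone signs the user in.
    expiration_period: nil,
    # Minimum gap between login emails: five minutes.
    time_between_emails: 5 * 60
  )

  # Load a plugin from a separate gem
  config.load_plugin MultiFactorAuthenticationPlugin, some_custom_setting: true

  # Instead of setting the key and secret in the config file, possibly read from
  # `Rails.application.credentials` by default, and fall back to the old way if they're not found
  # Pass the enabled providers as a hash instead of class attributes - the keys are constantized
  # into Sorcery::Providers::Whatever and the values are passed as their configuration.
  #
  # I don't think I like this as a single call - I prefer separate calls as seen further down.
  config.load_providers(
    auth0: {
      site: 'https://example.auth0.com'
    },
    discord: {
      scope: 'email guilds'
    },
    facebook: {
      user_info_path: 'me?fields=email',
      user_info_mapping: {
        email: 'email'
      },
      access_permissions: %w[email],
      display: 'page',
      api_version: 'v2.3',
      parse: :json
    },
    github: {
      # NOTE(review): this stores the provider's `name` field in the local email attribute. If
      # local accounts are matched or linked by email, map a provider-verified email field
      # instead - confirm how the attribute is used.
      user_info_mapping: {
        email: 'name'
      },
      # `scope` is a provider-level option everywhere else in this file; it had been nested
      # inside `user_info_mapping`, where it would be read as an attribute mapping.
      scope: ''
    },
    google: {
      user_info_mapping: {
        email: 'email',
        username: 'name'
      },
      scope: 'https://www.googleapis.com/auth/userinfo.email https://www.googleapis.com/auth/userinfo.profile'
    },
    instagram: {
      # NOTE(review): `username` is stored as the local email here - same concern as the github
      # mapping above.
      user_info_mapping: {
        email: 'username'
      },
      # Moved out of `user_info_mapping` to match how the facebook entry passes it.
      # NOTE(review): request only the permissions the sign-in flow actually needs.
      access_permissions: %w[basic public_content follower_list comments relationships likes]
    },
    jira: {
      # Local development endpoint over plain HTTP.
      site: 'http://localhost:2990/jira/plugins/servlet/oauth',
      # NOTE(review): RSA-SHA1 is a legacy signature method - confirm whether the server accepts
      # anything stronger.
      signature_method: 'RSA-SHA1',
      # Relative path to the signing key: keep the file out of version control and readable only
      # by the application user.
      private_key_file: 'rsakey.pem'
    },
    # An empty hash for a provider with no custom configuration, or just `true`? This would be
    # better as an `add_provider` call as seen below.
    line: {},
    linkedin: {
      user_info_mapping: {
        first_name: 'localizedFirstName',
        last_name: 'localizedLastName',
        email: 'emailAddress'
      },
      scope: 'r_liteprofile r_emailaddress'
    },
    liveid: {
      user_info_mapping: {
        username: "name"
      }
    },
    microsoft: {
      user_info_mapping: {
        email: 'userPrincipalName',
        username: 'displayName'
      },
      scope: 'openid email https://graph.microsoft.com/User.Read'
    },
    paypal: {
      user_info_mapping: {
        email: 'email'
      }
    },
    salesforce: {
      # NOTE(review): 'full' looks broader than the email mapping below needs - confirm whether a
      # narrower scope is enough.
      scope: 'full',
      user_info_mapping: {
        email: 'email'
      }
    },
    slack: {
      user_info_mapping: {
        email: 'email'
      }
    },
    twitter: {
      # NOTE(review): `screen_name` is stored as the local email here - same concern as the
      # github mapping above.
      user_info_mapping: {
        email: 'screen_name'
      }
    },
    vk: {
      user_info_mapping: {
        login: 'domain',
        name: 'full_name'
      },
      api_version: '5.71'
    },
    # An empty hash for a provider with no custom configuration, or just `true`? This would be
    # better as an `add_provider` call as seen below.
    wechat: {},
    xing: {
      user_info_mapping: {
        first_name: 'first_name',
        last_name: 'last_name'
      }
    }
  )

  # Load a provider from a separate gem
  config.add_provider(
    MyAmazonProvider,
    user_info_mapping: {
      first_name: 'localizedFirstName',
      last_name: 'localizedLastName',
      email: 'emailAddress'
    },
    scope: 'r_liteprofile r_emailaddress'
  )

  # Could also load a single built-in provider this way, if the mega-hash is too unwieldy
  config.add_provider(
    :facebook,
    user_info_path: 'me?fields=email',
    user_info_mapping: {
      email: 'email'
    },
    access_permissions: %w[email],
    display: 'page',
    api_version: 'v2.3',
    parse: :json
  )

  # Thinking out loud, do we really need two separate configs? Can't the user config just be part
  # of the config for the individual plugins?
  config.user_config do |user|
    # ...
  end

  config.user_class = 'MyUserClass'
end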
@joshbuker

I was wondering how to clean up the config, and this gives an excellent starting point. Thank you @Fustrate!!
