Separate Login.gov sandbox configurations by environment

.github/workflows/deploy-application.yml

@@ -60,13 +60,14 @@ jobs:
         env:
           SAM_API_KEY: ${{ secrets.SAM_API_KEY }}
           DJANGO_SECRET_LOGIN_KEY: $${{ secrets.DJANGO_SECRET_LOGIN_KEY }}
+          LOGIN_CLIENT_ID: $${{ secrets.LOGIN_CLIENT_ID }}
           SECRET_KEY: ${{ secrets.SECRET_KEY }}
         with:
           cf_username: ${{ secrets.CF_USERNAME }}
           cf_password: ${{ secrets.CF_PASSWORD }}
           cf_org: gsa-tts-oros-fac
           cf_space: ${{ env.space }}
-          cf_command: update-user-provided-service fac-key-service -p '"{\"SAM_API_KEY\":\"${{ secrets.SAM_API_KEY }}\", \"DJANGO_SECRET_LOGIN_KEY\":\"${{ secrets.DJANGO_SECRET_LOGIN_KEY }}\", \"SECRET_KEY\":\"${{ secrets.SECRET_KEY}}\"}"'
+          cf_command: update-user-provided-service fac-key-service -p '"{\"SAM_API_KEY\":\"${{ secrets.SAM_API_KEY }}\", \"DJANGO_SECRET_LOGIN_KEY\":\"${{ secrets.DJANGO_SECRET_LOGIN_KEY }}\", \"LOGIN_CLIENT_ID\":\"${{ secrets.LOGIN_CLIENT_ID }}\" \"SECRET_KEY\":\"${{ secrets.SECRET_KEY}}\"}"'
 
       - name: Deploy fac to cloud.gov
         uses: cloud-gov/cg-cli-tools@main

.github/workflows/end-to-end-test.yml

@@ -12,6 +12,7 @@ jobs:
       SAM_API_KEY: ${{ secrets.SAM_API_KEY }}
       DJANGO_BASE_URL: 'http://localhost:8000'
       DJANGO_SECRET_LOGIN_KEY: ${{ secrets.DJANGO_SECRET_LOGIN_KEY }}
+      LOGIN_CLIENT_ID: ${{ secrets.LOGIN_CLIENT_ID }}
       SECRET_KEY: ${{ secrets.SECRET_KEY }}
       ALLOWED_HOSTS: '0.0.0.0 127.0.0.1 localhost'
       DISABLE_AUTH: False

.github/workflows/testing-from-build.yml

@@ -12,6 +12,7 @@ jobs:
       SAM_API_KEY: ${{ secrets.SAM_API_KEY }}
       DJANGO_BASE_URL: 'http://localhost:8000'
       DJANGO_SECRET_LOGIN_KEY: ${{ secrets.DJANGO_SECRET_LOGIN_KEY }}
+      LOGIN_CLIENT_ID: ${{ secrets.LOGIN_CLIENT_ID }}
       SECRET_KEY: ${{ secrets.SECRET_KEY }}
       ALLOWED_HOSTS: '0.0.0.0 127.0.0.1 localhost'
       DISABLE_AUTH: False
@@ -59,6 +60,7 @@ jobs:
       SAM_API_KEY: ${{ secrets.SAM_API_KEY }}
       DJANGO_BASE_URL: 'http://localhost:8000'
       DJANGO_SECRET_LOGIN_KEY: ${{ secrets.DJANGO_SECRET_LOGIN_KEY }}
+      LOGIN_CLIENT_ID: ${{ secrets.LOGIN_CLIENT_ID }}
       SECRET_KEY: ${{ secrets.SECRET_KEY }}
       ALLOWED_HOSTS: '0.0.0.0 127.0.0.1 localhost'
       DISABLE_AUTH: True

.github/workflows/testing-from-ghcr.yml

@@ -13,6 +13,7 @@ jobs:
       SAM_API_KEY: ${{ secrets.SAM_API_KEY }}
       DJANGO_BASE_URL: 'http://localhost:8000'
       DJANGO_SECRET_LOGIN_KEY: ${{ secrets.DJANGO_SECRET_LOGIN_KEY }}
+      LOGIN_CLIENT_ID: ${{ secrets.LOGIN_CLIENT_ID }}
       SECRET_KEY: ${{ secrets.SECRET_KEY }}
       ALLOWED_HOSTS: '0.0.0.0 127.0.0.1 localhost'
       DISABLE_AUTH: False
@@ -61,6 +62,7 @@ jobs:
       SAM_API_KEY: ${{ secrets.SAM_API_KEY }}
       DJANGO_BASE_URL: 'http://localhost:8000'
       DJANGO_SECRET_LOGIN_KEY: ${{ secrets.DJANGO_SECRET_LOGIN_KEY }}
+      LOGIN_CLIENT_ID: ${{ secrets.LOGIN_CLIENT_ID }}
       SECRET_KEY: ${{ secrets.SECRET_KEY }}
       ALLOWED_HOSTS: '0.0.0.0 127.0.0.1 localhost'
       DISABLE_AUTH: True

backend/config/settings.py

@@ -409,6 +409,7 @@
 ]
 
 env_base_url = env.str("DJANGO_BASE_URL", "")
+login_client_id = secret("LOGIN_CLIENT_ID", "")
 secret_login_key = b64decode(secret("DJANGO_SECRET_LOGIN_KEY", ""))
 
 # which provider to use if multiple are available
@@ -432,7 +433,7 @@
             "acr_value": "http://idmanagement.gov/ns/assurance/ial/1",
         },
         "client_registration": {
-            "client_id": "urn:gov:gsa:openidconnect.profiles:sp:sso:gsa:gsa-fac-pk-jwt-01",
+            "client_id": login_client_id,
             "redirect_uris": [f"{env_base_url}/openid/callback/login/"],
             "post_logout_redirect_uris": [f"{env_base_url}/openid/callback/logout/"],
             "token_endpoint_auth_method": ["private_key_jwt"],

backend/docker-compose-web.yml

@@ -33,6 +33,7 @@ services:
       SAM_API_KEY: ${SAM_API_KEY}
       DJANGO_BASE_URL: http://localhost:8000
       DJANGO_SECRET_LOGIN_KEY: ${DJANGO_SECRET_LOGIN_KEY}
+      LOGIN_CLIENT_ID: ${LOGIN_CLIENT_ID}
       ENV: ${ENV}
       SECRET_KEY: ${SECRET_KEY}
       ALLOWED_HOSTS: 0.0.0.0 127.0.0.1 localhost

backend/docker-compose.yml

@@ -42,6 +42,7 @@ services:
       SAM_API_KEY: ${SAM_API_KEY}
       DJANGO_BASE_URL: http://localhost:8000
       DJANGO_SECRET_LOGIN_KEY: ${DJANGO_SECRET_LOGIN_KEY}
+      LOGIN_CLIENT_ID: ${LOGIN_CLIENT_ID}
       ENV: ${ENV}
       SECRET_KEY: ${SECRET_KEY}
       ALLOWED_HOSTS: 0.0.0.0 127.0.0.1 localhost

docs/development.md

@@ -48,6 +48,7 @@ ENV = 'LOCAL'
 SAM_API_KEY =
 SECRET_KEY =
 DJANGO_SECRET_LOGIN_KEY =
+LOGIN_CLIENT_ID =
 DISABLE_AUTH = 
 ```
 If you are using a MacBook with Apple M1 hardware, you will probably also have to add `DOCKERFILE = Apple_M1_Dockerfile` to the file.
@@ -81,6 +82,9 @@ The `DJANGO_SECRET_LOGIN_KEY` environment variable is used to interact with Logi
 *  If you wish to use the shared Login.gov sandbox client application, but create your own client credentials, you must first be granted access to the GSA-FAC Login.gov sandbox team. Once you can access the GSA-FAC client application, follow [Login.gov's documentation for creating a public certificate](https://developers.login.gov/testing/#creating-a-public-certificate). Once created, you can add the newly-generated public key to the GSA-FAC app, and set `DJANGO_SECRET_LOGIN_KEY` to the base64-encoded value of the corresponding private key.
 *  If you wish to use your own Login.gov sandbox client application, follow [Login.gov's documentation for setting up a test application](https://developers.login.gov/testing/). Once completed, open `settings.py` and set `OIDC_PROVIDERS.login.gov.client_registration.client_id` so that it matches the `issuer` string for your newly-created client application. NOTE: changes to the `client_id` should __not__ be checked into version control!
 
+#### LOGIN_CLIENT_ID
+The `LOGIN_CLIENT_ID` environment variable is our unique application identifier at Login.gov. Each environment has its own client ID. You can obtain the client ID that should be used during local development from our shared [dev secrets document](https://docs.google.com/spreadsheets/d/1byrBp16jufbiEY_GP5MyR0Uqf6WvB_5tubSXN_mYyJY/edit#gid=0)
+
 #### DISABLE_AUTH
 The `DISABLE_AUTH` variable tells Django to disable the Login.gov authorization. This should almost always be `False` unless you need to temporarily disable it for your local development.