Merge pull request #380 from itk-dev/feature/TVIST1-code-authorizatio…

…n-flow TVIST1: Use authorization code flow
itk-dev · Aug 4, 2023 · 6508ba5 · 6508ba5
2 parents f67433f + 729772a
commit 6508ba5
Show file tree

Hide file tree

Showing 9 changed files with 288 additions and 42 deletions.
diff --git a/.env b/.env
@@ -44,11 +44,13 @@ ADMIN_OIDC_METADATA_URL=
 ADMIN_OIDC_CLIENT_ID=
 ADMIN_OIDC_CLIENT_SECRET=
 ADMIN_OIDC_REDIRECT_ROUTE=default
+ADMIN_OIDC_ALLOW_HTTP=false
 
 BOARD_MEMBER_OIDC_METADATA_URL=
 BOARD_MEMBER_OIDC_CLIENT_ID=
 BOARD_MEMBER_OIDC_CLIENT_SECRET=
 BOARD_MEMBER_OIDC_REDIRECT_ROUTE=authenticate-board-member
+BOARD_MEMBER_OIDC_ALLOW_HTTP=false
 
 CLI_REDIRECT=default
 LEEWAY=10

diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -10,6 +10,13 @@ about writing changes to this log.
 
 ## [Unreleased]
 
+- [PR-380](https://github.com/itk-dev/naevnssekretariatet/pull/380)
+  Updated `itk-dev/openid-connect-bundle` to use authorization code flow.
+- [PR-380](https://github.com/itk-dev/naevnssekretariatet/pull/380)
+  Added [OpenId Connect Server
+  Mock](https://github.com/Soluto/oidc-server-mock) for mocking
+  OIDC-login during development.
+
 ## [1.5.2]
 
 - [PR-378](https://github.com/itk-dev/naevnssekretariatet/pull/378)

diff --git a/README.md b/README.md
@@ -103,26 +103,78 @@ must be done in order to login via Azure B2C:
 
 ```sh
 ###> itk-dev/openid-connect-bundle ###
-CONFIGURATION_URL=APP_CONFIGURATION_URL
-CLIENT_ID=APP_CLIENT_ID
-CLIENT_SECRET=APP_CLIENT_SECRET
-CALLBACK_URI=APP_CALLBACK_URI
-CLI_REDIRECT=APP_CLI_REDIRECT_URI
+ADMIN_OIDC_METADATA_URL=APP_ADMIN_ADMIN_OIDC_METADATA_URL
+ADMIN_OIDC_CLIENT_ID=APP_ADMIN_CLIENT_ID
+ADMIN_OIDC_CLIENT_SECRET=APP_ADMIN_CLIENT_SECRET
+ADMIN_OIDC_REDIRECT_ROUTE=APP_ADMIN_CLI_REDIRECT_ROUTE
+ADMIN_OIDC_ALLOW_HTTP=false # Set to true if mocking IdP
+
+BOARD_MEMBER_OIDC_METADATA_URL=APP_BOARD_MEMBER_OIDC_METADATA_URL
+BOARD_MEMBER_OIDC_CLIENT_ID=APP_BOARD_MEMBER_OIDC_CLIENT_ID
+BOARD_MEMBER_OIDC_CLIENT_SECRET=APP_BOARD_MEMBER_OIDC_CLIENT_SECRET
+BOARD_MEMBER_OIDC_REDIRECT_ROUTE=APP_BOARD_MEMBER_OIDC_REDIRECT_ROUTE
+BOARD_MEMBER_OIDC_ALLOW_HTTP=false # Set to true if mocking OIDC IdP
+
 LEEWAY=APP_LEEWAY
 ###< itk-dev/openid-connect-bundle ###
 ```
 
 Example configuration:
 
 ```sh
-CONFIGURATION_URL='https://.../.well-known/openid-configuration...'
-CLIENT_ID={app.client.id}
-CLIENT_SECRET={app.client.secret}
-CALLBACK_URI={app.callback.uri}
-CLI_REDIRECT={app.cli.redirect}
+ADMIN_OIDC_METADATA_URL='https://.../.well-known/openid-configuration...'
+ADMIN_OIDC_CLIENT_ID={app.admin.client.id}
+ADMIN_OIDC_CLIENT_SECRET={app.admin.client.secret}
+ADMIN_OIDC_REDIRECT_ROUTE={app.admin.cli.redirect}
+ADMIN_OIDC_ALLOW_HTTP=false # Set to true if mocking OIDC IdP
+
+BOARD_MEMBER_OIDC_METADATA_URL='https://.../.well-known/openid-configuration...'
+BOARD_MEMBER_OIDC_CLIENT_ID={app.board.client.id}
+BOARD_MEMBER_OIDC_CLIENT_SECRET={app.board.client.secret}
+BOARD_MEMBER_OIDC_REDIRECT_ROUTE={app.board.cli.redirect}
+BOARD_MEMBER_OIDC_ALLOW_HTTP=false # Set to true if mocking OIDC IdP
+
 LEEWAY=10
 ```
 
+#### Mocking OpenID Connect IdP for local development
+
+We use [OpenId Connect Server Mock](https://github.com/Soluto/oidc-server-mock).
+
+**Note**: The following assumes that [the itkdev-docker-compose helper
+script](https://github.com/itk-dev/devops_itkdev-docker#helper-scripts) is used
+for development.
+
+See [`docker-compose.override.yml`](docker-compose.override.yml) for
+the configuration of the mocked IdPs (`idp-admin` and `idp-board-member`).
+
+Simply overwrite the above variables as such
+
+```sh
+ADMIN_OIDC_METADATA_URL='http://idp-admin.naevnssekretariatet.local.itkdev.dk/.well-known/openid-configuration'
+ADMIN_OIDC_CLIENT_ID='client-id'
+ADMIN_OIDC_CLIENT_SECRET='client-secret'
+ADMIN_OIDC_REDIRECT_ROUTE=default
+ADMIN_OIDC_ALLOW_HTTP=true
+
+BOARD_MEMBER_OIDC_METADATA_URL='http://idp-board-member.naevnssekretariatet.local.itkdev.dk/.well-known/openid-configuration'
+BOARD_MEMBER_OIDC_CLIENT_ID='client-id'
+BOARD_MEMBER_OIDC_CLIENT_SECRET='client-secret'
+BOARD_MEMBER_OIDC_REDIRECT_ROUTE=authenticate-board-member
+BOARD_MEMBER_OIDC_ALLOW_HTTP=true
+```
+
+And you should be redirected to the mocked IdP. Here you can
+sign in with the configured users. See `USERS_CONFIGURATION_INLINE` in
+[`docker-compose.override.yml`](docker-compose.override.yml). This is
+also where any modifying of claims and users can be done. Run
+
+```sh
+docker compose up -d
+```
+
+to reload the mock OIDC IdP configuration.
+
 #### CLI login
 
 In order to use the CLI login feature the following

diff --git a/composer.json b/composer.json
@@ -36,7 +36,7 @@
         "itk-dev/azure-key-vault-php": "^1.0",
         "itk-dev/beskedfordeler-symfony": "^1.0",
         "itk-dev/datafordeler-php-client": "dev-develop",
-        "itk-dev/openid-connect-bundle": "dev-develop",
+        "itk-dev/openid-connect-bundle": "^3.1",
         "itk-dev/serviceplatformen": "dev-feature/guzzle7-adapter",
         "knplabs/knp-paginator-bundle": "^5.6",
         "league/oauth2-client": "^2.6",

diff --git a/composer.lock b/composer.lock
diff --git a/config/packages/itkdev_openid_connect.yaml b/config/packages/itkdev_openid_connect.yaml
@@ -2,18 +2,22 @@ itkdev_openid_connect:
   cache_options:
     cache_pool: 'cache.app' # Cache item pool for caching discovery document and CLI login tokens
   cli_login_options:
-    cli_redirect: '%env(CLI_REDIRECT)%' # Redirect route for CLI login
+    route: '%env(CLI_REDIRECT)%' # Redirect route for CLI login
   openid_providers:
     admin:
       options:
         metadata_url: '%env(ADMIN_OIDC_METADATA_URL)%'
         client_id: '%env(ADMIN_OIDC_CLIENT_ID)%'
         client_secret: '%env(ADMIN_OIDC_CLIENT_SECRET)%'
         redirect_route: 'default'
+        allow_http: '%env(bool:ADMIN_OIDC_ALLOW_HTTP)%'
+        leeway: '%env(int:LEEWAY)%'
 
     board-member:
       options:
         metadata_url: '%env(BOARD_MEMBER_OIDC_METADATA_URL)%'
         client_id: '%env(BOARD_MEMBER_OIDC_CLIENT_ID)%'
         client_secret: '%env(BOARD_MEMBER_OIDC_CLIENT_SECRET)%'
         redirect_route: 'default'
+        allow_http: '%env(bool:BOARD_MEMBER_OIDC_ALLOW_HTTP)%'
+        leeway: '%env(int:LEEWAY)%'
diff --git a/config/services.yaml b/config/services.yaml
@@ -16,8 +16,6 @@ services:
         autowire: true      # Automatically injects dependencies in your services.
         autoconfigure: true # Automatically registers your services as commands, event subscribers, etc.
         bind:
-            $leeway: '%env(LEEWAY)%'
-
             $bbrHelperOptions:
                 datafordeler_api_username: '%env(DATAFORDELER_API_USERNAME)%'
                 datafordeler_api_password: '%env(DATAFORDELER_API_PASSWORD)%'