Merged develop into feature/support 1135

.env

@@ -44,11 +44,13 @@ ADMIN_OIDC_METADATA_URL=
 ADMIN_OIDC_CLIENT_ID=
 ADMIN_OIDC_CLIENT_SECRET=
 ADMIN_OIDC_REDIRECT_ROUTE=default
+ADMIN_OIDC_ALLOW_HTTP=false
 
 BOARD_MEMBER_OIDC_METADATA_URL=
 BOARD_MEMBER_OIDC_CLIENT_ID=
 BOARD_MEMBER_OIDC_CLIENT_SECRET=
 BOARD_MEMBER_OIDC_REDIRECT_ROUTE=authenticate-board-member
+BOARD_MEMBER_OIDC_ALLOW_HTTP=false
 
 CLI_REDIRECT=default
 LEEWAY=10

CHANGELOG.md

@@ -13,6 +13,19 @@ about writing changes to this log.
 - [PR-377](https://github.com/itk-dev/naevnssekretariatet/pull/377)
   Improved `tvist1:digital-post-envelope:list` command and added Digital post
   debug command.
+- [PR-382](https://github.com/itk-dev/naevnssekretariatet/pull/382)
+  Added `--digital-post-id` filter on `tvist1:digital-post-envelope:list`.
+- [PR-380](https://github.com/itk-dev/naevnssekretariatet/pull/380)
+  Updated `itk-dev/openid-connect-bundle` to use authorization code flow.
+- [PR-380](https://github.com/itk-dev/naevnssekretariatet/pull/380)
+  Added [OpenId Connect Server
+  Mock](https://github.com/Soluto/oidc-server-mock) for mocking
+  OIDC IdPs during development.
+
+## [1.5.2]
+
+- [PR-378](https://github.com/itk-dev/naevnssekretariatet/pull/378)
+  Updated BBR meddelelse url.
 
 ## [1.5.1]
 
@@ -291,7 +304,8 @@ Fixed error in unescaped characters in filename
 - [TVIST1-604](https://jira.itkdev.dk/browse/TVIST1-604):
   Resolved issue regarding time formats.
 
-[Unreleased]: https://github.com/itk-dev/naevnssekretariatet/compare/1.5.1...HEAD
+[Unreleased]: https://github.com/itk-dev/naevnssekretariatet/compare/1.5.2...HEAD
+[1.5.2]: https://github.com/itk-dev/naevnssekretariatet/compare/1.5.1...1.5.2
 [1.5.1]: https://github.com/itk-dev/naevnssekretariatet/compare/1.5.0...1.5.1
 [1.5.0]: https://github.com/itk-dev/naevnssekretariatet/compare/1.4.1...1.5.0
 [1.4.1]: https://github.com/itk-dev/naevnssekretariatet/compare/1.4.0...1.4.1

README.md

@@ -103,26 +103,92 @@ must be done in order to login via Azure B2C:
 
 ```sh
 ###> itk-dev/openid-connect-bundle ###
-CONFIGURATION_URL=APP_CONFIGURATION_URL
-CLIENT_ID=APP_CLIENT_ID
-CLIENT_SECRET=APP_CLIENT_SECRET
-CALLBACK_URI=APP_CALLBACK_URI
-CLI_REDIRECT=APP_CLI_REDIRECT_URI
+ADMIN_OIDC_METADATA_URL=APP_ADMIN_ADMIN_OIDC_METADATA_URL
+ADMIN_OIDC_CLIENT_ID=APP_ADMIN_CLIENT_ID
+ADMIN_OIDC_CLIENT_SECRET=APP_ADMIN_CLIENT_SECRET
+ADMIN_OIDC_REDIRECT_ROUTE=APP_ADMIN_CLI_REDIRECT_ROUTE
+ADMIN_OIDC_ALLOW_HTTP=false # Set to true if mocking IdP
+
+BOARD_MEMBER_OIDC_METADATA_URL=APP_BOARD_MEMBER_OIDC_METADATA_URL
+BOARD_MEMBER_OIDC_CLIENT_ID=APP_BOARD_MEMBER_OIDC_CLIENT_ID
+BOARD_MEMBER_OIDC_CLIENT_SECRET=APP_BOARD_MEMBER_OIDC_CLIENT_SECRET
+BOARD_MEMBER_OIDC_REDIRECT_ROUTE=APP_BOARD_MEMBER_OIDC_REDIRECT_ROUTE
+BOARD_MEMBER_OIDC_ALLOW_HTTP=false # Set to true if mocking OIDC IdP
+
 LEEWAY=APP_LEEWAY
 ###< itk-dev/openid-connect-bundle ###
 ```
 
 Example configuration:
 
 ```sh
-CONFIGURATION_URL='https://.../.well-known/openid-configuration...'
-CLIENT_ID={app.client.id}
-CLIENT_SECRET={app.client.secret}
-CALLBACK_URI={app.callback.uri}
-CLI_REDIRECT={app.cli.redirect}
+ADMIN_OIDC_METADATA_URL='https://.../.well-known/openid-configuration...'
+ADMIN_OIDC_CLIENT_ID={app.admin.client.id}
+ADMIN_OIDC_CLIENT_SECRET={app.admin.client.secret}
+ADMIN_OIDC_REDIRECT_ROUTE={app.admin.cli.redirect}
+ADMIN_OIDC_ALLOW_HTTP=false # Set to true if mocking OIDC IdP
+
+BOARD_MEMBER_OIDC_METADATA_URL='https://.../.well-known/openid-configuration...'
+BOARD_MEMBER_OIDC_CLIENT_ID={app.board.client.id}
+BOARD_MEMBER_OIDC_CLIENT_SECRET={app.board.client.secret}
+BOARD_MEMBER_OIDC_REDIRECT_ROUTE={app.board.cli.redirect}
+BOARD_MEMBER_OIDC_ALLOW_HTTP=false # Set to true if mocking OIDC IdP
+
 LEEWAY=10
 ```
 
+#### Mocking OpenID Connect IdP for local development
+
+We use [OpenId Connect Server Mock](https://github.com/Soluto/oidc-server-mock).
+
+**Note**: The following assumes that [the itkdev-docker-compose helper
+script](https://github.com/itk-dev/devops_itkdev-docker#helper-scripts) is used
+for development.
+
+Start docker compose show with the `test`
+[profile](https://docs.docker.com/compose/profiles/):
+
+```sh
+docker compose --profile test up --detach
+```
+
+Remember to add `--profile test` when stopping (or downing) to stop (or down)
+all containers:
+
+```sh
+docker compose --profile test stop
+```
+
+See [`docker-compose.override.yml`](docker-compose.override.yml) for
+the configuration of the mocked IdPs (`idp-admin` and `idp-board-member`).
+
+Simply overwrite the above variables as such
+
+```sh
+ADMIN_OIDC_METADATA_URL='http://idp-admin.naevnssekretariatet.local.itkdev.dk/.well-known/openid-configuration'
+ADMIN_OIDC_CLIENT_ID='client-id'
+ADMIN_OIDC_CLIENT_SECRET='client-secret'
+ADMIN_OIDC_REDIRECT_ROUTE=default
+ADMIN_OIDC_ALLOW_HTTP=true
+
+BOARD_MEMBER_OIDC_METADATA_URL='http://idp-board-member.naevnssekretariatet.local.itkdev.dk/.well-known/openid-configuration'
+BOARD_MEMBER_OIDC_CLIENT_ID='client-id'
+BOARD_MEMBER_OIDC_CLIENT_SECRET='client-secret'
+BOARD_MEMBER_OIDC_REDIRECT_ROUTE=authenticate-board-member
+BOARD_MEMBER_OIDC_ALLOW_HTTP=true
+```
+
+And you should be redirected to the mocked IdP. Here you can
+sign in with the configured users. See `USERS_CONFIGURATION_INLINE` in
+[`docker-compose.override.yml`](docker-compose.override.yml). This is
+also where any modifying of claims and users can be done. Run
+
+```sh
+docker compose up -d
+```
+
+to reload the mock OIDC IdP configuration.
+
 #### CLI login
 
 In order to use the CLI login feature the following

composer.json

@@ -36,8 +36,8 @@
         "itk-dev/azure-key-vault-php": "^1.0",
         "itk-dev/beskedfordeler-symfony": "^1.0",
         "itk-dev/datafordeler-php-client": "dev-develop",
-        "itk-dev/openid-connect-bundle": "dev-develop",
-        "itk-dev/serviceplatformen": "dev-feature/tvist1",
+        "itk-dev/openid-connect-bundle": "^3.1",
+        "itk-dev/serviceplatformen": "^1.5",
         "knplabs/knp-paginator-bundle": "^5.6",
         "league/oauth2-client": "^2.6",
         "lexik/form-filter-bundle": "^7.0",

config/packages/itkdev_openid_connect.yaml

@@ -2,18 +2,22 @@ itkdev_openid_connect:
   cache_options:
     cache_pool: 'cache.app' # Cache item pool for caching discovery document and CLI login tokens
   cli_login_options:
-    cli_redirect: '%env(CLI_REDIRECT)%' # Redirect route for CLI login
+    route: '%env(CLI_REDIRECT)%' # Redirect route for CLI login
   openid_providers:
     admin:
       options:
         metadata_url: '%env(ADMIN_OIDC_METADATA_URL)%'
         client_id: '%env(ADMIN_OIDC_CLIENT_ID)%'
         client_secret: '%env(ADMIN_OIDC_CLIENT_SECRET)%'
         redirect_route: 'default'
+        allow_http: '%env(bool:ADMIN_OIDC_ALLOW_HTTP)%'
+        leeway: '%env(int:LEEWAY)%'
 
     board-member:
       options:
         metadata_url: '%env(BOARD_MEMBER_OIDC_METADATA_URL)%'
         client_id: '%env(BOARD_MEMBER_OIDC_CLIENT_ID)%'
         client_secret: '%env(BOARD_MEMBER_OIDC_CLIENT_SECRET)%'
         redirect_route: 'default'
+        allow_http: '%env(bool:BOARD_MEMBER_OIDC_ALLOW_HTTP)%'
+        leeway: '%env(int:LEEWAY)%'

config/services.yaml

@@ -16,8 +16,6 @@ services:
         autowire: true      # Automatically injects dependencies in your services.
         autoconfigure: true # Automatically registers your services as commands, event subscribers, etc.
         bind:
-            $leeway: '%env(LEEWAY)%'
-
             $bbrHelperOptions:
                 datafordeler_api_username: '%env(DATAFORDELER_API_USERNAME)%'
                 datafordeler_api_password: '%env(DATAFORDELER_API_PASSWORD)%'