bcgov · ikethecoder · Feb 27, 2025 · Feb 26, 2025 · Feb 27, 2025 · Feb 27, 2025
diff --git a/.github/ISSUE_TEMPLATE/issue.md → ...api-services-portal-bug-issue-template.md b/.github/ISSUE_TEMPLATE/issue.md → ...api-services-portal-bug-issue-template.md
@@ -1,9 +1,13 @@
 ---
-name: API Services Portal Issue Template
-about: Generic template for all GitHub issues
+name: API Services Portal Bug Issue Template
+about: Generic template for bug GitHub issues
+title: ''
+labels: bug, jira
+assignees: ''
+
 ---
 
-# API Services Portal Issue
+# API Services Portal Bug Issue
 
 <!-- Use what you want. Remove what you don't want. -->
 

diff --git a/.github/ISSUE_TEMPLATE/api-services-portal-feature-request-issue-template.md b/.github/ISSUE_TEMPLATE/api-services-portal-feature-request-issue-template.md
@@ -0,0 +1,56 @@
+---
+name: API Services Portal Feature Request Issue Template
+about: Generic template for feature request GitHub issues
+title: ''
+labels: enhancement, jira
+assignees: ''
+
+---
+
+## User Story
+
+**As a** `<persona>`,  
+**I want** `<feature>`,  
+**so that** `<reason>`.
+
+---
+
+## Background  
+Provide a detailed description of the user story. Include any relevant background information and additional context.
+
+---
+
+## Acceptance Criteria  
+
+Choose one of the following formats and delete the rest. You may write your acceptance criteria in your preferred format as well.
+
+
+  - Given `<first condition>`, when `<first action>`, then `<first outcome>`.  
+
+- **Functional format**:  
+  - The system should `<specific functionality or behavior>`.  
+
+  - When `<specific event or action>`, the system should `<expected response>`.  
+
+- **Other considerations**:  
+  - Any other specific aspect that should be met for the story to be considered complete.  
+
+---
+
+## Business Value (Optional)  
+Explain the business value of this user story and how it aligns with the overall goals.
+
+---
+
+## Assumptions (Optional)  
+List any assumptions that are considered as part of the story.
+
+---
+
+## Out of Scope (Optional)  
+Specify anything that is out of scope for this user story.
+
+---
+
+## Constraints (Optional)  
+List any constraints or limitations that must be considered.
diff --git a/.github/workflows/ci-build-deploy.yaml b/.github/workflows/ci-build-deploy.yaml
@@ -197,29 +197,97 @@ jobs:
 
           oauthProxy:
             enabled: true
-            image:
-              repository: ${{ env.REGISTRY }}/bcgov-dss/api-serv-infra/oauth2-proxy
-              tag: 7.2.1-8c743f0c
-              pullPolicy: IfNotPresent
 
             config:
-              upstream: http://127.0.0.1:3000
-              client-id: ${{ secrets.OIDC_CLIENT_ID }}
-              client-secret: ${{ secrets.OIDC_CLIENT_SECRET }}
-              oidc-issuer-url: ${{ secrets.OIDC_ISSUER }}
-              redirect-url: https://api-services-portal-${{ steps.set-deploy-id.outputs.DEPLOY_ID }}.apps.silver.devops.gov.bc.ca/oauth2/callback
-              skip-auth-regex: '/login|/health|/public|/docs|/redirect|/_next|/images|/devportal|/manager|/about|/maintenance|/admin/session|/ds/api|/feed/|/signout|/content|^[/]$'
-              whitelist-domain: authz-apps-gov-bc-ca.dev.api.gov.bc.ca
-              skip-provider-button: 'true'
-              profile-url: ${{ secrets.OIDC_ISSUER }}/protocol/openid-connect/userinfo
-              insecure-oidc-allow-unverified-email: 'true'
-              oidc-email-claim: 'sub'
-              pass-basic-auth: 'false'
-              pass-access-token: 'true'
-              set-xauthrequest: 'true'
-              skip-jwt-bearer-tokens: 'false'
-              set-authorization-header: 'false'
-              pass-authorization-header: 'false'
+              - filename: oauth2-proxy.cfg
+                mountPath: /oauth2-proxy.cfg
+                contents: |-
+                  cookie_expire='24h'
+                  cookie_refresh='3m'
+                  cookie_secure='true'
+                  cookie_samesite='strict'
+                  cookie_secret='not_secretenough'
+                  email_domains='*'
+                  redirect_url='https://api-services-portal-${{ steps.set-deploy-id.outputs.DEPLOY_ID }}.apps.silver.devops.gov.bc.ca/oauth2/callback'
+                  skip_auth_regex='/login|/health|/public|/docs|/redirect|/_next|/images|/devportal|/manager|/about|/maintenance|/admin/session|/ds/api|/feed|/metrics|/signout|/gw/api|/content|^[/]$'
+                  skip_jwt_bearer_tokens='false'
+                  skip_provider_button='true'
+                  whitelist_domains='authz-apps-gov-bc-ca.dev.api.gov.bc.ca'
+                  # redis_connection_url="redis://redis-headless:6379"
+                  # session_store_type="redis"
+                  # redis_password=""
+                  # insecure-oidc-allow-unverified-email: 'true'
+                  # insecure-oidc-skip-issuer-verification: 'true'
+                  # oidc-email-claim: 'sub'
+                  # pass-authorization-header: 'false'
+                  # set-authorization-header: 'false'
+
+              - filename: oauth2-proxy.yaml
+                mountPath: /oauth2-proxy.yaml
+                yaml:
+                  injectRequestHeaders:
+                    - name: X-Forwarded-Groups
+                      values:
+                        - claim: groups
+                    - name: X-Forwarded-User
+                      values:
+                        - claim: user
+                    - name: X-Forwarded-Email
+                      values:
+                        - claim: email
+                    - name: X-Forwarded-Preferred-Username
+                      values:
+                        - claim: preferred_username
+                    - name: X-Forwarded-Access-Token
+                      values:
+                        - claim: access_token
+                  injectResponseHeaders: []
+                  metricsServer:
+                    BindAddress: ""
+                    SecureBindAddress: ""
+                    TLS: null
+                  providers:
+                    - clientID: ${{ secrets.OIDC_CLIENT_ID }}
+                      clientSecret: ${{ secrets.OIDC_CLIENT_SECRET }}
+                      loginURL: ${{ secrets.OIDC_ISSUER }}/protocol/openid-connect/auth
+                      id: oidc=aps-portal
+                      loginURLParameters:
+                        - default:
+                            - force
+                          name: approval_prompt
+                        - allow:
+                            - pattern: ".*$"
+                          name: kc_idp_hint
+                      oidcConfig:
+                        audienceClaims:
+                          - aud
+                        emailClaim: sub
+                        groupsClaim: groups
+                        insecureAllowUnverifiedEmail: true
+                        insecureSkipNonce: true
+                        issuerURL: ${{ secrets.OIDC_ISSUER }}
+                        userIDClaim: sub
+
+                      profileURL: ${{ secrets.OIDC_ISSUER }}/protocol/openid-connect/userinfo
+                      provider: oidc
+                      redeemURL: ${{ secrets.OIDC_ISSUER }}/protocol/openid-connect/token
+                      scope: openid
+                      validateURL: ${{ secrets.OIDC_ISSUER }}/protocol/openid-connect/userinfo
+
+                  server:
+                    BindAddress: 0.0.0.0:7999
+                    SecureBindAddress: ""
+                    TLS: null
+                  upstreamConfig:
+                    upstreams:
+                      - flushInterval: 1s
+                        id: /
+                        passHostHeader: true
+                        path: /
+                        proxyWebSockets: true
+                        timeout: 30s
+                        uri: http://127.0.0.1:3000
+
           env:
             SESSION_SECRET:
               value: '234873290483290'

diff --git a/README.md b/README.md
@@ -76,9 +76,10 @@ hostip=$(ifconfig en0 | awk '$1 == "inet" {print $2}')
 
 docker run -ti --rm --name proxy --net=host \
   --add-host portal.localtest.me:$hostip \
+  -v `pwd`/local/oauth2-proxy/oauth2-proxy-dev.yaml:/oauth2.yaml \
   -v `pwd`/local/oauth2-proxy/oauth2-proxy-dev.cfg:/oauth2.config \
-  quay.io/oauth2-proxy/oauth2-proxy:v7.2.0 \
-  --config /oauth2.config
+  quay.io/oauth2-proxy/oauth2-proxy:v7.8.1 \
+  --alpha-config /oauth2.yaml --config /oauth2.config
 ```
 
 1. Start the Portal locally:

diff --git a/docker-compose.yml b/docker-compose.yml
@@ -42,18 +42,17 @@ services:
         aliases:
           - keycloak.localtest.me
   oauth2-proxy:
-    image: quay.io/oauth2-proxy/oauth2-proxy:v7.2.0
+    image: quay.io/oauth2-proxy/oauth2-proxy:v7.8.1
     container_name: oauth2-proxy
-    command: --config ./oauth2-proxy.cfg
+    command: --alpha-config /oauth2-proxy.yaml --config /oauth2-proxy.cfg
     depends_on:
       - keycloak
     ports:
       - 4180:4180/tcp
     volumes:
+      - ./local/oauth2-proxy/oauth2-proxy-local.yaml:/oauth2-proxy.yaml
       - ./local/oauth2-proxy/oauth2-proxy-local.cfg:/oauth2-proxy.cfg
     restart: unless-stopped
-    env_file:
-      - .env.local
     networks:
       aps-net:
         aliases:

diff --git a/local/oauth2-proxy/oauth2-proxy-dev.cfg b/local/oauth2-proxy/oauth2-proxy-dev.cfg
@@ -1,27 +1,10 @@
-http_address="0.0.0.0:4180"
+cookie_expire="24h"
+cookie_refresh="3m"
 cookie_secret="abcd1234!@#$$++="
+cookie_secure="false"
 email_domains="*"
-provider="oidc"
-insecure_oidc_allow_unverified_email="true"
-client_id="aps-portal"
-client_secret="8e1a17ed-cb93-4806-ac32-e303d1c86018"
-scope="openid"
-oidc_issuer_url="http://keycloak.localtest.me:9081/auth/realms/master"
-login_url="http://keycloak.localtest.me:9081/auth/realms/master/protocol/openid-connect/auth"
-redeem_url="http://keycloak.localtest.me:9081/auth/realms/master/protocol/openid-connect/token"
-validate_url="http://keycloak.localtest.me:9081/auth/realms/master/protocol/openid-connect/userinfo"
 redirect_url="http://oauth2proxy.localtest.me:4180/oauth2/callback"
-profile_url="http://keycloak.localtest.me:9081/auth/realms/master/protocol/openid-connect/userinfo"
-cookie_secure="false"
-cookie_refresh="3m"
-cookie_expire="24h"
-pass_basic_auth="false"
-pass_access_token="true"
-set_xauthrequest="true"
-skip_jwt_bearer_tokens="false"
-set_authorization_header="false"
-pass_authorization_header="false"
 skip_auth_regex="/__coverage__|/login|/health|/public|/docs|/redirect|/_next|/images|/devportal|/manager|/about|/maintenance|/admin/session|/ds/api|/gw/api|/feed/|/signout|^[/]$"
-whitelist_domains="keycloak.localtest.me:9081"
-upstreams=["http://portal.localtest.me:3000"]
+skip_jwt_bearer_tokens="false"
 skip_provider_button='true'
+whitelist_domains="keycloak.localtest.me:9081"
diff --git a/local/oauth2-proxy/oauth2-proxy-dev.yaml b/local/oauth2-proxy/oauth2-proxy-dev.yaml
@@ -0,0 +1,75 @@
+injectRequestHeaders:
+  - name: X-Forwarded-Groups
+    values:
+      - claim: groups
+  - name: X-Forwarded-User
+    values:
+      - claim: user
+  - name: X-Forwarded-Email
+    values:
+      - claim: email
+  - name: X-Forwarded-Preferred-Username
+    values:
+      - claim: preferred_username
+  - name: X-Forwarded-Access-Token
+    values:
+      - claim: access_token
+injectResponseHeaders:
+  - name: X-Auth-Request-User
+    values:
+      - claim: user
+  - name: X-Auth-Request-Email
+    values:
+      - claim: email
+  - name: X-Auth-Request-Preferred-Username
+    values:
+      - claim: preferred_username
+  - name: X-Auth-Request-Groups
+    values:
+      - claim: groups
+  - name: X-Auth-Request-Access-Token
+    values:
+      - claim: access_token
+metricsServer:
+  BindAddress: ''
+  SecureBindAddress: ''
+  TLS: null
+providers:
+  - clientID: aps-portal
+    clientSecret: 8e1a17ed-cb93-4806-ac32-e303d1c86018
+    id: oidc=aps-portal
+    loginURL: http://keycloak.localtest.me:9081/auth/realms/master/protocol/openid-connect/auth
+    loginURLParameters:
+      - default:
+          - force
+        name: approval_prompt
+      - allow:
+          - pattern: '.*$'
+        name: kc_idp_hint
+    oidcConfig:
+      audienceClaims:
+        - aud
+      emailClaim: email
+      groupsClaim: groups
+      insecureAllowUnverifiedEmail: true
+      insecureSkipNonce: true
+      issuerURL: http://keycloak.localtest.me:9081/auth/realms/master
+      userIDClaim: email
+    profileURL: http://keycloak.localtest.me:9081/auth/realms/master/protocol/openid-connect/userinfo
+    provider: oidc
+    redeemURL: http://keycloak.localtest.me:9081/auth/realms/master/protocol/openid-connect/token
+    scope: openid
+    validateURL: http://keycloak.localtest.me:9081/auth/realms/master/protocol/openid-connect/userinfo
+server:
+  BindAddress: 0.0.0.0:4180
+  SecureBindAddress: ''
+  TLS: null
+upstreamConfig:
+  upstreams:
+    - flushInterval: 1s
+      id: /
+      passHostHeader: true
+      path: /
+      proxyWebSockets: true
+      timeout: 30s
+      uri: http://portal.localtest.me:3000
diff --git a/local/oauth2-proxy/oauth2-proxy-local.cfg b/local/oauth2-proxy/oauth2-proxy-local.cfg
@@ -1,30 +1,13 @@
-http_address="0.0.0.0:4180"
+cookie_expire="24h"
+cookie_refresh="3m"
 cookie_secret="abcd1234!@#$$++="
+cookie_secure="false"
 email_domains="*"
-provider="oidc"
-insecure_oidc_allow_unverified_email="true"
-client_id="aps-portal"
-client_secret="8e1a17ed-cb93-4806-ac32-e303d1c86018"
-scope="openid"
-oidc_issuer_url="http://keycloak.localtest.me:9081/auth/realms/master"
-login_url="http://keycloak.localtest.me:9081/auth/realms/master/protocol/openid-connect/auth"
-redeem_url="http://keycloak.localtest.me:9081/auth/realms/master/protocol/openid-connect/token"
-validate_url="http://keycloak.localtest.me:9081/auth/realms/master/protocol/openid-connect/userinfo"
 redirect_url="http://oauth2proxy.localtest.me:4180/oauth2/callback"
-profile_url="http://keycloak.localtest.me:9081/auth/realms/master/protocol/openid-connect/userinfo"
-cookie_secure="false"
-cookie_refresh="3m"
-cookie_expire="24h"
-pass_basic_auth="false"
-pass_access_token="true"
-set_xauthrequest="true"
-skip_jwt_bearer_tokens="false"
-set_authorization_header="false"
-pass_authorization_header="false"
 skip_auth_regex="/__coverage__|/login|/health|/public|/docs|/redirect|/_next|/images|/devportal|/manager|/about|/maintenance|/admin/session|/ds/api|/gw/api|/feed/|/signout|^[/]$"
-whitelist_domains="keycloak.localtest.me:9081"
-upstreams=["http://apsportal.localtest.me:3000"]
+skip_jwt_bearer_tokens="false"
 skip_provider_button='true'
+whitelist_domains="keycloak.localtest.me:9081"
 redis_connection_url="redis://redis-master:6379"
 session_store_type='redis'
 redis_password='s3cr3t'