Merge pull request #361 from itk-dev/feature/2270-setup-local-OIDC

feature/2270 setup local OIDC

Author: martinyde

.docker/oidc-server-mock/cert/docker.pfx

@@ -8,6 +8,9 @@ Versioning](https://semver.org/spec/v2.0.0.html).
 
 ## [Unreleased]
 
+- [PR-361](https://github.com/itk-dev/os2loop/pull/361)
+  Added local OIDC server-mock
+
 ## [1.1.1]
 
 - [PR-360](https://github.com/itk-dev/os2loop/pull/360)

CHANGELOG.md

@@ -1,18 +1,18 @@
 uuid: 398e2246-b9c9-4721-8036-28076d5028c8
-langcode: en
+langcode: da
 status: true
 dependencies: {  }
 id: generic
 label: generic
 plugin: generic
 settings:
-  client_id: "file:///settings.local.php#$config['openid_connect.client.generic']['settings']['client_id']"
-  client_secret: "file:///settings.local.php#$config['openid_connect.client.generic']['settings']['client_secret']"
+  client_id: client-id
+  client_secret: '[client-secret]'
+  iss_allowed_domains: ''
   issuer_url: ''
-  authorization_endpoint: "file:///settings.local.php#$config['openid_connect.client.generic]['settings']['client_id']"
-  token_endpoint: "file:///settings.local.php#$config['openid_connect.client.generic]['settings'][token_endpoint']"
+  authorization_endpoint: 'https://idp-citizen.os2loop.local.itkdev.dk/connect/authorize'
+  token_endpoint: 'https://idp-citizen.os2loop.local.itkdev.dk/connect/token'
   userinfo_endpoint: ''
-  end_session_endpoint: ''
+  end_session_endpoint: 'https://idp-citizen.os2loop.local.itkdev.dk/connect/endsession'
   scopes:
     - openid
-    - email

config/sync/openid_connect.client.generic.yml

@@ -3,8 +3,8 @@ connect_existing_users: true
 override_registration_settings: true
 end_session_enabled: true
 user_login_display: above
-redirect_login: ''
-redirect_logout: ''
+redirect_login: 'http://os2loop.local.itkdev.dk/user/login'
+redirect_logout: 'http://os2loop.local.itkdev.dk/user/logout'
 userinfo_mappings:
   timezone: zoneinfo
   os2loop_user_family_name: family_name

config/sync/openid_connect.settings.yml

@@ -0,0 +1,4 @@
+show_drupal_login: 0
+show_oidc_login: 1
+default_login_method: ''
+hide_logout_menu_item: 0

config/sync/os2loop_user_login.settings.yml

@@ -18,3 +18,123 @@ services:
     environment:
       # Match PHP_MAX_EXECUTION_TIME above
       - NGINX_FASTCGI_READ_TIMEOUT=300
+
+  idp-citizen:
+    image: ghcr.io/soluto/oidc-server-mock:0.8.6
+    profiles:
+      - oidc
+      - test
+    # Let this container be accessible both internally and externally on the same domain.
+    container_name: idp-citizen.${COMPOSE_DOMAIN}
+    networks:
+      - app
+      - frontend
+    ports:
+      # https://github.com/Soluto/oidc-server-mock?tab=readme-ov-file#https
+      # - '80'
+      - '443'
+    volumes:
+      - .:/tmp/config:ro
+    labels:
+      - "traefik.enable=true"
+      - "traefik.docker.network=frontend"
+      - "traefik.http.routers.${COMPOSE_PROJECT_NAME}_idp-citizen.rule=Host(`idp-citizen.${COMPOSE_DOMAIN}`)"
+      - "traefik.http.services.${COMPOSE_PROJECT_NAME}_idp-citizen.loadbalancer.server.port=443"
+      - "traefik.http.services.${COMPOSE_PROJECT_NAME}_idp-citizen.loadbalancer.server.scheme=https"
+      - "traefik.http.routers.${COMPOSE_PROJECT_NAME}_idp-citizen.middlewares=redirect-to-https"
+      - "traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https"
+
+    environment:
+      # https://github.com/Soluto/oidc-server-mock?tab=readme-ov-file#https
+      ASPNETCORE_URLS: https://+:443;http://+:80
+      ASPNETCORE_Kestrel__Certificates__Default__Password: mock
+      ASPNETCORE_Kestrel__Certificates__Default__Path: /tmp/config/.docker/oidc-server-mock/cert/docker.pfx
+
+      ASPNETCORE_ENVIRONMENT: Development
+      SERVER_OPTIONS_INLINE: |
+        AccessTokenJwtType: JWT
+        Discovery:
+          ShowKeySet: true
+        Authentication:
+          CookieSameSiteMode: Lax
+          CheckSessionCookieSameSiteMode: Lax
+
+      LOGIN_OPTIONS_INLINE: |
+        {
+          "AllowRememberLogin": false
+        }
+
+      LOGOUT_OPTIONS_INLINE: |
+        {
+          "AutomaticRedirectAfterSignOut": true
+        }
+
+      CLIENTS_CONFIGURATION_INLINE: |
+        - ClientId: client-id
+          ClientSecrets: [client-secret]
+          Description: Mock IdP
+          AllowedGrantTypes:
+            # - client_credentials
+            # - implicit
+            - authorization_code
+          # https://github.com/Soluto/oidc-server-mock/issues/46#issuecomment-704963181
+          RequireClientSecret: false
+          AllowAccessTokensViaBrowser: true
+          # https://github.com/Soluto/oidc-server-mock/issues/26#issuecomment-705022941
+          AlwaysIncludeUserClaimsInIdToken: true
+          AllowedScopes:
+            - openid
+            - profile
+            - email
+          ClientClaimsPrefix: ''
+          RedirectUris:
+            - '*'
+          # https://github.com/Soluto/oidc-server-mock/issues/60
+          PostLogoutRedirectUris:
+            - '*'
+          # https://github.com/Soluto/oidc-server-mock/issues/46#issuecomment-704845375
+          RequirePkce: false
+
+      # Needed to set custom claim types in "profile"
+      # https://github.com/Soluto/oidc-server-mock/issues/123#issuecomment-1427129278
+      # https://github.com/Soluto/oidc-server-mock/blob/master/README.md#simple-configuration
+      # https://docs.docker.com/compose/compose-file/compose-file-v3/#environment
+      OVERRIDE_STANDARD_IDENTITY_RESOURCES: 'true'
+      IDENTITY_RESOURCES_INLINE: |
+        # https://auth0.com/docs/get-started/apis/scopes/openid-connect-scopes#standard-claims
+        - Name: openid
+          ClaimTypes:
+            - sub
+        - Name: email
+          ClaimTypes:
+            - email
+        - Name: profile
+          ClaimTypes:
+            # Add your custom claims here
+            - dk_ssn
+            - name
+            - email
+            - zip
+            - uuid
+
+      USERS_CONFIGURATION_INLINE: |
+        - SubjectId: 1
+          Username: citizen1
+          Password: citizen1
+          Claims:
+            # Claims added here must be defined above in IDENTITY_RESOURCES_INLINE
+          - Type: dk_ssn
+            Value: '1111111111'
+            ValueType: string
+          - Type: name
+            Value: 'Anders And'
+            ValueType: string
+          - Type: email
+            Value: [email protected]
+            ValueType: string
+          - Type: zip
+            Value: '1111'
+            ValueType: string
+          - Type: uuid
+            Value: '11111111-1111-1111-1111-111111111111'
+            ValueType: string

docker-compose.override.yml

@@ -0,0 +1,13 @@
+diff --git a/web/modules/contrib/openid_connect/src/Plugin/OpenIDConnectClientBase.php b/web/modules/contrib/openid_connect/src/Plugin/OpenIDConnectClientBase.php
+index f70effe8..4c9cec4a 100644
+--- a/web/modules/contrib/openid_connect/src/Plugin/OpenIDConnectClientBase.php
++++ b/web/modules/contrib/openid_connect/src/Plugin/OpenIDConnectClientBase.php
+@@ -341,6 +341,9 @@ protected function getRequestOptions(string $authorization_code, string $redirec
+       'headers' => [
+         'Accept' => 'application/json',
+       ],
++      // We use a self-signed certificate for development.
++      // https://docs.guzzlephp.org/en/stable/request-options.html?highlight=verify#verify
++      \GuzzleHttp\RequestOptions::VERIFY => FALSE,
+     ];
+   }