125: Updated local OIDC stuff

itk-dev · Jan 6, 2025 · 496202e · 496202e
1 parent 0b19831
commit 496202e
Show file tree

Hide file tree

Showing 4 changed files with 84 additions and 12 deletions.
diff --git a/.docker/oidc-server-mock/cert/docker.pfx b/.docker/oidc-server-mock/cert/docker.pfx
diff --git a/docker-compose.override.yml b/docker-compose.override.yml
@@ -54,8 +54,16 @@ services:
       - "traefik.enable=true"
       - "traefik.docker.network=frontend"
       - "traefik.http.routers.${COMPOSE_PROJECT_NAME}_idp-citizen.rule=Host(`idp-citizen.${COMPOSE_DOMAIN}`)"
-      - "traefik.http.services.${COMPOSE_PROJECT_NAME}_idp-citizen.loadbalancer.server.port=80"
+      - "traefik.http.services.${COMPOSE_PROJECT_NAME}_idp-citizen.loadbalancer.server.port=443"
+      - "traefik.http.services.${COMPOSE_PROJECT_NAME}_idp-citizen.loadbalancer.server.scheme=https"
+      - "traefik.http.routers.${COMPOSE_PROJECT_NAME}_idp-citizen.middlewares=redirect-to-https"
+      - "traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https"
     environment:
+      # https://github.com/Soluto/oidc-server-mock?tab=readme-ov-file#https
+      ASPNETCORE_URLS: https://+:443;http://+:80
+      ASPNETCORE_Kestrel__Certificates__Default__Password: mock
+      ASPNETCORE_Kestrel__Certificates__Default__Path: /tmp/config/.docker/oidc-server-mock/cert/docker.pfx
+
       ASPNETCORE_ENVIRONMENT: Development
       SERVER_OPTIONS_INLINE: |
         AccessTokenJwtType: JWT
@@ -220,8 +228,16 @@ services:
       - "traefik.enable=true"
       - "traefik.docker.network=frontend"
       - "traefik.http.routers.${COMPOSE_PROJECT_NAME}_idp-employee.rule=Host(`idp-employee.${COMPOSE_DOMAIN}`)"
-      - "traefik.http.services.${COMPOSE_PROJECT_NAME}_idp-employee.loadbalancer.server.port=80"
+      - "traefik.http.services.${COMPOSE_PROJECT_NAME}_idp-employee.loadbalancer.server.port=443"
+      - "traefik.http.services.${COMPOSE_PROJECT_NAME}_idp-employee.loadbalancer.server.scheme=https"
+      - "traefik.http.routers.${COMPOSE_PROJECT_NAME}_idp-employee.middlewares=redirect-to-https"
+      - "traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https"
     environment:
+      # https://github.com/Soluto/oidc-server-mock?tab=readme-ov-file#https
+      ASPNETCORE_URLS: https://+:443;http://+:80
+      ASPNETCORE_Kestrel__Certificates__Default__Password: mock
+      ASPNETCORE_Kestrel__Certificates__Default__Path: /tmp/config/.docker/oidc-server-mock/cert/docker.pfx
+
       ASPNETCORE_ENVIRONMENT: Development
       SERVER_OPTIONS_INLINE: |
         AccessTokenJwtType: JWT
@@ -289,35 +305,52 @@ services:
 
       USERS_CONFIGURATION_INLINE: |
         - SubjectId: 1
-          Username: employee-department-a
-          Password: employee-department-a
+          Username: department1-editor
+          Password: department1-editor
           Claims:
             # Claims added here must be defined above in IDENTITY_RESOURCES_INLINE
           - Type: email
-            Value: '[email protected]'
+            Value: '[email protected]'
             ValueType: string
           - Type: name
-            Value: 'Anders And'
+            Value: 'department1-editor'
             ValueType: string
           - Type: magistratsafdeling
-            Value: 'Department A'
+            Value: 'Department 1'
             ValueType: string
           - Type: groups
             Value: '["administrator"]'
             ValueType: json
 
         - SubjectId: 2
-          Username: employee-department-b
-          Password: employee-department-b
+          Username: department2-editor
+          Password: department2-editor
+          Claims:
+          - Type: email
+            Value: '[email protected]'
+            ValueType: string
+          - Type: name
+            Value: 'department2-editor'
+            ValueType: string
+          - Type: magistratsafdeling
+            Value: 'Department 2'
+            ValueType: string
+          - Type: groups
+            Value: '["editor"]'
+            ValueType: json
+
+        - SubjectId: 3
+          Username: department3-editor
+          Password: department3-editor
           Claims:
           - Type: email
-            Value: '[email protected]'
+            Value: '[email protected]'
             ValueType: string
           - Type: name
-            Value: 'Bølle-bob'
+            Value: 'department3-editor'
             ValueType: string
           - Type: magistratsafdeling
-            Value: 'Department B'
+            Value: 'Department 3'
             ValueType: string
           - Type: groups
             Value: '["editor"]'

diff --git a/documentation/openIdConnect.md b/documentation/openIdConnect.md
@@ -54,3 +54,28 @@ Create department taxonomy terms:
 docker compose exec phpfpm vendor/bin/drush php:eval "\Drupal\taxonomy\Entity\Term::create(['name' => 'Department A', 'vid' => 'department', 'status' => 1])->save();"
 docker compose exec phpfpm vendor/bin/drush php:eval "\Drupal\taxonomy\Entity\Term::create(['name' => 'Department B', 'vid' => 'department', 'status' => 1])->save();"
 ```
+
+## Debugging OpenID Connect authentification
+
+```sh
+docker compose --profile oidc up --detach
+```
+
+During development it can be useful to see the user info we actually get during OpenID Connect authentification, and to
+do this you can apply the patch [debug-userinfo.patch](../patches/drupal/openid_connect/debug-userinfo.patch):
+
+```sh
+docker compose exec phpfpm patch --strip=1 --input=patches/drupal/openid_connect/debug-userinfo.patch
+```
+
+After applying the patch and succesfully logging in, the actual userinfo received can be inspected with
+
+```sh
+docker compose exec phpfpm vendor/bin/drush watchdog:show --type=itkdev-debug --extended
+```
+
+Remove (reverse) the patch with
+
+```sh
+docker compose exec phpfpm patch --strip=1 --input=patches/drupal/openid_connect/debug-userinfo.patch --reverse
+```
diff --git a/patches/drupal/openid_connect/debug-userinfo.patch b/patches/drupal/openid_connect/debug-userinfo.patch
@@ -0,0 +1,14 @@
+diff --git a/web/modules/contrib/openid_connect/src/OpenIDConnect.php b/web/modules/contrib/openid_connect/src/OpenIDConnect.php
+index 7dc1d286..b4fecf37 100644
+--- a/web/modules/contrib/openid_connect/src/OpenIDConnect.php
++++ b/web/modules/contrib/openid_connect/src/OpenIDConnect.php
+@@ -263,7 +263,9 @@ private function buildContext(OpenIDConnectClientEntityInterface $client, array
+       'user_data' => $user_data,
+     ];
+
++    \Drupal::logger('itkdev-debug')->debug('openid_connect_userinfo (before alter): %userinfo', ['%userinfo' => json_encode($userinfo, JSON_PRETTY_PRINT|JSON_UNESCAPED_SLASHES|JSON_UNESCAPED_UNICODE)]);
+     $this->moduleHandler->alter('openid_connect_userinfo', $userinfo, $context);
++    \Drupal::logger('itkdev-debug')->debug('openid_connect_userinfo (after alter): %userinfo', ['%userinfo' => json_encode($userinfo, JSON_PRETTY_PRINT|JSON_UNESCAPED_SLASHES|JSON_UNESCAPED_UNICODE)]);
+
+     // Whether we have no usable user information.
+     if ((empty($user_data) || !is_array($user_data)) && empty($userinfo)) {