From 6c46e5ec8192f288b2363715df6b8382ff97d537 Mon Sep 17 00:00:00 2001
From: Sylvain
Date: Tue, 19 Apr 2022 16:55:46 +0200
Subject: [PATCH] (api) automatically configure some openID parameters: redirect_uri, display, response_mode
---
 .../api/auth_providers_controller.rb | 2 +-
 .../openid-connect-form.tsx | 11 ---------
 .../models/authentication-provider.ts | 2 --
 app/frontend/src/javascript/models/sso.ts | 24 +++++++++----------
 app/models/open_id_connect_provider.rb | 14 +++++++++++
 app/models/user.rb | 2 +-
 .../api/auth_providers/show.json.jbuilder | 9 ++++---
 config/locales/app.admin.en.yml | 8 ++-----
 ...141618_create_open_id_connect_providers.rb | 2 --
 db/schema.rb | 20 +++++++----------
 10 files changed, 43 insertions(+), 51 deletions(-)
diff --git a/app/controllers/api/auth_providers_controller.rb b/app/controllers/api/auth_providers_controller.rb
index c78114b96..9b94fe50b 100644
--- a/app/controllers/api/auth_providers_controller.rb
+++ b/app/controllers/api/auth_providers_controller.rb
@@ -96,7 +96,7 @@ class API::AuthProvidersController < API::ApiController
 elsif params['auth_provider']['providable_type'] == OpenIdConnectProvider.name
 params.require(:auth_provider)
 .permit(:name, :providable_type,
- providable_attributes: %i[id issuer discovery client_auth_method scope response_type response_mode display prompt
+ providable_attributes: %i[id issuer discovery client_auth_method scope response_type prompt
 send_scope_to_token_endpoint post_logout_redirect_uri uid_field extra_authorize_params
 allow_authorize_params client__identifier client__secret client__redirect_uri client__scheme
 client__host client__port client__authorization_endpoint client__token_endpoint
diff --git a/app/frontend/src/javascript/components/authentication-provider/openid-connect-form.tsx b/app/frontend/src/javascript/components/authentication-provider/openid-connect-form.tsx
index 4fd52d839..b3d4e1fa9 100644
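Review bot: The permit list on the new `+` line still carries `extra_authorize_params` and `allow_authorize_params` on the two context lines beneath it, while this same commit removes both columns from the create_open_id_connect_providers migration, from db/schema.rb and from the show.json.jbuilder extract. If the permitted `providable_attributes` are mass-assigned to the OpenIdConnectProvider (the assignment happens outside this hunk), a request carrying either key will raise `ActiveModel::UnknownAttributeError` instead of being ignored, so drop them from the `%i[...]` list so the permitted set matches the table. Since the model now derives `client__redirect_uri` from `DEFAULT_PROTOCOL`/`DEFAULT_HOST` in a `before_validation`, `client__redirect_uri` could be removed from this list too, so the API surface no longer suggests the callback URL is admin-settable. The enclosing method starts and ends outside the hunk.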
--- a/app/frontend/src/javascript/components/authentication-provider/openid-connect-form.tsx +++ b/app/frontend/src/javascript/components/authentication-provider/openid-connect-form.tsx @@ -112,17 +112,6 @@ export const OpenidConnectForm = - } - options={[ - { value: 'query', label: t('app.admin.authentication.openid_connect_form.response_mode_query') }, - { value: 'fragment', label: t('app.admin.authentication.openid_connect_form.response_mode_fragment') }, - { value: 'form_post', label: t('app.admin.authentication.openid_connect_form.response_mode_form_post') }, - { value: 'web_message', label: t('app.admin.authentication.openid_connect_form.response_mode_web_message') } - ]} - clearable - control={control} /> }
diff --git a/app/frontend/src/javascript/models/authentication-provider.ts b/app/frontend/src/javascript/models/authentication-provider.ts
index 01a055a1e..3a4b400be 100644
--- a/app/frontend/src/javascript/models/authentication-provider.ts
+++ b/app/frontend/src/javascript/models/authentication-provider.ts
@@ -47,8 +47,6 @@ export interface OpenIdConnectProvider {
 client_auth_method?: 'basic' | 'jwks',
 scope?: string,
 response_type?: 'code' | 'id_token',
- response_mode?: 'query' | 'fragment' | 'form_post' | 'web_message',
- display?: 'page' | 'popup' | 'touch' | 'wap',
 prompt?: 'none' | 'login' | 'consent' | 'select_account',
 send_scope_to_token_endpoint?: string,
 post_logout_redirect_uri?: string,
diff --git a/app/frontend/src/javascript/models/sso.ts b/app/frontend/src/javascript/models/sso.ts
index 592bf7d69..bd5d22768 100644
--- a/app/frontend/src/javascript/models/sso.ts
+++ b/app/frontend/src/javascript/models/sso.ts
@@ -1,15 +1,15 @@ export interface OpenIdConfiguration {
- authorization_endpoint: string;
- token_endpoint: string;
- userinfo_endpoint: string;
- jwks_uri: string;
- registration_endpoint: string;
- scopes_supported: string[];
- response_types_supported: string[];
- response_modes_supported: string[];
- grant_types_supported: string[];
- subject_types_supported: string[];
- id_token_signing_alg_values_supported: string[];
- code_challenge_methods_supported: string[];
+ authorization_endpoint: string,
+ token_endpoint: string,
+ userinfo_endpoint: string,
+ jwks_uri: string,
+ registration_endpoint: string,
+ scopes_supported: string[],
+ response_types_supported: string[],
+ response_modes_supported: string[],
+ grant_types_supported: string[],
+ subject_types_supported: string[],
+ id_token_signing_alg_values_supported: string[],
+ code_challenge_methods_supported: string[]
 }
diff --git a/app/models/open_id_connect_provider.rb b/app/models/open_id_connect_provider.rb
index 79b360082..0bd4badf3 100644
--- a/app/models/open_id_connect_provider.rb
+++ b/app/models/open_id_connect_provider.rb
@@ -19,6 +19,8 @@ class OpenIdConnectProvider < ApplicationRecord
 before_validation :set_post_logout_redirect_uri
 before_validation :set_client_scheme_host_port
+ before_validation :set_redirect_uri
+ before_validation :set_display
 def config
 OpenIdConnectProvider.columns.map(&:name).filter { |n| !n.start_with?('client__') && n != 'profile_url' }.map do |n|
@@ -38,6 +40,18 @@ class OpenIdConnectProvider < ApplicationRecord
 self.post_logout_redirect_uri = "#{ENV.fetch('DEFAULT_PROTOCOL')}://#{ENV.fetch('DEFAULT_HOST')}/sessions/sign_out"
 end
+ def set_redirect_uri
+ self.client__redirect_uri = "#{ENV.fetch('DEFAULT_PROTOCOL')}://#{ENV.fetch('DEFAULT_HOST')}/users/auth/#{auth_provider.strategy_name}/callback"
+ end
+
+ def set_display
+ self.display = 'page'
+ end
+
+ def set_response_mode
+ self.response_mode = 'query'
+ end
+
 def set_client_scheme_host_port
 require 'uri'
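Review bot: `set_response_mode` is defined in the second open_id_connect_provider.rb hunk, but the first hunk only registers `before_validation :set_redirect_uri` and `before_validation :set_display`, so `response_mode` — which this commit removes from the form, the permit list and the JSON view — is never populated and will stay nil; add `before_validation :set_response_mode` beside the other two, or drop the method if the strategy's own default is what is intended. `set_redirect_uri` also calls `auth_provider.strategy_name` unconditionally, so if a providable can be validated before its `auth_provider` association is assigned this raises NoMethodError on nil — guard it or document that the association must be set first. Deriving the callback URL from `DEFAULT_PROTOCOL`/`DEFAULT_HOST` instead of an admin-supplied value is the right direction; a comment such as `# Callback URL registered at the IdP; derived from the instance host so it cannot be pointed elsewhere via the admin form` would make that intent explicit. The class and `set_client_scheme_host_port` continue outside the hunk.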
diff --git a/app/models/user.rb b/app/models/user.rb
index f30355e63..059e6979b 100644
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -219,7 +219,7 @@ class User < ApplicationRecord
 logger.debug "mapping info #{key} with value=#{value}"
 user.set_data_from_sso_mapping(key, value)
 end
- logger.debug "generating a new password"
+ logger.debug 'generating a new password'
 user.password = Devise.friendly_token[0, 20]
 end
 end
diff --git a/app/views/api/auth_providers/show.json.jbuilder b/app/views/api/auth_providers/show.json.jbuilder
index bdcbcc9bb..b30d4c285 100644
--- a/app/views/api/auth_providers/show.json.jbuilder
+++ b/app/views/api/auth_providers/show.json.jbuilder
@@ -12,10 +12,9 @@ end
 if @provider.providable_type == OpenIdConnectProvider.name
 json.providable_attributes do
- json.extract! @provider.providable, :id, :issuer, :discovery, :client_auth_method, :scope, :response_type, :response_mode, :display,
- :prompt, :send_scope_to_token_endpoint, :post_logout_redirect_uri, :uid_field, :extra_authorize_params,
- :allow_authorize_params, :client__identifier, :client__secret, :client__redirect_uri, :client__scheme,
- :client__host, :client__port, :client__authorization_endpoint, :client__token_endpoint, :client__userinfo_endpoint,
- :client__jwks_uri, :client__end_session_endpoint, :profile_url
+ json.extract! @provider.providable, :id, :issuer, :discovery, :client_auth_method, :scope, :response_type,
+ :prompt, :send_scope_to_token_endpoint, :post_logout_redirect_uri, :uid_field, :client__identifier, :client__secret,
+ :client__redirect_uri, :client__scheme, :client__host, :client__port, :client__authorization_endpoint,
+ :client__token_endpoint, :client__userinfo_endpoint, :client__jwks_uri, :client__end_session_endpoint, :profile_url
 end
 end
diff --git a/config/locales/app.admin.en.yml b/config/locales/app.admin.en.yml
index ebbf44670..55953b401 100644
--- a/config/locales/app.admin.en.yml
+++ b/config/locales/app.admin.en.yml
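Review bot: The rewritten `json.extract!` on the `+` lines of show.json.jbuilder still serializes `:client__secret`, so the show endpoint returns the OpenID client secret in cleartext to any caller allowed to read this resource. The commit does not introduce that, but since the attribute list is being rewritten here it is the natural point to drop the secret from the response (or emit a masked marker the edit form treats as "unchanged") and to confirm the controller limits this action to administrators, which this hunk cannot show. If the form only needs to know whether a secret is configured, a boolean such as `json.client__secret_present @provider.providable.client__secret.present?` conveys that without exposing the value. The `if` block opens inside the hunk and the rest of the view lies outside it.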
@@ -1117,12 +1117,6 @@ en: response_type_help: "Which OpenID response type to use with the authorization request. This is usually 'code'" response_type_code: "Code" response_type_id_token: "Id token" - response_mode: "Response mode" - response_mode_help_html: "Specifies the method to use to send the resulting authorization code to Fab-manager.
Query - the authorization code is included in the redirect URL.
Fragment - the authorization code is included in the redirect URL as a URL fragment.
Form post - the authorization code is included in a POST body.
Web message - the authorization code uses HTML5 Web Messaging (a.k.a window.postMessage())." - response_mode_query: "Query" - response_mode_fragment: "Fragment" - response_mode_form_post: "Form post" - response_mode_web_message: "Web message" prompt: "Prompt" prompt_help_html: "Which OpenID pages the user will be shown.
None - no authentication or consent user interface pages are shown.
Login - the authorization server prompt the user for reauthentication.
Consent - the authorization server prompt the user for consent before returning information to Fab-manager.
Select account - the authorization server prompt the user to select a user account."
 prompt_none: "None"
@@ -1152,6 +1146,8 @@ en:
 name: "Name"
 authentication_type: "Authentication type"
 save: "Save"
+ create_success: "Authentication provider created"
+ update_success: "Authentication provider updated"
 methods:
 local_database: "Local database"
 oauth2: "OAuth 2.0"
diff --git a/db/migrate/20220328141618_create_open_id_connect_providers.rb b/db/migrate/20220328141618_create_open_id_connect_providers.rb
index 6a6b22cd1..a7d7c34c7 100644
--- a/db/migrate/20220328141618_create_open_id_connect_providers.rb
+++ b/db/migrate/20220328141618_create_open_id_connect_providers.rb
@@ -16,8 +16,6 @@ class CreateOpenIdConnectProviders < ActiveRecord::Migration[5.2]
 t.boolean :send_scope_to_token_endpoint
 t.string :post_logout_redirect_uri
 t.string :uid_field
- t.string :extra_authorize_params
- t.string :allow_authorize_params
 t.string :client__identifier
 t.string :client__secret
 t.string :client__redirect_uri
diff --git a/db/schema.rb b/db/schema.rb
index d91bc6737..af5697543 100644
--- a/db/schema.rb
+++ b/db/schema.rb
@@ -19,8 +19,8 @@ ActiveRecord::Schema.define(version: 2022_03_28_145017) do
 enable_extension "unaccent"
 create_table "abuses", id: :serial, force: :cascade do |t|
- t.string "signaled_type"
 t.integer "signaled_id"
+ t.string "signaled_type"
 t.string "first_name"
 t.string "last_name"
 t.string "email"
@@ -49,8 +49,8 @@ ActiveRecord::Schema.define(version: 2022_03_28_145017) do
 t.string "locality"
 t.string "country"
 t.string "postal_code"
- t.string "placeable_type"
 t.integer "placeable_id"
+ t.string "placeable_type"
 t.datetime "created_at"
 t.datetime "updated_at"
 end
@@ -64,8 +64,8 @@ ActiveRecord::Schema.define(version: 2022_03_28_145017) do
 end
 create_table "assets", id: :serial, force: :cascade do |t|
- t.string "viewable_type"
 t.integer "viewable_id"
+ t.string "viewable_type"
 t.string "attachment"
 t.string "type"
 t.datetime "created_at"
@@ -146,8 +146,8 @@ ActiveRecord::Schema.define(version: 2022_03_28_145017) do
 end
 create_table "credits", id: :serial, force: :cascade do |t|
- t.string "creditable_type"
 t.integer "creditable_id"
+ t.string "creditable_type"
 t.integer "plan_id"
 t.integer "hours"
 t.datetime "created_at"
@@ -369,15 +369,15 @@ ActiveRecord::Schema.define(version: 2022_03_28_145017) do
 create_table "notifications", id: :serial, force: :cascade do |t|
 t.integer "receiver_id"
- t.string "attached_object_type"
 t.integer "attached_object_id"
+ t.string "attached_object_type"
 t.integer "notification_type_id"
 t.boolean "is_read", default: false
 t.datetime "created_at"
 t.datetime "updated_at"
 t.string "receiver_type"
 t.boolean "is_send", default: false
- t.jsonb "meta_data", default: "{}"
+ t.jsonb "meta_data", default: {}
 t.index ["notification_type_id"], name: "index_notifications_on_notification_type_id"
 t.index ["receiver_id"], name: "index_notifications_on_receiver_id"
 end
@@ -423,8 +423,6 @@ ActiveRecord::Schema.define(version: 2022_03_28_145017) do
 t.boolean "send_scope_to_token_endpoint"
 t.string "post_logout_redirect_uri"
 t.string "uid_field"
- t.string "extra_authorize_params"
- t.string "allow_authorize_params"
 t.string "client__identifier"
 t.string "client__secret"
 t.string "client__redirect_uri"
@@ -571,8 +569,8 @@ ActiveRecord::Schema.define(version: 2022_03_28_145017) do
 create_table "prices", id: :serial, force: :cascade do |t|
 t.integer "group_id"
 t.integer "plan_id"
- t.string "priceable_type"
 t.integer "priceable_id"
+ t.string "priceable_type"
 t.integer "amount"
 t.datetime "created_at", null: false
 t.datetime "updated_at", null: false
@@ -682,8 +680,8 @@ ActiveRecord::Schema.define(version: 2022_03_28_145017) do
 t.text "message"
 t.datetime "created_at"
 t.datetime "updated_at"
- t.string "reservable_type"
 t.integer "reservable_id"
+ t.string "reservable_type"
 t.integer "nb_reserve_places"
 t.integer "statistic_profile_id"
 t.index ["reservable_type", "reservable_id"], name: "index_reservations_on_reservable_type_and_reservable_id"
@@ -692,8 +690,8 @@ ActiveRecord::Schema.define(version: 2022_03_28_145017) do
 create_table "roles", id: :serial, force: :cascade do |t|
 t.string "name"
- t.string "resource_type"
 t.integer "resource_id"
+ t.string "resource_type"
 t.datetime "created_at"
 t.datetime "updated_at"
 t.index ["name", "resource_type", "resource_id"], name: "index_roles_on_name_and_resource_type_and_resource_id"