(api) automatically configure some openID parameters: redirect_uri, display, response_mode

2024-12-01 12:24:28 +01:00 · 2022-04-19 16:55:46 +02:00 · 2022-04-19 16:55:46 +02:00 · 9665368755
commit 9665368755
parent c3889a27f1
10 changed files with 43 additions and 51 deletions
--- a/app/controllers/api/auth_providers_controller.rb
+++ b/app/controllers/api/auth_providers_controller.rb
@ -96,7 +96,7 @@ class API::AuthProvidersController < API::ApiController
    elsif params['auth_provider']['providable_type'] == OpenIdConnectProvider.name
      params.require(:auth_provider)
            .permit(:name, :providable_type,
-                    providable_attributes: %i[id issuer discovery client_auth_method scope response_type response_mode display prompt
+                    providable_attributes: %i[id issuer discovery client_auth_method scope response_type prompt
                                              send_scope_to_token_endpoint post_logout_redirect_uri uid_field extra_authorize_params
                                              allow_authorize_params client__identifier client__secret client__redirect_uri
                                              client__scheme client__host client__port client__authorization_endpoint client__token_endpoint
--- a/app/frontend/src/javascript/components/authentication-provider/openid-connect-form.tsx
+++ b/app/frontend/src/javascript/components/authentication-provider/openid-connect-form.tsx
@ -112,17 +112,6 @@ export const OpenidConnectForm = <TFieldValues extends FieldValues, TContext ext
                  ]}
                  valueDefault={'code'}
                  control={control} />
-      <FormSelect id="providable_attributes.response_mode"
-                  label={t('app.admin.authentication.openid_connect_form.response_mode')}
-                  tooltip={<HtmlTranslate trKey="app.admin.authentication.openid_connect_form.response_mode_help_html" />}
-                  options={[
-                    { value: 'query', label: t('app.admin.authentication.openid_connect_form.response_mode_query') },
-                    { value: 'fragment', label: t('app.admin.authentication.openid_connect_form.response_mode_fragment') },
-                    { value: 'form_post', label: t('app.admin.authentication.openid_connect_form.response_mode_form_post') },
-                    { value: 'web_message', label: t('app.admin.authentication.openid_connect_form.response_mode_web_message') }
-                  ]}
-                  clearable
-                  control={control} />
      <FormSelect id="providable_attributes.prompt"
                  label={t('app.admin.authentication.openid_connect_form.prompt')}
                  tooltip={<HtmlTranslate trKey="app.admin.authentication.openid_connect_form.prompt_help_html" />}
--- a/app/frontend/src/javascript/models/authentication-provider.ts
+++ b/app/frontend/src/javascript/models/authentication-provider.ts
@ -47,8 +47,6 @@ export interface OpenIdConnectProvider {
  client_auth_method?: 'basic' | 'jwks',
  scope?: string,
  response_type?: 'code' | 'id_token',
-  response_mode?: 'query' | 'fragment' | 'form_post' | 'web_message',
-  display?: 'page' | 'popup' | 'touch' | 'wap',
  prompt?: 'none' | 'login' | 'consent' | 'select_account',
  send_scope_to_token_endpoint?: string,
  post_logout_redirect_uri?: string,
--- a/app/frontend/src/javascript/models/sso.ts
+++ b/app/frontend/src/javascript/models/sso.ts
@ -1,15 +1,15 @@

 export interface OpenIdConfiguration {
-  authorization_endpoint: string;
-  token_endpoint: string;
-  userinfo_endpoint: string;
-  jwks_uri: string;
-  registration_endpoint: string;
-  scopes_supported: string[];
-  response_types_supported: string[];
-  response_modes_supported: string[];
-  grant_types_supported: string[];
-  subject_types_supported: string[];
-  id_token_signing_alg_values_supported: string[];
-  code_challenge_methods_supported: string[];
+  authorization_endpoint: string,
+  token_endpoint: string,
+  userinfo_endpoint: string,
+  jwks_uri: string,
+  registration_endpoint: string,
+  scopes_supported: string[],
+  response_types_supported: string[],
+  response_modes_supported: string[],
+  grant_types_supported: string[],
+  subject_types_supported: string[],
+  id_token_signing_alg_values_supported: string[],
+  code_challenge_methods_supported: string[]
 }
--- a/app/models/open_id_connect_provider.rb
+++ b/app/models/open_id_connect_provider.rb
@ -19,6 +19,8 @@ class OpenIdConnectProvider < ApplicationRecord

  before_validation :set_post_logout_redirect_uri
  before_validation :set_client_scheme_host_port
+  before_validation :set_redirect_uri
+  before_validation :set_display

  def config
    OpenIdConnectProvider.columns.map(&:name).filter { |n| !n.start_with?('client__') && n != 'profile_url' }.map do |n|
@ -38,6 +40,18 @@ class OpenIdConnectProvider < ApplicationRecord
    self.post_logout_redirect_uri = "#{ENV.fetch('DEFAULT_PROTOCOL')}://#{ENV.fetch('DEFAULT_HOST')}/sessions/sign_out"
  end

+  def set_redirect_uri
+    self.client__redirect_uri = "#{ENV.fetch('DEFAULT_PROTOCOL')}://#{ENV.fetch('DEFAULT_HOST')}/users/auth/#{auth_provider.strategy_name}/callback"
+  end
+
+  def set_display
+    self.display = 'page'
+  end
+
+  def set_response_mode
+    self.response_mode = 'query'
+  end
+
  def set_client_scheme_host_port
    require 'uri'

--- a/app/models/user.rb
+++ b/app/models/user.rb
@ -219,7 +219,7 @@ class User < ApplicationRecord
        logger.debug "mapping info #{key} with value=#{value}"
        user.set_data_from_sso_mapping(key, value)
      end
-      logger.debug "generating a new password"
+      logger.debug 'generating a new password'
      user.password = Devise.friendly_token[0, 20]
    end
  end
--- a/app/views/api/auth_providers/show.json.jbuilder
+++ b/app/views/api/auth_providers/show.json.jbuilder
@ -12,10 +12,9 @@ end

 if @provider.providable_type == OpenIdConnectProvider.name
  json.providable_attributes do
-    json.extract! @provider.providable, :id, :issuer, :discovery, :client_auth_method, :scope, :response_type, :response_mode, :display,
-                  :prompt, :send_scope_to_token_endpoint, :post_logout_redirect_uri, :uid_field, :extra_authorize_params,
-                  :allow_authorize_params, :client__identifier, :client__secret, :client__redirect_uri, :client__scheme,
-                  :client__host, :client__port, :client__authorization_endpoint, :client__token_endpoint, :client__userinfo_endpoint,
-                  :client__jwks_uri, :client__end_session_endpoint, :profile_url
+    json.extract! @provider.providable, :id, :issuer, :discovery, :client_auth_method, :scope, :response_type,
+                  :prompt, :send_scope_to_token_endpoint, :post_logout_redirect_uri, :uid_field, :client__identifier, :client__secret,
+                  :client__redirect_uri, :client__scheme, :client__host, :client__port, :client__authorization_endpoint,
+                  :client__token_endpoint, :client__userinfo_endpoint, :client__jwks_uri, :client__end_session_endpoint, :profile_url
  end
 end
--- a/config/locales/app.admin.en.yml
+++ b/config/locales/app.admin.en.yml
@ -1114,12 +1114,6 @@ en:
          response_type_help: "Which OpenID response type to use with the authorization request. This is usually 'code'"
          response_type_code: "Code"
          response_type_id_token: "Id token"
-          response_mode: "Response mode"
-          response_mode_help_html: "Specifies the method to use to send the resulting authorization code to Fab-manager. <br> <b>Query</b> - the authorization code is included in the redirect URL. <br> <b>Fragment</b> - the authorization code is included in the redirect URL as a URL fragment. <br> <b>Form post</b> - the authorization code is included in a POST body. <br> <b>Web message</b> - the authorization code uses HTML5 Web Messaging (a.k.a window.postMessage())."
-          response_mode_query: "Query"
-          response_mode_fragment: "Fragment"
-          response_mode_form_post: "Form post"
-          response_mode_web_message: "Web message"
          prompt: "Prompt"
          prompt_help_html: "Which OpenID pages the user will be shown. <br> <b>None</b> - no authentication or consent user interface pages are shown. <br> <b>Login</b> - the authorization server prompt the user for reauthentication. <br> <b>Consent</b> - the authorization server prompt the user for consent before returning information to Fab-manager. <br> <b>Select account</b> - the authorization server prompt the user to select a user account."
          prompt_none: "None"
@ -1149,6 +1143,8 @@ en:
          name: "Name"
          authentication_type: "Authentication type"
          save: "Save"
+          create_success: "Authentication provider created"
+          update_success: "Authentication provider updated"
          methods:
            local_database: "Local database"
            oauth2: "OAuth 2.0"
--- a/db/migrate/20220328141618_create_open_id_connect_providers.rb
+++ b/db/migrate/20220328141618_create_open_id_connect_providers.rb
@ -16,8 +16,6 @@ class CreateOpenIdConnectProviders < ActiveRecord::Migration[5.2]
      t.boolean :send_scope_to_token_endpoint
      t.string :post_logout_redirect_uri
      t.string :uid_field
-      t.string :extra_authorize_params
-      t.string :allow_authorize_params
      t.string :client__identifier
      t.string :client__secret
      t.string :client__redirect_uri
--- a/db/schema.rb
+++ b/db/schema.rb
@ -19,8 +19,8 @@ ActiveRecord::Schema.define(version: 2022_03_28_145017) do
  enable_extension "unaccent"

  create_table "abuses", id: :serial, force: :cascade do |t|
-    t.string "signaled_type"
    t.integer "signaled_id"
+    t.string "signaled_type"
    t.string "first_name"
    t.string "last_name"
    t.string "email"
@ -49,8 +49,8 @@ ActiveRecord::Schema.define(version: 2022_03_28_145017) do
    t.string "locality"
    t.string "country"
    t.string "postal_code"
-    t.string "placeable_type"
    t.integer "placeable_id"
+    t.string "placeable_type"
    t.datetime "created_at"
    t.datetime "updated_at"
  end
@ -64,8 +64,8 @@ ActiveRecord::Schema.define(version: 2022_03_28_145017) do
  end

  create_table "assets", id: :serial, force: :cascade do |t|
-    t.string "viewable_type"
    t.integer "viewable_id"
+    t.string "viewable_type"
    t.string "attachment"
    t.string "type"
    t.datetime "created_at"
@ -146,8 +146,8 @@ ActiveRecord::Schema.define(version: 2022_03_28_145017) do
  end

  create_table "credits", id: :serial, force: :cascade do |t|
-    t.string "creditable_type"
    t.integer "creditable_id"
+    t.string "creditable_type"
    t.integer "plan_id"
    t.integer "hours"
    t.datetime "created_at"
@ -369,15 +369,15 @@ ActiveRecord::Schema.define(version: 2022_03_28_145017) do

  create_table "notifications", id: :serial, force: :cascade do |t|
    t.integer "receiver_id"
-    t.string "attached_object_type"
    t.integer "attached_object_id"
+    t.string "attached_object_type"
    t.integer "notification_type_id"
    t.boolean "is_read", default: false
    t.datetime "created_at"
    t.datetime "updated_at"
    t.string "receiver_type"
    t.boolean "is_send", default: false
-    t.jsonb "meta_data", default: "{}"
+    t.jsonb "meta_data", default: {}
    t.index ["notification_type_id"], name: "index_notifications_on_notification_type_id"
    t.index ["receiver_id"], name: "index_notifications_on_receiver_id"
  end
@ -423,8 +423,6 @@ ActiveRecord::Schema.define(version: 2022_03_28_145017) do
    t.boolean "send_scope_to_token_endpoint"
    t.string "post_logout_redirect_uri"
    t.string "uid_field"
-    t.string "extra_authorize_params"
-    t.string "allow_authorize_params"
    t.string "client__identifier"
    t.string "client__secret"
    t.string "client__redirect_uri"
@ -572,8 +570,8 @@ ActiveRecord::Schema.define(version: 2022_03_28_145017) do
  create_table "prices", id: :serial, force: :cascade do |t|
    t.integer "group_id"
    t.integer "plan_id"
-    t.string "priceable_type"
    t.integer "priceable_id"
+    t.string "priceable_type"
    t.integer "amount"
    t.datetime "created_at", null: false
    t.datetime "updated_at", null: false
@ -683,8 +681,8 @@ ActiveRecord::Schema.define(version: 2022_03_28_145017) do
    t.text "message"
    t.datetime "created_at"
    t.datetime "updated_at"
-    t.string "reservable_type"
    t.integer "reservable_id"
+    t.string "reservable_type"
    t.integer "nb_reserve_places"
    t.integer "statistic_profile_id"
    t.index ["reservable_type", "reservable_id"], name: "index_reservations_on_reservable_type_and_reservable_id"
@ -693,8 +691,8 @@ ActiveRecord::Schema.define(version: 2022_03_28_145017) do

  create_table "roles", id: :serial, force: :cascade do |t|
    t.string "name"
-    t.string "resource_type"
    t.integer "resource_id"
+    t.string "resource_type"
    t.datetime "created_at"
    t.datetime "updated_at"
    t.index ["name", "resource_type", "resource_id"], name: "index_roles_on_name_and_resource_type_and_resource_id"