Updated OIDC module and development setup

Author: rimi-itk

composer.lock

@@ -9,11 +9,14 @@ settings:
   client_id: client-id
   client_secret: '[client-secret]'
   iss_allowed_domains: ''
+  prompt:
+    - login
   issuer_url: ''
-  authorization_endpoint: 'https://idp-citizen.os2loop.local.itkdev.dk/connect/authorize'
-  token_endpoint: 'https://idp-citizen.os2loop.local.itkdev.dk/connect/token'
+  authorization_endpoint: 'https://idp-employee.os2loop.local.itkdev.dk/oauth2/authorize'
+  # This URL makes sense only for the phpfpm service.
+  token_endpoint: 'http://idp-employee:9400/oauth2/token'
   userinfo_endpoint: ''
-  end_session_endpoint: 'https://idp-citizen.os2loop.local.itkdev.dk/connect/endsession'
+  end_session_endpoint: 'https://idp-employee.os2loop.local.itkdev.dk/oauth2/end_session'
   scopes:
     - openid
     - email

config/sync/openid_connect.client.generic.yml

@@ -2,13 +2,12 @@ always_save_userinfo: true
 connect_existing_users: true
 override_registration_settings: true
 end_session_enabled: true
-user_login_display: above
+user_login_display: replace
 redirect_login: /user
 redirect_logout: /
 userinfo_mappings:
-  timezone: zoneinfo
-  os2loop_user_family_name: family_name
-  os2loop_user_given_name: given_name
+  os2loop_user_city: family_name
+  os2loop_user_external_list: given_name
 role_mappings:
   os2loop_user_administrator:
     - administrator
@@ -28,3 +27,4 @@ role_mappings:
     - post_author
   os2loop_user_user_administrator:
     - user_administrator
+autostart_login: true

config/sync/openid_connect.settings.yml

@@ -0,0 +1,34 @@
+services:
+  idp-employee:
+    image: ghcr.io/geigerzaehler/oidc-provider-mock:latest
+    networks:
+      - app
+      - frontend
+    labels:
+      - "traefik.enable=true"
+      - "traefik.docker.network=frontend"
+      - "traefik.http.routers.idp-employee_${COMPOSE_PROJECT_NAME:?}.rule=Host(`idp-employee.${COMPOSE_DOMAIN:?}`)"
+      - "traefik.http.services.idp-employee_${COMPOSE_PROJECT_NAME:?}.loadbalancer.server.port=9400"
+    command:
+      [
+        "--user-claims",
+        '{"sub": "user", "email": "user@example.com", "groups": ["authenticated"]}',
+        "--user-claims",
+        '{"sub": "administrator", "email": "administrator@example.com", "groups": ["os2loop_user_administrator"]}',
+        "--user-claims",
+        '{"sub": "user_administrator", "email": "user_administrator@example.com", "groups": ["os2loop_user_user_administrator"]}',
+        "--user-claims",
+        '{"sub": "manager", "email": "manager@example.com", "groups": ["os2loop_user_manager"]}',
+        "--user-claims",
+        '{"sub": "documentation_coordinator", "email": "documentation_coordinator@example.com", "groups": ["os2loop_user_documentation_coordinator"]}',
+        "--user-claims",
+        '{"sub": "document_collection_editor", "email": "document_collection_editor@example.com", "groups": ["os2loop_user_document_collection_editor"]}',
+        "--user-claims",
+        '{"sub": "document_author", "email": "document_author@example.com", "groups": ["os2loop_user_document_author"]}',
+        "--user-claims",
+        '{"sub": "external_sources_editor", "email": "external_sources_editor@example.com", "groups": ["os2loop_user_external_sources_editor"]}',
+        "--user-claims",
+        '{"sub": "post_author", "email": "post_author@example.com", "groups": ["os2loop_user_post_author"]}',
+        "--user-claims",
+        '{"sub": "read_only", "email": "read_only@example.com", "groups": ["os2loop_user_read_only"]}',
+      ]

docker-compose.oidc.yml

@@ -1,3 +1,6 @@
+include:
+  - docker-compose.oidc.yml
+
 services:
   node:
     image: node:20
@@ -16,123 +19,3 @@ services:
     environment:
       # Match PHP_MAX_EXECUTION_TIME above
       - NGINX_FASTCGI_READ_TIMEOUT=300
-
-  idp-citizen:
-    image: ghcr.io/soluto/oidc-server-mock:0.8.6
-    profiles:
-      - oidc
-      - test
-    # Let this container be accessible both internally and externally on the same domain.
-    container_name: idp-citizen.${COMPOSE_DOMAIN}
-    networks:
-      - app
-      - frontend
-    ports:
-      # https://github.com/Soluto/oidc-server-mock?tab=readme-ov-file#https
-      # - '80'
-      - "443"
-    volumes:
-      - .:/tmp/config:ro
-    labels:
-      - "traefik.enable=true"
-      - "traefik.docker.network=frontend"
-      - "traefik.http.routers.${COMPOSE_PROJECT_NAME}_idp-citizen.rule=Host(`idp-citizen.${COMPOSE_DOMAIN}`)"
-      - "traefik.http.services.${COMPOSE_PROJECT_NAME}_idp-citizen.loadbalancer.server.port=443"
-      - "traefik.http.services.${COMPOSE_PROJECT_NAME}_idp-citizen.loadbalancer.server.scheme=https"
-      - "traefik.http.routers.${COMPOSE_PROJECT_NAME}_idp-citizen.middlewares=redirect-to-https"
-      - "traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https"
-
-    environment:
-      # https://github.com/Soluto/oidc-server-mock?tab=readme-ov-file#https
-      ASPNETCORE_URLS: https://+:443;http://+:80
-      ASPNETCORE_Kestrel__Certificates__Default__Password: mock
-      ASPNETCORE_Kestrel__Certificates__Default__Path: /tmp/config/.docker/oidc-server-mock/cert/docker.pfx
-
-      ASPNETCORE_ENVIRONMENT: Development
-      SERVER_OPTIONS_INLINE: |
-        AccessTokenJwtType: JWT
-        Discovery:
-          ShowKeySet: true
-        Authentication:
-          CookieSameSiteMode: Lax
-          CheckSessionCookieSameSiteMode: Lax
-
-      LOGIN_OPTIONS_INLINE: |
-        {
-          "AllowRememberLogin": false
-        }
-
-      LOGOUT_OPTIONS_INLINE: |
-        {
-          "AutomaticRedirectAfterSignOut": true
-        }
-
-      CLIENTS_CONFIGURATION_INLINE: |
-        - ClientId: client-id
-          ClientSecrets: [client-secret]
-          Description: Mock IdP
-          AllowedGrantTypes:
-            # - client_credentials
-            # - implicit
-            - authorization_code
-          # https://github.com/Soluto/oidc-server-mock/issues/46#issuecomment-704963181
-          RequireClientSecret: false
-          AllowAccessTokensViaBrowser: true
-          # https://github.com/Soluto/oidc-server-mock/issues/26#issuecomment-705022941
-          AlwaysIncludeUserClaimsInIdToken: true
-          AllowedScopes:
-            - openid
-            - profile
-            - email
-          ClientClaimsPrefix: ''
-          RedirectUris:
-            - '*'
-          # https://github.com/Soluto/oidc-server-mock/issues/60
-          PostLogoutRedirectUris:
-            - '*'
-          # https://github.com/Soluto/oidc-server-mock/issues/46#issuecomment-704845375
-          RequirePkce: false
-
-      # Needed to set custom claim types in "profile"
-      # https://github.com/Soluto/oidc-server-mock/issues/123#issuecomment-1427129278
-      # https://github.com/Soluto/oidc-server-mock/blob/master/README.md#simple-configuration
-      # https://docs.docker.com/compose/compose-file/compose-file-v3/#environment
-      OVERRIDE_STANDARD_IDENTITY_RESOURCES: "true"
-      IDENTITY_RESOURCES_INLINE: |
-        # https://auth0.com/docs/get-started/apis/scopes/openid-connect-scopes#standard-claims
-        - Name: openid
-          ClaimTypes:
-            - sub
-        - Name: email
-          ClaimTypes:
-            - email
-        - Name: profile
-          ClaimTypes:
-            # Add your custom claims here
-            - dk_ssn
-            - name
-            - email
-            - zip
-            - uuid
-
-      USERS_CONFIGURATION_INLINE: |
-        - SubjectId: 1
-          Username: citizen1
-          Password: citizen1
-          Claims:
-            # Claims added here must be defined above in IDENTITY_RESOURCES_INLINE
-          - Type: dk_ssn
-            Value: '1111111111'
-            ValueType: string
-          - Type: name
-            Value: 'Anders And'
-            ValueType: string
-          - Type: email
-            Value: admin@example.com
-            ValueType: string
-          - Type: zip
-            Value: '1111'
-            ValueType: string
-          - Type: uuid
-            Value: '11111111-1111-1111-1111-111111111111'
-            ValueType: string