OpenID Connect cleanup

CHANGELOG.md

@@ -8,6 +8,8 @@ Versioning](https://semver.org/spec/v2.0.0.html).
 
 ## [Unreleased]
 
+- [PR-385](https://github.com/itk-dev/os2loop/pull/385)
+  Cleaned up OpenID Connect settings and removed some obsolete custom settings
 - [PR-384](https://github.com/itk-dev/os2loop/pull/384)
   Set access permission on search view
 - [PR-383](https://github.com/itk-dev/os2loop/pull/383)

config/sync/openid_connect.client.generic.yml

@@ -10,10 +10,12 @@ settings:
   client_secret: '[client-secret]'
   iss_allowed_domains: ''
   issuer_url: ''
-  authorization_endpoint: 'https://idp-citizen.os2loop.local.itkdev.dk/connect/authorize'
-  token_endpoint: 'https://idp-citizen.os2loop.local.itkdev.dk/connect/token'
+  authorization_endpoint: 'https://idp-employee.os2loop.local.itkdev.dk/oauth2/authorize'
+  token_endpoint: 'http://idp-employee:9400/oauth2/token'
   userinfo_endpoint: ''
-  end_session_endpoint: 'https://idp-citizen.os2loop.local.itkdev.dk/connect/endsession'
+  end_session_endpoint: 'https://idp-employee.os2loop.local.itkdev.dk/oauth2/end_session'
   scopes:
     - openid
     - email
+  prompt:
+    - login

config/sync/openid_connect.settings.yml

@@ -2,13 +2,12 @@ always_save_userinfo: true
 connect_existing_users: true
 override_registration_settings: true
 end_session_enabled: true
-user_login_display: above
+user_login_display: replace
 redirect_login: /user
 redirect_logout: /
 userinfo_mappings:
-  timezone: zoneinfo
-  os2loop_user_family_name: family_name
-  os2loop_user_given_name: given_name
+  os2loop_user_city: family_name
+  os2loop_user_external_list: given_name
 role_mappings:
   os2loop_user_administrator:
     - administrator
@@ -28,3 +27,4 @@ role_mappings:
     - post_author
   os2loop_user_user_administrator:
     - user_administrator
+autostart_login: true

docker-compose.oidc.yml

@@ -0,0 +1,34 @@
+services:
+  idp-employee:
+    image: ghcr.io/geigerzaehler/oidc-provider-mock:latest
+    networks:
+      - app
+      - frontend
+    labels:
+      - "traefik.enable=true"
+      - "traefik.docker.network=frontend"
+      - "traefik.http.routers.idp-employee_${COMPOSE_PROJECT_NAME:?}.rule=Host(`idp-employee.${COMPOSE_DOMAIN:?}`)"
+      - "traefik.http.services.idp-employee_${COMPOSE_PROJECT_NAME:?}.loadbalancer.server.port=9400"
+    command:
+      [
+        "--user-claims",
+        '{"sub": "user", "email": "user@example.com", "groups": ["authenticated"]}',
+        "--user-claims",
+        '{"sub": "administrator", "email": "administrator@example.com", "groups": ["os2loop_user_administrator"]}',
+        "--user-claims",
+        '{"sub": "user_administrator", "email": "user_administrator@example.com", "groups": ["os2loop_user_user_administrator"]}',
+        "--user-claims",
+        '{"sub": "manager", "email": "manager@example.com", "groups": ["os2loop_user_manager"]}',
+        "--user-claims",
+        '{"sub": "documentation_coordinator", "email": "documentation_coordinator@example.com", "groups": ["os2loop_user_documentation_coordinator"]}',
+        "--user-claims",
+        '{"sub": "document_collection_editor", "email": "document_collection_editor@example.com", "groups": ["os2loop_user_document_collection_editor"]}',
+        "--user-claims",
+        '{"sub": "document_author", "email": "document_author@example.com", "groups": ["os2loop_user_document_author"]}',
+        "--user-claims",
+        '{"sub": "external_sources_editor", "email": "external_sources_editor@example.com", "groups": ["os2loop_user_external_sources_editor"]}',
+        "--user-claims",
+        '{"sub": "post_author", "email": "post_author@example.com", "groups": ["os2loop_user_post_author"]}',
+        "--user-claims",
+        '{"sub": "read_only", "email": "read_only@example.com", "groups": ["os2loop_user_read_only"]}',
+      ]

docker-compose.override.yml

@@ -1,3 +1,6 @@
+include:
+  - docker-compose.oidc.yml
+
 services:
   node:
     image: node:20
@@ -16,123 +19,3 @@ services:
     environment:
       # Match PHP_MAX_EXECUTION_TIME above
       - NGINX_FASTCGI_READ_TIMEOUT=300
-
-  idp-citizen:
-    image: ghcr.io/soluto/oidc-server-mock:0.8.6
-    profiles:
-      - oidc
-      - test
-    # Let this container be accessible both internally and externally on the same domain.
-    container_name: idp-citizen.${COMPOSE_DOMAIN}
-    networks:
-      - app
-      - frontend
-    ports:
-      # https://github.com/Soluto/oidc-server-mock?tab=readme-ov-file#https
-      # - '80'
-      - "443"
-    volumes:
-      - .:/tmp/config:ro
-    labels:
-      - "traefik.enable=true"
-      - "traefik.docker.network=frontend"
-      - "traefik.http.routers.${COMPOSE_PROJECT_NAME}_idp-citizen.rule=Host(`idp-citizen.${COMPOSE_DOMAIN}`)"
-      - "traefik.http.services.${COMPOSE_PROJECT_NAME}_idp-citizen.loadbalancer.server.port=443"
-      - "traefik.http.services.${COMPOSE_PROJECT_NAME}_idp-citizen.loadbalancer.server.scheme=https"
-      - "traefik.http.routers.${COMPOSE_PROJECT_NAME}_idp-citizen.middlewares=redirect-to-https"
-      - "traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https"
-
-    environment:
-      # https://github.com/Soluto/oidc-server-mock?tab=readme-ov-file#https
-      ASPNETCORE_URLS: https://+:443;http://+:80
-      ASPNETCORE_Kestrel__Certificates__Default__Password: mock
-      ASPNETCORE_Kestrel__Certificates__Default__Path: /tmp/config/.docker/oidc-server-mock/cert/docker.pfx
-
-      ASPNETCORE_ENVIRONMENT: Development
-      SERVER_OPTIONS_INLINE: |
-        AccessTokenJwtType: JWT
-        Discovery:
-          ShowKeySet: true
-        Authentication:
-          CookieSameSiteMode: Lax
-          CheckSessionCookieSameSiteMode: Lax
-
-      LOGIN_OPTIONS_INLINE: |
-        {
-          "AllowRememberLogin": false
-        }
-
-      LOGOUT_OPTIONS_INLINE: |
-        {
-          "AutomaticRedirectAfterSignOut": true
-        }
-
-      CLIENTS_CONFIGURATION_INLINE: |
-        - ClientId: client-id
-          ClientSecrets: [client-secret]
-          Description: Mock IdP
-          AllowedGrantTypes:
-            # - client_credentials
-            # - implicit
-            - authorization_code
-          # https://github.com/Soluto/oidc-server-mock/issues/46#issuecomment-704963181
-          RequireClientSecret: false
-          AllowAccessTokensViaBrowser: true
-          # https://github.com/Soluto/oidc-server-mock/issues/26#issuecomment-705022941
-          AlwaysIncludeUserClaimsInIdToken: true
-          AllowedScopes:
-            - openid
-            - profile
-            - email
-          ClientClaimsPrefix: ''
-          RedirectUris:
-            - '*'
-          # https://github.com/Soluto/oidc-server-mock/issues/60
-          PostLogoutRedirectUris:
-            - '*'
-          # https://github.com/Soluto/oidc-server-mock/issues/46#issuecomment-704845375
-          RequirePkce: false
-
-      # Needed to set custom claim types in "profile"
-      # https://github.com/Soluto/oidc-server-mock/issues/123#issuecomment-1427129278
-      # https://github.com/Soluto/oidc-server-mock/blob/master/README.md#simple-configuration
-      # https://docs.docker.com/compose/compose-file/compose-file-v3/#environment
-      OVERRIDE_STANDARD_IDENTITY_RESOURCES: "true"
-      IDENTITY_RESOURCES_INLINE: |
-        # https://auth0.com/docs/get-started/apis/scopes/openid-connect-scopes#standard-claims
-        - Name: openid
-          ClaimTypes:
-            - sub
-        - Name: email
-          ClaimTypes:
-            - email
-        - Name: profile
-          ClaimTypes:
-            # Add your custom claims here
-            - dk_ssn
-            - name
-            - email
-            - zip
-            - uuid
-
-      USERS_CONFIGURATION_INLINE: |
-        - SubjectId: 1
-          Username: citizen1
-          Password: citizen1
-          Claims:
-            # Claims added here must be defined above in IDENTITY_RESOURCES_INLINE
-          - Type: dk_ssn
-            Value: '1111111111'
-            ValueType: string
-          - Type: name
-            Value: 'Anders And'
-            ValueType: string
-          - Type: email
-            Value: admin@example.com
-            ValueType: string
-          - Type: zip
-            Value: '1111'
-            ValueType: string
-          - Type: uuid
-            Value: '11111111-1111-1111-1111-111111111111'
-            ValueType: string

web/profiles/custom/os2loop/modules/os2loop_user_login/README.md

@@ -7,14 +7,10 @@ Go to Administration › Configuration › OS2Loop › OS2Loop user login settin
 
 ## OpenID Connect
 
-The modules [OpenID Connect](https://www.drupal.org/project/openid_connect) and
-[OpenID Connect Microsoft Azure Active Directory
-client](https://www.drupal.org/project/openid_connect_windows_aad) are used for
-OpenID Connect login. *Note*: Eventhough it's called “OpenID Connect Microsoft
-Azure Active Directory client” it also work with other OpenID Connect identity
-providers.
-
-In the default configuration both login methods assume that the identitity
+The module [OpenID Connect](https://www.drupal.org/project/openid_connect) is
+used for OpenID Connect login.
+
+In the default configuration the login method assumes that the identitity
 provider returns a `name` claim which is used as the Drupal user name and that a
 `groups` claim is a list of groups that can be mapped to Drupal roles.
 
@@ -83,12 +79,16 @@ $config['openid_connect.client.generic']['settings']['authorization_endpoint'] =
 $config['openid_connect.client.generic']['settings']['token_endpoint'] = …; // Get this from your OpenID Connect Discovery endpoint
 // Optional
 $config['openid_connect.client.generic']['settings']['end_session_endpoint'] = …; // Get this from your OpenID Connect Discovery endpoint
+
+// Disable "Autostart login process"
+$config['openid_connect.settings']['autostart_login'] = false;
 ```
 
 Check your overwrites by running
 
 ```sh
 vendor/bin/drush config:get --include-overridden openid_connect.client.generic
+vendor/bin/drush config:get --include-overridden openid_connect.settings
 ```
 
 #### Groups to roles mapping

web/profiles/custom/os2loop/modules/os2loop_user_login/os2loop_user_login.module

@@ -5,18 +5,8 @@
  * The module file for os2loop_user_login.
  */
 
-use Drupal\Core\Form\FormStateInterface;
 use Drupal\user\UserInterface;
 
-/**
- * Implements hook_form_alter().
- *
- * @see \Drupal\os2loop_user_login\Helper\Helper::alterForm()
- */
-function os2loop_user_login_form_alter(&$form, FormStateInterface $form_state, $form_id) {
-  Drupal::service('os2loop_user_login.helper')->alterForm($form, $form_state, $form_id);
-}
-
 /**
  * Implements hook_menu_local_tasks_alter().
  *

web/profiles/custom/os2loop/modules/os2loop_user_login/src/Form/SettingsForm.php

@@ -73,37 +73,43 @@ public function buildForm(array $form, FormStateInterface $form_state) {
     $form['show_drupal_login'] = [
       '#type' => 'checkbox',
       '#title' => $this->t('Show Drupal login'),
-      '#default_value' => $config->get('show_drupal_login'),
+      '#default_value' => FALSE,
+      '#disabled' => TRUE,
       '#description' => $this->t(
-        'Show Drupal (username and password) login on user login page. If not enabled, the login form will still be visible if <a href="@login_url"><code>#drupal-login</code></a> is appended to the url (<a href="@login_url">@login_url</a>).',
+        'This option has been removed. This is now controlled by the "@config_title" setting in the <a href=":config_url">OpenID Connect settings</a>.',
         [
-          '@login_url' => Url::fromRoute('user.login', [], [
-            'absolute' => TRUE,
-            'fragment' => 'drupal-login',
-          ])->toString(),
-        ]),
+          '@config_title' => $this->t('OpenID buttons display in user login form'),
+          ':config_url' => Url::fromRoute('openid_connect.admin_settings')->toString(),
+        ],
+      ),
     ];
 
     $form['show_oidc_login'] = [
       '#type' => 'checkbox',
       '#title' => $this->t('Show OpenID Connect login'),
-      '#default_value' => $config->get('show_oidc_login'),
+      '#default_value' => FALSE,
+      '#disabled' => TRUE,
       '#description' => $this->t(
-        'Show OpenID Connect login button on user login page. Set up proper <a href="@config_url">OpenID Connect configuration</a> before enabling this.',
+        'This option has been removed. This is now controlled by the "@config_title" setting in the <a href=":config_url">OpenID Connect settings</a>.',
         [
-          '@config_url' => Url::fromRoute('openid_connect.admin_settings')->toString(),
-        ]
+          '@config_title' => $this->t('OpenID buttons display in user login form'),
+          ':config_url' => Url::fromRoute('openid_connect.admin_settings')->toString(),
+        ],
       ),
     ];
 
-    $options['oidc'] = $this->t('OpenID Connect');
     $form['default_login_method'] = [
       '#type' => 'select',
       '#title' => $this->t('Default login method'),
-      '#options' => $options,
-      '#empty_value' => '',
-      '#default_value' => $config->get('default_login_method'),
-      '#description' => $this->t('The default login method to use. If specified, anonymous users will automatically be logged in with this method.'),
+      '#default_value' => FALSE,
+      '#disabled' => TRUE,
+      '#description' => $this->t(
+        'This option has been removed. This is now controlled by the "@config_title" setting in the <a href=":config_url">OpenID Connect settings</a>.',
+        [
+          '@config_title' => $this->t('Autostart login process'),
+          ':config_url' => Url::fromRoute('openid_connect.admin_settings')->toString(),
+        ],
+      ),
     ];
 
     $form['hide_logout_menu_item'] = [
@@ -121,9 +127,6 @@ public function buildForm(array $form, FormStateInterface $form_state) {
    */
   public function submitForm(array &$form, FormStateInterface $form_state) {
     $this->configFactory->getEditable(static::SETTINGS_NAME)
-      ->set('show_drupal_login', $form_state->getValue('show_drupal_login'))
-      ->set('show_oidc_login', $form_state->getValue('show_oidc_login'))
-      ->set('default_login_method', $form_state->getValue('default_login_method'))
       ->set('hide_logout_menu_item', $form_state->getValue('hide_logout_menu_item'))
       ->save();