From 2ed6ac26a5b9721cc353265d63579d436f93f965 Mon Sep 17 00:00:00 2001
From: Daniel von Atzigen
Date: Wed, 15 May 2024 15:07:23 +0200
Subject: [PATCH] Configure local oidc server

Remove duplicate import
---
 README.md                                    |  2 +-
 .../src/app/jwt/jwt-middleware.ts             |  5 ++-
 development/docker-compose.yaml              | 32 ++++++++------
 development/init/oidc/oidc-mock-clients.json | 14 +++--
 development/init/oidc/oidc-mock-users.json   | 44 ++++++++++++-------
 5 files changed, 56 insertions(+), 41 deletions(-)

diff --git a/README.md b/README.md
index 4cdac6f2..17768251 100644
--- a/README.md
+++ b/README.md
@@ -98,7 +98,7 @@ To do so, use the following commands.
 Be aware that you need to manually insert the `{DB_*}` values beforehand.
 ```bash
 cd development
-docker compose exec db sh -c 'pg_dump --dbname=postgresql://{DB_USERNAME}:{DB_PASSWORD}@{DB_HOST}:5432/{DB_DATABASE} --data-only --exclude-table asset_user -n public > /dump.sql'
+docker compose exec db sh -c 'pg_dump --dbname=postgresql://{DB_USERNAME}:{DB_PASSWORD}@{DB_HOST}:5432/{DB_DATABASE} --data-only --exclude-table asset_user _prisma_migrations -n public > /dump.sql'
 ```
 > The export will output warnings related to circular foreign-key constraints.
 > These can be safely ignored.
diff --git a/apps/server-asset-sg/src/app/jwt/jwt-middleware.ts b/apps/server-asset-sg/src/app/jwt/jwt-middleware.ts
index 2570d9f9..054a86b8 100644
--- a/apps/server-asset-sg/src/app/jwt/jwt-middleware.ts
+++ b/apps/server-asset-sg/src/app/jwt/jwt-middleware.ts
@@ -117,9 +117,12 @@ export class JwtMiddleware implements NestMiddleware {
   }
 
   private getJwkTE(): TE.TaskEither {
+    const jwksPath = environment.production
+      ? '/.well-known/jwks.json'
+      : '/.well-known/openid-configuration/jwks';
     return pipe(
       TE.tryCatch(
-        () => axios.get(`${process.env.OAUTH_ISSUER}/.well-known/jwks.json`),
+        () => axios.get(`${process.env.OAUTH_ISSUER}${jwksPath}`),
         reason => new Error(`${reason}`),
       ),
       TE.map(response => response.data.keys),
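Review bot: The JWKS path is selected by the `environment.production` build flag rather than by the issuer, so a non-production build pointed at the real issuer (or a production build pointed at the mock) fetches a URL that does not exist there and, presumably, every token then fails verification. Since `OAUTH_ISSUER` is already configuration, the path should come from configuration too, e.g. `const jwksPath = process.env.OAUTH_JWKS_PATH ?? '/.well-known/jwks.json';`, or be resolved from the `jwks_uri` field of `${OAUTH_ISSUER}/.well-known/openid-configuration`, which works for both servers without a code-level switch. Whichever is kept, the two literal paths deserve a comment naming which identity provider each belongs to, e.g. `// Cognito serves jwks.json; the local oidc-server-mock serves openid-configuration/jwks`. The `pipe(...)` in getJwkTE continues past the end of the hunk.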
diff --git a/development/docker-compose.yaml b/development/docker-compose.yaml
index 149e0877..05478017 100644
--- a/development/docker-compose.yaml
+++ b/development/docker-compose.yaml
@@ -119,24 +119,25 @@ services:
     environment:
       - ServerOptions__HostName=smtp4dev
 
-  oidc-server:
+  oidc:
     container_name: swissgeol-assets-oidc
-    image: soluto/oidc-server-mock
+    image: ghcr.io/soluto/oidc-server-mock
     restart: unless-stopped
     ports:
-      - "4011:80"
+      - "4011:8080"
     environment:
       CLIENTS_CONFIGURATION_PATH: /tmp/config/clients-config.json
       USERS_CONFIGURATION_PATH: /tmp/config/users-config.json
-      IDENTITY_RESOURCES_INLINE: |
-        [
-          {
-            "Name": "local_groups_scope",
-            "ClaimTypes": [
-              "local_groups_claim"
-            ]
-          }
-        ]
+      API_SCOPES_INLINE: |
+        [
+          {
+            "Name": "cognito",
+            "UserClaims": [
+              "cognito:groups",
+              "username"
+            ]
+          }
+        ]
       SERVER_OPTIONS_INLINE: |
         {
           "IssuerUri": "http://localhost:4011",
@@ -147,8 +148,13 @@ services:
           "Authentication": {
             "CookieSameSiteMode": "Lax",
             "CheckSessionCookieSameSiteMode": "Lax"
+          },
+          "KeyManagement": {
+            "Enabled": true,
+            "KeyPath": "/tmp/data/keys"
           }
         }
     volumes:
       - ./init/oidc/oidc-mock-clients.json:/tmp/config/clients-config.json:ro
-      - ./init/oidc/oidc-mock-users.json:/tmp/config/users-config.json:ro
+      - ./init/oidc/oidc-mock-users.json:/tmp/config/users-config.json:ro
+      - ./volumes/oidc/keys:/tmp/data/keys
diff --git a/development/init/oidc/oidc-mock-clients.json b/development/init/oidc/oidc-mock-clients.json
index 1d4a1b3d..209a9260 100644
--- a/development/init/oidc/oidc-mock-clients.json
+++ b/development/init/oidc/oidc-mock-clients.json
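Review bot: `"4011:8080"` publishes the mock identity provider on every host interface, and since the fixture users in this patch sign in with passwords like `admin`/`admin`, anyone who can reach the host on the network can obtain tokens that the local application trusts; bind the port to loopback instead: `- "127.0.0.1:4011:8080"`, which also matches the `IssuerUri` of `http://localhost:4011`. Separately, the new `image: ghcr.io/soluto/oidc-server-mock` carries no tag, so every `docker compose pull` floats to whatever `latest` is at the time; pin a tag (or a digest) so that the issuer's behaviour, and the `/.well-known/openid-configuration/jwks` path the middleware now depends on, cannot change underneath the team.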
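Review bot: The new `./volumes/oidc/keys` bind mount persists the mock's token-signing keys on the host inside the repository tree, and nothing in this patch shows an ignore rule for it; unless `development/volumes/` is already covered by `.gitignore`, add it, since a committed signing key would let anyone mint tokens accepted by every developer environment using that key. The mount is intentionally read-write (the server generates the keys), so that line also warrants a comment stating the intent, e.g. `# generated signing keys, persisted so dev tokens survive restarts; never commit`.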
@@ -1,15 +1,11 @@
 [{
-  "ClientId": "assets-client",
-  "Description": "Client for Authorization Code flow with PKCE",
+  "ClientId": "assets",
+  "Description": "swisstopo assets",
   "RequireClientSecret": false,
   "AlwaysIncludeUserClaimsInIdToken": true,
   "AllowedGrantTypes": [
     "authorization_code"
   ],
-  "AllowedResponseTypes": [
-    "code",
-    "id_token"
-  ],
   "AllowAccessTokensViaBrowser": true,
   "RedirectUris": [
     "http://localhost:4200"
@@ -20,10 +16,10 @@
   "AllowedScopes": [
     "openid",
     "profile",
-    "local_groups_scope"
+    "email",
+    "cognito"
   ],
   "AccessTokenType": "JWT",
   "IdentityTokenLifetime": 3600,
   "AccessTokenLifetime": 3600
-}
-]
+}]
diff --git a/development/init/oidc/oidc-mock-users.json b/development/init/oidc/oidc-mock-users.json
index c2919e49..6ec00608 100644
--- a/development/init/oidc/oidc-mock-users.json
+++ b/development/init/oidc/oidc-mock-users.json
@@ -1,17 +1,17 @@
 [
   {
-    "SubjectId":"10f95aa3-fb95-41eb-b754-5f729a092e30",
-    "Username":"admin@swissgeol.assets",
-    "Password":"swissgeol_assets",
+    "SubjectId":"379a20e6-6a5d-4390-93ca-d408613e854d",
+    "Username":"admin",
+    "Password":"admin",
     "Claims": [
       {
         "Type": "name",
-        "Value": "Admin User",
+        "Value": "Admin",
         "ValueType": "string"
       },
       {
         "Type": "family_name",
-        "Value": "User",
+        "Value": "Admin",
         "ValueType": "string"
       },
       {
@@ -21,7 +21,7 @@
       },
       {
         "Type": "email",
-        "Value": "admin.user@local.dev",
+        "Value": "admin@assets.swissgeol.ch",
         "ValueType": "string"
       },
       {
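Review bot: The hunk drops the only mention of PKCE (the old `Description`) while `RequireClientSecret: false` keeps this a public client, and nothing in the file sets `RequirePkce`, so whether the authorization-code flow can be used without a code verifier depends on the mock's default. Make the intent explicit so it no longer depends on the image version: add `"RequirePkce": true,` directly after `"RequireClientSecret": false,`. Removing `AllowedResponseTypes` is fine as `authorization_code` is the only grant left.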
@@ -30,35 +30,40 @@
         "ValueType": "boolean"
       },
       {
-        "Type": "local_groups_claim",
-        "Value": "[\"boreholes_dev_group\"]",
+        "Type": "cognito:groups",
+        "Value": "[\"assets.swissgeol\"]",
         "ValueType": "json"
+      },
+      {
+        "Type": "username",
+        "Value": "1_admin@assets.swissgeol.ch",
+        "ValueType": "string"
       }
     ]
   },
   {
-    "SubjectId":"sub_editor",
-    "Username":"editor",
-    "Password":"swissforages",
+    "SubjectId":"e06ad465-3adc-4ad7-bee5-ff0605a4b928",
+    "Username":"viewer",
+    "Password":"viewer",
     "Claims": [
       {
         "Type": "name",
-        "Value": "Editor User",
+        "Value": "Viewer",
         "ValueType": "string"
       },
       {
         "Type": "family_name",
-        "Value": "User",
+        "Value": "Viewer",
         "ValueType": "string"
       },
       {
         "Type": "given_name",
-        "Value": "Editor",
+        "Value": "Viewer",
         "ValueType": "string"
       },
       {
         "Type": "email",
-        "Value": "editor.user@local.dev",
+        "Value": "viewer@assets.swissgeol.ch",
         "ValueType": "string"
       },
       {
@@ -67,9 +72,14 @@
         "ValueType": "boolean"
       },
       {
-        "Type": "local_groups_claim",
-        "Value": "[\"boreholes_dev_group\"]",
+        "Type": "cognito:groups",
+        "Value": "[\"assets.swissgeol\"]",
         "ValueType": "json"
+      },
+      {
+        "Type": "username",
+        "Value": "2_viewer@assets.swissgeol.ch",
+        "ValueType": "string"
       }
     ]
   }
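Review bot: Both fixture users receive the identical `cognito:groups` value `["assets.swissgeol"]`, so the token alone does not distinguish the `viewer` account from `admin`; if the application derives roles from that claim (this patch does not show where roles come from), the viewer fixture is effectively a second admin and a "viewer cannot edit" test would pass for the wrong reason. Either give the second user a distinct group value, or record in the README next to the mock-user credentials that roles are assigned by the application from the `username` claim rather than from groups — confirm which before merging. Note also that the users file uses the unquoted-style `"Username":"viewer"` while the new claims use `"Type": "username"`; harmless, but worth normalising for grep-ability.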