chore: eIAM cleanup

Dockerfile

@@ -3,21 +3,19 @@ FROM node:18
 RUN mkdir -p /usr/src/app
 WORKDIR /usr/src/app
 
-# build with 
+# build with
 # docker build \
 #   --build-arg COMMIT=$(git rev-parse HEAD) \
 #   --build-arg VECTOR_TILE_URL=<url of the vector service> \
 #   --build-arg MAPTILER_STYLE_KEY=<maptiler style key> \
 #   --build-arg ADFS_ID=<adfs client id> \
-#   --build-arg ADFS_SECRET=<adfs secret> \
 #   --build-arg ADFS_ISSUER=<adfs issuer> \
 #   --build-arg NEXTAUTH_SECRET=<nextauth secret> \
 #   --build-arg NEXTAUTH_URL=<nextauth url>
 ARG COMMIT
 ARG VECTOR_TILE_URL
 ARG MAPTILER_STYLE_KEY
 ARG ADFS_ID
-ARG ADFS_SECRET
 ARG ADFS_ISSUER
 ARG NEXTAUTH_SECRET
 ARG NEXTAUTH_URL
@@ -33,7 +31,6 @@ ENV NEXT_PUBLIC_COMMIT=$COMMIT
 ENV NEXT_PUBLIC_BASE_VECTOR_TILE_URL=$VECTOR_TILE_URL
 ENV NEXT_PUBLIC_MAPTILER_STYLE_KEY=$MAPTILER_STYLE_KEY
 ENV ADFS_ID=$ADFS_ID
-ENV ADFS_SECRET=$ADFS_SECRET
 ENV ADFS_ISSUER=$ADFS_ISSUER
 ENV NEXTAUTH_SECRET=$NEXTAUTH_SECRET
 ENV NEXTAUTH_URL=$NEXTAUTH_URL

app/domain/env.ts

@@ -51,7 +51,6 @@ export const GA_TRACKING_ID =
 
 export const DATABASE_URL = process.env.DATABASE_URL;
 export const ADFS_ID = process.env.ADFS_ID;
-export const ADFS_SECRET = process.env.ADFS_SECRET;
 export const ADFS_ISSUER = process.env.ADFS_ISSUER;
 
 /**

app/pages/api/auth/[...nextauth].ts

@@ -2,17 +2,17 @@ import NextAuth, { NextAuthOptions } from "next-auth";
 
 import ADFS from "@/auth-providers/adfs";
 import { ensureUserFromSub } from "@/db/user";
-import { ADFS_ID, ADFS_ISSUER, ADFS_SECRET } from "@/domain/env";
+import { ADFS_ID, ADFS_ISSUER } from "@/domain/env";
 import { truthy } from "@/domain/types";
 
 import type { NextApiRequest, NextApiResponse } from "next";
 
 const providers = [
-  ADFS_ID && ADFS_SECRET && ADFS_ISSUER
+  ADFS_ID && ADFS_ISSUER
     ? ADFS({
         wellKnown: `${ADFS_ISSUER}/.well-known/openid-configuration`,
         clientId: ADFS_ID,
-        clientSecret: ADFS_SECRET,
+        clientSecret: "", // PKCE does not require a client secret
         authorizeUrl: `${ADFS_ISSUER}/protocol/openid-connect/auth`,
         issuer: ADFS_ISSUER,
         token: `${ADFS_ISSUER}/protocol/openid-connect/token`,
@@ -45,7 +45,7 @@ export const nextAuthOptions = {
       return token;
     },
   },
-  debug: true,
+  debug: false,
 } as NextAuthOptions;
 
 export default async function auth(req: NextApiRequest, res: NextApiResponse) {

scripts/docker-build-push.sh

@@ -5,7 +5,7 @@
 # be used to tag the image that is built.
 # Multiple tags can be used and must be separated by spaces.
 
-# Fail on error, fail if environment variable is not set, fail if pipe fails 
+# Fail on error, fail if environment variable is not set, fail if pipe fails
 set -euo pipefail
 
 # Logins to docker registry
@@ -14,15 +14,14 @@ docker login -u $CI_REGISTRY_USER -p $CI_REGISTRY_PASSWORD $CI_REGISTRY
 # Activates logging of the lines
 set -x
 
-# Build docker image, passing arguments defined in the CI 
+# Build docker image, passing arguments defined in the CI
 docker build \
     --label "COMMIT=$CI_COMMIT_SHA" \
     --label "TAGS=$DOCKER_IMAGE_TAGS" \
     --build-arg COMMIT=$CI_COMMIT_SHA \
     --build-arg MAPTILER_STYLE_KEY=$MAPTILER_STYLE_KEY \
     --build-arg VECTOR_TILE_URL=$VECTOR_TILE_URL \
     --build-arg ADFS_ID=$ADFS_ID \
-    --build-arg ADFS_SECRET=$ADFS_SECRET \
     --build-arg ADFS_ISSUER=$ADFS_ISSUER \
     --build-arg NEXTAUTH_SECRET=$NEXTAUTH_SECRET \
     --build-arg NEXTAUTH_URL=$NEXTAUTH_URL \