fix: wrong redirect / error display on OIDC login

This also replace local mock for OIDC since old container did not work anymore. Fix #849
MAIF · Oct 23, 2024 · 1abfab1 · 1abfab1
1 parent 985bf55
commit 1abfab1
Show file tree

Hide file tree

Showing 5 changed files with 131 additions and 56 deletions.
diff --git a/conf/dev.conf b/conf/dev.conf
@@ -15,8 +15,8 @@ app {
   openid {
     client-id = foo
     client-secret = bar
-    authorize-url = "http://localhost:9001/auth"
-    token-url = "http://localhost:9001/token"
+    authorize-url = "http://localhost:9001/connect/authorize"
+    token-url = "http://localhost:9001/connect/token"
     redirect-url = "http://localhost:3000/login"
     scopes = "email profile"
     username-field = name

diff --git a/docker-compose.yml b/docker-compose.yml
@@ -2,6 +2,99 @@
 version: '3.1'
 
 services:
+  oidc-server-mock:
+    container_name: oidc-server-mock
+    image: ghcr.io/soluto/oidc-server-mock:latest
+    ports:
+      - '9001:8080'
+    environment:
+      ASPNETCORE_ENVIRONMENT: Development
+      SERVER_OPTIONS_INLINE: |
+        {
+          "AccessTokenJwtType": "JWT",
+          "Discovery": {
+            "ShowKeySet": true
+          },
+          "Authentication": {
+            "CookieSameSiteMode": "Lax",
+            "CheckSessionCookieSameSiteMode": "Lax"
+          }
+        }
+      LOGIN_OPTIONS_INLINE: |
+        {
+          "AllowRememberLogin": false
+        }
+      LOGOUT_OPTIONS_INLINE: |
+        {
+          "AutomaticRedirectAfterSignOut": true
+        }
+      API_SCOPES_INLINE: |
+        - Name: some-app-scope-1
+        - Name: some-app-scope-2
+      API_RESOURCES_INLINE: |
+        - Name: some-app
+          Scopes:
+            - some-app-scope-1
+            - some-app-scope-2
+      USERS_CONFIGURATION_INLINE: |
+        [
+          {
+            "SubjectId":"1",
+            "Username":"User1",
+            "Password":"pwd",
+            "Claims": [
+              {
+                "Type": "name",
+                "Value": "Sam Tailor",
+                "ValueType": "string"
+              },
+              {
+                "Type": "email",
+                "Value": "sam.tailor@gmail.com",
+                "ValueType": "string"
+              },
+              {
+                "Type": "some-api-resource-claim",
+                "Value": "Sam's Api Resource Custom Claim",
+                "ValueType": "string"
+              },
+              {
+                "Type": "some-api-scope-claim",
+                "Value": "Sam's Api Scope Custom Claim",
+                "ValueType": "string"
+              },
+              {
+                "Type": "some-identity-resource-claim",
+                "Value": "Sam's Identity Resource Custom Claim",
+                "ValueType": "string"
+              }
+            ]
+          }
+        ]
+      CLIENTS_CONFIGURATION_INLINE: |
+        [
+          {
+            "ClientId": "foo",
+            "ClientSecrets": ["bar"],
+            "Description": "Client for implicit flow",
+            "AllowedGrantTypes": ["authorization_code"],
+            "RequirePkce": false,
+            "AllowAccessTokensViaBrowser": true,
+            "RedirectUris": ["http://localhost:3000/login"],
+            "AllowedScopes": ["openid", "profile", "email"],
+            "IdentityTokenLifetime": 3600,
+            "AccessTokenLifetime": 3600,
+            "AlwaysIncludeUserClaimsInIdToken": true
+        }
+        ]
+      ASPNET_SERVICES_OPTIONS_INLINE: |
+        { 
+          "ForwardedHeadersOptions": { 
+            "ForwardedHeaders" : "All"
+          }
+        }
+    volumes:
+      - .:/tmp/config:ro
   db:
     image: postgres
     restart: always
@@ -12,12 +105,12 @@ services:
 #      - ./schema.sql:/docker-entrypoint-initdb.d/schema.sql
     ports:
       - 5432:5432
-  openid:
-    image: qlik/simple-oidc-provider
-    environment:
-      REDIRECTS: http://localhost:3000/login
-    ports:
-      - 9001:9000
+  #openid:
+  #  image: qlik/simple-oidc-provider
+  #  environment:
+  #    REDIRECTS: http://localhost:3000/login
+  #  ports:
+  #    - 9001:9000
   fake-smtp:
     image: reachfive/fake-smtp-server
     ports:

diff --git a/izanami-frontend/src/pages/login.tsx b/izanami-frontend/src/pages/login.tsx
@@ -53,27 +53,28 @@ function TokenWaitScreen({ code }: { code: string }) {
   }
 }
 
-
 function LoginForm(props: { req?: string }) {
   const navigate = useNavigate();
   const req = props.req;
   const { setUser, integrations, expositionUrl } = useContext(IzanamiContext);
   const [error, setError] = useState<string>("");
   const [loading, setLoading] = useState<boolean>(false);
-  const [lightMode, setLightMode] = useState<boolean>(false)  
-  
+  const [lightMode, setLightMode] = useState<boolean>(false);
+
   React.useEffect(() => {
     let mode = window.localStorage.getItem("izanami-dark-light-mode");
     setLightMode(mode !== "dark");
-    if (mode === "light") {document.documentElement.setAttribute("data-theme", "light")}
-  },[])
+    if (mode === "light") {
+      document.documentElement.setAttribute("data-theme", "light");
+    }
+  }, []);
 
   const handleCheckboxChange = (event: React.ChangeEvent<HTMLInputElement>) => {
     setLightMode(event.target.checked);
     if (lightMode) {
-      document.documentElement.setAttribute("data-theme", "dark")
+      document.documentElement.setAttribute("data-theme", "dark");
       window.localStorage.setItem("izanami-dark-light-mode", "dark");
-    }else{
+    } else {
       document.documentElement.setAttribute("data-theme", "light");
       window.localStorage.setItem("izanami-dark-light-mode", "light");
     }
@@ -186,6 +187,7 @@ function LoginForm(props: { req?: string }) {
                 <div className="openid-separator my-3">OR</div>
 
                 <button
+                  type="button"
                   className="btn btn-secondary"
                   onClick={() => {
                     window.location.href = `${expositionUrl}/api/admin/openid-connect`;
@@ -209,10 +211,9 @@ function LoginForm(props: { req?: string }) {
                 <label
                   className="form-check-label"
                   htmlFor="flexSwitchCheckChecked"
-                >
-                </label>
+                ></label>
               </div>
-                  <i className="fa fa-lightbulb" />
+              <i className="fa fa-lightbulb" />
             </div>
           </>
         )}

diff --git a/izanami-frontend/tests/oidc.spec.ts b/izanami-frontend/tests/oidc.spec.ts
@@ -0,0 +1,18 @@
+import test, { expect } from "@playwright/test";
+
+test.describe("Home screen should", () => {
+  test("allow tenant creation", async ({ page }) => {
+    await page.goto("/login");
+    await page.getByRole("button", { name: "OpenId connect" }).click();
+    await expect(page).toHaveURL(
+      new RegExp("^http://localhost:9001/Account/Login")
+    );
+    await page.getByLabel("Username").fill("User1");
+    await page.getByLabel("Password").fill("pwd");
+    await page.getByRole("button", { name: "Login" }).click();
+    await expect(page).toHaveURL("http://localhost:3000/home");
+    await expect(
+      page.getByRole("button", { name: "Sam Tailor" })
+    ).toBeVisible();
+  });
+});
diff --git a/test/fr/maif/izanami/api/LoginAPISpec.scala b/test/fr/maif/izanami/api/LoginAPISpec.scala
@@ -105,44 +105,7 @@ class LoginAPISpec extends BaseAPISpec {
       result
         .headers()
         .firstValue("location")
-        .get() mustEqual "http://localhost:9001/auth?scope=email%20profile%20openid&client_id=foo&response_type=code&redirect_uri=http://localhost:3000/login"
-    }
-
-    "should allow complete flow" in {
-      var res     = await(
-        ws.url(s"""${ADMIN_BASE_URL}/openid-connect""")
-          .withFollowRedirects(false)
-          .get()
-      )
-      res = await(
-        ws.url(res.header("location").get)
-          .withFollowRedirects(false)
-          .get()
-      )
-      val cookies = res.cookies.toArray.to(scala.collection.immutable.Seq)
-
-      val loginUrl = s"""http://localhost:9001${res.header("location").get}/login"""
-      var codeRes  = await(
-        ws.url(loginUrl)
-          .withFollowRedirects(false)
-          .withCookies(cookies: _*)
-          .withHttpHeaders(("Content-Type", "application/x-www-form-urlencoded"))
-          .post("email=harley%40qlik.example&password=Password1%21&submit=")
-      )
-      codeRes = await(
-        ws.url(codeRes.header("location").get)
-          .withCookies(cookies: _*)
-          .withFollowRedirects(false)
-          .get()
-      )
-
-      val myAppRedirectUrl = codeRes.header("location").get
-      val uri              = new URI(myAppRedirectUrl)
-      val code             = uri.getQuery.split("code=")(1).split("&")(0)
-
-      val finalResponse = await(ws.url(s"""${ADMIN_BASE_URL}/openid-connect-callback""").post(Json.obj("code" -> code)))
-
-      finalResponse.cookie("token") mustBe defined
+        .get() mustEqual "http://localhost:9001/connect/authorize?scope=email%20profile%20openid&client_id=foo&response_type=code&redirect_uri=http://localhost:3000/login"
     }
   }
 }