fix: #1509 Replace OIDC SSO playground url (#1565)

bcgov · Aug 26, 2024 · e888381 · e888381
1 parent 5357465
commit e888381
Show file tree

Hide file tree

Showing 10 changed files with 94 additions and 62 deletions.
diff --git a/infrastructure/server/oidc_clients_fam.tf b/infrastructure/server/oidc_clients_fam.tf
@@ -3,13 +3,17 @@ resource "aws_cognito_user_pool_client" "fam_console_oidc_client" {
   allowed_oauth_flows                  = ["code"]
   allowed_oauth_flows_user_pool_client = "true"
   allowed_oauth_scopes                 = ["openid", "profile", "email"]
-  callback_urls = (concat(var.fam_callback_urls,
+  callback_urls = (concat(
+    var.fam_callback_urls,
     [
+      var.oidc_sso_playground_url,
       "${aws_api_gateway_deployment.fam_api_gateway_deployment.invoke_url}/docs/oauth2-redirect",
       "${aws_api_gateway_stage.admin_management_api_gateway_stage.invoke_url}/docs/oauth2-redirect"
     ]
   ))
-  logout_urls                                   = var.fam_logout_urls
+  logout_urls                                   = concat(
+    var.fam_logout_urls,
+    [var.oidc_sso_playground_url])
   enable_propagate_additional_user_context_data = "false"
   enable_token_revocation                       = "true"
   explicit_auth_flows                           = ["ALLOW_REFRESH_TOKEN_AUTH"]

diff --git a/infrastructure/server/oidc_clients_fom.tf b/infrastructure/server/oidc_clients_fom.tf
@@ -3,13 +3,18 @@ resource "aws_cognito_user_pool_client" "dev_fom_oidc_client" {
   allowed_oauth_flows                           = ["code"]
   allowed_oauth_flows_user_pool_client          = "true"
   allowed_oauth_scopes                          = ["openid", "profile", "email"]
-  callback_urls                                 = concat([
-    "https://oidcdebugggersecure-c6af30-dev.apps.gold.devops.gov.bc.ca/",
-    "http://localhost:4200/admin/search"
-  ], [for i in range("${var.dev_pr_url_count}") : "https://fom-${i}.apps.silver.devops.gov.bc.ca/admin/search"])
-  logout_urls                                   = concat([
-    "${var.cognito_app_client_logout_chain_url.dev}http://localhost:4200/admin/not-authorized?loggedout=true"
-  ], [for i in range("${var.dev_pr_url_count}") : "${var.cognito_app_client_logout_chain_url.dev}https://fom-${i}.apps.silver.devops.gov.bc.ca/admin/not-authorized?loggedout=true"])
+  callback_urls                                 = concat(
+    [
+      var.oidc_sso_playground_url,
+      "http://localhost:4200/admin/search"
+    ],
+    [for i in range("${var.dev_pr_url_count}") : "https://fom-${i}.apps.silver.devops.gov.bc.ca/admin/search"])
+  logout_urls                                   = concat(
+    [
+      var.oidc_sso_playground_url,
+      "${var.cognito_app_client_logout_chain_url.dev}http://localhost:4200/admin/not-authorized?loggedout=true"
+    ],
+    [for i in range("${var.dev_pr_url_count}") : "${var.cognito_app_client_logout_chain_url.dev}https://fom-${i}.apps.silver.devops.gov.bc.ca/admin/not-authorized?loggedout=true"])
   enable_propagate_additional_user_context_data = "false"
   enable_token_revocation                       = "true"
   explicit_auth_flows                           = ["ALLOW_REFRESH_TOKEN_AUTH"]
@@ -39,12 +44,13 @@ resource "aws_cognito_user_pool_client" "test_fom_oidc_client" {
   allowed_oauth_flows_user_pool_client          = "true"
   allowed_oauth_scopes                          = ["openid", "profile", "email"]
   callback_urls                                 = [
-    "https://oidcdebugggersecure-c6af30-dev.apps.gold.devops.gov.bc.ca/",
+    var.oidc_sso_playground_url,
     "https://fom-test.nrs.gov.bc.ca/admin/search",
     "https://fom-demo.apps.silver.devops.gov.bc.ca/admin/search",
     "http://localhost:4200/admin/search"
   ]
   logout_urls                                   = [
+    var.oidc_sso_playground_url,
     "${var.cognito_app_client_logout_chain_url.test}https://fom-test.nrs.gov.bc.ca/admin/not-authorized?loggedout=true",
     "${var.cognito_app_client_logout_chain_url.test}https://fom-demo.apps.silver.devops.gov.bc.ca/admin/not-authorized?loggedout=true"
   ]
@@ -77,9 +83,11 @@ resource "aws_cognito_user_pool_client" "prod_fom_oidc_client" {
   allowed_oauth_flows_user_pool_client          = "true"
   allowed_oauth_scopes                          = ["openid", "profile", "email"]
   callback_urls                                 = [
-    "https://fom.nrs.gov.bc.ca/admin/search",
+    var.oidc_sso_playground_url,
+    "https://fom.nrs.gov.bc.ca/admin/search"
   ]
   logout_urls                                   = [
+    var.oidc_sso_playground_url,
     "${var.cognito_app_client_logout_chain_url.prod}https://fom.nrs.gov.bc.ca/admin/not-authorized?loggedout=true"
   ]
   enable_propagate_additional_user_context_data = "false"

diff --git a/infrastructure/server/oidc_clients_forest_client.tf b/infrastructure/server/oidc_clients_forest_client.tf
@@ -3,13 +3,18 @@ resource "aws_cognito_user_pool_client" "dev_forest_client_oidc_client" {
   allowed_oauth_flows                  = ["code"]
   allowed_oauth_flows_user_pool_client = "true"
   allowed_oauth_scopes                 = ["openid", "profile", "email"]
-  callback_urls = concat([
-    "https://oidcdebugggersecure-c6af30-dev.apps.gold.devops.gov.bc.ca/",
-    "http://localhost:3000/dashboard",
-  ], [for i in range("${var.dev_pr_url_count}") : "https://nr-forest-client-${i}-frontend.apps.silver.devops.gov.bc.ca/dashboard"])
-  logout_urls = concat([
-    "http://localhost:3000/logout"
-  ], [for i in range("${var.dev_pr_url_count}") : "https://nr-forest-client-${i}-frontend.apps.silver.devops.gov.bc.ca/logout"])
+  callback_urls = concat(
+    [
+      var.oidc_sso_playground_url,
+      "http://localhost:3000/dashboard"
+    ],
+    [for i in range("${var.dev_pr_url_count}") : "https://nr-forest-client-${i}-frontend.apps.silver.devops.gov.bc.ca/dashboard"])
+  logout_urls = concat(
+    [
+      var.oidc_sso_playground_url,
+      "http://localhost:3000/logout"
+    ],
+    [for i in range("${var.dev_pr_url_count}") : "https://nr-forest-client-${i}-frontend.apps.silver.devops.gov.bc.ca/logout"])
   enable_propagate_additional_user_context_data = "false"
   enable_token_revocation                       = "true"
   explicit_auth_flows                           = ["ALLOW_REFRESH_TOKEN_AUTH"]
@@ -43,11 +48,12 @@ resource "aws_cognito_user_pool_client" "test_forest_client_oidc_client" {
   allowed_oauth_flows_user_pool_client = "true"
   allowed_oauth_scopes                 = ["openid", "profile", "email"]
   callback_urls = [
-    "https://oidcdebugggersecure-c6af30-dev.apps.gold.devops.gov.bc.ca/",
+    var.oidc_sso_playground_url,
     "http://localhost:3000/dashboard",
     "https://forestclient-tst.nrs.gov.bc.ca/dashboard"
   ]
   logout_urls = [
+    var.oidc_sso_playground_url,
     "http://localhost:3000/logout",
     "https://forestclient-tst.nrs.gov.bc.ca/logout",
   ]
@@ -81,11 +87,12 @@ resource "aws_cognito_user_pool_client" "prod_forest_client_oidc_client" {
   allowed_oauth_flows_user_pool_client = "true"
   allowed_oauth_scopes                 = ["openid", "profile", "email"]
   callback_urls = [
-    "https://oidcdebugggersecure-c6af30-dev.apps.gold.devops.gov.bc.ca/",
+    var.oidc_sso_playground_url,
     "http://localhost:3000/dashboard",
     "https://forestclient.nrs.gov.bc.ca/dashboard"
   ]
   logout_urls = [
+    var.oidc_sso_playground_url,
     "http://localhost:3000/logout",
     "https://forestclient.nrs.gov.bc.ca/logout"
   ]

diff --git a/infrastructure/server/oidc_clients_silva.tf b/infrastructure/server/oidc_clients_silva.tf
@@ -3,18 +3,22 @@ resource "aws_cognito_user_pool_client" "dev_silva_oidc_client" {
   allowed_oauth_flows                           = ["code"]
   allowed_oauth_flows_user_pool_client          = "true"
   allowed_oauth_scopes                          = ["openid", "profile", "email"]
-  callback_urls                                 = concat([
-    "https://oidcdebugggersecure-c6af30-dev.apps.gold.devops.gov.bc.ca/",
-    "http://localhost:3000/dashboard",
-    "http://localhost:4173/dashboard",
-    "https://nr-results-exam-test-frontend.apps.silver.devops.gov.bc.ca/dashboard"
-  ], [for i in range("${var.dev_pr_url_count}") : "https://nr-silva-${i}-frontend.apps.silver.devops.gov.bc.ca/dashboard"])
-  logout_urls                                   = concat([
-    "${var.cognito_app_client_logout_chain_url.dev}https://oidcdebugggersecure-c6af30-dev.apps.gold.devops.gov.bc.ca/",
-    "${var.cognito_app_client_logout_chain_url.dev}http://localhost:3000/",
-    "${var.cognito_app_client_logout_chain_url.dev}http://localhost:4173/",
-    "${var.cognito_app_client_logout_chain_url.dev}https://nr-results-exam-test-frontend.apps.silver.devops.gov.bc.ca/"
-  ], [for i in range("${var.dev_pr_url_count}") : "${var.cognito_app_client_logout_chain_url.dev}https://nr-silva-${i}-frontend.apps.silver.devops.gov.bc.ca/"])
+  callback_urls                                 = concat(
+    [
+      var.oidc_sso_playground_url,
+      "http://localhost:3000/dashboard",
+      "http://localhost:4173/dashboard",
+      "https://nr-results-exam-test-frontend.apps.silver.devops.gov.bc.ca/dashboard"
+    ],
+    [for i in range("${var.dev_pr_url_count}") : "https://nr-silva-${i}-frontend.apps.silver.devops.gov.bc.ca/dashboard"])
+  logout_urls                                   = concat(
+    [
+      var.oidc_sso_playground_url,
+      "${var.cognito_app_client_logout_chain_url.dev}http://localhost:3000/",
+      "${var.cognito_app_client_logout_chain_url.dev}http://localhost:4173/",
+      "${var.cognito_app_client_logout_chain_url.dev}https://nr-results-exam-test-frontend.apps.silver.devops.gov.bc.ca/"
+    ],
+    [for i in range("${var.dev_pr_url_count}") : "${var.cognito_app_client_logout_chain_url.dev}https://nr-silva-${i}-frontend.apps.silver.devops.gov.bc.ca/"])
   enable_propagate_additional_user_context_data = "false"
   enable_token_revocation                       = "true"
   explicit_auth_flows                           = ["ALLOW_REFRESH_TOKEN_AUTH"]
@@ -44,13 +48,13 @@ resource "aws_cognito_user_pool_client" "test_silva_oidc_client" {
   allowed_oauth_flows_user_pool_client          = "true"
   allowed_oauth_scopes                          = ["openid", "profile", "email"]
   callback_urls                                 = [
-    "https://oidcdebugggersecure-c6af30-dev.apps.gold.devops.gov.bc.ca/",
+    var.oidc_sso_playground_url,
     "http://localhost:3000/dashboard",
     "https://nr-silva-test-frontend.apps.silver.devops.gov.bc.ca/dashboard",
     "https://nr-results-exam-test-frontend.apps.silver.devops.gov.bc.ca/dashboard"
   ]
   logout_urls                                   = [
-    "${var.cognito_app_client_logout_chain_url.test}https://oidcdebugggersecure-c6af30-dev.apps.gold.devops.gov.bc.ca/",
+    var.oidc_sso_playground_url,
     "${var.cognito_app_client_logout_chain_url.test}http://localhost:3000/",
     "${var.cognito_app_client_logout_chain_url.test}https://nr-silva-test-frontend.apps.silver.devops.gov.bc.ca/",
     "${var.cognito_app_client_logout_chain_url.test}https://nr-results-exam-test-frontend.apps.silver.devops.gov.bc.ca/"
@@ -84,13 +88,13 @@ resource "aws_cognito_user_pool_client" "prod_silva_oidc_client" {
   allowed_oauth_flows_user_pool_client          = "true"
   allowed_oauth_scopes                          = ["openid", "profile", "email"]
   callback_urls                                 = [
-    "https://oidcdebugggersecure-c6af30-dev.apps.gold.devops.gov.bc.ca/",
+    var.oidc_sso_playground_url,
     "http://localhost:3000/dashboard",
     "https://nr-silva-prod-frontend.apps.silver.devops.gov.bc.ca/dashboard",
     "https://nr-results-exam-prod-frontend.apps.silver.devops.gov.bc.ca/dashboard"
   ]
   logout_urls                                   = [
-    "${var.cognito_app_client_logout_chain_url.prod}https://oidcdebugggersecure-c6af30-dev.apps.gold.devops.gov.bc.ca/",
+    var.oidc_sso_playground_url,
     "${var.cognito_app_client_logout_chain_url.prod}http://localhost:3000/",
     "${var.cognito_app_client_logout_chain_url.prod}https://nr-silva-prod-frontend.apps.silver.devops.gov.bc.ca/",
     "${var.cognito_app_client_logout_chain_url.prod}https://nr-results-exam-prod-frontend.apps.silver.devops.gov.bc.ca/"

diff --git a/infrastructure/server/oidc_clients_spar.tf b/infrastructure/server/oidc_clients_spar.tf
@@ -4,13 +4,13 @@ resource "aws_cognito_user_pool_client" "dev_spar_oidc_client" {
   allowed_oauth_flows_user_pool_client          = "true"
   allowed_oauth_scopes                          = ["openid", "profile", "email"]
   callback_urls                                 = [
-    "https://oidcdebugggersecure-c6af30-dev.apps.gold.devops.gov.bc.ca/",
+    var.oidc_sso_playground_url,
     "http://localhost:3000/",
     "http://localhost:3000/silent-check-sso",
     "https://nr-spar-demo.apps.silver.devops.gov.bc.ca/"
   ]
   logout_urls                                   = [
-    "${var.cognito_app_client_logout_chain_url.dev}https://oidcdebugggersecure-c6af30-dev.apps.gold.devops.gov.bc.ca/",
+    var.oidc_sso_playground_url,
     "${var.cognito_app_client_logout_chain_url.dev}http://localhost:3000/",
     "${var.cognito_app_client_logout_chain_url.dev}https://nr-spar-demo.apps.silver.devops.gov.bc.ca/"
   ]
@@ -42,19 +42,24 @@ resource "aws_cognito_user_pool_client" "test_spar_oidc_client" {
   allowed_oauth_flows                           = ["code"]
   allowed_oauth_flows_user_pool_client          = "true"
   allowed_oauth_scopes                          = ["openid", "profile", "email"]
-  callback_urls                                 = concat([
-    "http://localhost:3000/",
-    "https://oidcdebugggersecure-c6af30-dev.apps.gold.devops.gov.bc.ca/",
-    "https://nr-spar-test-frontend.apps.silver.devops.gov.bc.ca/",
-    "https://spar-tst.nrs.gov.bc.ca/",
-    "https://nr-spar-demo.apps.silver.devops.gov.bc.ca/"
-  ], [for i in range("${var.dev_pr_url_count}") : "https://nr-spar-${i}-frontend.apps.silver.devops.gov.bc.ca/"])
-  logout_urls                                   = concat([
-    "${var.cognito_app_client_logout_chain_url.test}https://spar-tst.nrs.gov.bc.ca/",
-    "${var.cognito_app_client_logout_chain_url.test}https://nr-spar-test-frontend.apps.silver.devops.gov.bc.ca/",
-    "${var.cognito_app_client_logout_chain_url.test}http://localhost:3000/",
-    "${var.cognito_app_client_logout_chain_url.test}https://nr-spar-demo.apps.silver.devops.gov.bc.ca/"
-  ], [for i in range("${var.dev_pr_url_count}") : "${var.cognito_app_client_logout_chain_url.test}https://nr-spar-${i}-frontend.apps.silver.devops.gov.bc.ca/"])
+  callback_urls                                 = concat(
+    [
+      var.oidc_sso_playground_url,
+      "http://localhost:3000/",
+      "https://nr-spar-test-frontend.apps.silver.devops.gov.bc.ca/",
+      "https://spar-tst.nrs.gov.bc.ca/",
+      "https://nr-spar-demo.apps.silver.devops.gov.bc.ca/"
+    ],
+    [for i in range("${var.dev_pr_url_count}") : "https://nr-spar-${i}-frontend.apps.silver.devops.gov.bc.ca/"])
+  logout_urls                                   = concat(
+    [
+      var.oidc_sso_playground_url,
+      "${var.cognito_app_client_logout_chain_url.test}https://spar-tst.nrs.gov.bc.ca/",
+      "${var.cognito_app_client_logout_chain_url.test}https://nr-spar-test-frontend.apps.silver.devops.gov.bc.ca/",
+      "${var.cognito_app_client_logout_chain_url.test}http://localhost:3000/",
+      "${var.cognito_app_client_logout_chain_url.test}https://nr-spar-demo.apps.silver.devops.gov.bc.ca/"
+    ],
+    [for i in range("${var.dev_pr_url_count}") : "${var.cognito_app_client_logout_chain_url.test}https://nr-spar-${i}-frontend.apps.silver.devops.gov.bc.ca/"])
   enable_propagate_additional_user_context_data = "false"
   enable_token_revocation                       = "true"
   explicit_auth_flows                           = ["ALLOW_REFRESH_TOKEN_AUTH"]
@@ -84,10 +89,12 @@ resource "aws_cognito_user_pool_client" "prod_spar_oidc_client" {
   allowed_oauth_flows_user_pool_client          = "true"
   allowed_oauth_scopes                          = ["openid", "profile", "email"]
   callback_urls                                 = [
+    var.oidc_sso_playground_url,
     "https://nr-spar-prod-frontend.apps.silver.devops.gov.bc.ca/",
     "https://spar.nrs.gov.bc.ca/"
   ]
   logout_urls                                   = [
+    var.oidc_sso_playground_url,
     "${var.cognito_app_client_logout_chain_url.prod}https://spar.nrs.gov.bc.ca/",
     "${var.cognito_app_client_logout_chain_url.prod}https://nr-spar-prod-frontend.apps.silver.devops.gov.bc.ca/"
   ]

diff --git a/infrastructure/server/variables_provided.tf b/infrastructure/server/variables_provided.tf
@@ -64,6 +64,12 @@ variable "oidc_bceid_business_idp_client_id" {
   default = "fsa-cognito-b-ce-id-business-dev-4090"
 }
 
+variable "oidc_sso_playground_url" {
+  description = "OIDC SSO Playground for debugging congnito login"
+  type = string
+  default = "https://sso-playground.apps.gold.devops.gov.bc.ca"
+}
+
 # Client secrets for IDIR in each environment
 
 variable "dev_oidc_idir_idp_client_secret" {
@@ -372,4 +378,4 @@ variable "dev_pr_url_count" {
   description = "Number of pull request redirect urls of Cognito dev clients"
   type = number
   default = 50
-}
+}
diff --git a/terraform/dev/terragrunt.hcl b/terraform/dev/terragrunt.hcl
@@ -32,8 +32,7 @@ generate "dev_tfvars" {
     "https://fam-dev.nrs.gov.bc.ca/authCallback",
     "http://localhost:5173/authCallback",
     "http://localhost:8000/docs/oauth2-redirect",
-    "http://localhost:8001/docs/oauth2-redirect",
-    "https://oidcdebugggersecure-c6af30-dev.apps.gold.devops.gov.bc.ca/"
+    "http://localhost:8001/docs/oauth2-redirect"
   ]
   fam_logout_urls = [
     "${local.common_vars.inputs.idp_logout_chain_test_url}https://fam-dev.nrs.gov.bc.ca",

diff --git a/terraform/prod/terragrunt.hcl b/terraform/prod/terragrunt.hcl
@@ -29,8 +29,7 @@ generate "prod_tfvars" {
     prod = "${local.common_vars.inputs.idp_logout_chain_prod_url}"
   }
   fam_callback_urls = [
-    "https://fam.nrs.gov.bc.ca/authCallback",
-    "https://oidcdebugggersecure-c6af30-dev.apps.gold.devops.gov.bc.ca/"
+    "https://fam.nrs.gov.bc.ca/authCallback"
   ]
   fam_logout_urls = [
     "${local.common_vars.inputs.idp_logout_chain_prod_url}https://fam.nrs.gov.bc.ca",
@@ -42,4 +41,4 @@ generate "prod_tfvars" {
   use_override_proxy_endpoints = false
   idim_proxy_api_base_url_prod = "https://nr-fam-idim-lookup-proxy-prod-backend.apps.silver.devops.gov.bc.ca"
 EOF
-}
+}
diff --git a/terraform/test/terragrunt.hcl b/terraform/test/terragrunt.hcl
@@ -29,8 +29,7 @@ generate "test_tfvars" {
     "https://fam-tst.nrs.gov.bc.ca/authCallback",
     "http://localhost:5173/authCallback",
     "http://localhost:8000/docs/oauth2-redirect",
-    "http://localhost:8001/docs/oauth2-redirect",
-    "https://oidcdebugggersecure-c6af30-dev.apps.gold.devops.gov.bc.ca/"
+    "http://localhost:8001/docs/oauth2-redirect"
   ]
   fam_logout_urls = [
     "${local.common_vars.inputs.idp_logout_chain_test_url}https://fam-tst.nrs.gov.bc.ca",
@@ -41,4 +40,4 @@ generate "test_tfvars" {
   forest_client_api_base_url_test = "${local.common_vars.inputs.forest_client_api_test_base_url}"
   use_override_proxy_endpoints = false
 EOF
-}
+}
diff --git a/terraform/tools/terragrunt.hcl b/terraform/tools/terragrunt.hcl
@@ -33,8 +33,7 @@ generate "tools_tfvars" {
     "https://fam-tools.nrs.gov.bc.ca/authCallback",
     "http://localhost:5173/authCallback",
     "http://localhost:8000/docs/oauth2-redirect",
-    "http://localhost:8001/docs/oauth2-redirect",
-    "https://oidcdebugggersecure-c6af30-dev.apps.gold.devops.gov.bc.ca/"
+    "http://localhost:8001/docs/oauth2-redirect"
   ]
   fam_logout_urls = [
     "${local.common_vars.inputs.idp_logout_chain_test_url}https://fam-tools.nrs.gov.bc.ca",