From e8883816cc0140eb785fb30a424bdc1dcc509ad1 Mon Sep 17 00:00:00 2001
From: Craig Yu
Date: Mon, 26 Aug 2024 13:46:27 -0700
Subject: [PATCH] fix: #1509 Replace OIDC SSO playground url (#1565)

---
 infrastructure/server/oidc_clients_fam.tf | 8 +++-
 infrastructure/server/oidc_clients_fom.tf | 26 ++++++++-----
 .../server/oidc_clients_forest_client.tf | 25 ++++++++-----
 infrastructure/server/oidc_clients_silva.tf | 36 ++++++++++--------
 infrastructure/server/oidc_clients_spar.tf | 37 +++++++++++--------
 infrastructure/server/variables_provided.tf | 8 +++-
 terraform/dev/terragrunt.hcl | 3 +-
 terraform/prod/terragrunt.hcl | 5 +--
 terraform/test/terragrunt.hcl | 5 +--
 terraform/tools/terragrunt.hcl | 3 +-
 10 files changed, 94 insertions(+), 62 deletions(-)

diff --git a/infrastructure/server/oidc_clients_fam.tf b/infrastructure/server/oidc_clients_fam.tf
index 5b4a5462b..b98eedd70 100644
--- a/infrastructure/server/oidc_clients_fam.tf
+++ b/infrastructure/server/oidc_clients_fam.tf
@@ -3,13 +3,17 @@ resource "aws_cognito_user_pool_client" "fam_console_oidc_client" {
 allowed_oauth_flows = ["code"]
 allowed_oauth_flows_user_pool_client = "true"
 allowed_oauth_scopes = ["openid", "profile", "email"]
- callback_urls = (concat(var.fam_callback_urls,
+ callback_urls = (concat(
+ var.fam_callback_urls,
 [
+ var.oidc_sso_playground_url,
 "${aws_api_gateway_deployment.fam_api_gateway_deployment.invoke_url}/docs/oauth2-redirect",
 "${aws_api_gateway_stage.admin_management_api_gateway_stage.invoke_url}/docs/oauth2-redirect"
 ]
 ))
- logout_urls = var.fam_logout_urls
+ logout_urls = concat(
+ var.fam_logout_urls,
+ [var.oidc_sso_playground_url])
 enable_propagate_additional_user_context_data = "false"
 enable_token_revocation = "true"
 explicit_auth_flows = ["ALLOW_REFRESH_TOKEN_AUTH"]
diff --git a/infrastructure/server/oidc_clients_fom.tf b/infrastructure/server/oidc_clients_fom.tf
index 4b17ac19b..4b6883fba 100644
--- a/infrastructure/server/oidc_clients_fom.tf
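Review bot: `var.oidc_sso_playground_url` is appended to the FAM client's `callback_urls` and `logout_urls` unconditionally, so the per-environment `fam_callback_urls` input can no longer leave a debugging redirect URI off the prod client the way the terragrunt inputs previously could. Any URL on a prod client's callback list is a place the hosted UI will deliver prod users' authorization codes, so if the playground is not meant to be usable against prod, make the input a `list(string)` that prod sets to `[]`, e.g. `callback_urls = concat(var.fam_callback_urls, var.oidc_sso_playground_urls, [ ... ])`. The outer parentheses around `(concat(` ... `))` are redundant and can be dropped while this line is being touched. The `fam_console_oidc_client` body continues outside the hunk.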
+++ b/infrastructure/server/oidc_clients_fom.tf
@@ -3,13 +3,18 @@ resource "aws_cognito_user_pool_client" "dev_fom_oidc_client" {
 allowed_oauth_flows = ["code"]
 allowed_oauth_flows_user_pool_client = "true"
 allowed_oauth_scopes = ["openid", "profile", "email"]
- callback_urls = concat([
- "https://oidcdebugggersecure-c6af30-dev.apps.gold.devops.gov.bc.ca/",
- "http://localhost:4200/admin/search"
- ], [for i in range("${var.dev_pr_url_count}") : "https://fom-${i}.apps.silver.devops.gov.bc.ca/admin/search"])
- logout_urls = concat([
- "${var.cognito_app_client_logout_chain_url.dev}http://localhost:4200/admin/not-authorized?loggedout=true"
- ], [for i in range("${var.dev_pr_url_count}") : "${var.cognito_app_client_logout_chain_url.dev}https://fom-${i}.apps.silver.devops.gov.bc.ca/admin/not-authorized?loggedout=true"])
+ callback_urls = concat(
+ [
+ var.oidc_sso_playground_url,
+ "http://localhost:4200/admin/search"
+ ],
+ [for i in range("${var.dev_pr_url_count}") : "https://fom-${i}.apps.silver.devops.gov.bc.ca/admin/search"])
+ logout_urls = concat(
+ [
+ var.oidc_sso_playground_url,
+ "${var.cognito_app_client_logout_chain_url.dev}http://localhost:4200/admin/not-authorized?loggedout=true"
+ ],
+ [for i in range("${var.dev_pr_url_count}") : "${var.cognito_app_client_logout_chain_url.dev}https://fom-${i}.apps.silver.devops.gov.bc.ca/admin/not-authorized?loggedout=true"])
 enable_propagate_additional_user_context_data = "false"
 enable_token_revocation = "true"
 explicit_auth_flows = ["ALLOW_REFRESH_TOKEN_AUTH"]
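Review bot: The rewritten `[for i in range("${var.dev_pr_url_count}") : ...]` lines still interpolate a number into a string only to hand it to `range()`, which takes a number directly; `range(var.dev_pr_url_count)` is the idiomatic form and is what `terraform fmt` and the linters nudge toward. Since both list comprehensions were rewritten in this hunk anyway, it is the cheapest moment to fix it. Note also that the playground entry is placed before `http://localhost:4200/admin/search` with no comment saying why it is a dev-only debug target; a one-line `# shared SSO debugging tool, see #1509` on that entry would make the intent survive the next edit. The `dev_fom_oidc_client` body continues outside the hunk.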
@@ -39,12 +44,13 @@ resource "aws_cognito_user_pool_client" "test_fom_oidc_client" {
 allowed_oauth_flows_user_pool_client = "true"
 allowed_oauth_scopes = ["openid", "profile", "email"]
 callback_urls = [
- "https://oidcdebugggersecure-c6af30-dev.apps.gold.devops.gov.bc.ca/",
+ var.oidc_sso_playground_url,
 "https://fom-test.nrs.gov.bc.ca/admin/search",
 "https://fom-demo.apps.silver.devops.gov.bc.ca/admin/search",
 "http://localhost:4200/admin/search"
 ]
 logout_urls = [
+ var.oidc_sso_playground_url,
 "${var.cognito_app_client_logout_chain_url.test}https://fom-test.nrs.gov.bc.ca/admin/not-authorized?loggedout=true",
 "${var.cognito_app_client_logout_chain_url.test}https://fom-demo.apps.silver.devops.gov.bc.ca/admin/not-authorized?loggedout=true"
 ]
@@ -77,9 +83,11 @@ resource "aws_cognito_user_pool_client" "prod_fom_oidc_client" {
 allowed_oauth_flows_user_pool_client = "true"
 allowed_oauth_scopes = ["openid", "profile", "email"]
 callback_urls = [
- "https://fom.nrs.gov.bc.ca/admin/search",
+ var.oidc_sso_playground_url,
+ "https://fom.nrs.gov.bc.ca/admin/search"
 ]
 logout_urls = [
+ var.oidc_sso_playground_url,
 "${var.cognito_app_client_logout_chain_url.prod}https://fom.nrs.gov.bc.ca/admin/not-authorized?loggedout=true"
 ]
 enable_propagate_additional_user_context_data = "false"
diff --git a/infrastructure/server/oidc_clients_forest_client.tf b/infrastructure/server/oidc_clients_forest_client.tf
index 04f2b3b8e..2d62517a9 100644
--- a/infrastructure/server/oidc_clients_forest_client.tf
+++ b/infrastructure/server/oidc_clients_forest_client.tf
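Review bot: `prod_fom_oidc_client` previously listed only `https://fom.nrs.gov.bc.ca/admin/search`, and the second hunk here adds `var.oidc_sso_playground_url` to both its `callback_urls` and `logout_urls`, which makes a shared debugging tool on a non-prod OpenShift cluster a valid place for Cognito to send authorization codes for production users. With `allowed_oauth_flows = ["code"]` and no PKCE requirement visible in the hunk, anyone who can observe or operate that host could complete a login for a prod user who follows an authorize link with `redirect_uri` pointed at it. Unless debugging against prod is a stated requirement, drop the two `var.oidc_sso_playground_url,` lines from this client, or gate them with something like `var.enable_sso_playground_prod ? [var.oidc_sso_playground_url] : []`. The `prod_fom_oidc_client` body continues outside the hunk.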
@@ -3,13 +3,18 @@ resource "aws_cognito_user_pool_client" "dev_forest_client_oidc_client" {
 allowed_oauth_flows = ["code"]
 allowed_oauth_flows_user_pool_client = "true"
 allowed_oauth_scopes = ["openid", "profile", "email"]
- callback_urls = concat([
- "https://oidcdebugggersecure-c6af30-dev.apps.gold.devops.gov.bc.ca/",
- "http://localhost:3000/dashboard",
- ], [for i in range("${var.dev_pr_url_count}") : "https://nr-forest-client-${i}-frontend.apps.silver.devops.gov.bc.ca/dashboard"])
- logout_urls = concat([
- "http://localhost:3000/logout"
- ], [for i in range("${var.dev_pr_url_count}") : "https://nr-forest-client-${i}-frontend.apps.silver.devops.gov.bc.ca/logout"])
+ callback_urls = concat(
+ [
+ var.oidc_sso_playground_url,
+ "http://localhost:3000/dashboard"
+ ],
+ [for i in range("${var.dev_pr_url_count}") : "https://nr-forest-client-${i}-frontend.apps.silver.devops.gov.bc.ca/dashboard"])
+ logout_urls = concat(
+ [
+ var.oidc_sso_playground_url,
+ "http://localhost:3000/logout"
+ ],
+ [for i in range("${var.dev_pr_url_count}") : "https://nr-forest-client-${i}-frontend.apps.silver.devops.gov.bc.ca/logout"])
 enable_propagate_additional_user_context_data = "false"
 enable_token_revocation = "true"
 explicit_auth_flows = ["ALLOW_REFRESH_TOKEN_AUTH"]
@@ -43,11 +48,12 @@ resource "aws_cognito_user_pool_client" "test_forest_client_oidc_client" {
 allowed_oauth_flows_user_pool_client = "true"
 allowed_oauth_scopes = ["openid", "profile", "email"]
 callback_urls = [
- "https://oidcdebugggersecure-c6af30-dev.apps.gold.devops.gov.bc.ca/",
+ var.oidc_sso_playground_url,
 "http://localhost:3000/dashboard",
 "https://forestclient-tst.nrs.gov.bc.ca/dashboard"
 ]
 logout_urls = [
+ var.oidc_sso_playground_url,
 "http://localhost:3000/logout",
 "https://forestclient-tst.nrs.gov.bc.ca/logout",
 ]
@@ -81,11 +87,12 @@ resource "aws_cognito_user_pool_client" "prod_forest_client_oidc_client" {
 allowed_oauth_flows_user_pool_client = "true"
 allowed_oauth_scopes = ["openid", "profile", "email"]
 callback_urls = [
- "https://oidcdebugggersecure-c6af30-dev.apps.gold.devops.gov.bc.ca/",
+ var.oidc_sso_playground_url,
 "http://localhost:3000/dashboard",
 "https://forestclient.nrs.gov.bc.ca/dashboard"
 ]
 logout_urls = [
+ var.oidc_sso_playground_url,
 "http://localhost:3000/logout",
 "https://forestclient.nrs.gov.bc.ca/logout"
 ]
diff --git a/infrastructure/server/oidc_clients_silva.tf b/infrastructure/server/oidc_clients_silva.tf
index 699120acb..ced60a5bc 100644
--- a/infrastructure/server/oidc_clients_silva.tf
+++ b/infrastructure/server/oidc_clients_silva.tf
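Review bot: `prod_forest_client_oidc_client` now accepts `var.oidc_sso_playground_url` as a callback and logout target next to the `http://localhost:3000/dashboard` and `http://localhost:3000/logout` entries the context lines show were already on the prod client, so two of its four redirect targets are not the production front end. Cognito will send an authorization code to any URL on this list, so each non-prod entry widens where prod users' codes can land; the localhost entries predate this patch but deserve the same question. Prefer keeping the prod list to `https://forestclient.nrs.gov.bc.ca/dashboard` and `https://forestclient.nrs.gov.bc.ca/logout`, with debug targets registered on the dev and test clients only; if the playground genuinely has to work against prod, make it an explicit per-environment opt-in rather than a module-wide default. The resource body continues outside the hunk.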
@@ -3,18 +3,22 @@ resource "aws_cognito_user_pool_client" "dev_silva_oidc_client" {
 allowed_oauth_flows = ["code"]
 allowed_oauth_flows_user_pool_client = "true"
 allowed_oauth_scopes = ["openid", "profile", "email"]
- callback_urls = concat([
- "https://oidcdebugggersecure-c6af30-dev.apps.gold.devops.gov.bc.ca/",
- "http://localhost:3000/dashboard",
- "http://localhost:4173/dashboard",
- "https://nr-results-exam-test-frontend.apps.silver.devops.gov.bc.ca/dashboard"
- ], [for i in range("${var.dev_pr_url_count}") : "https://nr-silva-${i}-frontend.apps.silver.devops.gov.bc.ca/dashboard"])
- logout_urls = concat([
- "${var.cognito_app_client_logout_chain_url.dev}https://oidcdebugggersecure-c6af30-dev.apps.gold.devops.gov.bc.ca/",
- "${var.cognito_app_client_logout_chain_url.dev}http://localhost:3000/",
- "${var.cognito_app_client_logout_chain_url.dev}http://localhost:4173/",
- "${var.cognito_app_client_logout_chain_url.dev}https://nr-results-exam-test-frontend.apps.silver.devops.gov.bc.ca/"
- ], [for i in range("${var.dev_pr_url_count}") : "${var.cognito_app_client_logout_chain_url.dev}https://nr-silva-${i}-frontend.apps.silver.devops.gov.bc.ca/"])
+ callback_urls = concat(
+ [
+ var.oidc_sso_playground_url,
+ "http://localhost:3000/dashboard",
+ "http://localhost:4173/dashboard",
+ "https://nr-results-exam-test-frontend.apps.silver.devops.gov.bc.ca/dashboard"
+ ],
+ [for i in range("${var.dev_pr_url_count}") : "https://nr-silva-${i}-frontend.apps.silver.devops.gov.bc.ca/dashboard"])
+ logout_urls = concat(
+ [
+ var.oidc_sso_playground_url,
+ "${var.cognito_app_client_logout_chain_url.dev}http://localhost:3000/",
+ "${var.cognito_app_client_logout_chain_url.dev}http://localhost:4173/",
+ "${var.cognito_app_client_logout_chain_url.dev}https://nr-results-exam-test-frontend.apps.silver.devops.gov.bc.ca/"
+ ],
+ [for i in range("${var.dev_pr_url_count}") : "${var.cognito_app_client_logout_chain_url.dev}https://nr-silva-${i}-frontend.apps.silver.devops.gov.bc.ca/"])
 enable_propagate_additional_user_context_data = "false"
 enable_token_revocation = "true"
 explicit_auth_flows = ["ALLOW_REFRESH_TOKEN_AUTH"]
@@ -44,13 +48,13 @@ resource "aws_cognito_user_pool_client" "test_silva_oidc_client" {
 allowed_oauth_flows_user_pool_client = "true"
 allowed_oauth_scopes = ["openid", "profile", "email"]
 callback_urls = [
- "https://oidcdebugggersecure-c6af30-dev.apps.gold.devops.gov.bc.ca/",
+ var.oidc_sso_playground_url,
 "http://localhost:3000/dashboard",
 "https://nr-silva-test-frontend.apps.silver.devops.gov.bc.ca/dashboard",
 "https://nr-results-exam-test-frontend.apps.silver.devops.gov.bc.ca/dashboard"
 ]
 logout_urls = [
- "${var.cognito_app_client_logout_chain_url.test}https://oidcdebugggersecure-c6af30-dev.apps.gold.devops.gov.bc.ca/",
+ var.oidc_sso_playground_url,
 "${var.cognito_app_client_logout_chain_url.test}http://localhost:3000/",
 "${var.cognito_app_client_logout_chain_url.test}https://nr-silva-test-frontend.apps.silver.devops.gov.bc.ca/",
 "${var.cognito_app_client_logout_chain_url.test}https://nr-results-exam-test-frontend.apps.silver.devops.gov.bc.ca/"
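Review bot: In `test_silva_oidc_client` the removed logout entry was `"${var.cognito_app_client_logout_chain_url.test}https://oidcdebugggersecure-c6af30-dev.apps.gold.devops.gov.bc.ca/"` but its replacement is the bare `var.oidc_sso_playground_url`, while every other entry in the same `logout_urls` list still carries the `cognito_app_client_logout_chain_url.test` prefix. Cognito compares the `logout_uri` query parameter against this list exactly, so the bare form only works if the playground sends its own URL as `logout_uri` instead of going through the IdP logout chain; if it does use the chain, the entry should read `"${var.cognito_app_client_logout_chain_url.test}${var.oidc_sso_playground_url}"`. Whichever is intended, a comment on that line such as `# playground logs out directly, not via the IdP logout chain` would stop the next reader from "fixing" it to match its neighbours. The same asymmetry appears in the dev and prod Silva and Spar clients in this patch.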
@@ -84,13 +88,13 @@ resource "aws_cognito_user_pool_client" "prod_silva_oidc_client" {
 allowed_oauth_flows_user_pool_client = "true"
 allowed_oauth_scopes = ["openid", "profile", "email"]
 callback_urls = [
- "https://oidcdebugggersecure-c6af30-dev.apps.gold.devops.gov.bc.ca/",
+ var.oidc_sso_playground_url,
 "http://localhost:3000/dashboard",
 "https://nr-silva-prod-frontend.apps.silver.devops.gov.bc.ca/dashboard",
 "https://nr-results-exam-prod-frontend.apps.silver.devops.gov.bc.ca/dashboard"
 ]
 logout_urls = [
- "${var.cognito_app_client_logout_chain_url.prod}https://oidcdebugggersecure-c6af30-dev.apps.gold.devops.gov.bc.ca/",
+ var.oidc_sso_playground_url,
 "${var.cognito_app_client_logout_chain_url.prod}http://localhost:3000/",
 "${var.cognito_app_client_logout_chain_url.prod}https://nr-silva-prod-frontend.apps.silver.devops.gov.bc.ca/",
 "${var.cognito_app_client_logout_chain_url.prod}https://nr-results-exam-prod-frontend.apps.silver.devops.gov.bc.ca/"
diff --git a/infrastructure/server/oidc_clients_spar.tf b/infrastructure/server/oidc_clients_spar.tf
index cdcf1d1c7..b98b44161 100644
--- a/infrastructure/server/oidc_clients_spar.tf
+++ b/infrastructure/server/oidc_clients_spar.tf
@@ -4,13 +4,13 @@ resource "aws_cognito_user_pool_client" "dev_spar_oidc_client" {
 allowed_oauth_flows_user_pool_client = "true"
 allowed_oauth_scopes = ["openid", "profile", "email"]
 callback_urls = [
- "https://oidcdebugggersecure-c6af30-dev.apps.gold.devops.gov.bc.ca/",
+ var.oidc_sso_playground_url,
 "http://localhost:3000/",
 "http://localhost:3000/silent-check-sso",
 "https://nr-spar-demo.apps.silver.devops.gov.bc.ca/"
 ]
 logout_urls = [
- "${var.cognito_app_client_logout_chain_url.dev}https://oidcdebugggersecure-c6af30-dev.apps.gold.devops.gov.bc.ca/",
+ var.oidc_sso_playground_url,
 "${var.cognito_app_client_logout_chain_url.dev}http://localhost:3000/",
 "${var.cognito_app_client_logout_chain_url.dev}https://nr-spar-demo.apps.silver.devops.gov.bc.ca/"
 ]
@@ -42,19 +42,24 @@ resource "aws_cognito_user_pool_client" "test_spar_oidc_client" {
 allowed_oauth_flows = ["code"]
 allowed_oauth_flows_user_pool_client = "true"
 allowed_oauth_scopes = ["openid", "profile", "email"]
- callback_urls = concat([
- "http://localhost:3000/",
- "https://oidcdebugggersecure-c6af30-dev.apps.gold.devops.gov.bc.ca/",
- "https://nr-spar-test-frontend.apps.silver.devops.gov.bc.ca/",
- "https://spar-tst.nrs.gov.bc.ca/",
- "https://nr-spar-demo.apps.silver.devops.gov.bc.ca/"
- ], [for i in range("${var.dev_pr_url_count}") : "https://nr-spar-${i}-frontend.apps.silver.devops.gov.bc.ca/"])
- logout_urls = concat([
- "${var.cognito_app_client_logout_chain_url.test}https://spar-tst.nrs.gov.bc.ca/",
- "${var.cognito_app_client_logout_chain_url.test}https://nr-spar-test-frontend.apps.silver.devops.gov.bc.ca/",
- "${var.cognito_app_client_logout_chain_url.test}http://localhost:3000/",
- "${var.cognito_app_client_logout_chain_url.test}https://nr-spar-demo.apps.silver.devops.gov.bc.ca/"
- ], [for i in range("${var.dev_pr_url_count}") : "${var.cognito_app_client_logout_chain_url.test}https://nr-spar-${i}-frontend.apps.silver.devops.gov.bc.ca/"])
+ callback_urls = concat(
+ [
+ var.oidc_sso_playground_url,
+ "http://localhost:3000/",
+ "https://nr-spar-test-frontend.apps.silver.devops.gov.bc.ca/",
+ "https://spar-tst.nrs.gov.bc.ca/",
+ "https://nr-spar-demo.apps.silver.devops.gov.bc.ca/"
+ ],
+ [for i in range("${var.dev_pr_url_count}") : "https://nr-spar-${i}-frontend.apps.silver.devops.gov.bc.ca/"])
+ logout_urls = concat(
+ [
+ var.oidc_sso_playground_url,
+ "${var.cognito_app_client_logout_chain_url.test}https://spar-tst.nrs.gov.bc.ca/",
+ "${var.cognito_app_client_logout_chain_url.test}https://nr-spar-test-frontend.apps.silver.devops.gov.bc.ca/",
+ "${var.cognito_app_client_logout_chain_url.test}http://localhost:3000/",
+ "${var.cognito_app_client_logout_chain_url.test}https://nr-spar-demo.apps.silver.devops.gov.bc.ca/"
+ ],
+ [for i in range("${var.dev_pr_url_count}") : "${var.cognito_app_client_logout_chain_url.test}https://nr-spar-${i}-frontend.apps.silver.devops.gov.bc.ca/"])
 enable_propagate_additional_user_context_data = "false"
 enable_token_revocation = "true"
 explicit_auth_flows = ["ALLOW_REFRESH_TOKEN_AUTH"]
@@ -84,10 +89,12 @@ resource "aws_cognito_user_pool_client" "prod_spar_oidc_client" {
 allowed_oauth_flows_user_pool_client = "true"
 allowed_oauth_scopes = ["openid", "profile", "email"]
 callback_urls = [
+ var.oidc_sso_playground_url,
 "https://nr-spar-prod-frontend.apps.silver.devops.gov.bc.ca/",
 "https://spar.nrs.gov.bc.ca/"
 ]
 logout_urls = [
+ var.oidc_sso_playground_url,
 "${var.cognito_app_client_logout_chain_url.prod}https://spar.nrs.gov.bc.ca/",
 "${var.cognito_app_client_logout_chain_url.prod}https://nr-spar-prod-frontend.apps.silver.devops.gov.bc.ca/"
 ]
diff --git a/infrastructure/server/variables_provided.tf b/infrastructure/server/variables_provided.tf
index 93161bfaf..6d9d34bb3 100644
--- a/infrastructure/server/variables_provided.tf
+++ b/infrastructure/server/variables_provided.tf
@@ -64,6 +64,12 @@ variable "oidc_bceid_business_idp_client_id" {
 default = "fsa-cognito-b-ce-id-business-dev-4090"
 }
+variable "oidc_sso_playground_url" {
+ description = "OIDC SSO Playground for debugging congnito login"
+ type = string
+ default = "https://sso-playground.apps.gold.devops.gov.bc.ca"
+}
+
 # Client secrets for IDIR in each environment
 variable "dev_oidc_idir_idp_client_secret" {
@@ -372,4 +378,4 @@ variable "dev_pr_url_count" {
 description = "Number of pull request redirect urls of Cognito dev clients"
 type = number
 default = 50
-}
\ No newline at end of file
+}
diff --git a/terraform/dev/terragrunt.hcl b/terraform/dev/terragrunt.hcl
index 598e0aa0f..922c15a1c 100644
--- a/terraform/dev/terragrunt.hcl
+++ b/terraform/dev/terragrunt.hcl
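Review bot: `oidc_sso_playground_url` ships with a module-wide default and no validation, so every environment — including the prod app clients elsewhere in this patch — registers the same debugging host unless an override is supplied, and nothing stops a plain-`http` or otherwise malformed value from being applied (Cognito rejects non-https callback URLs other than localhost and matches redirect URIs exactly). The description also misspells Cognito as `congnito`. I would say in the description that the value lands on prod clients, and add a `validation` block that rejects anything that is not an `https://` URL; dropping the default so each terragrunt environment has to set it deliberately would be stricter still. `variable "dev_oidc_idir_idp_client_secret"` is cut off at the end of the hunk.
```hcl
variable "oidc_sso_playground_url" {
  description = "OIDC SSO Playground used to debug Cognito login. Registered as a callback and logout URL on every app client in this module, prod included, so point it only at a host trusted to receive authorization codes."
  type        = string
  default     = "https://sso-playground.apps.gold.devops.gov.bc.ca"

  validation {
    condition     = can(regex("^https://", var.oidc_sso_playground_url))
    error_message = "oidc_sso_playground_url must be an https:// URL; Cognito rejects plain http callback URLs other than localhost."
  }
}
```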
@@ -32,8 +32,7 @@ generate "dev_tfvars" {
 "https://fam-dev.nrs.gov.bc.ca/authCallback",
 "http://localhost:5173/authCallback",
 "http://localhost:8000/docs/oauth2-redirect",
- "http://localhost:8001/docs/oauth2-redirect",
- "https://oidcdebugggersecure-c6af30-dev.apps.gold.devops.gov.bc.ca/"
+ "http://localhost:8001/docs/oauth2-redirect"
 ]
 fam_logout_urls = [
 "${local.common_vars.inputs.idp_logout_chain_test_url}https://fam-dev.nrs.gov.bc.ca",
diff --git a/terraform/prod/terragrunt.hcl b/terraform/prod/terragrunt.hcl
index 5d4f75607..d9c96dfd8 100644
--- a/terraform/prod/terragrunt.hcl
+++ b/terraform/prod/terragrunt.hcl
@@ -29,8 +29,7 @@ generate "prod_tfvars" {
 prod = "${local.common_vars.inputs.idp_logout_chain_prod_url}"
 }
 fam_callback_urls = [
- "https://fam.nrs.gov.bc.ca/authCallback",
- "https://oidcdebugggersecure-c6af30-dev.apps.gold.devops.gov.bc.ca/"
+ "https://fam.nrs.gov.bc.ca/authCallback"
 ]
 fam_logout_urls = [
 "${local.common_vars.inputs.idp_logout_chain_prod_url}https://fam.nrs.gov.bc.ca",
@@ -42,4 +41,4 @@ generate "prod_tfvars" {
 use_override_proxy_endpoints = false
 idim_proxy_api_base_url_prod = "https://nr-fam-idim-lookup-proxy-prod-backend.apps.silver.devops.gov.bc.ca"
 EOF
-}
\ No newline at end of file
+}
diff --git a/terraform/test/terragrunt.hcl b/terraform/test/terragrunt.hcl
index ac03a0d4c..11a9f89e7 100644
--- a/terraform/test/terragrunt.hcl
+++ b/terraform/test/terragrunt.hcl
@@ -29,8 +29,7 @@ generate "test_tfvars" {
 "https://fam-tst.nrs.gov.bc.ca/authCallback",
 "http://localhost:5173/authCallback",
 "http://localhost:8000/docs/oauth2-redirect",
- "http://localhost:8001/docs/oauth2-redirect",
- "https://oidcdebugggersecure-c6af30-dev.apps.gold.devops.gov.bc.ca/"
+ "http://localhost:8001/docs/oauth2-redirect"
 ]
 fam_logout_urls = [
 "${local.common_vars.inputs.idp_logout_chain_test_url}https://fam-tst.nrs.gov.bc.ca",
@@ -41,4 +40,4 @@ generate "test_tfvars" {
 forest_client_api_base_url_test = "${local.common_vars.inputs.forest_client_api_test_base_url}"
 use_override_proxy_endpoints = false
 EOF
-}
\ No newline at end of file
+}
diff --git a/terraform/tools/terragrunt.hcl b/terraform/tools/terragrunt.hcl
index 067c5a5e9..f9674c0e1 100644
--- a/terraform/tools/terragrunt.hcl
+++ b/terraform/tools/terragrunt.hcl
@@ -33,8 +33,7 @@ generate "tools_tfvars" {
 "https://fam-tools.nrs.gov.bc.ca/authCallback",
 "http://localhost:5173/authCallback",
 "http://localhost:8000/docs/oauth2-redirect",
- "http://localhost:8001/docs/oauth2-redirect",
- "https://oidcdebugggersecure-c6af30-dev.apps.gold.devops.gov.bc.ca/"
+ "http://localhost:8001/docs/oauth2-redirect"
 ]
 fam_logout_urls = [
 "${local.common_vars.inputs.idp_logout_chain_test_url}https://fam-tools.nrs.gov.bc.ca",