Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Rework OpenID Connect integration #4272

Merged
merged 23 commits into from
Jun 18, 2024
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
23 commits
Select commit Hold shift + click to select a range
f6ee53b
:hammer: Add tag to migration tests
sergei-maertens Jun 17, 2024
8c1e5ea
:whale: [#4246] Redo/setup docker-compose Keycloak
sergei-maertens Jun 17, 2024
4f65aa4
:arrow_up: [#4246] Upgrade mozilla-django-oidc-db and digid-eherkenning
sergei-maertens Jun 17, 2024
2906780
:fire: [#4246] Delete obsoleted digid_eherkenning_oidc_generics code
sergei-maertens Jun 17, 2024
a42bf8c
:wrench: [#4246] Use the digid-eherkenning subpackage in settings
sergei-maertens Jun 17, 2024
f3bd649
:art: Move setting to the correct configuration block
sergei-maertens Jun 17, 2024
8c6973f
:hammer: [#4246] Added some general purpose test utils for Keycloak
sergei-maertens Jun 17, 2024
3e7b385
:recycle: [#4246] Rework the organization-oidc authentication plugin
sergei-maertens Jun 17, 2024
e42a2b0
:white_check_mark: [#4246] Rewrite admin OIDC login tests with VCR.py
sergei-maertens Jun 17, 2024
8e2c00f
:green_heart: [#4246] Rewrite integration test using org-oidc auth pl…
sergei-maertens Jun 17, 2024
e984d16
:card_file_box: [#4246] Define custom configuration (proxy) models
sergei-maertens Jun 17, 2024
9f51f50
:recycle: [#4246] Rewrite authentication backend for digid-eh oidc pl…
sergei-maertens Jun 17, 2024
2fd9bd2
:white_check_mark: [#4246] Move disabled-plugin API endpoint tests
sergei-maertens Jun 17, 2024
3898d40
:recycle: [#4246] Adapt authentication plugin(s) to new mozilla-djang…
sergei-maertens Jun 17, 2024
607e532
:recycle: [#4246] Update url config for OIDC
sergei-maertens Jun 17, 2024
3e56073
:wastebasket: Mark legacy co-sign flows as deprecated
sergei-maertens Jun 17, 2024
5be1706
:white_check_mark: [#4246] Update the digid-eherkenning oidc plugin t…
sergei-maertens Jun 17, 2024
9de72ba
:technologist: [#4246] Update release checklist with new VCR.py tests
sergei-maertens Jun 17, 2024
3c36617
:wrench: [#4246] Remove obsoleted OIDC configuration
sergei-maertens Jun 17, 2024
dbddc8b
:pencil: Removed 'in development' title of 2.5 release
sergei-maertens Jun 17, 2024
22528a5
:pencil: [#4246] Update changelog and documentation
sergei-maertens Jun 17, 2024
17d49da
:white_check_mark: [#4246] Add tests for legacy/new callback endpoint…
sergei-maertens Jun 17, 2024
163109c
:wrench: [#4246] Remove removed authentication backend from 2FA bypass
sergei-maertens Jun 18, 2024
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
21 changes: 18 additions & 3 deletions .github/ISSUE_TEMPLATE/prepare-release.md
Original file line number Diff line number Diff line change
Expand Up @@ -8,17 +8,32 @@ assignees: sergei-maertens

- [ ] Resolve release blockers
- [ ] ...
- [ ] Re-generate VCR cassettes for API tests (see instructions on Taiga)
- [ ] Re-generate VCR cassettes for API tests (see instructions on Taiga). You can find all test
cases with `grep OFVCRMixin -r src`

- [ ] Appoinments: Qmatic
- [ ] Suwinet
- [ ] DigiD/eHerkenning (Signicat)
- DigiD/eHerkenning (Signicat)

- [ ] `openforms.authentication.contrib.digid.tests.test_signicat_integration`
- [ ] `openforms.authentication.contrib.eherkenning.tests.test_signicat_integration`

- OIDC based authentication flows

- [ ] `openforms.authentication.tests.test_oidc`
- [ ] `openforms.authentication.contrib.digid_eherkenning_oidc`
- [ ] `openforms.authentication.contrib.org_oidc`
- [ ] `openforms.authentication.contrib.org_oidc`
- [ ] `openforms.tests.test_registrator_prefill`

- [ ] Haal Centraal BRP Personen bevragen
- [ ] `src.soap.tests.test_client`
- [ ] `soap.tests.test_client`
- [ ] BRK (Kadaster)
- [ ] KVK
- [ ] Ogone
- [ ] Objects API (registration)
- [ ] ZGW APIs (registration)

- [ ] Release new SDK version
- [ ] Correct SDK version pinned in `.sdk-release`
- [ ] Check translations
Expand Down
45 changes: 33 additions & 12 deletions CHANGELOG.rst
Original file line number Diff line number Diff line change
Expand Up @@ -2,6 +2,39 @@
Changelog
=========

2.7.0 "TBD" (2024-07-??)
========================

This release is in development, meaning it is not finished yet or suitable for
production use.

Upgrade notes
-------------

* ⚠️ The feature flag to disable backend validation is now removed, instances relying
on it should verify that their existing forms works with the validation enforced.

* We're consolidating the OpenID Connect *Redirect URI* endpoints into a single
endpoint: ``/auth/oidc/callback/``. The legacy endpoints are still enabled (by default),
but scheduled for removal in Open Forms 3.0.

You can already opt-in to the new behaviour through three environment variables:

- ``USE_LEGACY_OIDC_ENDPOINTS=false``: admin login
- ``USE_LEGACY_DIGID_EH_OIDC_ENDPOINTS=false``: DigiD/eHerkenning plugins
- ``USE_LEGACY_ORG_OIDC_ENDPOINTS=false``: Organization OIDC plugin

Note that the OpenID applications need to be updated on the identity provider,
specifically the allowed "Redirect URIs" setting needs to be updated with the
following path replacements:

- ``/oidc/callback/`` -> ``/auth/oidc/callback/``
- ``/digid-oidc/callback/`` -> ``/auth/oidc/callback/``
- ``/eherkenning-oidc/callback/`` -> ``/auth/oidc/callback/``
- ``/digid-machtigen-oidc/callback/`` -> ``/auth/oidc/callback/``
- ``/eherkenning-bewindvoering-oidc/callback/`` -> ``/auth/oidc/callback/``
- ``/org-oidc/callback/`` -> ``/auth/oidc/callback/``

2.6.9 (2024-06-14)
==================

Expand Down Expand Up @@ -61,7 +94,6 @@ Note that 2.4.8 was never published to Docker Hub.
* [#4390] Fixed regression introduced by #4368 that would break template variables in
hyperlinks inside WYSIWYG content.


2.4.8 (2024-06-14)
==================

Expand All @@ -73,17 +105,6 @@ Bugfix release
* [#4362] Fixed a crash in the form designer when a textfield/textarea allows multiple
values in forms with translations enabled.

2.7.0-alpha.1 (2024-XX-XX)
==========================

This is an alpha release, meaning it is not finished yet or suitable for production use.

Upgrade notes
-------------

* ⚠️ The feature flag to disable backend validation is now removed, instances relying
on it should verify that their existing forms works with the validation enforced.

2.6.7 (2024-05-22)
==================

Expand Down
6 changes: 5 additions & 1 deletion docker-compose.yml
Original file line number Diff line number Diff line change
Expand Up @@ -63,7 +63,6 @@ services:
- DB_HOST=db
- CACHE_DEFAULT=redis:6379/0
- CACHE_AXES=redis:6379/0
- CACHE_OIDC=redis:6379/0
- CACHE_PORTALOCKER=redis:6379/0
- ALLOWED_HOSTS=*
- CELERY_BROKER_URL=redis://redis:6379/0
Expand All @@ -76,6 +75,11 @@ services:
# settings used by workers and beat containers.
- TZ=Europe/Amsterdam
- CSP_REPORT_ONLY=yes
# Legacy endpoints are deprecated, new installs should opt-out of using legacy
# settings (the default is to use legacy endpoints).
- USE_LEGACY_OIDC_ENDPOINTS=no
- USE_LEGACY_DIGID_EH_OIDC_ENDPOINTS=no
- USE_LEGACY_ORG_OIDC_ENDPOINTS=no
volumes: &web_volumes
- media:/app/media
- private_media:/app/private_media
Expand Down
23 changes: 17 additions & 6 deletions docker/docker-compose.keycloak.yml
Original file line number Diff line number Diff line change
@@ -1,14 +1,25 @@
version: '3.4'
# Config taken from https://stackoverflow.com/a/77257732
#
# This docker-compose is for development and test purposes. Tests are recorded with
# VCR against this instance.
#
# Log in to http://localhost:8080/admin/master/console/ with `admin`/`admin`
# credentials.
#
# DO NOT USE THIS IN PRODUCTION.
#

version: '3.8'

services:
keycloak:
image: jboss/keycloak
image: quay.io/keycloak/keycloak:23.0
command: start-dev --import-realm
environment:
- KEYCLOAK_USER=demo
- KEYCLOAK_PASSWORD=demo
- KEYCLOAK_IMPORT=/realm.json
- KEYCLOAK_ADMIN=admin
- KEYCLOAK_ADMIN_PASSWORD=admin
volumes:
- ./keycloak/fixtures/realm.json:/realm.json
- ./keycloak/import:/opt/keycloak/data/import
ports:
- 8080:8080
networks:
Expand Down
73 changes: 51 additions & 22 deletions docker/keycloak/README.md
Original file line number Diff line number Diff line change
@@ -1,10 +1,10 @@
# Keycloak infrastructure

Open Forms supports OpenID Connect as an authentication protocol. Keycloak is
an example of an Identity Provider that supports OIDC.
Open Forms supports OpenID Connect as an authentication protocol. Keycloak is an example of an
Identity Provider that supports OIDC.

We include a compose stack for development and CI purposes. This is **NOT** suitable
for production usage.
We include a compose stack for development and testing/CI purposes. This is **NOT** suitable for
production usage.

## docker compose

Expand All @@ -14,34 +14,63 @@ Start a Keycloak instance in your local environment from the parent directory:
docker compose -f docker-compose.keycloak.yml up -d
```

This brings up Keycloak, the admin interface is accessible at http://localhost:8080/.
You can log in with `demo:demo`.
This brings up Keycloak, the admin interface is accessible at http://localhost:8080/. You can now
log in with the `admin`/`admin` credentials.

In order to allow access to Keycloak via the same hostname via the Open Forms backend
container and the browser, add the following entry to your `/etc/hosts` file:
In order to allow access to Keycloak via the same hostname via the Open Forms backend container and
the browser, add the following entry to your `/etc/hosts` file:

```
127.0.0.1 keycloak.open-forms.local
```

## Testing

## Load fixtures
This realm is used in the integration tests. We re-record the network traffic periodically (using
VCR.py). The primary reason this setup exists, is for automated testing reasons.

Before the DigiD login via OIDC can be tested, a fixture needs to be loaded.
Assuming the docker containers specified in `docker-compose.yml` in the root directory
are running, run the following commands:
### Test data

```bash
cat docker/keycloak/fixtures/oidc.json | docker-compose exec web src/manage.py loaddata --format=json -
```
**Clients**

- Client ID: `test-userinfo-jwt`, secret `ktGlGUELd1FR7dTXc84L7dJzUTjCtw9S`

Configured to return the user info as a JWT rather than JSON response.

- Client ID: `testid`, secret: `7DB3KUAAizYCcmZufpHRVOcD0TOkNO3I`

**Users**

- `testuser` / `testuser`, has the `bsn`, `kvk`, `name_qualifier`, `legalSubjectID` and
`actingSubjectID` attributes (authentication plugins: DigiD, eHerkenning)
- `digid-machtigen` / `digid-machtigen`, has the `aanvrager.bsn`, `gemachtigde.bsn` and
`service_id` attributes (for DigiD machtigen)
- `eherkenning-bewindvoering` / `eherkenning-bewindvoering`, has the `legalSubjectID`
(kvk), `actingSubjectID` (pseudo ID), `representeeBSN`, `service_id`, `service_uuid`,
and `name_qualifier` attributes (for eHerkenning bewindvoering)
- `admin` / `admin`, intended to create as django user (can be made staff). The email
address is `admin@example.com`.

This loads an example form configured to use DigiD via OIDC for authentication and
it loads a configuration to connect to our Keycloak instance.
## Exporting the Realm

## Test login flow
In short - exporting through the admin UI (rightfully) obfuscates client secrets and user
credentials. However, for reproducible builds/environments, we want to include this data in the
Realm export.

To test the login flow, navigate to `http://127.0.0.1:8000/digid-oidc/`
(not `localhost`, because this domain is not on the allowlist in the Keycloak config).
Ensure the service is up and running through docker-compose.

Click `Inloggen met DigiD` and fill in `testuser` for both username and password
in the Keycloak login screen. If everything succeeded, you are now redirected back to the form.
Ensure that UID `1000` can write to `./keycloak/import/`:

```bash
chmod o+rwx ./keycloak/import/
```

Then open another terminal and run:

```bash
docker-compose -f docker-compose.keycloak.yml exec keycloak \
/opt/keycloak/bin/kc.sh \
export \
--file /opt/keycloak/data/import/test-realm.json \
--realm test
```
Loading
Loading