From 60b1e1448ac0b17f7b29618d8be90fb662fff7c5 Mon Sep 17 00:00:00 2001 From: Peter Lieverdink Date: Wed, 26 Jun 2024 13:36:44 +1000 Subject: [PATCH 01/25] feat: Add the modules required to use Azure AD and Azure B2C for login. Refs: OPS-10529 --- composer.json | 1 + composer.lock | 447 +++++++++++++++++++++++++++++++++++++++++++++++++- 2 files changed, 444 insertions(+), 4 deletions(-) diff --git a/composer.json b/composer.json index d7906ace..c4fd24ff 100644 --- a/composer.json +++ b/composer.json @@ -69,6 +69,7 @@ "drupal/masquerade": "^2.0@beta", "drupal/memcache": "^2.3", "drupal/metatag": "^2.0", + "drupal/openid_connect_windows_aad": "^2.0@beta", "drupal/override_node_options": "^2.6", "drupal/paragraphs_admin": "^1.4", "drupal/pathauto": "^1.8", diff --git a/composer.lock b/composer.lock index 91ab4859..c81657fa 100644 --- a/composer.lock +++ b/composer.lock @@ -4,7 +4,7 @@ "Read more about it at https://getcomposer.org/doc/01-basic-usage.md#installing-dependencies", "This file is @generated automatically" ], - "content-hash": "da9eac0c036591f8d458391e184e31ab", + "content-hash": "1a19462d8a88a06d39982eb7f33c851a", "packages": [ { "name": "asm89/stack-cors", 
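Review bot: The lock regenerated in this commit does not match the committed composer.json: its trailer hunk flips `minimum-stability` from `stable` to `beta` and drops the `drupal/config_split` and `drupal/group` stability flags, yet the composer.json hunk only adds the `drupal/openid_connect_windows_aad` line, so the lock appears to have been generated against a different manifest (PATCH 03 later reverts exactly those three lock entries) and `composer install` will likely report a stale lock. Regenerate the lock from the committed composer.json so the two agree. Separately, the lock marks both `drupal/openid_connect_windows_aad` 2.0.0-beta7 and its `drupal/openid_connect` 2.0.0-beta1 dependency as `"status": "not-covered"` by Drupal's security advisory policy; as these modules sit on the login path, record that in the commit message or a tracking ticket so the `^2.0@beta` pin is revisited when a covered release ships.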
@@ -3067,6 +3067,60 @@ "source": "https://git.drupalcode.org/project/environment_indicator" } }, + { + "name": "drupal/externalauth", + "version": "2.0.5", + "source": { + "type": "git", + "url": "https://git.drupalcode.org/project/externalauth.git", + "reference": "2.0.5" + }, + "dist": { + "type": "zip", + "url": "https://ftp.drupal.org/files/projects/externalauth-2.0.5.zip", + "reference": "2.0.5", + "shasum": "7c262c7ca20d26aae45896daee4249e47b637abc" + }, + "require": { + "drupal/core": "^9 || ^10" + }, + "type": "drupal-module", + "extra": { + "drupal": { + "version": "2.0.5", + "datestamp": "1708329378", + "security-coverage": { + "status": "covered", + "message": "Covered by Drupal's security advisory policy" + } + } + }, + "notification-url": "https://packages.drupal.org/8/downloads", + "license": [ + "GPL-2.0-or-later" + ], + "authors": [ + { + "name": "Sven Decabooter", + "homepage": "https://www.drupal.org/u/svendecabooter", + "role": "Maintainer" + }, + { + "name": "snufkin", + "homepage": "https://www.drupal.org/user/58645" + }, + { + "name": "svendecabooter", + "homepage": "https://www.drupal.org/user/35369" + } + ], + "description": "Helper module to authenticate users using an external site / service and storing identification details", + "homepage": "https://drupal.org/project/externalauth", + "support": { + "source": "https://git.drupalcode.org/project/externalauth", + "issues": "https://www.drupal.org/project/issues/externalauth" + } + }, { "name": "drupal/field_group", "version": "3.4.0", 
@@ -4115,6 +4169,71 @@ "source": "https://git.drupalcode.org/project/jquery_ui_resizable" } }, + { + "name": "drupal/key", + "version": "1.18.0", + "source": { + "type": "git", + "url": "https://git.drupalcode.org/project/key.git", + "reference": "8.x-1.18" + }, + "dist": { + "type": "zip", + "url": "https://ftp.drupal.org/files/projects/key-8.x-1.18.zip", + "reference": "8.x-1.18", + "shasum": "5075295390be486ba9e372efff70f90fde764c40" + }, + "require": { + "drupal/core": ">=8.9 <12" + }, + "type": "drupal-module", + "extra": { + "drupal": { + "version": "8.x-1.18", + "datestamp": "1717376699", + "security-coverage": { + "status": "covered", + "message": "Covered by Drupal's security advisory policy" + } + }, + "drush": { + "services": { + "drush.services.yml": ">=9" + } + } + }, + "notification-url": "https://packages.drupal.org/8/downloads", + "license": [ + "GPL-2.0-or-later" + ], + "authors": [ + { + "name": "Cellar Door", + "homepage": "https://www.drupal.org/user/658076" + }, + { + "name": "crashtest_", + "homepage": "https://www.drupal.org/user/261457" + }, + { + "name": "nerdstein", + "homepage": "https://www.drupal.org/user/1557710" + }, + { + "name": "rlhawk", + "homepage": "https://www.drupal.org/user/352283" + } + ], + "description": "Provides the ability to manage site-wide keys", + "homepage": "http://drupal.org/project/key", + "keywords": [ + "Drupal" + ], + "support": { + "source": "https://git.drupalcode.org/project/key", + "issues": "http://drupal.org/project/key" + } + }, { "name": "drupal/layout_paragraphs", "version": "2.0.6", 
@@ -4713,6 +4832,141 @@ "source": "https://git.drupalcode.org/project/monitoring" } }, + { + "name": "drupal/openid_connect", + "version": "2.0.0-beta1", + "source": { + "type": "git", + "url": "https://git.drupalcode.org/project/openid_connect.git", + "reference": "2.0.0-beta1" + }, + "dist": { + "type": "zip", + "url": "https://ftp.drupal.org/files/projects/openid_connect-2.0.0-beta1.zip", + "reference": "2.0.0-beta1", + "shasum": "71f5a76a3d004e0d879ee36889915d755661d369" + }, + "require": { + "drupal/core": "^8.8 || ^9 || ^10", + "drupal/externalauth": "*", + "ext-json": "*", + "php": ">=7.1.0" + }, + "type": "drupal-module", + "extra": { + "drupal": { + "version": "2.0.0-beta1", + "datestamp": "1665712609", + "security-coverage": { + "status": "not-covered", + "message": "Beta releases are not covered by Drupal security advisories." + } + } + }, + "notification-url": "https://packages.drupal.org/8/downloads", + "license": [ + "GPL-2.0-or-later" + ], + "authors": [ + { + "name": "bojanz", + "homepage": "https://www.drupal.org/user/86106" + }, + { + "name": "jcnventura", + "homepage": "https://www.drupal.org/user/122464" + }, + { + "name": "pfrilling", + "homepage": "https://www.drupal.org/user/169695" + }, + { + "name": "pjcdawkins", + "homepage": "https://www.drupal.org/user/1025236" + }, + { + "name": "sanduhrs", + "homepage": "https://www.drupal.org/user/28074" + } + ], + "description": "A pluggable client implementation for the OpenID Connect protocol.", + "homepage": "https://www.drupal.org/project/openid_connect", + "keywords": [ + "Drupal" + ], + "support": { + "source": "https://git.drupalcode.org/project/openid_connect", + "issues": "https://www.drupal.org/project/issues/openid_connect" + } + }, + { + "name": "drupal/openid_connect_windows_aad", + "version": "2.0.0-beta7", + "source": { + "type": "git", + "url": "https://git.drupalcode.org/project/openid_connect_windows_aad.git", + "reference": "2.0.0-beta7" + }, + "dist": { + "type": "zip", + "url": 
"https://ftp.drupal.org/files/projects/openid_connect_windows_aad-2.0.0-beta7.zip", + "reference": "2.0.0-beta7", + "shasum": "fff769a63f20c2481dfcadfd1622032188007cf4" + }, + "require": { + "drupal/core": "^9 || ^10", + "drupal/key": "^1.0", + "drupal/openid_connect": "^2.0 || ^3.0", + "lcobucci/jwt": "^4.2.1", + "php": ">=8.0.0" + }, + "type": "drupal-module", + "extra": { + "drupal": { + "version": "2.0.0-beta7", + "datestamp": "1701908835", + "security-coverage": { + "status": "not-covered", + "message": "Beta releases are not covered by Drupal security advisories." + } + } + }, + "notification-url": "https://packages.drupal.org/8/downloads", + "license": [ + "GPL-2.0+" + ], + "authors": [ + { + "name": "acrazyanimal", + "homepage": "https://www.drupal.org/user/696648" + }, + { + "name": "ajayNimbolkar", + "homepage": "https://www.drupal.org/user/2876727" + }, + { + "name": "fabianderijk", + "homepage": "https://www.drupal.org/user/278745" + }, + { + "name": "tomvv", + "homepage": "https://www.drupal.org/user/2748021" + }, + { + "name": "webflo", + "homepage": "https://www.drupal.org/user/254778" + } + ], + "description": "A CTools plugin that adds a Windows Azure AD client to OpenID Connect.", + "homepage": "https://www.drupal.org/project/openid_connect_windows_aad", + "keywords": [ + "Drupal" + ], + "support": { + "source": "http://cgit.drupalcode.org/openid_connect_windows_aad", + "issues": "https://www.drupal.org/project/issues/openid_connect_windows_aad" + } + }, { "name": "drupal/override_node_options", "version": "2.8.0", 
@@ -7416,6 +7670,144 @@ ], "time": "2024-01-19T12:39:49+00:00" }, + { + "name": "lcobucci/clock", + "version": "3.2.0", + "source": { + "type": "git", + "url": "https://github.com/lcobucci/clock.git", + "reference": "6f28b826ea01306b07980cb8320ab30b966cd715" + }, + "dist": { + "type": "zip", + "url": "https://api.github.com/repos/lcobucci/clock/zipball/6f28b826ea01306b07980cb8320ab30b966cd715", + "reference": "6f28b826ea01306b07980cb8320ab30b966cd715", + "shasum": "" + }, + "require": { + "php": "~8.2.0 || ~8.3.0", + "psr/clock": "^1.0" + }, + "provide": { + "psr/clock-implementation": "1.0" + }, + "require-dev": { + "infection/infection": "^0.27", + "lcobucci/coding-standard": "^11.0.0", + "phpstan/extension-installer": "^1.3.1", + "phpstan/phpstan": "^1.10.25", + "phpstan/phpstan-deprecation-rules": "^1.1.3", + "phpstan/phpstan-phpunit": "^1.3.13", + "phpstan/phpstan-strict-rules": "^1.5.1", + "phpunit/phpunit": "^10.2.3" + }, + "type": "library", + "autoload": { + "psr-4": { + "Lcobucci\\Clock\\": "src" + } + }, + "notification-url": "https://packagist.org/downloads/", + "license": [ + "MIT" + ], + "authors": [ + { + "name": "Luís Cobucci", + "email": "lcobucci@gmail.com" + } + ], + "description": "Yet another clock abstraction", + "support": { + "issues": "https://github.com/lcobucci/clock/issues", + "source": "https://github.com/lcobucci/clock/tree/3.2.0" + }, + "funding": [ + { + "url": "https://github.com/lcobucci", + "type": "github" + }, + { + "url": "https://www.patreon.com/lcobucci", + "type": "patreon" + } + ], + "time": "2023-11-17T17:00:27+00:00" + }, + { + "name": "lcobucci/jwt", + "version": "4.3.0", + "source": { + "type": "git", + "url": "https://github.com/lcobucci/jwt.git", + "reference": "4d7de2fe0d51a96418c0d04004986e410e87f6b4" + }, + "dist": { + "type": "zip", + "url": "https://api.github.com/repos/lcobucci/jwt/zipball/4d7de2fe0d51a96418c0d04004986e410e87f6b4", + "reference": "4d7de2fe0d51a96418c0d04004986e410e87f6b4", + "shasum": "" + }, + 
"require": { + "ext-hash": "*", + "ext-json": "*", + "ext-mbstring": "*", + "ext-openssl": "*", + "ext-sodium": "*", + "lcobucci/clock": "^2.0 || ^3.0", + "php": "^7.4 || ^8.0" + }, + "require-dev": { + "infection/infection": "^0.21", + "lcobucci/coding-standard": "^6.0", + "mikey179/vfsstream": "^1.6.7", + "phpbench/phpbench": "^1.2", + "phpstan/extension-installer": "^1.0", + "phpstan/phpstan": "^1.4", + "phpstan/phpstan-deprecation-rules": "^1.0", + "phpstan/phpstan-phpunit": "^1.0", + "phpstan/phpstan-strict-rules": "^1.0", + "phpunit/php-invoker": "^3.1", + "phpunit/phpunit": "^9.5" + }, + "type": "library", + "autoload": { + "psr-4": { + "Lcobucci\\JWT\\": "src" + } + }, + "notification-url": "https://packagist.org/downloads/", + "license": [ + "BSD-3-Clause" + ], + "authors": [ + { + "name": "Luís Cobucci", + "email": "lcobucci@gmail.com", + "role": "Developer" + } + ], + "description": "A simple library to work with JSON Web Token and JSON Web Signature", + "keywords": [ + "JWS", + "jwt" + ], + "support": { + "issues": "https://github.com/lcobucci/jwt/issues", + "source": "https://github.com/lcobucci/jwt/tree/4.3.0" + }, + "funding": [ + { + "url": "https://github.com/lcobucci", + "type": "github" + }, + { + "url": "https://www.patreon.com/lcobucci", + "type": "patreon" + } + ], + "time": "2023-01-02T13:28:00+00:00" + }, { "name": "league/commonmark", "version": "1.6.0", 
@@ -8718,6 +9110,54 @@ }, "time": "2021-02-03T23:26:27+00:00" }, + { + "name": "psr/clock", + "version": "1.0.0", + "source": { + "type": "git", + "url": "https://github.com/php-fig/clock.git", + "reference": "e41a24703d4560fd0acb709162f73b8adfc3aa0d" + }, + "dist": { + "type": "zip", + "url": "https://api.github.com/repos/php-fig/clock/zipball/e41a24703d4560fd0acb709162f73b8adfc3aa0d", + "reference": "e41a24703d4560fd0acb709162f73b8adfc3aa0d", + "shasum": "" + }, + "require": { + "php": "^7.0 || ^8.0" + }, + "type": "library", + "autoload": { + "psr-4": { + "Psr\\Clock\\": "src/" + } + }, + "notification-url": "https://packagist.org/downloads/", + "license": [ + "MIT" + ], + "authors": [ + { + "name": "PHP-FIG", + "homepage": "https://www.php-fig.org/" + } + ], + "description": "Common interface for reading the clock.", + "homepage": "https://github.com/php-fig/clock", + "keywords": [ + "clock", + "now", + "psr", + "psr-20", + "time" + ], + "support": { + "issues": "https://github.com/php-fig/clock/issues", + "source": "https://github.com/php-fig/clock/tree/1.0.0" + }, + "time": "2022-11-25T14:36:26+00:00" + }, { "name": "psr/container", "version": "2.0.2", @@ -18335,19 +18775,18 @@ } ], "aliases": [], - "minimum-stability": "stable", + "minimum-stability": "beta", "stability-flags": { "drupal/aws": 20, "drupal/components": 10, - "drupal/config_split": 5, "drupal/default_content": 15, "drupal/flexible_permissions": 10, - "drupal/group": 5, "drupal/imageapi_optimize_binaries": 10, "drupal/inline_entity_form": 5, "drupal/link_allowed_hosts": 10, "drupal/linkchecker": 15, "drupal/masquerade": 10, + "drupal/openid_connect_windows_aad": 10, "drupal/seven": 15, "drupal/subgroup": 10 }, From 3396002c0295baedb3a7e7aa622596eca8df14a0 Mon Sep 17 00:00:00 2001 From: Peter Lieverdink Date: Wed, 26 Jun 2024 13:38:29 +1000 Subject: [PATCH 02/25] chore: Enable the new auth modules. --- config/core.extension.yml | 4 ++++ 1 file changed, 4 insertions(+) 
diff --git a/config/core.extension.yml b/config/core.extension.yml
index adabe76d..a7215348 100644
--- a/config/core.extension.yml
+++ b/config/core.extension.yml
@@ -27,6 +27,7 @@ module:
 env_link_fixer: 0
 environment_indicator: 0
 environment_indicator_ui: 0
+ externalauth: 0
 field: 0
 field_group: 0
 field_ui: 0
@@ -56,6 +57,7 @@ module:
 jquery_ui_dialog: 0
 jquery_ui_draggable: 0
 jquery_ui_resizable: 0
+ key: 0
 language: 0
 layout_builder: 0
 layout_discovery: 0
@@ -78,6 +80,8 @@ module:
 node: 0
 ocha_monitoring: 0
 ocha_search: 0
+ openid_connect: 0
+ openid_connect_windows_aad: 0
 options: 0
 override_node_options: 0
 page_cache: 0
From ddd9de76bf88aec4332cfca16a56536ce88b267c Mon Sep 17 00:00:00 2001
From: Peter Lieverdink
Date: Thu, 27 Jun 2024 13:10:54 +1000
Subject: [PATCH 03/25] chore: Keep the OIDC AD patch and ensure the openid module is PHP8.2 happy.
---
 ...openid_connect_windows_aad-3346603-5.patch | 13 ++++++++
 composer.json | 1 +
 composer.lock | 30 +++++++++----------
 composer.patches.json | 3 ++
 4 files changed, 32 insertions(+), 15 deletions(-)
 create mode 100644 PATCHES/openid_connect_windows_aad-3346603-5.patch
diff --git a/PATCHES/openid_connect_windows_aad-3346603-5.patch b/PATCHES/openid_connect_windows_aad-3346603-5.patch
new file mode 100644
index 00000000..56a48185
--- /dev/null
+++ b/PATCHES/openid_connect_windows_aad-3346603-5.patch
@@ -0,0 +1,13 @@
+diff --git a/src/Plugin/OpenIDConnectClient/WindowsAad.php b/src/Plugin/OpenIDConnectClient/WindowsAad.php
+index 8845843..6431581 100644
+--- a/src/Plugin/OpenIDConnectClient/WindowsAad.php
++++ b/src/Plugin/OpenIDConnectClient/WindowsAad.php
+@@ -318,7 +318,7 @@ as the mapping between Azure AD accounts and Drupal users.
+ case 2:
+ $v2 = str_contains($endpoints['token'], '/oauth2/v2.0/');
+ if (!$v2) {
+- $request_options['form_params']['resource'] = 'https://graph.microsoft.com';
++ $request_options['form_params']['scope'] = 'https://graph.microsoft.com/.default';
+ }
+ break;
+ }
diff --git a/composer.json b/composer.json
index c4fd24ff..4cf5944a 100644
--- a/composer.json
+++ b/composer.json
@@ -69,6 +69,7 @@
 "drupal/masquerade": "^2.0@beta",
 "drupal/memcache": "^2.3",
 "drupal/metatag": "^2.0",
+ "drupal/openid_connect": "dev-3.x",
 "drupal/openid_connect_windows_aad": "^2.0@beta",
 "drupal/override_node_options": "^2.6",
 "drupal/paragraphs_admin": "^1.4",
diff --git a/composer.lock b/composer.lock
index c81657fa..dd645a25 100644
--- a/composer.lock
+++ b/composer.lock
@@ -4,7 +4,7 @@ "Read more about it at https://getcomposer.org/doc/01-basic-usage.md#installing-dependencies", "This file is @generated automatically" ], - "content-hash": "1a19462d8a88a06d39982eb7f33c851a", + "content-hash": "489d07555f5f360fd52d99a3ac88a9f2", "packages": [ { "name": "asm89/stack-cors", 
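Review bot: The replaced line sits inside `if (!$v2)`, where `$v2` is set on the line above from `str_contains($endpoints['token'], '/oauth2/v2.0/')`, so the new `scope` parameter is only sent when the token endpoint is a v1 endpoint; every client configured later in this series (`token_endpoint_wa` on the B2C and Entra ID clients) uses `/oauth2/v2.0/`, so as far as the visible lines show this patched branch never executes for them. If the goal is Graph access for those v2 clients, the request parameter has to be set on the v2 path as well, not only here. `scope=…/.default` is also v2 syntax while the v1 endpoint is documented around `resource`, so confirm against the upstream issue that the v1 endpoint accepts the new parameter before keeping this hunk. The enclosing `switch` begins and ends outside the 13-line patch context.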
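Review bot: `"drupal/openid_connect": "dev-3.x"` tracks a moving branch head, so the next `composer update` silently moves the authentication module to whatever 3.x contains at that moment, and the lock hunk below records it as `"status": "not-covered"` with `"Dev releases are not covered by Drupal security advisories."`. The lock pins commit `d10926f866959b8b57204fcd3fa9584a739142fd` and reports `3.0.0-alpha3+1-dev`; pin the manifest to match, e.g. `"drupal/openid_connect": "dev-3.x#d10926f866959b8b57204fcd3fa9584a739142fd"`, or to the tagged `3.0.0-alpha3` if the one extra commit is not what the PHP 8.2 fix needs. Name the specific 3.x change the commit depends on in the message so the pin can be relaxed once a covered 3.0.0 release exists.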
@@ -4834,32 +4834,29 @@ }, { "name": "drupal/openid_connect", - "version": "2.0.0-beta1", + "version": "dev-3.x", "source": { "type": "git", "url": "https://git.drupalcode.org/project/openid_connect.git", - "reference": "2.0.0-beta1" - }, - "dist": { - "type": "zip", - "url": "https://ftp.drupal.org/files/projects/openid_connect-2.0.0-beta1.zip", - "reference": "2.0.0-beta1", - "shasum": "71f5a76a3d004e0d879ee36889915d755661d369" + "reference": "d10926f866959b8b57204fcd3fa9584a739142fd" }, "require": { - "drupal/core": "^8.8 || ^9 || ^10", - "drupal/externalauth": "*", + "drupal/core": "^9.3 || ^10", + "drupal/externalauth": "^2.0", "ext-json": "*", "php": ">=7.1.0" }, "type": "drupal-module", "extra": { + "branch-alias": { + "dev-3.x": "3.x-dev" + }, "drupal": { - "version": "2.0.0-beta1", - "datestamp": "1665712609", + "version": "3.0.0-alpha3+1-dev", + "datestamp": "1717345768", "security-coverage": { "status": "not-covered", - "message": "Beta releases are not covered by Drupal security advisories." + "message": "Dev releases are not covered by Drupal security advisories." } } }, @@ -18775,17 +18772,20 @@ } ], "aliases": [], - "minimum-stability": "beta", + "minimum-stability": "stable", "stability-flags": { "drupal/aws": 20, "drupal/components": 10, + "drupal/config_split": 5, "drupal/default_content": 15, "drupal/flexible_permissions": 10, + "drupal/group": 5, "drupal/imageapi_optimize_binaries": 10, "drupal/inline_entity_form": 5, "drupal/link_allowed_hosts": 10, "drupal/linkchecker": 15, "drupal/masquerade": 10, + "drupal/openid_connect": 20, "drupal/openid_connect_windows_aad": 10, "drupal/seven": 15, "drupal/subgroup": 10 diff --git a/composer.patches.json b/composer.patches.json index bd89e112..97b2f880 100644 --- a/composer.patches.json +++ b/composer.patches.json 
@@ -24,6 +24,9 @@
 "Avoid null links": "./PATCHES/linkchecker_null_link.patch",
 "Recognize previous revisions https://www.drupal.org/project/linkchecker/issues/3366753": "./PATCHES/linkchecker-previous-revisions-3366753.patch"
 },
+ "drupal/openid_connect_windows_aad": {
+ "Failed to get authentication tokens for Windows Azure AD": "PATCHES/openid_connect_windows_aad-3346603-5.patch"
+ },
 "drupal/social_auth_hid": {
 "Keep lang prefix in URL": "./PATCHES/hid_lang.patch"
 },
From 6b6562e20b4c86d6d5aa4246d21e79467b73985f Mon Sep 17 00:00:00 2001
From: Peter Lieverdink
Date: Thu, 27 Jun 2024 13:15:46 +1000
Subject: [PATCH 04/25] chore: Drop in the OIDC AD config.
Refs: OPS-10529
---
 config/key.key.azure_b2c_client_secret.yml | 15 ++++++++++
 ...connect.client.azure_b2c_signup_signin.yml | 28 +++++++++++++++++++
 config/openid_connect.settings.yml | 11 ++++++++
 3 files changed, 54 insertions(+)
 create mode 100644 config/key.key.azure_b2c_client_secret.yml
 create mode 100644 config/openid_connect.client.azure_b2c_signup_signin.yml
 create mode 100644 config/openid_connect.settings.yml
diff --git a/config/key.key.azure_b2c_client_secret.yml b/config/key.key.azure_b2c_client_secret.yml
new file mode 100644
index 00000000..c9e16d25
--- /dev/null
+++ b/config/key.key.azure_b2c_client_secret.yml
@@ -0,0 +1,15 @@
+uuid: 7ed40dd9-dfcb-4f16-829d-5c8f11e95e8e
+langcode: en
+status: true
+dependencies: { }
+id: azure_b2c_client_secret
+label: 'Azure B2C Client Secret'
+description: 'Azure B2C client secret'
+key_type: authentication
+key_type_settings: { }
+key_provider: file
+key_provider_settings:
+ file_location: /srv/www/shared/settings/azure_b2c_client.key
+ strip_line_breaks: true
+key_input: none
+key_input_settings: { }
diff --git a/config/openid_connect.client.azure_b2c_signup_signin.yml b/config/openid_connect.client.azure_b2c_signup_signin.yml
new file mode 100644
index 00000000..5f04c838
--- /dev/null
+++ b/config/openid_connect.client.azure_b2c_signup_signin.yml
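Review bot: The new patch path is written without the `./` prefix that every neighbouring entry in this file uses (`./PATCHES/linkchecker_null_link.patch`, `./PATCHES/hid_lang.patch`), and the description omits the issue link that the linkchecker entry carries, so a reader cannot tell where `3346603-5` came from. Make the entry consistent with its siblings: `"Failed to get authentication tokens for Windows Azure AD https://www.drupal.org/project/openid_connect_windows_aad/issues/3346603": "./PATCHES/openid_connect_windows_aad-3346603-5.patch"` (issue URL inferred from the file name and the project's issue-tracker path in the lock — confirm). Naming the issue matters here because the patch changes what is sent to the token endpoint, and whoever re-rolls it for the next module release needs the upstream discussion.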
@@ -0,0 +1,28 @@
+uuid: 97b1459b-205d-432e-9ec3-eec9d0359262
+langcode: en
+status: true
+dependencies:
+ module:
+ - openid_connect_windows_aad
+id: azure_b2c_signup_signin
+label: 'Azure B2C Signup/Signin'
+plugin: windows_aad
+settings:
+ client_id: 64661a42-4710-4bfd-97ab-916bcfeddb59
+ client_secret: azure_b2c_client_secret
+ authorization_endpoint_wa: 'https://unb2c.b2clogin.com/unb2c.onmicrosoft.com/B2C_1_OCHA_SIGNUP_SIGNIN/oauth2/v2.0/authorize'
+ token_endpoint_wa: 'https://unb2c.b2clogin.com/unb2c.onmicrosoft.com/B2C_1_OCHA_SIGNUP_SIGNIN/oauth2/v2.0/token'
+ userinfo_endpoint_wa: ''
+ map_ad_groups_to_roles: true
+ group_mapping:
+ method: 0
+ mappings: ''
+ strict: false
+ userinfo_graph_api_wa: 0
+ userinfo_graph_api_use_other_mails: false
+ userinfo_update_email: true
+ hide_email_address_warning: false
+ subject_key: sub
+ end_session_endpoint: 'https://unb2c.b2clogin.com/unb2c.onmicrosoft.com/B2C_1_OCHA_SIGNUP_SIGNIN/oauth2/v2.0/logout'
+ iss_allowed_domains: 'https://feature.response-reliefweb-int.ahconu.org/'
+ front_channel_logout_url: ''
diff --git a/config/openid_connect.settings.yml b/config/openid_connect.settings.yml
new file mode 100644
index 00000000..7bb73b4f
--- /dev/null
+++ b/config/openid_connect.settings.yml
@@ -0,0 +1,11 @@
+always_save_userinfo: true
+connect_existing_users: false
+override_registration_settings: true
+end_session_enabled: true
+user_login_display: replace
+redirect_login: ''
+redirect_logout: ''
+userinfo_mappings: { }
+role_mappings:
+ administrator: { }
+ global_editor: { }
From ab7f37cbd697f5b636b3d1855777574ef636fcaa Mon Sep 17 00:00:00 2001
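Review bot: `iss_allowed_domains` is set to `https://feature.response-reliefweb-int.ahconu.org/`, which is this site's own feature-environment hostname rather than anything on the B2C side (`unb2c.b2clogin.com`); if, as the name suggests, the plugin compares this value against the `iss` claim of the returned ID token, it either never matches or is ignored, and either way it is an environment-specific value baked into exported config. Confirm the semantics against the `windows_aad` plugin and then set it to the B2C issuer or move it into a per-environment `config_split` / settings override (the lock already carries `drupal/config_split`). The same value is copied verbatim into `openid_connect.client.azure_b2c_signup.yml` in PATCH 09. `map_ad_groups_to_roles: true` together with `mappings: ''` and `strict: false` turns on group-to-role mapping with nothing mapped; either fill in the mapping if roles are meant to come from B2C, or set it to `false` so the flag documents the intent.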
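Review bot: `override_registration_settings: true` lets an OpenID Connect login create a Drupal account regardless of the site's account-registration policy, so the B2C client added in the same commit becomes a self-service registration path; that is presumably the intent for the 'New HID' flow, but it should be stated in the commit message since the site's own registration setting no longer governs who gets an account. `connect_existing_users: false` is the right companion: with it off, an IdP login whose email matches an existing local account is not auto-linked, which is what prevents an IdP-side email from claiming a pre-existing Drupal account. `role_mappings` also declares `administrator: { }` with no groups; unless IdP-driven administrator assignment is planned, drop that key so the empty slot is not filled in later without review.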
From: Peter Lieverdink
Date: Wed, 3 Jul 2024 12:08:52 +1000
Subject: [PATCH 05/25] chore: Tweak OpenID settings and just disable/remove HID.
Refs: OPS-10529
---
 config/core.extension.yml | 1 -
 config/openid_connect.settings.yml | 6 ++++--
 config/social_auth.settings.yml | 5 +----
 config/social_auth_hid.settings.yml | 12 ------------
 4 files changed, 5 insertions(+), 19 deletions(-)
 delete mode 100644 config/social_auth_hid.settings.yml
diff --git a/config/core.extension.yml b/config/core.extension.yml
index a7215348..486f5690 100644
--- a/config/core.extension.yml
+++ b/config/core.extension.yml
@@ -100,7 +100,6 @@ module:
 shortcut: 0
 social_api: 0
 social_auth: 0
- social_auth_hid: 0
 sophron: 0
 subgroup: 0
 syslog: 0
diff --git a/config/openid_connect.settings.yml b/config/openid_connect.settings.yml
index 7bb73b4f..1ebe181c 100644
--- a/config/openid_connect.settings.yml
+++ b/config/openid_connect.settings.yml
@@ -4,8 +4,10 @@ override_registration_settings: true
 end_session_enabled: true
 user_login_display: replace
 redirect_login: ''
-redirect_logout: ''
-userinfo_mappings: { }
+redirect_logout: '/'
+userinfo_mappings:
+ timezone: zoneinfo
+ user_picture: picture
 role_mappings:
 administrator: { }
 global_editor: { }
diff --git a/config/social_auth.settings.yml b/config/social_auth.settings.yml
index 23307293..a73234a2 100644
--- a/config/social_auth.settings.yml
+++ b/config/social_auth.settings.yml
@@ -1,9 +1,6 @@
 _core:
 default_config_hash: 0E8z47ONguVcapiw1PGWDRs6g0NRDCzrym4mP_jcELU
-auth:
- social_auth_hid:
- route: social_auth_hid.redirect_to_hid
- img_path: modules/contrib/social_auth_hid/img/hid_logo.png
+auth: { }
 post_login: /
 user_allowed: register
 redirect_user_form: true
diff --git a/config/social_auth_hid.settings.yml b/config/social_auth_hid.settings.yml
deleted file mode 100644
index 3f16c4eb..00000000
--- a/config/social_auth_hid.settings.yml
+++ /dev/null
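Review bot: `user_picture: picture` maps an IdP-supplied claim onto the user picture field, and in the `openid_connect` module that mapping, as I read it, makes the web server fetch the URL found in the claim and store it as a managed file, so a value returned by the identity provider becomes an outbound HTTP request from the Drupal host; confirm this is acceptable for the B2C and Entra ID tenants and that the module checks the URL scheme and file size before saving. `timezone: zoneinfo` likewise assumes the claim holds a PHP-recognised zone name, and if the B2C user flows do not emit `zoneinfo` or `picture` (their claim set is policy-defined) both mappings are dead config. A line in the commit message listing which claims each client actually returns would let these mappings be checked instead of assumed.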
@@ -1,12 +0,0 @@
-_core:
- default_config_hash: ZT0ACgdXm4m65rwBVtAR0TGxX6QsMptRkbldivu-7yI
-client_id: REPLACE_ME
-client_secret: REPLACE_ME
-base_url: 'https://auth.humanitarian.id'
-auto_redirect: true
-disable_default: true
-disable_password_fields: true
-disable_email_field: true
-disable_user_field: true
-disable_user_create: false
-maintenance_access: false
From 7c9ab83b113e8faface5d17326f62bfa73e82bd8 Mon Sep 17 00:00:00 2001
From: Peter Lieverdink
Date: Tue, 9 Jul 2024 10:51:43 +1000
Subject: [PATCH 06/25] chore: Add Entra ID config and update B2C name (for the button label).
Refs: OPS-10525
---
 ...connect.client.azure_b2c_signup_signin.yml | 2 +-
 config/openid_connect.client.entraid.yml | 28 +++++++++++++++++++
 2 files changed, 29 insertions(+), 1 deletion(-)
 create mode 100644 config/openid_connect.client.entraid.yml
diff --git a/config/openid_connect.client.azure_b2c_signup_signin.yml b/config/openid_connect.client.azure_b2c_signup_signin.yml
index 5f04c838..d249fb18 100644
--- a/config/openid_connect.client.azure_b2c_signup_signin.yml
+++ b/config/openid_connect.client.azure_b2c_signup_signin.yml
@@ -5,7 +5,7 @@ dependencies:
 module:
 - openid_connect_windows_aad
 id: azure_b2c_signup_signin
-label: 'Azure B2C Signup/Signin'
+label: 'Azure B2C (New HID)'
 plugin: windows_aad
 settings:
 client_id: 64661a42-4710-4bfd-97ab-916bcfeddb59
diff --git a/config/openid_connect.client.entraid.yml b/config/openid_connect.client.entraid.yml
new file mode 100644
index 00000000..9a88dcb2
--- /dev/null
+++ b/config/openid_connect.client.entraid.yml
@@ -0,0 +1,28 @@
+uuid: ff1f957d-f7d8-44e2-ac3c-2050bc2befa9
+langcode: en
+status: true
+dependencies:
+ module:
+ - openid_connect_windows_aad
+id: entraid
+label: 'Entra ID (UNITE ID)'
+plugin: windows_aad
+settings:
+ client_id: 60f61dfa-1af4-4b6a-bb62-73c95ead00d1
+ client_secret: ''
+ authorization_endpoint_wa: 'https://login.microsoftonline.com/0f9e35db-544f-4f60-bdcc-5ea416e6dc70/oauth2/v2.0/authorize'
+ token_endpoint_wa: 'https://login.microsoftonline.com/0f9e35db-544f-4f60-bdcc-5ea416e6dc70/oauth2/v2.0/token'
+ userinfo_endpoint_wa: ''
+ map_ad_groups_to_roles: false
+ group_mapping:
+ method: 0
+ mappings: ''
+ strict: false
+ userinfo_graph_api_wa: 0
+ userinfo_graph_api_use_other_mails: false
+ userinfo_update_email: true
+ hide_email_address_warning: false
+ subject_key: sub
+ end_session_endpoint: ''
+ iss_allowed_domains: ''
+ front_channel_logout_url: ''
From 035c015e296805fa156b067ec238f1e7ecd6b461 Mon Sep 17 00:00:00 2001
From: Peter Lieverdink
Date: Thu, 11 Jul 2024 09:42:13 +1000
Subject: [PATCH 07/25] chore: Change the B2C policy to separate signup from the login button.
Refs: OPS-10526
---
 config/openid_connect.client.azure_b2c_signup_signin.yml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/config/openid_connect.client.azure_b2c_signup_signin.yml b/config/openid_connect.client.azure_b2c_signup_signin.yml
index d249fb18..5ca701a4 100644
--- a/config/openid_connect.client.azure_b2c_signup_signin.yml
+++ b/config/openid_connect.client.azure_b2c_signup_signin.yml
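Review bot: `client_secret: ''` leaves the Entra ID client with no credential for the authorization-code exchange, whereas the B2C clients reference the Key entity `azure_b2c_client_secret`; unless the value is injected per environment through a settings override, the token request against `token_endpoint_wa` will presumably fail, and if it is injected, nothing in the repository says so. Follow the pattern already used for B2C: add a `key.key.entraid_client_secret.yml` with `key_provider: file` pointing at a file outside the web root and set `client_secret: entraid_client_secret` here, so the secret never lands in exported config. `end_session_endpoint: ''` is also empty while `openid_connect.settings.yml` sets `end_session_enabled: true`, so logging out of Drupal will not end the Entra ID session for this client; fill in the tenant's logout endpoint or document why relying-party-only logout is intended.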
@@ -10,8 +10,8 @@ plugin: windows_aad
 settings:
 client_id: 64661a42-4710-4bfd-97ab-916bcfeddb59
 client_secret: azure_b2c_client_secret
- authorization_endpoint_wa: 'https://unb2c.b2clogin.com/unb2c.onmicrosoft.com/B2C_1_OCHA_SIGNUP_SIGNIN/oauth2/v2.0/authorize'
- token_endpoint_wa: 'https://unb2c.b2clogin.com/unb2c.onmicrosoft.com/B2C_1_OCHA_SIGNUP_SIGNIN/oauth2/v2.0/token'
+ authorization_endpoint_wa: 'https://unb2c.b2clogin.com/unb2c.onmicrosoft.com/B2C_1_OCHA_SIGNIN/oauth2/v2.0/authorize'
+ token_endpoint_wa: 'https://unb2c.b2clogin.com/unb2c.onmicrosoft.com/B2C_1_OCHA_SIGNIN/oauth2/v2.0/token'
 userinfo_endpoint_wa: ''
 map_ad_groups_to_roles: true
 group_mapping:
@@ -23,6 +23,6 @@ settings:
 userinfo_update_email: true
 hide_email_address_warning: false
 subject_key: sub
- end_session_endpoint: 'https://unb2c.b2clogin.com/unb2c.onmicrosoft.com/B2C_1_OCHA_SIGNUP_SIGNIN/oauth2/v2.0/logout'
+ end_session_endpoint: 'https://unb2c.b2clogin.com/unb2c.onmicrosoft.com/B2C_1_OCHA_SIGNIN/oauth2/v2.0/logout'
 iss_allowed_domains: 'https://feature.response-reliefweb-int.ahconu.org/'
 front_channel_logout_url: ''
From 985f74de90e6becf60f867a7b24d9a6ac2a0062d Mon Sep 17 00:00:00 2001
From: Peter Lieverdink
Date: Thu, 11 Jul 2024 10:18:49 +1000
Subject: [PATCH 08/25] chore: Rename the B2C client because the policy is different.
---
 ...up_signin.yml => openid_connect.client.azure_b2c_signin.yml} | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 rename config/{openid_connect.client.azure_b2c_signup_signin.yml => openid_connect.client.azure_b2c_signin.yml} (97%)
diff --git a/config/openid_connect.client.azure_b2c_signup_signin.yml b/config/openid_connect.client.azure_b2c_signin.yml
similarity index 97%
rename from config/openid_connect.client.azure_b2c_signup_signin.yml
rename to config/openid_connect.client.azure_b2c_signin.yml
index 5ca701a4..91a85577 100644
--- a/config/openid_connect.client.azure_b2c_signup_signin.yml
+++ b/config/openid_connect.client.azure_b2c_signin.yml
@@ -4,7 +4,7 @@ status: true dependencies: module: - openid_connect_windows_aad -id: azure_b2c_signup_signin +id: azure_b2c_signin label: 'Azure B2C (New HID)' plugin: windows_aad settings: From ee143d8cf850a6fcacde275bf5291389558a3b36 Mon Sep 17 00:00:00 2001 From: Peter Lieverdink Date: Thu, 11 Jul 2024 10:19:10 +1000 Subject: [PATCH 09/25] chore: Add a new B2C client with the `SIGNUP` only policy. --- ...openid_connect.client.azure_b2c_signup.yml | 28 +++++++++++++++++++ 1 file changed, 28 insertions(+) create mode 100644 config/openid_connect.client.azure_b2c_signup.yml diff --git a/config/openid_connect.client.azure_b2c_signup.yml b/config/openid_connect.client.azure_b2c_signup.yml new file mode 100644 index 00000000..d4debc23 --- /dev/null +++ b/config/openid_connect.client.azure_b2c_signup.yml @@ -0,0 +1,28 @@ +uuid: b038b819-9f20-4081-8255-6629e99cf657 +langcode: en +status: true +dependencies: + module: + - openid_connect_windows_aad +id: azure_b2c_signup +label: 'Create new account (New HID)' +plugin: windows_aad +settings: + client_id: 64661a42-4710-4bfd-97ab-916bcfeddb59 + client_secret: azure_b2c_client_secret + authorization_endpoint_wa: 'https://unb2c.b2clogin.com/unb2c.onmicrosoft.com/B2C_1_OCHA_SIGNUP/oauth2/v2.0/authorize' + token_endpoint_wa: 'https://unb2c.b2clogin.com/unb2c.onmicrosoft.com/B2C_1_OCHA_SIGNUP/oauth2/v2.0/token' + userinfo_endpoint_wa: '' + map_ad_groups_to_roles: true + group_mapping: + method: 0 + mappings: '' + strict: false + userinfo_graph_api_wa: 0 + userinfo_graph_api_use_other_mails: false + userinfo_update_email: true + hide_email_address_warning: false + subject_key: sub + end_session_endpoint: 'https://unb2c.b2clogin.com/unb2c.onmicrosoft.com/B2C_1_OCHA_SIGNUP/oauth2/v2.0/logout' + iss_allowed_domains: 'https://feature.response-reliefweb-int.ahconu.org/' + front_channel_logout_url: '' From b74bb3a4d653b2d7ad8dc82a46b6be715a7849de Mon Sep 17 00:00:00 2001 
From: Peter Lieverdink Date: Thu, 11 Jul 2024 10:49:04 +1000 Subject: [PATCH 10/25] feat: Enable the Graph endpoint. --- config/openid_connect.client.azure_b2c_signin.yml | 2 +- config/openid_connect.client.azure_b2c_signup.yml | 2 +- config/openid_connect.client.entraid.yml | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/config/openid_connect.client.azure_b2c_signin.yml b/config/openid_connect.client.azure_b2c_signin.yml index 91a85577..83234d41 100644 --- a/config/openid_connect.client.azure_b2c_signin.yml +++ b/config/openid_connect.client.azure_b2c_signin.yml @@ -18,7 +18,7 @@ settings: method: 0 mappings: '' strict: false - userinfo_graph_api_wa: 0 + userinfo_graph_api_wa: 1 userinfo_graph_api_use_other_mails: false userinfo_update_email: true hide_email_address_warning: false diff --git a/config/openid_connect.client.azure_b2c_signup.yml b/config/openid_connect.client.azure_b2c_signup.yml index d4debc23..5dee837d 100644 --- a/config/openid_connect.client.azure_b2c_signup.yml +++ b/config/openid_connect.client.azure_b2c_signup.yml @@ -18,7 +18,7 @@ settings: method: 0 mappings: '' strict: false - userinfo_graph_api_wa: 0 + userinfo_graph_api_wa: 1 userinfo_graph_api_use_other_mails: false userinfo_update_email: true hide_email_address_warning: false diff --git a/config/openid_connect.client.entraid.yml b/config/openid_connect.client.entraid.yml index 9a88dcb2..613162b4 100644 --- a/config/openid_connect.client.entraid.yml +++ b/config/openid_connect.client.entraid.yml @@ -18,7 +18,7 @@ settings: method: 0 mappings: '' strict: false - userinfo_graph_api_wa: 0 + userinfo_graph_api_wa: 1 userinfo_graph_api_use_other_mails: false userinfo_update_email: true hide_email_address_warning: false From 7e770641e8bee47fdf17bf8aaada2a41b3e4ee89 Mon Sep 17 00:00:00 2001 
From: Peter Lieverdink Date: Thu, 11 Jul 2024 12:25:20 +1000 Subject: [PATCH 11/25] feat: Connect existing users, because the entry is keyed with the oidc client name. Which means if you signed up with workflow A, you could not login with workflow B. Oops? Refs: OPS-10529 --- config/openid_connect.settings.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/config/openid_connect.settings.yml b/config/openid_connect.settings.yml index 1ebe181c..701c64d7 100644 --- a/config/openid_connect.settings.yml +++ b/config/openid_connect.settings.yml @@ -1,5 +1,5 @@ always_save_userinfo: true -connect_existing_users: false +connect_existing_users: true override_registration_settings: true end_session_enabled: true user_login_display: replace From bf97741cfdd81111f6c46a115100e604f47dc60f Mon Sep 17 00:00:00 2001 
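Review bot: Flipping `connect_existing_users` to `true` lets every configured client attach itself to an existing Drupal account on an e-mail match, so each account's security now rests on each provider verifying e-mail ownership before it asserts the claim. That is a larger trust change than the "signed up with workflow A, log in with workflow B" motivation suggests, because the B2C client is fed by a self-service signup policy (`B2C_1_OCHA_SIGNUP`, patch 13) while Entra ID accounts are directory-managed. Please confirm the B2C signup and password-reset policies enforce e-mail verification before issuing the claim, and state that assumption in the commit description, e.g. `connect_existing_users assumes both IdPs only assert verified e-mail addresses`, since the exported YAML cannot carry a comment.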
From: Peter Lieverdink Date: Thu, 11 Jul 2024 12:39:22 +1000 Subject: [PATCH 12/25] chore: Add azure_tweaks to override the Drupal user register/password tabs. And also modify it a bit to allow redirecting to the correct OpenID CLient URLs. Refs: OPS-10529 --- .../custom/azure_tweaks/azure_tweaks.info.yml | 7 +++ .../azure_tweaks/azure_tweaks.links.task.yml | 9 +++ .../custom/azure_tweaks/azure_tweaks.module | 6 ++ .../azure_tweaks/azure_tweaks.routing.yml | 16 ++++++ .../azure_tweaks/azure_tweaks.services.yml | 7 +++ .../config/install/azure_tweaks.settings.yml | 3 + .../config/schema/azure_tweaks.schema.yml | 13 +++++ .../src/Controller/AuthController.php | 52 +++++++++++++++++ .../src/Routing/RouteSubscriber.php | 56 +++++++++++++++++++ 9 files changed, 169 insertions(+) create mode 100755 html/modules/custom/azure_tweaks/azure_tweaks.info.yml create mode 100644 html/modules/custom/azure_tweaks/azure_tweaks.links.task.yml create mode 100755 html/modules/custom/azure_tweaks/azure_tweaks.module create mode 100644 html/modules/custom/azure_tweaks/azure_tweaks.routing.yml create mode 100644 html/modules/custom/azure_tweaks/azure_tweaks.services.yml create mode 100644 html/modules/custom/azure_tweaks/config/install/azure_tweaks.settings.yml create mode 100644 html/modules/custom/azure_tweaks/config/schema/azure_tweaks.schema.yml create mode 100644 html/modules/custom/azure_tweaks/src/Controller/AuthController.php create mode 100644 html/modules/custom/azure_tweaks/src/Routing/RouteSubscriber.php diff --git a/html/modules/custom/azure_tweaks/azure_tweaks.info.yml b/html/modules/custom/azure_tweaks/azure_tweaks.info.yml new file mode 100755 index 00000000..e8dd64c4 --- /dev/null +++ b/html/modules/custom/azure_tweaks/azure_tweaks.info.yml @@ -0,0 +1,7 @@ +name: 'Azure tweaks' +description: Tweaks for Azure B2C. +type: module +core_version_requirement: ^9 || ^10 +package: 'UNOCHA' +dependencies: + - openid_connect_windows_aad:openid_connect_windows_aad 
diff --git a/html/modules/custom/azure_tweaks/azure_tweaks.links.task.yml b/html/modules/custom/azure_tweaks/azure_tweaks.links.task.yml new file mode 100644 index 00000000..1f451598 --- /dev/null +++ b/html/modules/custom/azure_tweaks/azure_tweaks.links.task.yml @@ -0,0 +1,9 @@ +azure_tweaks.register: + route_name: azure_tweaks.register + base_route: user.page + title: 'Create new account' + +azure_tweaks.pass: + route_name: azure_tweaks.pass + base_route: user.page + title: 'Reset your password' diff --git a/html/modules/custom/azure_tweaks/azure_tweaks.module b/html/modules/custom/azure_tweaks/azure_tweaks.module new file mode 100755 index 00000000..62aa67d7 --- /dev/null +++ b/html/modules/custom/azure_tweaks/azure_tweaks.module 
@@ -0,0 +1,6 @@ +config('azure_tweaks.settings')->get('register_url'); + $openid_client = $this->config('azure_tweaks.settings')->get('openid_connect_client'); + $client_id = $this->config('openid_connect.client.' . $openid_client)->get('settings.client_id'); + $redirect = Url::fromRoute('')->setAbsolute()->toString(); + $redirect .= 'openid-connect/azure_b2c_signin'; + + $url .= '&client_id=' . $client_id; + $url .= '&redirect_uri=' . $redirect; + + /** @var \Drupal\Core\Routing\TrustedRedirectResponse|\Symfony\Component\HttpFoundation\RedirectResponse $response */ + $response = new TrustedRedirectResponse($url); + + return $response->send(); + } + + /** + * Redirect the password reset page. + */ + public function redirectResetPassword() { + $url = $this->config('azure_tweaks.settings')->get('password_url'); + $openid_client = $this->config('azure_tweaks.settings')->get('openid_connect_client'); + $client_id = $this->config('openid_connect.client.' . $openid_client)->get('settings.client_id'); + $redirect = Url::fromRoute('')->setAbsolute()->toString(); + $redirect .= 'openid-connect/azure_b2c_signin'; + + $url .= '&client_id=' . $client_id; + $url .= '&redirect_uri=' . $redirect; + + /** @var \Drupal\Core\Routing\TrustedRedirectResponse|\Symfony\Component\HttpFoundation\RedirectResponse $response */ + $response = new TrustedRedirectResponse($url); + + return $response->send(); + } + +} diff --git a/html/modules/custom/azure_tweaks/src/Routing/RouteSubscriber.php b/html/modules/custom/azure_tweaks/src/Routing/RouteSubscriber.php new file mode 100644 index 00000000..dc17fdff --- /dev/null +++ b/html/modules/custom/azure_tweaks/src/Routing/RouteSubscriber.php 
@@ -0,0 +1,56 @@ +config = $configFactory->get('azure_tweaks.settings'); + } + + /** + * {@inheritdoc} + */ + protected function alterRoutes(RouteCollection $collection) { + if ($route = $collection->get('user.login.http')) { + $route->setRequirement('_access', 'FALSE'); + } + if ($route = $collection->get('user.pass')) { + $route->setRequirement('_access', 'FALSE'); + } + if ($route = $collection->get('user.pass.http')) { + $route->setRequirement('_access', 'FALSE'); + } + if ($route = $collection->get('user.register')) { + $route->setRequirement('_access', 'FALSE'); + } + + // Deny access to user_create form. + if ($this->config->get('disable_user_create')) { + if ($route = $collection->get('user.admin_create')) { + $route->setRequirement('_access', 'FALSE'); + } + } + } + +} From 3e311c389aae88b4c835b30cb87b886d86fa306b Mon Sep 17 00:00:00 2001 From: Peter Lieverdink Date: Thu, 11 Jul 2024 12:44:08 +1000 Subject: [PATCH 13/25] chore: Configure Azure Tweaks and enable it. Drop the uneeded signup client. Refs: OPS-10529 --- config/azure_tweaks.settings.yml | 3 ++ config/core.extension.yml | 1 + ...openid_connect.client.azure_b2c_signup.yml | 28 ------------------- 3 files changed, 4 insertions(+), 28 deletions(-) create mode 100644 config/azure_tweaks.settings.yml delete mode 100644 config/openid_connect.client.azure_b2c_signup.yml diff --git a/config/azure_tweaks.settings.yml b/config/azure_tweaks.settings.yml new file mode 100644 index 00000000..368f1e59 --- /dev/null +++ b/config/azure_tweaks.settings.yml @@ -0,0 +1,3 @@ +password_url: 'https://unb2c.b2clogin.com/unb2c.onmicrosoft.com/oauth2/v2.0/authorize?p=B2C_1_OCHA_PASSWORD_RESET&nonce=defaultNonce&scope=openid&response_type=code&prompt=login' +register_url: 'https://unb2c.b2clogin.com/unb2c.onmicrosoft.com/oauth2/v2.0/authorize?p=B2C_1_OCHA_SIGNUP&nonce=defaultNonce&scope=openid&response_type=code&prompt=login' +openid_connect_client: 'azure_b2c_signin' 
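Review bot: The four identical `if ($route = $collection->get(...)) { $route->setRequirement('_access', 'FALSE'); }` blocks in `alterRoutes()` would read better as one loop over the route names, with the `user.admin_create` case appended when `disable_user_create` is set. The list leaves `user.login` and the one-time-login routes (`user.reset`, `user.reset.login`) reachable, which may be deliberate given the `user_login_display: replace` setting elsewhere in this series, but a comment naming the entry points that are intentionally kept, e.g. `// user.login is kept: its form is replaced by the OpenID Connect buttons.`, would save the next reader the question. The opening lines of this hunk (class header and constructor) are truncated on this page, so only `alterRoutes()` was reviewed.
```php
  protected function alterRoutes(RouteCollection $collection) {
    $blocked = ['user.login.http', 'user.pass', 'user.pass.http', 'user.register'];
    // Deny access to user_create form.
    if ($this->config->get('disable_user_create')) {
      $blocked[] = 'user.admin_create';
    }
    foreach ($blocked as $name) {
      if ($route = $collection->get($name)) {
        $route->setRequirement('_access', 'FALSE');
      }
    }
  }
```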
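Review bot: Both `register_url` and `password_url` bake a constant `nonce=defaultNonce` into the authorize URL and carry no `state` parameter, so the per-request replay and CSRF binding that the OpenID Connect login flow normally provides is absent for the signup and password-reset hops; the controller in patch 12 only appends `client_id` and `redirect_uri` to these strings. The nonce should be generated per request by the controller and bound to the session (and checked on the way back), not stored in config, and if the return leg really lands on `openid-connect/azure_b2c_signin` it is worth confirming that the module's own `state` check accepts a response it did not initiate. The same strings recur unchanged in the install config (patch 14) and in the renamed `ocha_azure_tweaks.settings.yml` (patches 18 and 20), so the fix applies there as well.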
diff --git a/config/core.extension.yml b/config/core.extension.yml index 486f5690..b1925d29 100644 --- a/config/core.extension.yml +++ b/config/core.extension.yml @@ -5,6 +5,7 @@ module: admin_denied: 0 amazon_ses: 0 aws: 0 + azure_tweaks: 0 big_pipe: 0 block: 0 breakpoint: 0 diff --git a/config/openid_connect.client.azure_b2c_signup.yml b/config/openid_connect.client.azure_b2c_signup.yml deleted file mode 100644 index 5dee837d..00000000 --- a/config/openid_connect.client.azure_b2c_signup.yml +++ /dev/null @@ -1,28 +0,0 @@ -uuid: b038b819-9f20-4081-8255-6629e99cf657 -langcode: en -status: true -dependencies: - module: - - openid_connect_windows_aad -id: azure_b2c_signup -label: 'Create new account (New HID)' -plugin: windows_aad -settings: - client_id: 64661a42-4710-4bfd-97ab-916bcfeddb59 - client_secret: azure_b2c_client_secret - authorization_endpoint_wa: 'https://unb2c.b2clogin.com/unb2c.onmicrosoft.com/B2C_1_OCHA_SIGNUP/oauth2/v2.0/authorize' - token_endpoint_wa: 'https://unb2c.b2clogin.com/unb2c.onmicrosoft.com/B2C_1_OCHA_SIGNUP/oauth2/v2.0/token' - userinfo_endpoint_wa: '' - map_ad_groups_to_roles: true - group_mapping: - method: 0 - mappings: '' - strict: false - userinfo_graph_api_wa: 1 - userinfo_graph_api_use_other_mails: false - userinfo_update_email: true - hide_email_address_warning: false - subject_key: sub - end_session_endpoint: 'https://unb2c.b2clogin.com/unb2c.onmicrosoft.com/B2C_1_OCHA_SIGNUP/oauth2/v2.0/logout' - iss_allowed_domains: 'https://feature.response-reliefweb-int.ahconu.org/' - front_channel_logout_url: '' From 014e69dfe32e77864665cfb01dda4bf5d201a694 Mon Sep 17 00:00:00 2001 
From: Peter Lieverdink Date: Thu, 11 Jul 2024 14:30:50 +1000 Subject: [PATCH 14/25] chore: No need for that extra lookup, just use the id. --- config/azure_tweaks.settings.yml | 2 +- .../azure_tweaks/config/install/azure_tweaks.settings.yml | 2 +- .../azure_tweaks/config/schema/azure_tweaks.schema.yml | 4 ++-- .../custom/azure_tweaks/src/Controller/AuthController.php | 6 ++---- 4 files changed, 6 insertions(+), 8 deletions(-) diff --git a/config/azure_tweaks.settings.yml b/config/azure_tweaks.settings.yml index 368f1e59..00cbf28f 100644 --- a/config/azure_tweaks.settings.yml +++ b/config/azure_tweaks.settings.yml @@ -1,3 +1,3 @@ password_url: 'https://unb2c.b2clogin.com/unb2c.onmicrosoft.com/oauth2/v2.0/authorize?p=B2C_1_OCHA_PASSWORD_RESET&nonce=defaultNonce&scope=openid&response_type=code&prompt=login' register_url: 'https://unb2c.b2clogin.com/unb2c.onmicrosoft.com/oauth2/v2.0/authorize?p=B2C_1_OCHA_SIGNUP&nonce=defaultNonce&scope=openid&response_type=code&prompt=login' -openid_connect_client: 'azure_b2c_signin' +openid_connect_client_id: 'azure_b2c_signin' diff --git a/html/modules/custom/azure_tweaks/config/install/azure_tweaks.settings.yml b/html/modules/custom/azure_tweaks/config/install/azure_tweaks.settings.yml index f18f79de..057a38ef 100644 --- a/html/modules/custom/azure_tweaks/config/install/azure_tweaks.settings.yml +++ b/html/modules/custom/azure_tweaks/config/install/azure_tweaks.settings.yml @@ -1,3 +1,3 @@ password_url: 'https://unb2c.b2clogin.com/unb2c.onmicrosoft.com/oauth2/v2.0/authorize?p=B2C_1_OCHA_PASSWORD_RESET&nonce=defaultNonce&scope=openid&response_type=code&prompt=login' register_url: 'https://unb2c.b2clogin.com/unb2c.onmicrosoft.com/oauth2/v2.0/authorize?p=B2C_1_OCHA_SIGNUP&nonce=defaultNonce&scope=openid&response_type=code&prompt=login' -openid_connect_client: 'entraid' +openid_connect_client_id: 'entraid' 
diff --git a/html/modules/custom/azure_tweaks/config/schema/azure_tweaks.schema.yml b/html/modules/custom/azure_tweaks/config/schema/azure_tweaks.schema.yml index 1f5eba45..39da1098 100644 --- a/html/modules/custom/azure_tweaks/config/schema/azure_tweaks.schema.yml +++ b/html/modules/custom/azure_tweaks/config/schema/azure_tweaks.schema.yml @@ -8,6 +8,6 @@ azure_tweaks.settings: register_url: type: string label: 'Register URL' - openid_connect_client: + openid_connect_client_id: type: string - label: 'OpenID Client' + label: 'OpenID Client ID' diff --git a/html/modules/custom/azure_tweaks/src/Controller/AuthController.php b/html/modules/custom/azure_tweaks/src/Controller/AuthController.php index 381bd73a..6019ef2f 100644 --- a/html/modules/custom/azure_tweaks/src/Controller/AuthController.php +++ b/html/modules/custom/azure_tweaks/src/Controller/AuthController.php @@ -16,8 +16,7 @@ class AuthController extends ControllerBase { */ public function redirectRegister() { $url = $this->config('azure_tweaks.settings')->get('register_url'); - $openid_client = $this->config('azure_tweaks.settings')->get('openid_connect_client'); - $client_id = $this->config('openid_connect.client.' . $openid_client)->get('settings.client_id'); + $client_id = $this->config('azure_tweaks.settings')->get('openid_connect_client_id'); $redirect = Url::fromRoute('')->setAbsolute()->toString(); $redirect .= 'openid-connect/azure_b2c_signin'; @@ -35,8 +34,7 @@ public function redirectRegister() { */ public function redirectResetPassword() { $url = $this->config('azure_tweaks.settings')->get('password_url'); - $openid_client = $this->config('azure_tweaks.settings')->get('openid_connect_client'); - $client_id = $this->config('openid_connect.client.' . $openid_client)->get('settings.client_id'); + $client_id = $this->config('azure_tweaks.settings')->get('openid_connect_client_id'); $redirect = Url::fromRoute('')->setAbsolute()->toString(); $redirect .= 'openid-connect/azure_b2c_signin'; 
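Review bot: `$client_id` is now read from `openid_connect_client_id` and concatenated straight into the query string, and the `$url .= '&redirect_uri=' . $redirect;` that follows (visible in patch 12's version of this file) does the same with an absolute URL, so neither value is URL-encoded; `http_build_query(['client_id' => $client_id, 'redirect_uri' => $redirect])` would encode both and keep the separator logic out of the strings. In this revision `config/azure_tweaks.settings.yml` still holds the client *name* `azure_b2c_signin` under the renamed key, so the generated URL carries that name as `client_id` until the value is replaced by the GUID in patch 17. `redirectRegister()` and `redirectResetPassword()` are otherwise line-for-line duplicates, and both call `$response->send()` inside the controller; a private helper that builds the URL and returns the `TrustedRedirectResponse` for the kernel to deliver removes the duplication. Both method bodies continue past the end of this hunk.
```php
  /**
   * Redirect the register page.
   */
  public function redirectRegister() {
    return $this->redirectToPolicy('register_url');
  }

  // … unchanged: redirectResetPassword() becomes the same call with 'password_url' …

  /**
   * Builds the B2C authorize URL for a configured policy and redirects to it.
   *
   * @param string $url_key
   *   Settings key holding the policy's base authorize URL.
   */
  private function redirectToPolicy(string $url_key): TrustedRedirectResponse {
    $settings = $this->config('azure_tweaks.settings');
    $redirect = Url::fromRoute('')->setAbsolute()->toString() . 'openid-connect/azure_b2c_signin';
    // The configured URL already ends in a query string, so append with '&'.
    $url = $settings->get($url_key) . '&' . http_build_query([
      'client_id' => $settings->get('openid_connect_client_id'),
      'redirect_uri' => $redirect,
    ]);
    return new TrustedRedirectResponse($url);
  }
```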
From af0cbe9c2a75d1131459a883841c956ca1dd9022 Mon Sep 17 00:00:00 2001 From: Peter Lieverdink Date: Thu, 11 Jul 2024 14:33:32 +1000 Subject: [PATCH 15/25] chore: Use the same settings as CD, where the register/password tabs show up. --- config/openid_connect.settings.yml | 10 ++++------ 1 file changed, 4 insertions(+), 6 deletions(-) diff --git a/config/openid_connect.settings.yml b/config/openid_connect.settings.yml index 701c64d7..d5b01c6a 100644 --- a/config/openid_connect.settings.yml +++ b/config/openid_connect.settings.yml @@ -1,13 +1,11 @@ always_save_userinfo: true connect_existing_users: true -override_registration_settings: true +override_registration_settings: false end_session_enabled: true -user_login_display: replace +user_login_display: above redirect_login: '' -redirect_logout: '/' +redirect_logout: '' userinfo_mappings: timezone: zoneinfo user_picture: picture -role_mappings: - administrator: { } - global_editor: { } +role_mappings: { } From dff162bfb24e8c550195a8d65d3f149885f9fab5 Mon Sep 17 00:00:00 2001 From: Peter Lieverdink Date: Tue, 16 Jul 2024 11:24:29 +1000 Subject: [PATCH 16/25] fix: Remove Drupa login fields and show the register/password tabs. --- ...block.block.common_design_subtheme_local_tasks.yml | 11 +---------- config/openid_connect.settings.yml | 2 +- 2 files changed, 2 insertions(+), 11 deletions(-) diff --git a/config/block.block.common_design_subtheme_local_tasks.yml b/config/block.block.common_design_subtheme_local_tasks.yml index b7b75feb..d7de9c6b 100644 --- a/config/block.block.common_design_subtheme_local_tasks.yml +++ b/config/block.block.common_design_subtheme_local_tasks.yml @@ -2,8 +2,6 @@ uuid: c5c9acdd-386d-4c9c-a63b-0d2c851b0d08 langcode: en status: true dependencies: - module: - - user theme: - common_design_subtheme _core: 
@@ -21,11 +19,4 @@ settings: provider: core primary: true secondary: false -visibility: - user_role: - id: user_role - negate: false - context_mapping: - user: '@user.current_user_context:current_user' - roles: - authenticated: authenticated +visibility: { } diff --git a/config/openid_connect.settings.yml b/config/openid_connect.settings.yml index d5b01c6a..fd9e72df 100644 --- a/config/openid_connect.settings.yml +++ b/config/openid_connect.settings.yml @@ -2,7 +2,7 @@ always_save_userinfo: true connect_existing_users: true override_registration_settings: false end_session_enabled: true -user_login_display: above +user_login_display: replace redirect_login: '' redirect_logout: '' userinfo_mappings: From f652420e44dd5b510be21858bed5beec964b678e Mon Sep 17 00:00:00 2001 From: Peter Lieverdink Date: Tue, 16 Jul 2024 11:29:07 +1000 Subject: [PATCH 17/25] chore: This is the OpenID client ID we need. --- config/azure_tweaks.settings.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/config/azure_tweaks.settings.yml b/config/azure_tweaks.settings.yml index 00cbf28f..2418ab97 100644 --- a/config/azure_tweaks.settings.yml +++ b/config/azure_tweaks.settings.yml @@ -1,3 +1,3 @@ password_url: 'https://unb2c.b2clogin.com/unb2c.onmicrosoft.com/oauth2/v2.0/authorize?p=B2C_1_OCHA_PASSWORD_RESET&nonce=defaultNonce&scope=openid&response_type=code&prompt=login' register_url: 'https://unb2c.b2clogin.com/unb2c.onmicrosoft.com/oauth2/v2.0/authorize?p=B2C_1_OCHA_SIGNUP&nonce=defaultNonce&scope=openid&response_type=code&prompt=login' -openid_connect_client_id: 'azure_b2c_signin' +openid_connect_client_id: '64661a42-4710-4bfd-97ab-916bcfeddb59' From 049a6a6b2a792ce0d6b8c169cc0801d542c837f7 Mon Sep 17 00:00:00 2001 
From: Peter Lieverdink Date: Tue, 16 Jul 2024 13:02:58 +1000 Subject: [PATCH 18/25] chore: Use the packagist-managed ocha_azure_tweaks module. Refs: OPS-10529 --- config/core.extension.yml | 2 +- ...ngs.yml => ocha_azure_tweaks.settings.yml} | 3 +- .../custom/azure_tweaks/azure_tweaks.info.yml | 7 --- .../azure_tweaks/azure_tweaks.links.task.yml | 9 --- .../custom/azure_tweaks/azure_tweaks.module | 6 -- .../azure_tweaks/azure_tweaks.routing.yml | 16 ------ .../azure_tweaks/azure_tweaks.services.yml | 7 --- .../config/install/azure_tweaks.settings.yml | 3 - .../config/schema/azure_tweaks.schema.yml | 13 ----- .../src/Controller/AuthController.php | 50 ----------------- .../src/Routing/RouteSubscriber.php | 56 ------------------- 11 files changed, 3 insertions(+), 169 deletions(-) rename config/{azure_tweaks.settings.yml => ocha_azure_tweaks.settings.yml} (94%) delete mode 100755 html/modules/custom/azure_tweaks/azure_tweaks.info.yml delete mode 100644 html/modules/custom/azure_tweaks/azure_tweaks.links.task.yml delete mode 100755 html/modules/custom/azure_tweaks/azure_tweaks.module delete mode 100644 html/modules/custom/azure_tweaks/azure_tweaks.routing.yml delete mode 100644 html/modules/custom/azure_tweaks/azure_tweaks.services.yml delete mode 100644 html/modules/custom/azure_tweaks/config/install/azure_tweaks.settings.yml delete mode 100644 html/modules/custom/azure_tweaks/config/schema/azure_tweaks.schema.yml delete mode 100644 html/modules/custom/azure_tweaks/src/Controller/AuthController.php delete mode 100644 html/modules/custom/azure_tweaks/src/Routing/RouteSubscriber.php diff --git a/config/core.extension.yml b/config/core.extension.yml index b1925d29..e398af01 100644 --- a/config/core.extension.yml +++ b/config/core.extension.yml @@ -5,7 +5,6 @@ module: admin_denied: 0 amazon_ses: 0 aws: 0 - azure_tweaks: 0 big_pipe: 0 block: 0 breakpoint: 0 
@@ -79,6 +78,7 @@ module: monitoring: 0 mysql: 0 node: 0 + ocha_azure_tweaks: 0 ocha_monitoring: 0 ocha_search: 0 openid_connect: 0 diff --git a/config/azure_tweaks.settings.yml b/config/ocha_azure_tweaks.settings.yml similarity index 94% rename from config/azure_tweaks.settings.yml rename to config/ocha_azure_tweaks.settings.yml index 2418ab97..501e9dd5 100644 --- a/config/azure_tweaks.settings.yml +++ b/config/ocha_azure_tweaks.settings.yml @@ -1,3 +1,4 @@ +disable_user_create: true +openid_connect_client_id: '64661a42-4710-4bfd-97ab-916bcfeddb59' password_url: 'https://unb2c.b2clogin.com/unb2c.onmicrosoft.com/oauth2/v2.0/authorize?p=B2C_1_OCHA_PASSWORD_RESET&nonce=defaultNonce&scope=openid&response_type=code&prompt=login' register_url: 'https://unb2c.b2clogin.com/unb2c.onmicrosoft.com/oauth2/v2.0/authorize?p=B2C_1_OCHA_SIGNUP&nonce=defaultNonce&scope=openid&response_type=code&prompt=login' -openid_connect_client_id: '64661a42-4710-4bfd-97ab-916bcfeddb59' diff --git a/html/modules/custom/azure_tweaks/azure_tweaks.info.yml b/html/modules/custom/azure_tweaks/azure_tweaks.info.yml deleted file mode 100755 index e8dd64c4..00000000 --- a/html/modules/custom/azure_tweaks/azure_tweaks.info.yml +++ /dev/null @@ -1,7 +0,0 @@ -name: 'Azure tweaks' -description: Tweaks for Azure B2C. -type: module -core_version_requirement: ^9 || ^10 -package: 'UNOCHA' -dependencies: - - openid_connect_windows_aad:openid_connect_windows_aad diff --git a/html/modules/custom/azure_tweaks/azure_tweaks.links.task.yml b/html/modules/custom/azure_tweaks/azure_tweaks.links.task.yml deleted file mode 100644 index 1f451598..00000000 --- a/html/modules/custom/azure_tweaks/azure_tweaks.links.task.yml +++ /dev/null @@ -1,9 +0,0 @@ -azure_tweaks.register: - route_name: azure_tweaks.register - base_route: user.page - title: 'Create new account' - -azure_tweaks.pass: - route_name: azure_tweaks.pass - base_route: user.page - title: 'Reset your password' 
diff --git a/html/modules/custom/azure_tweaks/azure_tweaks.module b/html/modules/custom/azure_tweaks/azure_tweaks.module deleted file mode 100755 index 62aa67d7..00000000 --- a/html/modules/custom/azure_tweaks/azure_tweaks.module +++ /dev/null @@ -1,6 +0,0 @@ -config('azure_tweaks.settings')->get('register_url'); - $client_id = $this->config('azure_tweaks.settings')->get('openid_connect_client_id'); - $redirect = Url::fromRoute('')->setAbsolute()->toString(); - $redirect .= 'openid-connect/azure_b2c_signin'; - - $url .= '&client_id=' . $client_id; - $url .= '&redirect_uri=' . $redirect; - - /** @var \Drupal\Core\Routing\TrustedRedirectResponse|\Symfony\Component\HttpFoundation\RedirectResponse $response */ - $response = new TrustedRedirectResponse($url); - - return $response->send(); - } - - /** - * Redirect the password reset page. - */ - public function redirectResetPassword() { - $url = $this->config('azure_tweaks.settings')->get('password_url'); - $client_id = $this->config('azure_tweaks.settings')->get('openid_connect_client_id'); - $redirect = Url::fromRoute('')->setAbsolute()->toString(); - $redirect .= 'openid-connect/azure_b2c_signin'; - - $url .= '&client_id=' . $client_id; - $url .= '&redirect_uri=' . $redirect; - - /** @var \Drupal\Core\Routing\TrustedRedirectResponse|\Symfony\Component\HttpFoundation\RedirectResponse $response */ - $response = new TrustedRedirectResponse($url); - - return $response->send(); - } - -} diff --git a/html/modules/custom/azure_tweaks/src/Routing/RouteSubscriber.php b/html/modules/custom/azure_tweaks/src/Routing/RouteSubscriber.php deleted file mode 100644 index dc17fdff..00000000 --- a/html/modules/custom/azure_tweaks/src/Routing/RouteSubscriber.php +++ /dev/null 
@@ -1,56 +0,0 @@ -config = $configFactory->get('azure_tweaks.settings'); - } - - /** - * {@inheritdoc} - */ - protected function alterRoutes(RouteCollection $collection) { - if ($route = $collection->get('user.login.http')) { - $route->setRequirement('_access', 'FALSE'); - } - if ($route = $collection->get('user.pass')) { - $route->setRequirement('_access', 'FALSE'); - } - if ($route = $collection->get('user.pass.http')) { - $route->setRequirement('_access', 'FALSE'); - } - if ($route = $collection->get('user.register')) { - $route->setRequirement('_access', 'FALSE'); - } - - // Deny access to user_create form. - if ($this->config->get('disable_user_create')) { - if ($route = $collection->get('user.admin_create')) { - $route->setRequirement('_access', 'FALSE'); - } - } - } - -} From 47aeaa05944b8074e2bfde980b5d2a9811a7818b Mon Sep 17 00:00:00 2001 From: Peter Lieverdink Date: Tue, 16 Jul 2024 13:08:19 +1000 Subject: [PATCH 19/25] =?UTF-8?q?=F0=9F=AB=A3?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- composer.json | 1 + composer.lock | 42 +++++++++++++++++++++++++++++++++++++++++- 2 files changed, 42 insertions(+), 1 deletion(-) diff --git a/composer.json b/composer.json index 4cf5944a..5577d898 100644 --- a/composer.json +++ b/composer.json @@ -103,6 +103,7 @@ "rlanvin/php-rrule": "2.3.1", "unocha/common_design": "^9", "unocha/gtm_barebones": "^1.0", + "unocha/ocha_azure_tweaks": "^0.0.1", "unocha/ocha_monitoring": "^1.0", "unocha/ocha_search": "^1.0" }, diff --git a/composer.lock b/composer.lock index dd645a25..a2420e20 100644 --- a/composer.lock +++ b/composer.lock @@ -4,7 +4,7 @@ "Read more about it at https://getcomposer.org/doc/01-basic-usage.md#installing-dependencies", "This file is @generated automatically" ], - "content-hash": "489d07555f5f360fd52d99a3ac88a9f2", + "content-hash": "7b98d0c0ce896d065065aee67cdb5d2b", "packages": [ { "name": "asm89/stack-cors", 
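Review bot: `"unocha/ocha_azure_tweaks": "^0.0.1"` resolves to `>=0.0.1 <0.0.2` under Composer's caret rules for 0.0.x versions, so every release of the module needs a composer.json edit (patch 20 already makes one for 0.0.2). If exact pinning is wanted, `"0.0.1"` says so explicitly; if patch releases should flow through, `"~0.0.1"` (`>=0.0.1 <0.1.0`) does that. The commit title is a bare emoji with no description, so the reason for the new dependency (it replaces the in-tree `azure_tweaks` module deleted in patch 18) is only discoverable from neighbouring patches; a one-line subject such as `chore: Pull azure tweaks from the packaged unocha/ocha_azure_tweaks module.` would carry it.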
@@ -12550,6 +12550,46 @@ }, "time": "2024-07-17T12:52:34+00:00" }, + { + "name": "unocha/ocha_azure_tweaks", + "version": "0.0.1", + "source": { + "type": "git", + "url": "https://github.com/UN-OCHA/ocha_azure_tweaks.git", + "reference": "41adb36060d81b91880e48d5169ef7a55f6eb40e" + }, + "dist": { + "type": "zip", + "url": "https://api.github.com/repos/UN-OCHA/ocha_azure_tweaks/zipball/41adb36060d81b91880e48d5169ef7a55f6eb40e", + "reference": "41adb36060d81b91880e48d5169ef7a55f6eb40e", + "shasum": "" + }, + "require": { + "drupal/openid_connect_windows_aad": "^2.0@beta", + "php": ">=8.2" + }, + "require-dev": { + "dealerdirect/phpcodesniffer-composer-installer": "^1.0", + "drupal/coder": "^8.3", + "phpcompatibility/php-compatibility": "^9.3" + }, + "type": "drupal-module", + "notification-url": "https://packagist.org/downloads/", + "license": [ + "GPL-2.0-or-later" + ], + "authors": [ + { + "name": "UNOCHA" + } + ], + "description": "OCHA Azure tweaks module", + "support": { + "issues": "https://github.com/UN-OCHA/ocha_azure_tweaks/issues", + "source": "https://github.com/UN-OCHA/ocha_azure_tweaks/tree/0.0.1" + }, + "time": "2024-07-16T02:41:48+00:00" + }, { "name": "unocha/ocha_monitoring", "version": "1.0.18", From 4e488fe92fbc0a15773562e88115c6a8475e279b Mon Sep 17 00:00:00 2001 From: Peter Lieverdink Date: Tue, 16 Jul 2024 13:27:37 +1000 Subject: [PATCH 20/25] chore: Bump azure tweaks after fixing embarassing typo and adding new feature. --- composer.json | 2 +- composer.lock | 14 +++++++------- config/ocha_azure_tweaks.settings.yml | 1 + 3 files changed, 9 insertions(+), 8 deletions(-) diff --git a/composer.json b/composer.json index 5577d898..c31d2816 100644 --- a/composer.json +++ b/composer.json @@ -103,7 +103,7 @@ "rlanvin/php-rrule": "2.3.1", "unocha/common_design": "^9", "unocha/gtm_barebones": "^1.0", - "unocha/ocha_azure_tweaks": "^0.0.1", + "unocha/ocha_azure_tweaks": "^0.0.2", "unocha/ocha_monitoring": "^1.0", "unocha/ocha_search": "^1.0" }, 
diff --git a/composer.lock b/composer.lock index a2420e20..8209f551 100644 --- a/composer.lock +++ b/composer.lock @@ -4,7 +4,7 @@ "Read more about it at https://getcomposer.org/doc/01-basic-usage.md#installing-dependencies", "This file is @generated automatically" ], - "content-hash": "7b98d0c0ce896d065065aee67cdb5d2b", + "content-hash": "2a7fa0591e32391909cd08666484b0c7", "packages": [ { "name": "asm89/stack-cors", @@ -12552,16 +12552,16 @@ }, { "name": "unocha/ocha_azure_tweaks", - "version": "0.0.1", + "version": "0.0.2", "source": { "type": "git", "url": "https://github.com/UN-OCHA/ocha_azure_tweaks.git", - "reference": "41adb36060d81b91880e48d5169ef7a55f6eb40e" + "reference": "134e947e7351e5dcc50de690e9034f6b01642750" }, "dist": { "type": "zip", - "url": "https://api.github.com/repos/UN-OCHA/ocha_azure_tweaks/zipball/41adb36060d81b91880e48d5169ef7a55f6eb40e", - "reference": "41adb36060d81b91880e48d5169ef7a55f6eb40e", + "url": "https://api.github.com/repos/UN-OCHA/ocha_azure_tweaks/zipball/134e947e7351e5dcc50de690e9034f6b01642750", + "reference": "134e947e7351e5dcc50de690e9034f6b01642750", "shasum": "" }, "require": { @@ -12586,9 +12586,9 @@ "description": "OCHA Azure tweaks module", "support": { "issues": "https://github.com/UN-OCHA/ocha_azure_tweaks/issues", - "source": "https://github.com/UN-OCHA/ocha_azure_tweaks/tree/0.0.1" + "source": "https://github.com/UN-OCHA/ocha_azure_tweaks/tree/0.0.2" }, - "time": "2024-07-16T02:41:48+00:00" + "time": "2024-07-16T03:24:24+00:00" }, { "name": "unocha/ocha_monitoring", diff --git a/config/ocha_azure_tweaks.settings.yml b/config/ocha_azure_tweaks.settings.yml index 501e9dd5..98691015 100644 --- a/config/ocha_azure_tweaks.settings.yml +++ b/config/ocha_azure_tweaks.settings.yml 
@@ -2,3 +2,4 @@ disable_user_create: true openid_connect_client_id: '64661a42-4710-4bfd-97ab-916bcfeddb59' password_url: 'https://unb2c.b2clogin.com/unb2c.onmicrosoft.com/oauth2/v2.0/authorize?p=B2C_1_OCHA_PASSWORD_RESET&nonce=defaultNonce&scope=openid&response_type=code&prompt=login' register_url: 'https://unb2c.b2clogin.com/unb2c.onmicrosoft.com/oauth2/v2.0/authorize?p=B2C_1_OCHA_SIGNUP&nonce=defaultNonce&scope=openid&response_type=code&prompt=login' +redirect_endpoint: 'openid-connect/azure_b2c_signin' From 92e8d5cd5e9dc8870aaff7acd5eea8d8e17ec9af Mon Sep 17 00:00:00 2001 From: Peter Lieverdink Date: Fri, 19 Jul 2024 10:52:17 +1000 Subject: [PATCH 21/25] chore: Update the EntraID config with the new client secret. So it works. Refs: OPS-10529 --- config/key.key.entraid_client_secret.yml | 15 +++++++++++++++ config/openid_connect.client.entraid.yml | 6 +++--- 2 files changed, 18 insertions(+), 3 deletions(-) create mode 100644 config/key.key.entraid_client_secret.yml diff --git a/config/key.key.entraid_client_secret.yml b/config/key.key.entraid_client_secret.yml new file mode 100644 index 00000000..4e6da649 --- /dev/null +++ b/config/key.key.entraid_client_secret.yml @@ -0,0 +1,15 @@ +uuid: fbbdd5c7-ec5e-417d-a829-52df6ce2e78e +langcode: en +status: true +dependencies: { } +id: entraid_client_secret +label: 'Entra ID Client Secret' +description: 'Entra ID Client Secret' +key_type: authentication +key_type_settings: { } +key_provider: file +key_provider_settings: + file_location: /srv/www/shared/entraid.key + strip_line_breaks: true +key_input: none +key_input_settings: { } diff --git a/config/openid_connect.client.entraid.yml b/config/openid_connect.client.entraid.yml index 613162b4..d9eae404 100644 --- a/config/openid_connect.client.entraid.yml +++ b/config/openid_connect.client.entraid.yml 
@@ -9,7 +9,7 @@ label: 'Entra ID (UNITE ID)'
plugin: windows_aad
settings:
client_id: 60f61dfa-1af4-4b6a-bb62-73c95ead00d1
- client_secret: ''
+ client_secret: entraid_client_secret
authorization_endpoint_wa: 'https://login.microsoftonline.com/0f9e35db-544f-4f60-bdcc-5ea416e6dc70/oauth2/v2.0/authorize'
token_endpoint_wa: 'https://login.microsoftonline.com/0f9e35db-544f-4f60-bdcc-5ea416e6dc70/oauth2/v2.0/token'
userinfo_endpoint_wa: ''
@@ -18,11 +18,11 @@ settings:
method: 0
mappings: ''
strict: false
- userinfo_graph_api_wa: 1
+ userinfo_graph_api_wa: 0
userinfo_graph_api_use_other_mails: false
userinfo_update_email: true
hide_email_address_warning: false
subject_key: sub
end_session_endpoint: ''
- iss_allowed_domains: ''
+ iss_allowed_domains: 'https://feature.response-reliefweb-int.ahconu.org'
front_channel_logout_url: ''
From 13e03e9db71a382f22ddff724b2e858138503c21 Mon Sep 17 00:00:00 2001
From: Peter Lieverdink
Date: Fri, 19 Jul 2024 11:11:06 +1000
Subject: [PATCH 22/25] fix: Avoid displaying an error if the user is in blocked state.
---
PATCHES/openid_connect-3390668-6.patch | 17 +++++++++++++++++
composer.patches.json | 3 +++
2 files changed, 20 insertions(+)
create mode 100644 PATCHES/openid_connect-3390668-6.patch
diff --git a/PATCHES/openid_connect-3390668-6.patch b/PATCHES/openid_connect-3390668-6.patch
new file mode 100644
index 00000000..a2390b18
--- /dev/null
+++ b/PATCHES/openid_connect-3390668-6.patch
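Review bot: `iss_allowed_domains: 'https://feature.response-reliefweb-int.ahconu.org'` in the second hunk commits a feature-environment hostname into config that is synced to every environment; if this value is the allow-list the windows_aad plugin checks tokens or redirects against, production will either reject logins or need a manual edit after each config import. I'd keep the committed value environment-neutral and set it per environment through a `$config['openid_connect.client.entraid']['settings']['iss_allowed_domains']` override in settings.php, and say in the commit body which environment the literal is meant for. The same literal is copied into the azure_b2c_reset and azure_b2c_signup clients added in PATCH 23, so the override would need to cover those ids too.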
@@ -0,0 +1,17 @@
+diff --git a/src/Controller/OpenIDConnectRedirectController.php b/src/Controller/OpenIDConnectRedirectController.php
+index 3271c54..a4fc578 100644
+--- a/src/Controller/OpenIDConnectRedirectController.php
++++ b/src/Controller/OpenIDConnectRedirectController.php
+@@ -295,7 +295,11 @@ class OpenIDConnectRedirectController implements ContainerInjectionInterface, Ac
+ if ($op === 'login') {
+ $success = $this->openIDConnect->completeAuthorization($openid_connect_client, $tokens);
+
+- if (!$success) {
++ // We need the full user object to check if the account is blocked.
++ $account = $this->currentUser->getAccount();
++
++ // Display an error if the current user is blocked and not anonymous.
++ if (!$success && $this->currentUser->id() && !$account->isBlocked()) {
+ $this->messenger()->addError($this->t('Logging in with @provider could not be completed due to an error.', $provider_param));
+ }
+ }
diff --git a/composer.patches.json b/composer.patches.json
index 97b2f880..652d6e7b 100644
--- a/composer.patches.json
+++ b/composer.patches.json
@@ -24,6 +24,9 @@
"Avoid null links": "./PATCHES/linkchecker_null_link.patch",
"Recognize previous revisions https://www.drupal.org/project/linkchecker/issues/3366753": "./PATCHES/linkchecker-previous-revisions-3366753.patch"
},
+ "drupal/openid_connect": {
+ "Handle case if user is in blocked state after SSO Authorization": "PATCHES/openid_connect-3390668-6.patch"
+ },
"drupal/openid_connect_windows_aad": {
"Failed to get authentication tokens for Windows Azure AD": "PATCHES/openid_connect_windows_aad-3346603-5.patch"
},
From c6891dcdd0354839486f0388a147b0f79200d0dd Mon Sep 17 00:00:00 2001
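Review bot: The replacement condition `if (!$success && $this->currentUser->id() && !$account->isBlocked())` requires an authenticated session before the error is shown, so any completeAuthorization() failure that leaves the request anonymous (rejected tokens, a missing claim, an email collision) has `$this->currentUser->id()` equal to 0 and loses the generic error as well, not only the blocked-account case the commit targets. I'd verify against the openid_connect version in use that a blocked account really ends up as the current user at this point; if it does not, the suppression should be narrowed to the blocked case, e.g. `if (!$success && !($this->currentUser->id() && $account->isBlocked())) {`, so anonymous failures keep their message. A failed login that shows nothing is also hard to diagnose later, so logging the reason through the module's logger on the suppressed path would be worth adding. The enclosing controller method starts and ends outside the quoted hunk.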
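Review bot: The new patch path `PATCHES/openid_connect-3390668-6.patch` mixes forms with the `./PATCHES/...` entries in the hunk above; both resolve, but one convention keeps the file greppable and diffs smaller, `"Handle case if user is in blocked state after SSO Authorization": "./PATCHES/openid_connect-3390668-6.patch"`. The linkchecker entry also carries the upstream issue URL in its key, which makes it easy to check later whether the patch has landed and can be dropped; the new key could include the 3390668 issue link the same way.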
From: Peter Lieverdink
Date: Fri, 26 Jul 2024 15:09:42 +1000
Subject: [PATCH 23/25] chore: Update config to work with the (to be updated) ocha_azure_tweaks module. Refs: OPS-10529
---
config/ocha_azure_tweaks.settings.yml | 6 ++--
.../openid_connect.client.azure_b2c_reset.yml | 28 +++++++++++++++++++
...openid_connect.client.azure_b2c_signin.yml | 2 +-
...openid_connect.client.azure_b2c_signup.yml | 28 +++++++++++++++++++
config/openid_connect.settings.yml | 2 +-
5 files changed, 60 insertions(+), 6 deletions(-)
create mode 100644 config/openid_connect.client.azure_b2c_reset.yml
create mode 100644 config/openid_connect.client.azure_b2c_signup.yml
diff --git a/config/ocha_azure_tweaks.settings.yml b/config/ocha_azure_tweaks.settings.yml
index 98691015..72be8bdc 100644
--- a/config/ocha_azure_tweaks.settings.yml
+++ b/config/ocha_azure_tweaks.settings.yml
@@ -1,5 +1,3 @@
disable_user_create: true
-openid_connect_client_id: '64661a42-4710-4bfd-97ab-916bcfeddb59'
-password_url: 'https://unb2c.b2clogin.com/unb2c.onmicrosoft.com/oauth2/v2.0/authorize?p=B2C_1_OCHA_PASSWORD_RESET&nonce=defaultNonce&scope=openid&response_type=code&prompt=login'
-register_url: 'https://unb2c.b2clogin.com/unb2c.onmicrosoft.com/oauth2/v2.0/authorize?p=B2C_1_OCHA_SIGNUP&nonce=defaultNonce&scope=openid&response_type=code&prompt=login'
-redirect_endpoint: 'openid-connect/azure_b2c_signin'
+openid_register_client: azure_b2c_signup
+openid_reset_client: azure_b2c_reset
diff --git a/config/openid_connect.client.azure_b2c_reset.yml b/config/openid_connect.client.azure_b2c_reset.yml
new file mode 100644
index 00000000..22b7622b
--- /dev/null
+++ b/config/openid_connect.client.azure_b2c_reset.yml
@@ -0,0 +1,28 @@
+uuid: 10e8c90a-5d57-4604-bc1e-ffcfb2cb3f9f
+langcode: en
+status: true
+dependencies:
+ module:
+ - openid_connect_windows_aad
+id: azure_b2c_signin
+label: 'Azure B2C (Password Reset Workflow)'
+plugin: windows_aad
+settings:
+ client_id: 64661a42-4710-4bfd-97ab-916bcfeddb59
+ client_secret: azure_b2c_client_secret
+ authorization_endpoint_wa: 'https://unb2c.b2clogin.com/unb2c.onmicrosoft.com/B2C_1_OCHA_PASSWORD_RESET/oauth2/v2.0/authorize'
+ token_endpoint_wa: 'https://unb2c.b2clogin.com/unb2c.onmicrosoft.com/B2C_1_OCHA_PASSWORD_RESET/oauth2/v2.0/token'
+ userinfo_endpoint_wa: ''
+ map_ad_groups_to_roles: true
+ group_mapping:
+ method: 0
+ mappings: ''
+ strict: false
+ userinfo_graph_api_wa: 1
+ userinfo_graph_api_use_other_mails: false
+ userinfo_update_email: true
+ hide_email_address_warning: false
+ subject_key: sub
+ end_session_endpoint: 'https://unb2c.b2clogin.com/unb2c.onmicrosoft.com/B2C_1_OCHA_PASSWORD_RESET/oauth2/v2.0/logout'
+ iss_allowed_domains: 'https://feature.response-reliefweb-int.ahconu.org'
+ front_channel_logout_url: ''
diff --git a/config/openid_connect.client.azure_b2c_signin.yml b/config/openid_connect.client.azure_b2c_signin.yml
index 83234d41..c5f7f9d8 100644
--- a/config/openid_connect.client.azure_b2c_signin.yml
+++ b/config/openid_connect.client.azure_b2c_signin.yml
@@ -24,5 +24,5 @@ settings:
hide_email_address_warning: false
subject_key: sub
end_session_endpoint: 'https://unb2c.b2clogin.com/unb2c.onmicrosoft.com/B2C_1_OCHA_SIGNIN/oauth2/v2.0/logout'
- iss_allowed_domains: 'https://feature.response-reliefweb-int.ahconu.org/'
+ iss_allowed_domains: 'https://feature.response-reliefweb-int.ahconu.org'
front_channel_logout_url: ''
diff --git a/config/openid_connect.client.azure_b2c_signup.yml b/config/openid_connect.client.azure_b2c_signup.yml
new file mode 100644
index 00000000..3b350660
--- /dev/null
+++ b/config/openid_connect.client.azure_b2c_signup.yml
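Review bot: `id: azure_b2c_signin` in the new `config/openid_connect.client.azure_b2c_reset.yml` does not match the file name, while `ocha_azure_tweaks.settings.yml` in the same patch points `openid_reset_client` at `azure_b2c_reset`; Drupal's config import expects the id to match the `openid_connect.client.<id>` file name, so I'd expect this to either fail validation on import or, if the id inside the file wins, to overwrite the existing signin client with the password-reset endpoints and leave no `azure_b2c_reset` entity for the module to resolve. The line should read `id: azure_b2c_reset`, mirroring `id: azure_b2c_signup` in the sibling signup file. A quick `drush config:import` on a scratch environment would confirm which of the two outcomes applies.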
@@ -0,0 +1,28 @@
+uuid: 4c32d99c-e393-41c5-9c81-02a8630f2768
+langcode: en
+status: true
+dependencies:
+ module:
+ - openid_connect_windows_aad
+id: azure_b2c_signup
+label: 'Azure B2C (Signup Workflow)'
+plugin: windows_aad
+settings:
+ client_id: 64661a42-4710-4bfd-97ab-916bcfeddb59
+ client_secret: azure_b2c_client_secret
+ authorization_endpoint_wa: 'https://unb2c.b2clogin.com/unb2c.onmicrosoft.com/B2C_1_OCHA_SIGNUP/oauth2/v2.0/authorize'
+ token_endpoint_wa: 'https://unb2c.b2clogin.com/unb2c.onmicrosoft.com/B2C_1_OCHA_SIGNUP/oauth2/v2.0/token'
+ userinfo_endpoint_wa: ''
+ map_ad_groups_to_roles: true
+ group_mapping:
+ method: 0
+ mappings: ''
+ strict: false
+ userinfo_graph_api_wa: 1
+ userinfo_graph_api_use_other_mails: false
+ userinfo_update_email: true
+ hide_email_address_warning: false
+ subject_key: sub
+ end_session_endpoint: 'https://unb2c.b2clogin.com/unb2c.onmicrosoft.com/B2C_1_OCHA_SIGNUP/oauth2/v2.0/logout'
+ iss_allowed_domains: 'https://feature.response-reliefweb-int.ahconu.org'
+ front_channel_logout_url: ''
diff --git a/config/openid_connect.settings.yml b/config/openid_connect.settings.yml
index fd9e72df..683ddbd1 100644
--- a/config/openid_connect.settings.yml
+++ b/config/openid_connect.settings.yml
@@ -4,7 +4,7 @@ override_registration_settings: false
end_session_enabled: true
user_login_display: replace
redirect_login: ''
-redirect_logout: ''
+redirect_logout: '/'
userinfo_mappings:
timezone: zoneinfo
user_picture: picture
From 3942cdb92401e8ec723ac6186307351bf49c99f3 Mon Sep 17 00:00:00 2001
From: Peter Lieverdink
Date: Mon, 29 Jul 2024 10:34:30 +1000
Subject: [PATCH 24/25] chore: Bump ocha_azure_tweaks to the version that does what we need it to do.
---
composer.json | 2 +-
composer.lock | 16 ++++++++--------
2 files changed, 9 insertions(+), 9 deletions(-)
diff --git a/composer.json b/composer.json
index c31d2816..0538b6d9 100644
--- a/composer.json
+++ b/composer.json
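Review bot: Both new B2C clients (this signup file and the reset file above it) enable `map_ad_groups_to_roles: true` with `method: 0`, `mappings: ''` and `strict: false`, evidently copied from the signin client. B2C user flows do not normally carry group claims, so this is probably inert, but if the plugin's automatic mode maps any group name found in the token onto a same-named Drupal role it is a role-assignment path driven entirely by the identity provider, on a client whose purpose is self-service signup. Unless group-derived roles are intended for B2C accounts, I'd set `map_ad_groups_to_roles: false` on the signup and reset clients and keep mapping only on the Entra ID staff client where it is meaningful.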
@@ -103,7 +103,7 @@
"rlanvin/php-rrule": "2.3.1",
"unocha/common_design": "^9",
"unocha/gtm_barebones": "^1.0",
- "unocha/ocha_azure_tweaks": "^0.0.2",
+ "unocha/ocha_azure_tweaks": "^0.1.0",
"unocha/ocha_monitoring": "^1.0",
"unocha/ocha_search": "^1.0"
},
diff --git a/composer.lock b/composer.lock
index 8209f551..6cacb637 100644
--- a/composer.lock
+++ b/composer.lock
@@ -4,7 +4,7 @@
"Read more about it at https://getcomposer.org/doc/01-basic-usage.md#installing-dependencies",
"This file is @generated automatically"
],
- "content-hash": "2a7fa0591e32391909cd08666484b0c7",
+ "content-hash": "3e5f31a99c4fca0b632da771dc6f1498",
"packages": [
{
"name": "asm89/stack-cors",
@@ -12552,16 +12552,16 @@
},
{
"name": "unocha/ocha_azure_tweaks",
- "version": "0.0.2",
+ "version": "v0.1.0",
"source": {
"type": "git",
"url": "https://github.com/UN-OCHA/ocha_azure_tweaks.git",
- "reference": "134e947e7351e5dcc50de690e9034f6b01642750"
+ "reference": "1505e707623a917da492cd6acdb46666c6917698"
},
"dist": {
"type": "zip",
- "url": "https://api.github.com/repos/UN-OCHA/ocha_azure_tweaks/zipball/134e947e7351e5dcc50de690e9034f6b01642750",
- "reference": "134e947e7351e5dcc50de690e9034f6b01642750",
+ "url": "https://api.github.com/repos/UN-OCHA/ocha_azure_tweaks/zipball/1505e707623a917da492cd6acdb46666c6917698",
+ "reference": "1505e707623a917da492cd6acdb46666c6917698",
"shasum": ""
},
"require": {
@@ -12586,9 +12586,9 @@
"description": "OCHA Azure tweaks module",
"support": {
"issues": "https://github.com/UN-OCHA/ocha_azure_tweaks/issues",
- "source": "https://github.com/UN-OCHA/ocha_azure_tweaks/tree/0.0.2"
+ "source": "https://github.com/UN-OCHA/ocha_azure_tweaks/tree/v0.1.0"
},
- "time": "2024-07-16T03:24:24+00:00"
+ "time": "2024-07-29T00:31:58+00:00"
},
{
"name": "unocha/ocha_monitoring",
@@ -18836,5 +18836,5 @@
"php": "8.*"
},
"platform-dev": [],
- "plugin-api-version": "2.3.0"
+ "plugin-api-version": "2.6.0"
}
From 5c41f5e41e4b17a0c0c4941739e9bbc21467fa46 Mon Sep 17 00:00:00 2001
From: Peter Lieverdink
Date: Tue, 3 Sep 2024 12:57:13 +1000
Subject: [PATCH 25/25] chore: Update lock file.
---
composer.lock | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/composer.lock b/composer.lock
index 00036d88..b5fd7f68 100644
--- a/composer.lock
+++ b/composer.lock
@@ -4,7 +4,7 @@
"Read more about it at https://getcomposer.org/doc/01-basic-usage.md#installing-dependencies",
"This file is @generated automatically"
],
- "content-hash": "b35cbd3270c9abf26b9108489685cc96",
+ "content-hash": "b40ca52efcfed35976bc10039398fd89",
"packages": [
{
"name": "asm89/stack-cors",
@@ -18860,7 +18860,7 @@
"version": "2.3.0",
"source": {
"type": "git",
- "url": "https://git.drupalcode.org/project/dtt/",
+ "url": "https://git.drupalcode.org/project/dtt.git",
"reference": "9385da6be0db48ecdb27e6646ae2bb0864c1dcee"
},
"require": {