Switch to OIDC for SSO #8414
Merged
Switch to OIDC for SSO #8414
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
willbarton
force-pushed
the
sso-mozilla-oidc
branch
11 times, most recently
from
d215b1a
to
84d0462
Compare
willbarton
force-pushed
the
sso-mozilla-oidc
branch
from
84d0462
to
26ca7a6
Compare
|
There needs to be final internal configuration before this PR is merged, so I've labeled it "Hold", but it is ready for code review. |
chosak
reviewed
May 20, 2024
chosak
reviewed
May 20, 2024
chosak
reviewed
May 20, 2024
willbarton
force-pushed
the
sso-mozilla-oidc
branch
4 times, most recently
from
7355bc2
to
bd38495
Compare
willbarton
force-pushed
the
sso-mozilla-oidc
branch
2 times, most recently
from
480b48d
to
0e2b109
Compare
willbarton
force-pushed
the
sso-mozilla-oidc
branch
2 times, most recently
from
ca63940
to
61a4805
Compare
chosak
reviewed
May 22, 2024
willbarton
force-pushed
the
sso-mozilla-oidc
branch
from
61a4805
to
986b7ea
Compare
chosak
reviewed
May 23, 2024
There was a problem hiding this comment.
I know cf.gov logging is pretty lacking right now, but there doesn't seem to be a way to see the logging messages for this either in prod or locally. In either place we never log debug messages. We could log everything as info, just to have it, or, punt until a future logging review.
|
Re: logging, I'd rather do a deep-dive into our logging and rework it for our current needs generally, rather than iterate on that in this PR. |
chosak
approved these changes
May 23, 2024
This change replaces our SAML2 authentication implementation with OIDC based on mozilla-django-oidc. This also moves our SSO config to base.py
This allows us to handle group/admin assignment, first name/last name synchronizing, etc. Co-authored-by: Andy Chosak <andy.chosak@cfpb.gov>
This change moves our login template override to the `login` app, adds a subclass of Wagtail's `LoginView` to provide extra SSO context, and then adds a "Sign-in with SSO" button if SSO is enabled. This simplifies some of our URLs around SSO (always having /admin/login respond), and moves one of our override templates out of `wagtailadmin_overrides` and justifies its existence a little bit more. Co-authored-by: Andy Chosak <andy.chosak@cfpb.gov>
willbarton
force-pushed
the
sso-mozilla-oidc
branch
from
c8f5f04
to
3950e8e
Compare
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR replaces our existing SSO implementation with OIDC based on mozilla-django-oidc, Mozilla's OIDC library.
This library was chosen for its maturity, its support by a major open source ecosystem contributor, its auditing by Mozilla InfoSec, and its testability. This last point is important, as Mozilla maintains a test OIDC provider for development of the library that we can use in development to test our implementation based on it.
Much about the implementation of OIDC SSO is written up in the Single Sign-On document included in this PR, including how to test the implementation using the Mozilla test provider in its Docker compose file.
This PR extends Mozilla's library to map roles in our OIDC provider to either the Django
is_superuserin the case of admin users, and a default group that receives thewagtailadmin.access_adminpermission in the case of regular users. I've tried to do this in a way that lets us process any and all OIDC claims in code that can be unittested in isolation, and configurable in settings. The Local implementation portion of the documentation details this.As part of this, the PR removes django-axes and our custom login/password handling in favor of moving that complexity entirely to the SSO provider.
How to review this PR
I've tried to keep the commits in this PR limited to specific goals. I recommend going commit-by-commit for clarity:
These commits should be testable together locally to prove the concept, OIDC authentication should work against the test provider, which is runnable via the docker-compose file. They're also limited to code removal or configuration and documentation.
After this commit, OIDC claim processing for first and last name should also be testable with the test provider, however the group/role mapping is not.
How to test this PR
See Testing OIDC single sign-on locally in the Single Sign-On document this PR adds.
Additionally, our dev2 environment is configured if you have an account in our test OIDC provider.
Checklist