-
Notifications
You must be signed in to change notification settings - Fork 108
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Switch to OIDC for SSO #8414
Switch to OIDC for SSO #8414
Conversation
d215b1a
to
84d0462
Compare
84d0462
to
26ca7a6
Compare
There needs to be final internal configuration before this PR is merged, so I've labeled it "Hold", but it is ready for code review. |
7355bc2
to
bd38495
Compare
480b48d
to
0e2b109
Compare
ca63940
to
61a4805
Compare
61a4805
to
986b7ea
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I know cf.gov logging is pretty lacking right now, but there doesn't seem to be a way to see the logging messages for this either in prod or locally. In either place we never log debug messages. We could log everything as info, just to have it, or, punt until a future logging review.
Re: logging, I'd rather do a deep-dive into our logging and rework it for our current needs generally, rather than iterate on that in this PR. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is looking great! Really solid work.
This change replaces our SAML2 authentication implementation with OIDC based on mozilla-django-oidc. This also moves our SSO config to base.py
This allows us to handle group/admin assignment, first name/last name synchronizing, etc. Co-authored-by: Andy Chosak <andy.chosak@cfpb.gov>
This change moves our login template override to the `login` app, adds a subclass of Wagtail's `LoginView` to provide extra SSO context, and then adds a "Sign-in with SSO" button if SSO is enabled. This simplifies some of our URLs around SSO (always having /admin/login respond), and moves one of our override templates out of `wagtailadmin_overrides` and justifies its existence a little bit more. Co-authored-by: Andy Chosak <andy.chosak@cfpb.gov>
c8f5f04
to
3950e8e
Compare
This PR replaces our existing SSO implementation with OIDC based on mozilla-django-oidc, Mozilla's OIDC library.
This library was chosen for its maturity, its support by a major open source ecosystem contributor, its auditing by Mozilla InfoSec, and its testability. This last point is important, as Mozilla maintains a test OIDC provider for development of the library that we can use in development to test our implementation based on it.
Much about the implementation of OIDC SSO is written up in the Single Sign-On document included in this PR, including how to test the implementation using the Mozilla test provider in its Docker compose file.
This PR extends Mozilla's library to map roles in our OIDC provider to either the Django
is_superuser
in the case of admin users, and a default group that receives thewagtailadmin.access_admin
permission in the case of regular users. I've tried to do this in a way that lets us process any and all OIDC claims in code that can be unittested in isolation, and configurable in settings. The Local implementation portion of the documentation details this.As part of this, the PR removes django-axes and our custom login/password handling in favor of moving that complexity entirely to the SSO provider.
How to review this PR
I've tried to keep the commits in this PR limited to specific goals. I recommend going commit-by-commit for clarity:
These commits should be testable together locally to prove the concept, OIDC authentication should work against the test provider, which is runnable via the docker-compose file. They're also limited to code removal or configuration and documentation.
After this commit, OIDC claim processing for first and last name should also be testable with the test provider, however the group/role mapping is not.
How to test this PR
See Testing OIDC single sign-on locally in the Single Sign-On document this PR adds.
Additionally, our dev2 environment is configured if you have an account in our test OIDC provider.
Checklist