Merge pull request #2096 from onaio/2093_oidc_cleanup

openid cleanup

.github/workflows/docker-image-build.yml

@@ -59,7 +59,7 @@ jobs:
           file: ./docker/onadata-uwsgi/Dockerfile
           platforms: linux/amd64,linux/arm64
           build-args: |
-            release_version=${{ github.event.inputs.versionTag || steps.get-version.outputs.VERSION }}
+            release_version=${{ github.event.inputs.versionTag || steps.get-version.outputs.VERSION || steps.get-branch-name.outputs.BRANCH }}
             optional_packages=PyYAML django-redis
           push: true
           cache-from: type=local,src=/tmp/.buildx-cache

.github/workflows/ecr-image-build.yml

@@ -4,6 +4,9 @@ on:
   release:
       types:
           - "released"
+  push:
+    branches:
+      - "master"
   workflow_dispatch:
       inputs:
           versionTag:
@@ -26,9 +29,14 @@ jobs:
 
       - name: Get the version
         id: get-version
-        if: github.event.inputs.versionTag == ''
+        if: github.event.inputs.versionTag == '' && github.event_name != 'push'
         run: echo ::set-output name=VERSION::${GITHUB_REF/refs\/tags\//}
 
+      - name: Get the branch name
+        id: get-branch-name
+        if: github.event_name == 'push'
+        run: echo "##[set-output name=BRANCH;]$(echo ${GITHUB_REF#refs/heads/})"
+
       - name: Configure AWS credentials
         uses: aws-actions/configure-aws-credentials@v1
         with:
@@ -59,14 +67,13 @@ jobs:
           ssh: |
             default=/tmp/ssh-agent.sock
           build-args: |
-            release_version=${{ github.event.inputs.versionTag || steps.get-version.outputs.VERSION }}
+            release_version=${{ github.event.inputs.versionTag || steps.get-version.outputs.VERSION || steps.get-branch-name.outputs.BRANCH }}
             optional_packages=PyYAML django-redis ${{ secrets.ECR_OPTIONAL_PACKAGES }}
           push: true
           cache-from: type=local,src=/tmp/.buildx-cache
           cache-to: type=local,dest=/tmp/.buildx-cache
           tags: |
-            ${{ steps.login-ecr.outputs.registry }}/onaio/onadata:latest
-            ${{ steps.login-ecr.outputs.registry }}/onaio/onadata:${{ github.event.inputs.versionTag || steps.get-version.outputs.VERSION }}
+            ${{ steps.login-ecr.outputs.registry }}/onaio/onadata:${{ github.event.inputs.versionTag || steps.get-version.outputs.VERSION || steps.get-branch-name.outputs.BRANCH }}
 
       - name: Image digest
         run: echo ${{ steps.docker-build.outputs.digest }}

docs/authentication.rst

@@ -218,3 +218,11 @@ The following is a jquery code snippet on how to make a CORS request.
            'Authorization': 'Token TOKEN_KEY'
        },
    });
+
+OpenID Connect Authentication
+------------------------------
+
+.. toctree::
+    :maxdepth: 2
+
+open-id-connect

docs/open-id-connect.rst

@@ -5,50 +5,54 @@ OpenID Connect (Beta)
 Overview
 -------------
 
-This endpoint provides the ability to authenticate users on onadata using an OpenID Connect provider, as such users can be created or logged in to the platform using OpenID Connect Providers such as Microsoft.
+This includes the ability to authenticate users on onadata using an OpenID Connect provider, as such users can be created or logged in to the platform using OpenID Connect Providers such as Microsoft.
 
-The OpenID Connect endpoint has only been tested with the Microsoft Platform.
+The |OpenIDConnectlibrary| has currently only been tested with the Microsoft Platform.
+
+.. |OpenIDConnectlibrary| raw:: html
+
+    <a href="https://github.com/onaio/ona-oidc"
+    target="_blank">OpenID Connect library</a>
 
 When utilizing the OpenID Connect flow ensure the ``given_name``, ``family_name`` and ``email`` claims are available in the ID Token provided by the OpenID Connect provider.
 
 Enabling OpenID Connect on onadata
------------------------------------------------
+----------------------------------
 
-In order to enable OpenID Connect authentication for a particular provider on the platform set the ``OPENID_CONNECT_PROVIDERS`` variable within your onadata ``local_settings.py``. The ``OPENID_CONNECT_PROVIDERS`` variable should be a ``dict``.
+In order to enable OpenID Connect authentication for a particular provider on the platform set `OPENID_CONNECT_VIEWSET_CONFIG` and `OPENID_CONNECT_AUTH_SERVERS` variables within your onadata ``local_settings.py``.
 
 ::
 
-    {
-        <provider_name>: {
-            'authorization_endpoint': <authorization-endpoint>,
-            'client_id': <client-id>,
-            'client_secret': <client-secrete>,
-            'jwks_endpoint': <json-web-key-set-endpoint>,
-            'token_endpoint': <token-endpoint>,
-            'callback_uri': <callback-url>,
-            'target_url_after_auth': <target-url-after-authentication>,
-            'target_url_after_logout': <target_url_after_logout>,
-            'domain_cookie': <single-sign-on-cookie>,
-            'end_session_endpoint': <end_session_endpoint>,
-            'scope': <scope>,
-            'response_type': <response_type>,
-            'response_mode': <response_mode>,
+    OPENID_CONNECT_VIEWSET_CONFIG = {
+        "REDIRECT_AFTER_AUTH": "http://localhost:3000",
+        "USE_SSO_COOKIE": True,
+        "SSO_COOKIE_DATA": "email",
+        "JWT_SECRET_KEY": JWT_SECRET_KEY,
+        "JWT_ALGORITHM": JWT_ALGORITHM,
+        "SSO_COOKIE_MAX_AGE": None,
+        "SSO_COOKIE_DOMAIN": "localhost",
+        "USE_AUTH_BACKEND": False,
+        "AUTH_BACKEND": "",  # Defaults to django.contrib.auth.backends.ModelBackend
+        "USE_RAPIDPRO_VIEWSET": False, 
+    }
+
+    OPENID_CONNECT_AUTH_SERVERS = {
+        "microsoft": {
+            "AUTHORIZATION_ENDPOINT": "https://login.microsoftonline.com/common/oauth2/v2.0/authorize",
+            "CLIENT_ID": "client_id",
+            "JWKS_ENDPOINT": "https://login.microsoftonline.com/common/discovery/v2.0/keys",
+            "SCOPE": "openid profile",
+            "RESPONSE_MODE": "form_post",
+            "USE_NONCES": True
         }
     }
 
-Where:
-
--  ``<provider_name>`` - provider name or abbreaviation(utilized in ``/oidc/<provider_name>/callback`` and ``/oidc/<provide_name>/logout``
--  ``<authorization-endpoint>`` - url link to authorization endpoint, retrieved from chosen OpenID Connect providers OpenID configuration
--  ``<client_id>`` - Unique identifier for the applicaion, acquired from chosen OpenID connect provider
--  ``<client_secret>`` - Secret between onadata and the OpenID Connect provider, acquired from chosen OpenID connect provider
--  ``<jwks_endpoint>`` - url link to the JSON Web Key Set(JWKS), retrieved from chosen OpenID Connect providers OpenID configuration
--  ``<token_endpoint>`` - url link used to request for the ``id_token`` or ``code``, retrieved from chosen OpenID Connect providers OpenID configuration
--  ``<callback_uri>`` - url link set as the Callback URI on the OpenID Connect providers Application Registration, usually defaults to ``/oidc/<provider_name>/callback``.
--  ``<target_url_after_auth>`` - url to redirect to after a user has been authenicated on onadata.
--  ``<target_url_after_logout>`` - url to redirect to after a user has been successfully logged out from the Open ID Connect Provider ( This url must be a valid redirect uri on the Open ID Connect Providers Application Configuration )
--  ``<domain_cookie>`` - domain that the Single Sign On(SSO) cookie should be registered to
--  ``<end_session_endpoint>`` - url to call to end the Open ID Connect Providers session,
--  ``<scope>`` - a space-separated list of scopes, should include the ``openid`` scope,
--  ``<response_type>`` - type of response the OpenID Connect Provider should return on authorization. Valid types are ``code`` and ``id_token``.
--  ``<response_mode>`` - the method that should be used to send the resulting authorization code back to onadata the value should be ``form_post``,
+(Optional) If you would want to use cookie authentication, update the `REST_FRAMEWORK` settings.
+::
+    
+    REST_FRAMEWORK = {
+    'DEFAULT_AUTHENTICATION_CLASSES': (
+        'onadata.libs.authentication.SSOHeaderAuthentication',
+        ...,
+        ),
+    }

extras/reserved_accounts.txt

@@ -239,6 +239,7 @@ ns2
 ns3
 ns4
 odk
+oidc
 old
 omg
 ona