Merge remote-tracking branch 'upstream/GSA-TTS-fix-path-routing-in-ge…

…nerated-openid-urls' into deploy-to-cloud-gov
GSA-TTS · Apr 8, 2024 · 76a5d44 · 76a5d44
2 parents 43d4dc4 + a84a0d7
commit 76a5d44
Show file tree

Hide file tree

Showing 3 changed files with 16 additions and 5 deletions.
diff --git a/spiffworkflow-backend/bin/local_development_environment_setup b/spiffworkflow-backend/bin/local_development_environment_setup
@@ -32,9 +32,13 @@ if [[ "$process_model_dir" == "acceptance" ]]; then
   export SPIFFWORKFLOW_BACKEND_LOAD_FIXTURE_DATA=true
   export SPIFFWORKFLOW_BACKEND_PERMISSIONS_FILE_NAME=acceptance_tests.yml
 elif [[ "$process_model_dir" == "localopenid" ]]; then
+  backend_base_url="$SPIFFWORKFLOW_BACKEND_URL"
+  if [[ -z "$backend_base_url" ]]; then
+    backend_base_url="http://localhost:$port"
+  fi
   export SPIFFWORKFLOW_BACKEND_AUTH_CONFIGS__0__identifier="default"
   export SPIFFWORKFLOW_BACKEND_AUTH_CONFIGS__0__label="internal openid"
-  export SPIFFWORKFLOW_BACKEND_AUTH_CONFIGS__0__uri="http://localhost:$port/openid"
+  export SPIFFWORKFLOW_BACKEND_AUTH_CONFIGS__0__uri="${backend_base_url}/openid"
   export SPIFFWORKFLOW_BACKEND_AUTH_CONFIGS__0__client_id="spiffworkflow-backend"
   export SPIFFWORKFLOW_BACKEND_AUTH_CONFIGS__0__client_secret="JXeQExm0JhQPLumgHtIIqf52bDalHz0q"
   export SPIFFWORKFLOW_BACKEND_PERMISSIONS_FILE_NAME="example.yml"

diff --git a/spiffworkflow-backend/src/spiffworkflow_backend/routes/openid_blueprint/openid_blueprint.py b/spiffworkflow-backend/src/spiffworkflow_backend/routes/openid_blueprint/openid_blueprint.py
@@ -34,6 +34,12 @@
 SPIFF_OPEN_ID_ALGORITHM = "RS256"
 
 
+# just so /openid responds so we can route to it with url_for for populating issuer
+@openid_blueprint.route("", methods=["GET"])
+def index() -> Response:
+    return make_response({"ok": True}, 200)
+
+
 @openid_blueprint.route("/.well-known/openid-configuration", methods=["GET"])
 def well_known() -> dict:
     """Open ID Discovery endpoint.
@@ -44,7 +50,7 @@ def well_known() -> dict:
     # using or instead of setting a default so we can set the env var to None in tests and this will still work
     host_url = _host_url_without_root_path()
     return {
-        "issuer": f"{host_url}/openid",
+        "issuer": f"{host_url}{url_for('openid.index')}",
         "authorization_endpoint": f"{host_url}{url_for('openid.auth')}",
         "token_endpoint": f"{host_url}{url_for('openid.token')}",
         "end_session_endpoint": f"{host_url}{url_for('openid.end_session')}",
@@ -119,7 +125,7 @@ def token() -> Response | dict:
 
     id_token = jwt.encode(
         {
-            "iss": f"{host_url}/openid",
+            "iss": f"{host_url}{url_for('openid.index')}",
             "aud": client_id,
             "iat": math.floor(time.time()),
             "exp": round(time.time()) + 3600,

diff --git a/spiffworkflow-backend/src/spiffworkflow_backend/services/authentication_service.py b/spiffworkflow-backend/src/spiffworkflow_backend/services/authentication_service.py
@@ -119,8 +119,9 @@ def secret_key(cls, authentication_identifier: str) -> str:
     @classmethod
     def open_id_endpoint_for_name(cls, name: str, authentication_identifier: str) -> str:
         """All openid systems provide a mapping of static names to the full path of that endpoint."""
-        host_url = request.host_url.strip("/")
-        openid_config_url = f"{host_url}{url_for('openid.well_known')}"
+        appropriate_server_url = cls.server_url(authentication_identifier)
+        openid_config_url = f"{appropriate_server_url}/.well-known/openid-configuration"
+
         if authentication_identifier not in cls.ENDPOINT_CACHE:
             cls.ENDPOINT_CACHE[authentication_identifier] = {}
         if authentication_identifier not in cls.JSON_WEB_KEYSET_CACHE: