@@ -18,25 +18,15 @@ You will require env variables:
1818 SP_PASSWORD=<password>
1919 BRING_API_KEY=<key>
2020 BRING_API_USER=<e-mail>
21- SLACK_CLIENT=<client ID>
22- SLACK_SECRET=<client secret>
23- SLACK_BOT_TOKEN=<app bot token>
24- SLACK_CHANNEL=<channel ID>
25- SLACK_CHANNEL_NAME=<channel name>
26- SLACK_CALLBACK=<callback URL>
27- JWT_SECRET=<jwt secret - defaults to "secret" - should be set to something else via env for deployments>
21+ OIDC_WELL_KNOWN_URL=<OIDC discovery endpoint URL, e.g. https://auth.example.com/realms/myrealm/.well-known/openid-configuration>
22+ OIDC_EXPECTED_AZP=<expected client ID - defaults to "cupcake-client">
2823 JWT_ENABLED=true/false
29- JWT_REDIRECT=URL for redirect on successful login - optional - defaults to "/"
3024
31- Note - if using slack authorization locally (JWT_ENABLED=true) you will have to expose your
32- localhost [ frosting ] ( ./ frontend) instance via something like [ ngrok ] ( https://ngrok.com/ ) (free
33- version is more than good enough) and add your exposed callback URL to the slack app's accepted list of callback URLs .
25+ Note - the frontend OIDC authority and client ID are currently hardcoded in
26+ ` frontend/app/composables/useAuth.ts ` . If you need to use a different OIDC provider locally,
27+ update ` AUTHORITY ` and ` CLIENT_ID ` in that file .
3428
35- You must then access the site via the exposed URL.
36-
37- Slack does ** not** support localhost or http protocol.
38-
39- If you are not running with auth then localhost is fine.
29+ If you are not running with auth (` JWT_ENABLED=false ` ) then localhost is fine.
4030
4131## Local running with docker compose
4232
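Review bot: the new variables at lines 21+/22+ say where the signing keys come from and which azp is expected, but not which other claims the backend enforces; since the removed JWT_SECRET was previously the only trust anchor, the README should state here that the issuer is compared with the issuer in the discovery document and that expiry is enforced, otherwise a reader cannot tell whether a token from another realm on the same provider host would be accepted. The old JWT_SECRET line carried the advice "should be set to something else via env for deployments"; the same advice belongs on OIDC_EXPECTED_AZP, whose default of "cupcake-client" should be set explicitly rather than relied on in deployments.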
@@ -50,8 +40,7 @@ This file MUST NOT be committed to git (it is in .gitignore).
5040
5141Assuming we will build a docker container - add to [ backend action] ( ./.github/workflows/backend.yaml ) when decided.
5242
53- Currently it is setup for the frontend to proxy the backend - anything on ` /api/* ` , as well as ` /login ` and
54- ` /slackCallback `
43+ Currently it is setup for the frontend to proxy the backend - anything on ` /api/* `
5544
5645For example - let's say we setup:
5746
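Review bot: line 43+ now ends without its trailing period and reads as a fragment; suggest `anything on ` /api/* ` .`. Since `/login` and `/slackCallback` are no longer proxied, it is also worth adding one sentence that the OIDC redirect flow is handled entirely in the frontend (which the `useAuth.ts` note in the first hunk implies) so nobody goes looking for a backend callback route.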
@@ -68,7 +57,6 @@ If deploying with docker - you can place both on the same docker network and use
6857
6958### JWT
7059
71- JWT_SECRET - set some random long string here
7260 JWT_ENABLED - true
7361
7462### Sleepingpill
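Review bot: with JWT_SECRET removed, the `### JWT` section consists of the single line `JWT_ENABLED - true`; either fold it into the new `### OIDC` section or add a sentence that token signatures are now verified against the provider's JWKS rather than a shared secret, so a reader does not assume a secret is still expected. It would also help to state that `JWT_ENABLED=false` turns off token validation and is intended for local development only, given that the first hunk says localhost is fine without auth.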
@@ -85,71 +73,17 @@ We use the same user and password for dev and deploy here but it must be set in
8573 BRING_API_USER
8674 BRING_API_KEY
8775
88- ### Slack
89-
90- This provides login and access checking.
91-
92- We can use the same slack client for dev and deploy but we have to set the correct callback URL both in the environment
93- AND in the slack app config on https://api.slack.com
94-
95- SLACK_CLIENT
96- SLACK_SECRET
97- SLACK_BOT_TOKEN
98- SLACK_CALLBACK - must be https - using the example above it would be https://cupcake.javazone.no/slackCallback
99-
100- ## Slack authorization
101-
102- This application requires a slack app that provides two functions:
103-
104- * OIDC login
105- * A bot that can check channel membership
106-
107- This is currently provided via the [ javaBinAccess] ( https://api.slack.com/apps/A0817M6EQF3/general ) app.
108-
109- App manifest:
110-
111- ``` json
112- {
113- "display_information" : {
114- "name" : " javaBinAccess" ,
115- "description" : " Access bot for javaBin" ,
116- "background_color" : " #2121cf"
117- },
118- "features" : {
119- "bot_user" : {
120- "display_name" : " javaBinAccess" ,
121- "always_online" : true
122- }
123- },
124- "oauth_config" : {
125- "redirect_urls" : [
126- " <list of allowed callback URLs>"
127- ],
128- "scopes" : {
129- "user" : [
130- " email" ,
131- " openid" ,
132- " profile"
133- ],
134- "bot" : [
135- " channels:read" ,
136- " groups:read" ,
137- " users:read"
138- ]
139- }
140- },
141- "settings" : {
142- "org_deploy_enabled" : false ,
143- "socket_mode_enabled" : false ,
144- "token_rotation_enabled" : false
145- }
146- }
147- ```
148-
149- To find the environment settings required:
150-
151- - Client ID and Client Secret from the slack app > Settings > Basic Information
152- - Bot User OAuth Token token from the slack app > Features > OAuth & Permissions
153- - Channel ID - right click channel - channel details - ID is at the end of the dialog
154- - Channel Name - just the channel name with leading #
76+ ### OIDC
77+
78+ This provides authentication and access checking. Users must have the ` pkom ` role assigned
79+ in the OIDC provider under the client specified by ` OIDC_EXPECTED_AZP ` .
80+
81+ OIDC_WELL_KNOWN_URL - the OIDC discovery endpoint (e.g. https://auth.example.com/realms/myrealm/.well-known/openid-configuration)
82+ OIDC_EXPECTED_AZP - the expected client ID (defaults to "cupcake-client")
83+
84+ The backend fetches the JWKS from the discovery document and validates incoming tokens against it.
85+
86+ Note - the frontend has the OIDC authority and client ID hardcoded in
87+ ` frontend/app/composables/useAuth.ts ` (` AUTHORITY ` and ` CLIENT_ID ` constants). These must be
88+ kept in sync with the backend ` OIDC_WELL_KNOWN_URL ` and ` OIDC_EXPECTED_AZP ` settings.
15589
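Review bot: the frontend-hardcoding note at lines 86+ to 88+ repeats the note already added at lines 25+ to 27+ in the first hunk; keep one of them, or better, have `AUTHORITY` and `CLIENT_ID` read from build-time configuration so they cannot drift from `OIDC_WELL_KNOWN_URL` and `OIDC_EXPECTED_AZP`, which the note itself identifies as the risk. Line 78+ requires the `pkom` role but does not say which token claim the backend reads it from; naming the claim lets whoever configures the provider assign it under the client named by `OIDC_EXPECTED_AZP` without guessing. Finally, the removed Slack section documented the channel-membership access check and the `channels:read`/`groups:read` bot scopes; the new text says OIDC "provides authentication and access checking", so a sentence confirming that the role check fully replaces the channel-membership check would close that gap.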