OIDC_END_SESSION_ENDPOINT

mlibrary · Aug 31, 2023 · 149b007 · 149b007
1 parent bcf7e3c
commit 149b007
Show file tree

Hide file tree

Showing 2 changed files with 18 additions and 11 deletions.
diff --git a/app/config.rb b/app/config.rb
@@ -1,6 +1,8 @@
+AppConfig[:default_admin_password] = ENV["DEFAULT_ADMIN_PASSWORD"]
 AppConfig[:host_url] = ENV["HOST_URL"]
 AppConfig[:db_url] = ENV["DB_URL"]
 AppConfig[:solr_url] = ENV["SOLR_URL"]
+AppConfig[:frontend_proxy_url] = "#{ENV["FRONTEND_PROXY_URL"].delete_suffix('/')}/"
 
 AppConfig[:backend_url] = "#{AppConfig[:host_url]}:8089"
 AppConfig[:frontend_url] = "#{AppConfig[:host_url]}:8080"
@@ -20,20 +22,22 @@
 AppConfig[:indexer_log] = "/archivesspace/logs/archivesspace.out"
 AppConfig[:indexer_log_level] = "warn"
 
-AppConfig[:default_admin_password] = ENV["DEFAULT_ADMIN_PASSWORD"]
+## Plug-ins to load. They will load in the order specified
+#AppConfig[:plugins] = ['local', 'lcnaf'] (default)
 
-AppConfig[:allow_user_registration] = false
-AppConfig[:plugins] << "aspace-oauth"
 oidc_issuer = ENV["OIDC_ISSUER"]
 oidc_client_id = ENV["OIDC_CLIENT_ID"]
 oidc_client_secret = ENV["OIDC_CLIENT_SECRET"]
-if oidc_issuer && oidc_client_id && oidc_client_secret
-  puts "OIDC settings were found; adding them to the configuration"
+oidc_end_session_endpoint = ENV["OIDC_END_SESSION_ENDPOINT"]
+if oidc_issuer && oidc_client_id && oidc_client_secret && oidc_end_session_endpoint
+  AppConfig[:allow_password_reset] = false
+  AppConfig[:allow_user_registration] = false
+  AppConfig[:authentication_restricted_by_source] = true
   AppConfig[:authentication_sources] = [
     {
       model: "ASOauth",
       label: "U-M WebLogin",
-      provider: :openid_connect,
+      provider: "openid_connect",
       config: {
         issuer: oidc_issuer,
         discovery: true,
@@ -43,11 +47,15 @@
         client_options: {
           identifier: oidc_client_id,
           secret: oidc_client_secret,
-          redirect_uri: "#{ENV["PUBLIC_URL"]}/auth/openid_connect/callback"
+          redirect_uri: "#{AppConfig[:frontend_proxy_url]}auth/openid_connect/callback",
+          end_session_endpoint: oidc_end_session_endpoint
         }
       }
-   }
+    }
   ]
+
+  puts "OIDC settings were found; adding aspace-oauth plugin."
+  AppConfig[:plugins] << "aspace-oauth"
 end
 
 AppConfig[:plugins] = AppConfig[:plugins] + ENV.fetch("PLUGINS", "").split(",").map { |x| x.strip }
diff --git a/app/env.example b/app/env.example
@@ -1,11 +1,10 @@
 HOST_URL=http://localhost
 DB_URL=jdbc:mysql://db:3306/archivesspace?user=as&password=as123&useUnicode=true&characterEncoding=UTF-8&connectionCollation=utf8mb4_general_ci
 SOLR_URL=http://solr:8983/solr/archivesspace
+FRONTEND_PROXY_URL=http://localhost:8080
 # With deployments, use a secure unpredictable secret for DEFAULT_ADMIN_PASSWORD
 DEFAULT_ADMIN_PASSWORD=admin_pw
-
-# PUBLIC_URL should be your FQDN in deployments; this is used for the OIDC callback URL
-PUBLIC_URL=http://localhost:8080
 OIDC_ISSUER=
 OIDC_CLIENT_ID=
 OIDC_CLIENT_SECRET=
+OIDC_END_SESSION_ENDPOINT=