Update CHT login page to have button for redirecting to OIDC provider #9762

Open
jkuester opened this issue Jan 29, 2025 · 2 comments
Labels: Type: Feature (Add something new)

jkuester (Contributor) commented Jan 29, 2025

  • When an OIDC provider is configured for a CHT instance, the login page should show a button to allow the user to "Login with SSO". Selecting this button should cause the user to be redirected to the SSO login page.
  • Get the redirect URL from openid-client (might be the buildAuthorizationUrl function?)
    • Consider making an oidc service in the API to manage the openid-client functionality
    • The client_secret for communicating with the OIDC provider should be stored/loaded as a CHT credentials value. See the outbound push password_key functionality for an example of how to do this.
  • When a user visits /medic/login, the renderLogin function in api/src/controllers/login.js should serve the login page with the redirect button enabled/disabled based on config.
  • Can add integration test(s) for the login controller
    • For the integration tests, I think we will have to consider if we need to spin up an OIDC provider, or if we can just create a fake one...
@jkuester jkuester added the Type: Feature Add something new label Jan 29, 2025
@jkuester jkuester changed the title Update API login controller to redirect to OIDC provider when one is configured Update CHT login page to have button for redirecting to OIDC provider Jan 30, 2025
Kymoraa commented Feb 3, 2025

Picking up this task. My first step is to update the UI then I will consult on the other bits @jkuester
cc. @mrjones-plip

jkuester (Contributor, Author) commented Feb 3, 2025

The client_secret for communicating with the OIDC provider should be stored/loaded as a CHT credentials value. See the outbound push password_key functionality for an example of how to do this.

@dianabarsan can you confirm for me that this makes sense before we go through the trouble of implementing it this way? Basically for the CHT to be a confidential OIDC client, it needs a shared secret with the OIDC Provider. (E.g. a random value generated by the OIDC Provider.) The CHT api server needs to be able to access this secret when communicating with the OIDC Provider so that the OIDC Provider knows it is talking to the expected client. We could just load the secret from the app_settings, but it seems more secure to treat the secret as a password (since it basically is) and load it from the credentials store. Is there a better way for storing sensitive values in the CHT or is this what you would recommend? Thanks!
