Merge pull request #169 from itk-dev/feature/openid-connect-login

Updated OpenID Connect module

composer.json

@@ -62,8 +62,7 @@
         "drupal/gin_toolbar": "^1.0@beta",
         "drupal/masquerade": "^2.0@beta",
         "drupal/message": "^1.2",
-        "drupal/openid_connect": "^1.0",
-        "drupal/openid_connect_windows_aad": "^1.3",
+        "drupal/openid_connect": "2.x-dev@dev",
         "drupal/paragraphs": "^1.12",
         "drupal/pathauto": "^1.8",
         "drupal/samlauth": "~3.2.0",
@@ -185,8 +184,8 @@
                 "Implement Migration Paths for Flag 7.x (https://www.drupal.org/project/flag/issues/2409901#comment-13082245)": "https://www.drupal.org/files/issues/2019-04-25/2409901_flag_migration_paths_52.patch",
                 "Implement Migration Paths for Flag 7.x (https://www.drupal.org/project/flag/issues/2409901#comment-13281955)": "https://www.drupal.org/files/issues/2019-10-02/2409901-60.patch"
             },
-            "drupal/openid_connect_windows_aad": {
-                "https://www.drupal.org/project/openid_connect_windows_aad/issues/3021812#comment-13945473": "https://www.drupal.org/files/issues/2020-12-21/openid_conect_windows_aad_version2_0_2.patch"
+            "drupal/openid_connect": {
+                "Revoking group access does not reflect on applied roles (https://www.drupal.org/project/openid_connect/issues/3224128)": "https://git.drupalcode.org/project/openid_connect/-/merge_requests/31.diff"
             }
         }
     },

config/sync/core.extension.yml

@@ -39,7 +39,6 @@ module:
   message: 0
   node: 0
   openid_connect: 0
-  openid_connect_windows_aad: 0
   options: 0
   os2loop_analytics: 0
   os2loop_cookie_information: 0

config/sync/openid_connect.client.generic.yml

@@ -0,0 +1,18 @@
+uuid: 398e2246-b9c9-4721-8036-28076d5028c8
+langcode: en
+status: true
+dependencies: {  }
+id: generic
+label: generic
+plugin: generic
+settings:
+  issuer_url: ''
+  authorization_endpoint: 'file:///settings.local.php#$config[''openid_connect.client.generic][''settings''][''client_id'']'
+  token_endpoint: 'file:///settings.local.php#$config[''openid_connect.client.generic][''settings''][token_endpoint'']'
+  userinfo_endpoint: ''
+  end_session_endpoint: ''
+  scopes:
+    - openid
+    - email
+  client_id: 'file:///settings.local.php#$config[''openid_connect.client.generic''][''settings''][''client_id'']'
+  client_secret: 'file:///settings.local.php#$config[''openid_connect.client.generic''][''settings''][''client_secret'']'

config/sync/openid_connect.client.windows_aad.yml

@@ -0,0 +1,18 @@
+uuid: 7a551b1d-f957-45bc-a54e-11d227cce0d8
+langcode: en
+status: false
+dependencies: {  }
+id: windows_aad
+label: windows_aad
+plugin: generic
+settings:
+  issuer_url: ''
+  authorization_endpoint: 'file:///settings.local.php#$config[''openid_connect.client.windows_aad][''settings''][''client_id'']'
+  token_endpoint: 'file:///settings.local.php#$config[''openid_connect.client.windows_aad][''settings''][token_endpoint'']'
+  userinfo_endpoint: ''
+  end_session_endpoint: ''
+  scopes:
+    - openid
+    - email
+  client_id: 'file:///settings.local.php#$config[''openid_connect.client.windows_aad''][''settings''][''client_id'']'
+  client_secret: 'file:///settings.local.php#$config[''openid_connect.client.windows_aad''][''settings''][''client_secret'']'

config/sync/openid_connect.settings.yml

@@ -3,19 +3,28 @@ connect_existing_users: true
 override_registration_settings: true
 userinfo_mappings:
   timezone: zoneinfo
-  os2loop_mail_notifications_intvl: 0
-  os2loop_user_address: 0
-  os2loop_user_areas_of_expertise: 0
-  os2loop_user_biography: 0
-  os2loop_user_city: 0
-  os2loop_user_external_list: 0
   os2loop_user_family_name: family_name
   os2loop_user_given_name: given_name
-  os2loop_user_image: 0
-  os2loop_user_internal_list: 0
-  os2loop_user_job_title: 0
-  os2loop_user_phone_number: 0
-  os2loop_user_place: 0
-  os2loop_user_postal_code: 0
-  os2loop_user_professions: 0
 user_login_display: above
+redirect_login: ''
+redirect_logout: ''
+end_session_enabled: true
+role_mappings:
+  os2loop_user_administrator:
+    - administrator
+  os2loop_user_documentation_coordinator:
+    - documentation_coordinator
+  os2loop_user_manager:
+    - manager
+  os2loop_user_read_only:
+    - read_only
+  os2loop_user_external_sources_editor:
+    - external_sources_editor
+  os2loop_user_document_author:
+    - document_author
+  os2loop_user_document_collection_editor:
+    - document_collection_editor
+  os2loop_user_post_author:
+    - post_author
+  os2loop_user_user_administrator:
+    - user_administrator

web/profiles/custom/os2loop/modules/os2loop_user_login/README.md

@@ -32,6 +32,25 @@ The following claims are required to make signing in work:
 | `email`  | Drupal user mail                                                                             |
 | `groups` | Mapped to Drupal user roles (see [Groups to roles mapping](#groups-to-roles-mapping) below). |
 
+#### Mapping claims
+
+If needed you can map claims from the IdP response to match the claims required
+for login (cf. above).
+
+For example to use the `sub` claim as `preferred_username` (which will be used
+as Drupal user name) and `upn` as `email`, add this to `settings.local.php`:
+
+```php
+// Map IdP claim `sub` to `preferred_username`
+$config['os2loop_user_login.settings']['claims_mapping']['preferred_username'] = 'sub';
+// Map IdP claim `upn` to `email`
+$config['os2loop_user_login.settings']['claims_mapping']['email'] = 'upn';
+```
+
+**Note**: Mapping claims will never overwrite an existing claim from the IdP,
+i.e. if `email` is aldready set it will no be overwritten (with the value of
+`upn`).
+
 ### Claim to field mapping
 
 As mentioned above, the default configuration maps the `name` claim to the
@@ -51,28 +70,31 @@ Changes and additions to the default field mapping can be made in
 $config['openid_connect.settings']['userinfo_mappings']['os2loop_user_place'] = 'department';
 ```
 
-### Microsoft Azure Active Directory
-
-**Note**: This login method is not limited to Microsoft Azure Active Directory,
-but can be used by other IdPs as well.
+### IdP configuration
 
 Your identity provider must allow `https://«OS2Loop
-url»/openid-connect/windows_aad` as a valid return url.
+url»/openid-connect/generic` as a valid return url.
 
 ```php
 // web/sites/*/settings.local.php
-// Enable Windows Azure AD
-$config['openid_connect.settings.windows_aad']['enabled'] = 'windows_aad';
-$config['openid_connect.settings.windows_aad']['settings']['client_id'] = …; // Get this from your IdP provider
-$config['openid_connect.settings.windows_aad']['settings']['client_secret'] = …; // Get this from your IdP provider
-$config['openid_connect.settings.windows_aad']['settings']['authorization_endpoint_wa'] = …; // Get this from your OpenID Connect Discovery endpoint
-$config['openid_connect.settings.windows_aad']['settings']['token_endpoint_wa'] = …; // Get this from your OpenID Connect Discovery endpoint
+$config['openid_connect.client.generic']['settings']['client_id'] = …; // Get this from your IdP provider
+$config['openid_connect.client.generic']['settings']['client_secret'] = …; // Get this from your IdP provider
+$config['openid_connect.client.generic']['settings']['authorization_endpoint'] = …; // Get this from your OpenID Connect Discovery endpoint
+$config['openid_connect.client.generic']['settings']['token_endpoint'] = …; // Get this from your OpenID Connect Discovery endpoint
+// Optional
+$config['openid_connect.client.generic']['settings']['end_session_endpoint'] = …; // Get this from your OpenID Connect Discovery endpoint
+```
+
+Check your overwrites by running
+
+```sh
+vendor/bin/drush config:get --include-overridden openid_connect.client.generic
 ```
 
 #### Groups to roles mapping
 
 [The default configuration groups to roles
-mapping](../../../../../../config/sync/openid_connect.settings.windows_aad.yml)
+mapping](../../../../../../config/sync/config/sync/openid_connect.settings.yml)
 maps groups (in the `groups` claim which must be a list of names) as follows:
 
 | Drupal role                             | group                      |
@@ -91,8 +113,14 @@ Any changes can be made in `settings.local.php`, e.g
 
 ```php
 // web/sites/*/settings.local.php
-$config['openid_connect.settings.windows_aad']['settings']['group_mapping']['method'] = 1; // Manual mapping
-$config['openid_connect.settings.windows_aad']['settings']['group_mapping']['mappings'] = "os2loop_user_administrator|administrator\r\nos2loop_user_manager|manager";
+$config['openid_connect.settings']['role_mappings']['os2loop_user_administrator'] = ['Loop-Admin'];
+$config['openid_connect.settings']['role_mappings']['os2loop_user_manager'] = ['Loop-Manager'];
+```
+
+Check your overwrites by running
+
+```sh
+vendor/bin/drush config:get --include-overridden openid_connect.settings
 ```
 
 ## SAML

web/profiles/custom/os2loop/modules/os2loop_user_login/os2loop_user_login.info.yml

@@ -6,5 +6,5 @@ core_version_requirement: ^8 || ^9
 package: 'OS2Loop'
 
 dependencies:
-  - drupal:openid_connect_windows_aad
+  - drupal:openid_connect
   - drupal:samlauth

web/profiles/custom/os2loop/modules/os2loop_user_login/os2loop_user_login.module

@@ -32,3 +32,10 @@ function os2loop_user_login_menu_local_tasks_alter(&$data, $route_name) {
 function os2loop_user_user_login(UserInterface $account) {
   Drupal::service('os2loop_user_login.helper')->userLogin($account);
 }
+
+/**
+ * Implements hook_openid_connect_userinfo_alter().
+ */
+function os2loop_user_login_openid_connect_userinfo_alter(array &$userinfo, array $context) {
+  Drupal::service('os2loop_user_login.helper')->openidConnectUserinfoAlter($userinfo, $context);
+}