🔧 [#390] Configure OIDC

maykinmedia · Oct 2, 2024 · 9586e84 · 9586e84
1 parent fadd46a
commit 9586e84
Show file tree

Hide file tree

Showing 3 changed files with 23 additions and 4 deletions.
diff --git a/backend/src/openarchiefbeheer/conf/base.py b/backend/src/openarchiefbeheer/conf/base.py
@@ -128,6 +128,9 @@
     "django_filters",
     "solo",
     "ordered_model",
+    "django_jsonform",
+    "mozilla_django_oidc",
+    "mozilla_django_oidc_db",
     # Project applications.
     "openarchiefbeheer.accounts",
     "openarchiefbeheer.destruction",
@@ -151,6 +154,7 @@
     "django.contrib.messages.middleware.MessageMiddleware",
     "django.middleware.clickjacking.XFrameOptionsMiddleware",
     "hijack.middleware.HijackUserMiddleware",
+    "mozilla_django_oidc_db.middleware.SessionRefresh",
     # should be last according to docs
     "axes.middleware.AxesMiddleware",
     "djangorestframework_camel_case.middleware.CamelCaseMiddleWare",
@@ -322,6 +326,7 @@
     "axes.backends.AxesBackend",
     "openarchiefbeheer.accounts.backends.UserModelEmailBackend",
     "django.contrib.auth.backends.ModelBackend",
+    "mozilla_django_oidc_db.backends.OIDCAuthenticationBackend",
 ]
 
 SESSION_COOKIE_NAME = "openarchiefbeheer_sessionid"
@@ -458,7 +463,7 @@
 # add entries from AUTHENTICATION_BACKENDS that already enforce their own two-factor
 # auth, avoiding having some set up MFA again in the project.
 MAYKIN_2FA_ALLOW_MFA_BYPASS_BACKENDS = [
-    # "mozilla_django_oidc_db.backends.OIDCAuthenticationBackend",
+    "mozilla_django_oidc_db.backends.OIDCAuthenticationBackend",
 ]
 
 #
@@ -622,3 +627,9 @@
         "schedule": crontab(hour="12", minute="0"),
     },
 }
+
+#
+# Django OIDC
+#
+OIDC_AUTHENTICATE_CLASS = "mozilla_django_oidc_db.views.OIDCAuthenticationRequestView"
+OIDC_CALLBACK_CLASS = "mozilla_django_oidc_db.views.OIDCCallbackView"
diff --git a/backend/src/openarchiefbeheer/templates/maykin_2fa/login.html b/backend/src/openarchiefbeheer/templates/maykin_2fa/login.html
@@ -1,14 +1,19 @@
 {% extends "maykin_2fa/login.html" %}
-{% load i18n %}
-
+{% load i18n solo_tags %}
 
 {% block footer %}
     <div id="footer"></div>
 {% endblock %}
 
 
 {% block extra_login_options %}
-{#Include additional (OIDC) authentication options here #}
+{% get_solo 'mozilla_django_oidc_db.OpenIDConnectConfig' as oidc_config %}
+
+{% if oidc_config.enabled %}
+<div class="submit-row">
+    <a href="{% url 'oidc_authentication_init' %}">{% trans "Login with OIDC" %}</a>
+</div>
+{% endif %}
 {% endblock %}
 
 

diff --git a/backend/src/openarchiefbeheer/urls.py b/backend/src/openarchiefbeheer/urls.py
@@ -6,6 +6,7 @@
 from django.contrib.staticfiles.urls import staticfiles_urlpatterns
 from django.urls import include, path
 from django.views.generic.base import TemplateView
+from mozilla_django_oidc_db.views import AdminLoginFailure
 
 from maykin_2fa import monkeypatch_admin
 from maykin_2fa.urls import urlpatterns, webauthn_urlpatterns
@@ -39,6 +40,7 @@
     path("admin/", include((webauthn_urlpatterns, "two_factor"))),
     path("admin/hijack/", include("hijack.urls")),
     path("admin/", admin.site.urls),
+    path("admin/login/failure/", AdminLoginFailure.as_view(), name="admin-oidc-error"),
     path(
         "reset/<uidb64>/<token>/",
         auth_views.PasswordResetConfirmView.as_view(),
@@ -49,6 +51,7 @@
         auth_views.PasswordResetCompleteView.as_view(),
         name="password_reset_complete",
     ),
+    path("oidc/", include("mozilla_django_oidc.urls")),
     path("api/", include("openarchiefbeheer.api.urls", namespace="api")),
     # Simply show the master template.
     path("", TemplateView.as_view(template_name="master.html"), name="root"),