As a developer I want to login to the system with the IIASA credentials.

[Wrufesh]

Subtasks

• [x] Create user model in backed.
• [x] Collect OpenID Connect credentials.
• [ ] Design header and footer with login, profile and logout button.
• [ ] Setup global state store on vue app.
• [ ] SSO Flow on frontend after click on login.
• [ ] Logout functionality.

[Wrufesh]

Use PKCE flow. https://medium.com/swlh/pkce-flow-of-openid-connect-9b10ddbabd66 for oidc

[Wrufesh]

Azure AD not announcing code_challenge_supported metadata: https://learn.microsoft.com/en-us/answers/questions/218113/openid-connect-authorization-code-flow-with-proof

[Wrufesh]

Azure AD not announcing code_challenge_supported_metadata:m https://learn.microsoft.com/en-us/answers/questions/218113/openid-connect-authorization-code-flow-with-proof

Even though metadata is not announced, the usage are described here: https://www.linkedin.com/pulse/using-authorization-code-flow-pkce-azure-ad-from-react-pablo-cibraro/ https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-auth-code-flow https://learn.microsoft.com/en-us/azure/active-directory/develop/reference-third-party-cookies-spas

[Wrufesh]

More on PKCE "pixie" flow: https://dropbox.tech/developers/pkce--what-and-why-

[Wrufesh]

From Azure AD OpenID Connect , the successful authorization response look like the following:

http://localhost:8080/auth-response?code=0.AS8AC7F5mwcAik6wcq0MjNwapeNPmFlPiIVHpLQlK2_K9newAOE.AgABAAIAAAD--DLA3VO7QrddgJg7WevrAgDs_wUA9P-fLsMFG6w50cevK7IlFHVfe2lk3-SZL0xcg3pYvCtM3ZGu79J_98Izkjn6ZOXt6O0XrxK3vVnDuPbc4YKt45ryJUCBgRH1e3JKl8PeuMYPV38EpnT1oJiIRMA-lc1FKWqiuOndVNYhhsI0dWmudZB8OGDHNJ07MW-nfMEbivfSjsggV0gSeCCpD0N2RQo6M1tY6TFuKUON_Z2hdr7AW7oG35hepX-_QgnHCWi_L8FUDEcsVNA2AMOzonwKO7AjCJY7mNRyhB9QwBh-sXDx0PtfLG7oNf3yyI7BvABn-fCABr3x5LhHRBdxZovIG6Ce1fDbrEJsXNr0mS1qUe_xh8CJlt2gsceTFywS-B3yZh6hQLM2oQTiS9u4m_JnzRX02DJUhcP3sJMIqIUDKAtybP5jVafLgRs71XAAcOhGp5592IEAmVpQJrD9hfHa1QSfK2CDOii4d_XL8-d22Ey9hYFVHHT102Es1GlbLaJhPTPeFjz9CriQdn9yjbe1nuoeiLmoFwAThPyNJ3XJuhjBFrKyYHEskjq7eePBMBrpGQ3AsaMVU94b_Cw7CiyfwN8chRsc80Sbp-Q7jTN81bxEI-kHwhjznrOkb7oTp8x97TikAEj4AnRfg4eK-_23bItxXzE8S5EH6hbo034jTk6ZW2n3TyqsJeTESkhMr21zhiw56oLiZy2B_2FGKrmRwsLG_xBvfLYM_aRdBf6Npv4nGp9Uz-uaiDu0HpruRWk&session_state=b2f8f329-d325-4ee4-8f14-39755981135e

[Wrufesh]

We need to change redirect_url type to spa. Ticket: https://mis5.iiasa.ac.at/?f=/TicketS/Ticket/&pItemKey=97821218951284984 Description: https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-auth-code-flow#redirect-uris-for-single-page-apps-spas

[Wrufesh]

Few more routines needed to setup:

• [ ] make a login api which accepts valid open_id basic authentication credential, based on those provide user with accelerator access token.
• [ ] make models to support open id from google, microsoft and apple and custom user. Also make possibility to link the user. May be yser profile linked openid services. Dont end up making duplicate users. Everything should be automatic and buttery.
• [ ] Make a logout url
• [ ] Write proper test and know the api whould be aware of openid schema and version.

[Wrufesh]

https://auth0.com/docs/secure/tokens/json-web-tokens/json-web-key-set-properties

alg was missing in jwks provided by jwks_uri in well known configuration of open id

Error we were facing

raise JWKError("Unable to find an algorithm for key: %s" % key_data)
E           jose.exceptions.JWKError: Unable to find an algorithm for key: {'kty': 'RSA', 'use': 'sig', 'kid': '-KI3Q9nNR7bRofxmeZoXqbHZGew', 'x5t': '-KI3Q9nNR7bRofxmeZoXqbHZGew', 'n': 'tJL6Wr2JUsxLyNezPQh1J6zn6wSoDAhgRYSDkaMuEHy75VikiB8wg25WuR96gdMpookdlRvh7SnRvtjQN9b5m4zJCMpSRcJ5DuXl4mcd7Cg3Zp1C5-JmMq8J7m7OS9HpUQbA1yhtCHqP7XA4UnQI28J-TnGiAa3viPLlq0663Cq6hQw7jYo5yNjdJcV5-FS-xNV7UHR4zAMRruMUHxte1IZJzbJmxjKoEjJwDTtcd6DkI3yrkmYt8GdQmu0YBHTJSZiz-M10CY3LbvLzf-tbBNKQ_gfnGGKF7MvRCmPA_YF_APynrIG7p4vPDRXhpG3_CIt317NyvGoIwiv0At83kQ', 'e': 'AQAB', 'x5c': ['MIIDBTCCAe2gAwIBAgIQGQ6YG6NleJxJGDRAwAd/ZTANBgkqhkiG9w0BAQsFADAtMSswKQYDVQQDEyJhY2NvdW50cy5hY2Nlc3Njb250cm9sLndpbmRvd3MubmV0MB4XDTIyMTAwMjE4MDY0OVoXDTI3MTAwMjE4MDY0OVowLTErMCkGA1UEAxMiYWNjb3VudHMuYWNjZXNzY29udHJvbC53aW5kb3dzLm5ldDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALSS+lq9iVLMS8jXsz0IdSes5+sEqAwIYEWEg5GjLhB8u+VYpIgfMINuVrkfeoHTKaKJHZUb4e0p0b7Y0DfW+ZuMyQjKUkXCeQ7l5eJnHewoN2adQufiZjKvCe5uzkvR6VEGwNcobQh6j+1wOFJ0CNvCfk5xogGt74jy5atOutwquoUMO42KOcjY3SXFefhUvsTVe1B0eMwDEa7jFB8bXtSGSc2yZsYyqBIycA07XHeg5CN8q5JmLfBnUJrtGAR0yUmYs/jNdAmNy27y83/rWwTSkP4H5xhihezL0QpjwP2BfwD8p6yBu6eLzw0V4aRt/wiLd9ezcrxqCMIr9ALfN5ECAwEAAaMhMB8wHQYDVR0OBBYEFJcSH+6Eaqucndn9DDu7Pym7OA8rMA0GCSqGSIb3DQEBCwUAA4IBAQADKkY0PIyslgWGmRDKpp/5PqzzM9+TNDhXzk6pw8aESWoLPJo90RgTJVf8uIj3YSic89m4ftZdmGFXwHcFC91aFe3PiDgCiteDkeH8KrrpZSve1pcM4SNjxwwmIKlJdrbcaJfWRsSoGFjzbFgOecISiVaJ9ZWpb89/+BeAz1Zpmu8DSyY22dG/K6ZDx5qNFg8pehdOUYY24oMamd4J2u2lUgkCKGBZMQgBZFwk+q7H86B/byGuTDEizLjGPTY/sMms1FAX55xBydxrADAer/pKrOF1v7Dq9C1Z9QVcm5D9G4DcenyWUdMyK43NXbVQLPxLOng51KO9icp2j4U7pwHP'], 'issuer': 'https://login.microsoftonline.com/9b79b10b-0007-4e8a-b072-ad0c8cdc1aa5/v2.0'}

Solution: Update the alg value manually from well known conf. Look for id_token_signing_alg_values_supported