Bump misp-core and add new OIDC library (#367)

* Integrate CertMichelin:OpenIDConnectClient #10599

* Add OpenID parameter in README.md

* Keep jakub-onderka for compatibility

* Bump misp-core

---------

Co-authored-by: Maxime Escourbiac <maxime.escourbiac@michelin.com>

Author: ostefano

README.md

@@ -215,6 +215,7 @@ For Okta, create a new application integration:
       OIDC_CODE_CHALLENGE_METHOD=S256
       OIDC_AUTH_METHOD="client_secret_post"  
       OIDC_REDIRECT_URI="https://<MISP_URL>/users/login" # (same value set in Okta)
+      OIDC_DISABLE_REQUEST_OBJECT=false
       ``` 
  Valid options for OIDC_AUTH_METHOD are:
    - client_secret_post: tested

core/Dockerfile

@@ -105,6 +105,7 @@ RUN <<-EOF
             composer require --with-all-dependencies --no-interaction \
                 elasticsearch/elasticsearch:^8.7.0 \
                 jakub-onderka/openid-connect-php:^1.0.0 \
+                certmichelin/openid-connect-php:1.3.0 \
                 aws/aws-sdk-php
         fi
 EOF

core/files/configure_misp.sh

@@ -101,7 +101,8 @@ set_up_oidc() {
                 \"default_org\": \"${OIDC_DEFAULT_ORG}\",
                 \"mixedAuth\": ${OIDC_MIXEDAUTH},
                 \"authentication_method\": \"${OIDC_AUTH_METHOD}\",
-                \"redirect_uri\": \"${OIDC_REDIRECT_URI}\"                
+                \"redirect_uri\": \"${OIDC_REDIRECT_URI}\",
+                \"disable_request_object\": \"${OIDC_DISABLE_REQUEST_OBJECT}\"
             }
         }" > /dev/null
 

core/files/entrypoint.sh

@@ -55,6 +55,7 @@ export AUTOCONF_ADMIN_KEY=${AUTOCONF_ADMIN_KEY:-true}
 export AUTOGEN_ADMIN_KEY=${AUTOGEN_ADMIN_KEY:-$AUTOCONF_ADMIN_KEY}
 export OIDC_ENABLE=${OIDC_ENABLE:-false}
 export OIDC_MIXEDAUTH=${OIDC_MIXEDAUTH:-false}
+export OIDC_DISABLE_REQUEST_OBJECT=${OIDC_DISABLE_REQUEST_OBJECT:-false}
 export LDAP_ENABLE=${LDAP_ENABLE:-false}
 export ENABLE_DB_SETTINGS=${ENABLE_DB_SETTINGS:-false}
 export ENABLE_BACKGROUND_UPDATES=${ENABLE_BACKGROUND_UPDATES:-false}

docker-compose.yml

@@ -167,6 +167,7 @@ services:
       - "OIDC_REDIRECT_URI=${OIDC_REDIRECT_URI}"
       - "OIDC_SCOPES=${OIDC_SCOPES}"
       - "OIDC_LOGOUT_URL=${OIDC_LOGOUT_URL}"
+      - "OIDC_DISABLE_REQUEST_OBJECT=${OIDC_DISABLE_REQUEST_OBJECT}"
       # APACHESECUREAUTH authentication settings
       - "APACHESECUREAUTH_LDAP_OLD_VAR_DETECT=${LDAP_ENABLE}"
       - "APACHESECUREAUTH_LDAP_ENABLE=${APACHESECUREAUTH_LDAP_ENABLE:-${LDAP_ENABLE}}"

template.env

@@ -2,7 +2,7 @@
 # Build-time variables
 ##
 
-CORE_TAG=v2.5.31
+CORE_TAG=v2.5.32
 # CORE_FLAVOR=standard
 MODULES_TAG=v3.0.5
 # MODULES_FLAVOR=standard
@@ -163,7 +163,7 @@ SYNCSERVERS_1_PULL_RULES=
 # Disable CA refresh
 # DISABLE_CA_REFRESH=true
 
-# Enable OIDC authentication, according to https://github.com/MISP/MISP/blob/2.4/app/Plugin/OidcAuth/README.md
+# Enable OIDC authentication, according to https://github.com/MISP/MISP/blob/2.5/app/Plugin/OidcAuth/README.md
 # OIDC_ENABLE=true
 # OIDC_PROVIDER_URL=
 # OIDC_ISSUER=
@@ -178,6 +178,7 @@ SYNCSERVERS_1_PULL_RULES=
 # OIDC_REDIRECT_URI=
 # OIDC_SCOPES="[\"profile\", \"email\"]"
 # OIDC_LOGOUT_URL=
+# OIDC_DISABLE_REQUEST_OBJECT=false
 
 # Enable LDAP (using the ApacheSecureAuth component) authentication, according to https://github.com/MISP/MISP/issues/6189
 # NOTE: Once you enable LDAP authentication with the ApacheSecureAuth component,