Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions .gitignore
Original file line number Diff line number Diff line change
Expand Up @@ -21,6 +21,7 @@ log
NOTES.md
dep.tree
application-test2.yml
application-dev.yml
api-docs.json
dist
account-gui/public/index.html
Expand Down
4 changes: 2 additions & 2 deletions account-gui/src/routes/WebAuthn.svelte
Original file line number Diff line number Diff line change
Expand Up @@ -35,7 +35,7 @@
})
.catch(() => {
//happens when the key is already registered
window.location.href = $conf.eduIDWebAuthnRedirectSpUrl;
window.location.href = $conf.myconextWebAuthnRedirectSpUrl;
})
})
.catch(() => navigate("/404"));
Expand Down Expand Up @@ -63,4 +63,4 @@
<p class="info">{I18n.t("WebAuthn.BrowserPrompt.COPY")}</p>
<Button label={I18n.t("Webauthn.SetUpdate.COPY")} onClick={startWebAuthnRegistration}/>
{/if}
</div>
</div>
4 changes: 2 additions & 2 deletions account-gui/src/stores/conf.js
Original file line number Diff line number Diff line change
Expand Up @@ -5,7 +5,7 @@ export const conf = writable({
magicLinkUrl: "",
continueAfterLoginUrl: "",
domain: "",
eduIDWebAuthnRedirectSpUrl: "",
myconextWebAuthnRedirectSpUrl: "",
featureWebAuthn: false,
featureAllowList: false,
idpBaseUrl: "",
Expand All @@ -21,4 +21,4 @@ export const conf = writable({
export const links = writable({
userLink: true,
displayBackArrow: true
});
});
4 changes: 2 additions & 2 deletions myconext-gui/src/routes/WebAuthn.svelte
Original file line number Diff line number Diff line change
Expand Up @@ -15,7 +15,7 @@
const startWebAuthn = () => {
loading = true;
startWebAuthFlow().then(res => {
window.location.href = `${$config.eduIDWebAuthnUrl}?token=${res.token}&name=${encodeURIComponent(credentialName)}`
window.location.href = `${$config.myconextWebAuthUrl}?token=${res.token}&name=${encodeURIComponent(credentialName)}`
});
}

Expand Down Expand Up @@ -81,4 +81,4 @@
</div>
{/if}

</div>
</div>
2 changes: 1 addition & 1 deletion myconext-gui/src/stores/user.js
Original file line number Diff line number Diff line change
Expand Up @@ -28,7 +28,7 @@ export const config = writable({
myConextUrlGuestIdp: "",
spBaseUrl: "",
createEduIDInstitutionLanding: false,
eduIDWebAuthnUrl: "",
myconextWebAuthUrl: "",
magicLinkUrl: "",
domain: "",
idpBaseUrl: "",
Expand Down
2 changes: 1 addition & 1 deletion myconext-gui/src/utils/utils.js
Original file line number Diff line number Diff line change
Expand Up @@ -38,7 +38,7 @@ export const doLogOutAfterRateLimit = idpBaseUrl => {
export const redirectToLogin = (loginUrl, redirectTo) => {
const url = new URL(loginUrl);
url.searchParams.set("redirect_path", redirectTo || "/");
url.searchParams.set("registration_id", "mijn_eduid");
url.searchParams.set("registration_id", "my_conext");
window.location.href = url.toString();
}

Original file line number Diff line number Diff line change
Expand Up @@ -57,6 +57,7 @@ public class LoginController {
private final List<String> createFromInstitutionAllowedReturnDomains;
private final String spBaseUrl;
private final String spServiceDeskBaseUrl;
private final String myconextLoginUrl;

public LoginController(UserRepository userRepository,
AuthenticationRequestRepository authenticationRequestRepository,
Expand Down Expand Up @@ -101,9 +102,8 @@ public LoginController(UserRepository userRepository,
this.config.put("idpBaseUrl", idpBaseUrl);
this.config.put("spBaseUrl", spBaseUrl);
this.config.put("spServiceDeskBaseUrl", spServiceDeskBaseUrl);
this.config.put("eduIDWebAuthnUrl", String.format("%s/webauthn", idpBaseUrl));
this.config.put("eduIDLoginUrl", myConextUrl + "/oauth2/authorization/oidcng");
this.config.put("eduIDWebAuthnRedirectSpUrl", String.format("%s/security", spBaseUrl));
this.config.put("myconextWebAuthUrl", String.format("%s/webauthn", idpBaseUrl));
this.config.put("myconextWebAuthnRedirectSpUrl", String.format("%s/security", spBaseUrl));
this.config.put("domain", domain);
this.config.put("featureWebAuthn", featureWebAuthn);
this.config.put("featureWarningEducationalEmailDomain", featureWarningEducationalEmailDomain);
Expand Down Expand Up @@ -131,6 +131,7 @@ public LoginController(UserRepository userRepository,
this.createFromInstitutionAllowedReturnDomains = createFromInstitutionProperties.getReturnUrlAllowedDomains();
this.spBaseUrl = spBaseUrl;
this.spServiceDeskBaseUrl = spServiceDeskBaseUrl;
this.myconextLoginUrl = myConextUrl + "/oauth2/authorization/oidcng";
}

@GetMapping("/config")
Expand Down Expand Up @@ -225,7 +226,7 @@ private void doRedirect(String lang, String location, HttpServletResponse respon
String cookieValue = String.format("%s=true; Max-Age=%s; SameSite=None%s", REGISTER_MODUS_COOKIE_NAME, 60 * 10, secureCookie ? "; Secure" : "");
response.setHeader("Set-Cookie", cookieValue);
}
String redirectLocation = StringUtils.hasText(location) ? location : this.config.get("eduIDLoginUrl") + "?lang=" + lang;
String redirectLocation = StringUtils.hasText(location) ? location : this.myconextLoginUrl + "?lang=" + lang;

LOG.info(String.format("Redirecting to %s", redirectLocation));

Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -58,11 +58,11 @@
public class SecurityConfiguration {

// Overview of the security configuration:
// 1. SamlSecurity (@Order(1)) — Secures the SAML guest IdP endpoint (eduID guest login).
// 2. InternalSecurityConfigurationAdapter (@Order default) — Secures the Mijn eduID and Service Desk portals via OAuth2/OIDC login against OpenConext.
// 1. SamlSecurity (@Order(1)) — Secures the SAML guest IdP endpoint (myconext guest login).
// 2. InternalSecurityConfigurationAdapter (@Order default) — Secures the myconext and Service Desk portals via OAuth2/OIDC login against OpenConext.
// 3. AppSecurity (@Order(2)) — Secures system-to-system OpenConext APIs with HTTP Basic auth.
// 4. JWTSecurityConfig (@Order(3)) — Secures mobile app and eduID APIs via OAuth2 opaque token introspection.
// 4. JWTSecurityConfig (@Order(3)) — Secures mobile app and myconext APIs via OAuth2 opaque token introspection.

private static final Log LOG = LogFactory.getLog(SecurityConfiguration.class);

@Bean
Expand All @@ -86,7 +86,7 @@ public void addCorsMappings(CorsRegistry registry) {
}
}

//1. SamlSecurity (@Order(1)) — Secures the SAML guest IdP endpoint (eduID guest login).
//1. SamlSecurity (@Order(1)) — Secures the SAML guest IdP endpoint (myconext guest login).
@Configuration
@Order(1)
@EnableConfigurationProperties(IdentityProviderMetaData.class)
Expand Down Expand Up @@ -229,7 +229,7 @@ private String read(Resource resource) throws IOException {
}
}

//2. InternalSecurityConfigurationAdapter (@Order default) — Secures the Mijn eduID and Service Desk portals via OAuth2/OIDC login against OpenConext.
//2. InternalSecurityConfigurationAdapter (@Order default) — Secures the myconext and Service Desk portals via OAuth2/OIDC login against OpenConext.
@Order
@Configuration
public static class InternalSecurityConfigurationAdapter {
Expand All @@ -238,11 +238,11 @@ public static class InternalSecurityConfigurationAdapter {

public static final String ROLE_GUEST = "ROLE_GUEST";
public static final String SERVICE_DESK = "SERVICE_DESK";
public static final String REGISTRATION_ID_MIIN_EDUID = "mijn_eduid";
public static final String REGISTRATION_ID_MY_CONEXT = "my_conext";
public static final String REGISTRATION_ID_SERVICE_DESK = "service_desk";

private static final Set<String> ALLOWED_REGISTRATION_IDS =
Set.of(REGISTRATION_ID_MIIN_EDUID, REGISTRATION_ID_SERVICE_DESK);
Set.of(REGISTRATION_ID_MY_CONEXT, REGISTRATION_ID_SERVICE_DESK);

public InternalSecurityConfigurationAdapter(AppAwareAuthorizationRequestResolver authorizationRequestResolver) {
this.authorizationRequestResolver = authorizationRequestResolver;
Expand Down Expand Up @@ -315,7 +315,7 @@ private AuthenticationEntryPoint appAwareAuthenticationEntryPoint() {
return (request, response, authException) -> {
String registrationId = request.getParameter("registration_id");
if (!ALLOWED_REGISTRATION_IDS.contains(registrationId)) {
registrationId = "mijn_eduid";
registrationId = REGISTRATION_ID_MY_CONEXT;
}
response.sendRedirect(request.getContextPath() + "/oauth2/authorization/" + registrationId);
};
Expand Down Expand Up @@ -363,7 +363,7 @@ private DaoAuthenticationProvider inMemoryAuthenticationProvider() {

}

//4. JWTSecurityConfig (@Order(3)) — Secures mobile app and eduID APIs via OAuth2 opaque token introspection.
//4. JWTSecurityConfig (@Order(3)) — Secures mobile app and myconext APIs via OAuth2 opaque token introspection.
@Configuration
@Order(3)
public static class JWTSecurityConfig {
Expand Down
Original file line number Diff line number Diff line change
@@ -1,9 +1,7 @@
# Spring profile: 'servicedesk'
# Activate with -Dspring.profiles.active=servicedesk (or SPRING_PROFILES_ACTIVE=servicedesk)
# Overrides for running the backend in Service Desk mode (servicedesk-gui as the front-end).

host_headers:
active: servicedesk.test2.eduid.nl
active: servicedesk.myconext.nl

service_desk_role_auto_provisioning: True

Expand Down
18 changes: 9 additions & 9 deletions myconext-server/src/main/resources/application.yml
Original file line number Diff line number Diff line change
Expand Up @@ -106,11 +106,11 @@ create-from-institution:

# The host headers to identify the service the user is logged in
host_headers:
service_desk: servicedesk.test2.eduid.nl
mijn_ediuid: mijn.test2.eduid.nl
service_desk: servicedesk.myconext.nl
mijn_ediuid: mijn.myconext.nl
#Only for testing purposes
# active: servicedesk.test2.eduid.nl
active: mijn.test2.eduid.nl
# active: servicedesk.myconext.nl
active: mijn.myconext.nl

feature:
webauthn: True
Expand Down Expand Up @@ -299,7 +299,7 @@ spring:
oauth2:
client:
registration:
mijn_eduid:
my_conext:
client-id: playground_client
client-secret: secret
redirect-uri: "{baseUrl}/login/oauth2/code/{registrationId}"
Expand All @@ -315,10 +315,10 @@ spring:
provider: oidcng
provider:
oidcng:
authorization-uri: "https://connect.test2.surfconext.nl/oidc/authorize"
token-uri: "https://connect.test2.surfconext.nl/oidc/token"
user-info-uri: "https://connect.test2.surfconext.nl/oidc/userinfo"
jwk-set-uri: "https://connect.test2.surfconext.nl/oidc/certs"
authorization-uri: "http://localhost:8098/oidc/authorize"
token-uri: "http://localhost:8098/oidc/token"
user-info-uri: "http://localhost:8098/oidc/userinfo"
jwk-set-uri: "http://localhost:8098/oidc/certs"
user-name-attribute: sub
user-info-authentication-method: client_secret_basic

Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -9,7 +9,6 @@
import org.junit.Before;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.http.HttpMethod;
import org.springframework.test.context.ActiveProfiles;
import org.springframework.test.util.ReflectionTestUtils;

import java.io.IOException;
Expand All @@ -18,6 +17,7 @@

import static io.restassured.RestAssured.given;
import static myconext.security.GuestIdpAuthenticationRequestFilter.GUEST_IDP_REMEMBER_ME_COOKIE_NAME;
import static myconext.security.SecurityConfiguration.InternalSecurityConfigurationAdapter.REGISTRATION_ID_MY_CONEXT;
import static org.hamcrest.core.IsEqual.equalTo;
import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertNull;
Expand Down Expand Up @@ -46,7 +46,7 @@ public void config() {
public void login() {
given().redirects().follow(false)
.when()
.queryParam("registration_id", "mijn_eduid")
.queryParam("registration_id", REGISTRATION_ID_MY_CONEXT)
.get("/auth/login")
.then()
.statusCode(302)
Expand All @@ -58,7 +58,7 @@ public void loginWithRedirectPath() {
given().redirects().follow(false)
.when()
.queryParam("redirect_path", "/security")
.queryParam("registration_id", "mijn_eduid")
.queryParam("registration_id", REGISTRATION_ID_MY_CONEXT)
.get("/auth/login")
.then()
.statusCode(302)
Expand All @@ -70,7 +70,7 @@ public void loginWithEncodedRedirectPath() {
given().redirects().follow(false)
.when()
.queryParam("redirect_path", "%2Fpersonal%3Fservicedesk%3Dstart")
.queryParam("registration_id", "mijn_eduid")
.queryParam("registration_id", REGISTRATION_ID_MY_CONEXT)
.get("/auth/login")
.then()
.statusCode(302)
Expand All @@ -82,7 +82,7 @@ public void loginWithExternalRedirectPathIsIgnored() {
given().redirects().follow(false)
.when()
.queryParam("redirect_path", "https://evil.example.com/phishing")
.queryParam("registration_id", "mijn_eduid")
.queryParam("registration_id", REGISTRATION_ID_MY_CONEXT)
.get("/auth/login")
.then()
.statusCode(302)
Expand All @@ -94,7 +94,7 @@ public void loginWithProtocolRelativeRedirectPathIsIgnored() {
given().redirects().follow(false)
.when()
.queryParam("redirect_path", "//evil.example.com/phishing")
.queryParam("registration_id", "mijn_eduid")
.queryParam("registration_id", REGISTRATION_ID_MY_CONEXT)
.get("/auth/login")
.then()
.statusCode(302)
Expand Down
Loading