Merge pull request #879 from maykinmedia/feature/1902-digid-oidc

✨ [#1902/1903] DigiD/eHerkenning via OIDC
maykinmedia · Dec 12, 2023 · ecf711d · ecf711d
2 parents 7d9743b + 6a019ca
commit ecf711d
Show file tree

Hide file tree

Showing 40 changed files with 4,438 additions and 72 deletions.
diff --git a/docker/docker-compose.keycloak.yml b/docker/docker-compose.keycloak.yml
@@ -0,0 +1,21 @@
+version: '3.4'
+
+services:
+  keycloak:
+    image: jboss/keycloak
+    environment:
+      - KEYCLOAK_USER=demo
+      - KEYCLOAK_PASSWORD=demo
+      - KEYCLOAK_IMPORT=/realm.json
+    volumes:
+      - ./keycloak/fixtures/realm.json:/realm.json
+    ports:
+      - 8080:8080
+    networks:
+      open-inwoner-dev:
+        aliases:
+          - keycloak.open-inwoner.local
+
+networks:
+  open-inwoner-dev:
+    name: open-inwoner-dev
diff --git a/docker/keycloak/README.md b/docker/keycloak/README.md
@@ -0,0 +1,47 @@
+# Keycloak infrastructure
+
+Open Inwoner supports OpenID Connect as an authentication protocol. Keycloak is
+an example of an Identity Provider that supports OIDC.
+
+We include a compose stack for development and CI purposes. This is **NOT** suitable
+for production usage.
+
+## docker-compose
+
+Start a Keycloak instance in your local environment from the parent directory:
+
+```bash
+docker-compose -f docker-compose.keycloak.yml up -d
+```
+
+This brings up Keycloak, the admin interface is accessible at http://localhost:8080/.
+You can log in with `demo:demo`.
+
+In order to allow access to Keycloak via the same hostname via the Open Inwoner backend
+container and the browser, add the following entry to your `/etc/hosts` file:
+
+```
+127.0.0.1 keycloak.open-inwoner.local
+```
+
+
+## Load fixtures
+
+Before the DigiD login via OIDC can be tested, a fixture needs to be loaded.
+Assuming the docker containers specified in `docker-compose.yml` in the root directory
+are running, run the following command:
+
+```bash
+cat docker/keycloak/fixtures/oidc.json | docker-compose exec web src/manage.py loaddata --format=json -
+```
+
+This loads an example form configured to use DigiD via OIDC for authentication and
+it loads a configuration to connect to our Keycloak instance.
+
+## Test login flow
+
+To test the login flow, navigate to `http://127.0.0.1:8000/digid-oidc/`
+(not `localhost`, because this domain is not on the allowlist in the Keycloak config).
+
+Click `Inloggen met DigiD` and fill in `testuser` for both username and password
+in the Keycloak login screen. If everything succeeded, you are now logged in and redirected to the Open Inwoner home page.
diff --git a/docker/keycloak/fixtures/oidc.json b/docker/keycloak/fixtures/oidc.json
@@ -0,0 +1,52 @@
+[
+    {
+        "model": "digid_eherkenning_oidc_generics.openidconnectdigidconfig",
+        "pk": 1,
+        "fields": {
+            "enabled": true,
+            "oidc_rp_client_id": "testid_public",
+            "oidc_rp_client_secret": "23a12032-e080-4f65-b733-ad2567ec1605",
+            "oidc_rp_sign_algo": "RS256",
+            "oidc_op_discovery_endpoint": "http://localhost:8080/auth/realms/test/",
+            "oidc_op_jwks_endpoint": "http://localhost:8080/auth/realms/test/protocol/openid-connect/certs",
+            "oidc_op_authorization_endpoint": "http://localhost:8080/auth/realms/test/protocol/openid-connect/auth",
+            "oidc_op_token_endpoint": "http://localhost:8080/auth/realms/test/protocol/openid-connect/token",
+            "oidc_op_user_endpoint": "http://localhost:8080/auth/realms/test/protocol/openid-connect/userinfo",
+            "oidc_rp_idp_sign_key": "",
+            "oidc_use_nonce": true,
+            "oidc_nonce_size": 32,
+            "oidc_state_size": 32,
+            "oidc_exempt_urls": "[]",
+            "userinfo_claims_source": "userinfo_endpoint",
+            "oidc_op_logout_endpoint": "http://localhost:8080/auth/realms/test/protocol/openid-connect/logout",
+            "oidc_keycloak_idp_hint": "",
+            "identifier_claim_name": "bsn",
+            "oidc_rp_scopes_list": "[\"openid\", \"bsn\"]"
+        }
+    },
+    {
+        "model": "digid_eherkenning_oidc_generics.openidconnecteherkenningconfig",
+        "pk": 1,
+        "fields": {
+            "enabled": true,
+            "oidc_rp_client_id": "testid_public",
+            "oidc_rp_client_secret": "23a12032-e080-4f65-b733-ad2567ec1605",
+            "oidc_rp_sign_algo": "RS256",
+            "oidc_op_discovery_endpoint": "http://localhost:8080/auth/realms/test/",
+            "oidc_op_jwks_endpoint": "http://localhost:8080/auth/realms/test/protocol/openid-connect/certs",
+            "oidc_op_authorization_endpoint": "http://localhost:8080/auth/realms/test/protocol/openid-connect/auth",
+            "oidc_op_token_endpoint": "http://localhost:8080/auth/realms/test/protocol/openid-connect/token",
+            "oidc_op_user_endpoint": "http://localhost:8080/auth/realms/test/protocol/openid-connect/userinfo",
+            "oidc_rp_idp_sign_key": "",
+            "oidc_use_nonce": true,
+            "oidc_nonce_size": 32,
+            "oidc_state_size": 32,
+            "oidc_exempt_urls": "[]",
+            "userinfo_claims_source": "userinfo_endpoint",
+            "oidc_op_logout_endpoint": "http://localhost:8080/auth/realms/test/protocol/openid-connect/logout",
+            "oidc_keycloak_idp_hint": "",
+            "identifier_claim_name": "kvk",
+            "oidc_rp_scopes_list": "[\"openid\", \"kvk\"]"
+        }
+    }
+]