From e79dfa3e66dab94195ae1d11176a35a58590d50b Mon Sep 17 00:00:00 2001 From: Phil Owen Date: Wed, 12 Nov 2025 07:36:38 -0500 Subject: [PATCH 01/14] Startup issue when configuring the color scheme. fix suggested by GR. --- appstore/product/configuration.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/appstore/product/configuration.py b/appstore/product/configuration.py index bdd7a7723..f8c10663c 100644 --- a/appstore/product/configuration.py +++ b/appstore/product/configuration.py @@ -34,6 +34,6 @@ class ProductSettings: brand: str = "CommonsShare" title: str = "CommonsShare" logo_url: str = "/static/images/commonsshare/logo-lg.png" - color_scheme: ProductColorScheme = ProductColorScheme() + color_scheme: ProductColorScheme = field(default_factory=lambda: ProductColorScheme()) capabilities: List[str] = field(default_factory=lambda: ['app', 'search']) From da3da2f7742625bee19f3ed71d63f3e6b163a5b2 Mon Sep 17 00:00:00 2001 From: Phil Owen Date: Wed, 19 Nov 2025 13:59:07 -0500 Subject: [PATCH 02/14] improving message comment --- appstore/core/management/commands/addingwhitelistedsocialapp.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/appstore/core/management/commands/addingwhitelistedsocialapp.py b/appstore/core/management/commands/addingwhitelistedsocialapp.py index f6c13b40f..b07f910c0 100644 --- a/appstore/core/management/commands/addingwhitelistedsocialapp.py +++ b/appstore/core/management/commands/addingwhitelistedsocialapp.py @@ -25,4 +25,4 @@ def handle(self, *args, **kwargs): if not Group.objects.filter(name='whitelisted'): Group.objects.create(name='whitelisted') - print("Successfully added social applications GitHub and Google and whitelisted to the Group!") + print("Successfully added social applications and whitelisted them into the Group!") From 2fc11def6e51131780005d89c6eca991450fec70 Mon Sep 17 00:00:00 2001 
From: Phil Owen Date: Wed, 19 Nov 2025 14:02:18 -0500 Subject: [PATCH 03/14] adding CILogon --- README.md | 58 ++++++++++++++++++++++++++++++++----------------------- 1 file changed, 34 insertions(+), 24 deletions(-) diff --git a/README.md b/README.md index 313671beb..8b00d4f0d 100644 --- a/README.md +++ b/README.md 
@@ -75,28 +75,31 @@ concerns are: During development, environment variables can be set to control execution: -| Variable | Description | -| :------------------------------------- | :---------------------------------------------------------------- | -| BRAND=[braini, cat, heal, restartr, scidas, eduhelx] | Product context configuration for the appstore. | -| DJANGO_SETTINGS_MODULE=[appstore.settings._settings] | Product settings module configuration for the appstore. | -| DEV_PHASE=[stub, local, dev, val, prod] | In stub, does not require a Tycho service. | -| ALLOW_DJANGO_LOGIN=[TRUE, FALSE] | When true, presents username and password authentication options. | -| SECRET_KEY | Key for securing the application. | -| OAUTH_PROVIDERS | Contains all the providers(google, github). | -| GOOGLE_CLIENT_ID | Contains the client_id of the provider. | -| GOOGLE_SECRET | Contains the secret key for provider. | -| GOOGLE_NAME | Sets the name for the provider. | -| GITHUB_CLIENT_ID | Contains the client_id of the provider. | -| GITHUB_SECRET | Contains the secret key of the provider. | -| GITHUB_NAME | Sets the name for the provider. | -| APPSTORE_DJANGO_USERNAME | Holds superuser username credentials. | -| APPSTORE_DJANGO_PASSWORD | Holds superuser password credentials. | -| TYCHO_URL | Contains the url of the running tycho host. | -| OAUTH_DB_DIR | Contains the path for the database directory. | -| OAUTH_DB_FILE | Contains the path for the database file. | -| APPSTORE_DEFAULT_FROM_EMAIL | Default email address for appstore. | -| APPSTORE_DEFAULT_SUPPORT_EMAIL | Default support email for appstore. | -| ACCOUNT_DEFAULT_HTTP_PROTOCOL | Allows to switch between http and https protocol. | +| Variable | Description | +|:-------------------------------------------------------------|:------------------------------------------------------------------| +| BRAND=[braini, cat, heal, restartr, scidas, eduhelx] | Product context configuration for the appstore. 
| +| DJANGO_SETTINGS_MODULE=[appstore.settings._settings] | Product settings module configuration for the appstore. | +| DEV_PHASE=[stub, local, dev, val, prod] | In stub, does not require a Tycho service. | +| ALLOW_DJANGO_LOGIN=[TRUE, FALSE] | When true, presents username and password authentication options. | +| SECRET_KEY | Key for securing the application. | +| OAUTH_PROVIDERS | Contains all the providers(google, github, cilogon). | +| CILOGON_CLIENT_ID | Contains the client_id of the provider. | +| CILOGON_SECRET | Contains the secret key for provider. | +| CILOGON_NAME | Sets the name for the provider. | +| GOOGLE_CLIENT_ID | Contains the client_id of the provider. | +| GOOGLE_SECRET | Contains the secret key for provider. | +| GOOGLE_NAME | Sets the name for the provider. | +| GITHUB_CLIENT_ID | Contains the client_id of the provider. | +| GITHUB_SECRET | Contains the secret key of the provider. | +| GITHUB_NAME | Sets the name for the provider. | +| APPSTORE_DJANGO_USERNAME | Holds superuser username credentials. | +| APPSTORE_DJANGO_PASSWORD | Holds superuser password credentials. | +| TYCHO_URL | Contains the url of the running tycho host. | +| OAUTH_DB_DIR | Contains the path for the database directory. | +| OAUTH_DB_FILE | Contains the path for the database file. | +| APPSTORE_DEFAULT_FROM_EMAIL | Default email address for appstore. | +| APPSTORE_DEFAULT_SUPPORT_EMAIL | Default support email for appstore. | +| ACCOUNT_DEFAULT_HTTP_PROTOCOL | Allows to switch between http and https protocol. | The provided .env.sample contains a starter that you can update and source for development. 
@@ -527,13 +530,17 @@ appstore: EMAIL_HOST_PASSWORD: DOCKSTORE_APPS_BRANCH: oauth: - OAUTH_PROVIDERS: "github,google" + OAUTH_PROVIDERS: "github,google,cilogon" GITHUB_NAME: GITHUB_CLIENT_ID: GITHUB_SECRET: GOOGLE_NAME: GOOGLE_CLIENT_ID: - GOOGLE_SECRET: + GOOGLE_SECRET: + CILOGON_NAME: + CILOGON_CLIENT_ID: + CILOGON_SECRET: + ACCOUNT_DEFAULT_HTTP_PROTOCOL: https appstoreEntrypointArgs: "make start" userStorage: @@ -558,6 +565,9 @@ As part of user configuration, system administration will obtain the following - GOOGLE_NAME - GOOGLE_CLIENT_ID - GOOGLE_SECRET + - CILOGON_NAME + - CILOGON_CLIENT_ID + - CILOGON_SECRET - serverName - IP - nginxTLSSecret From 305e12c6324dfb9498d67814acb648da4e0db834 Mon Sep 17 00:00:00 2001 From: Phil Owen Date: Thu, 20 Nov 2025 14:40:25 -0500 Subject: [PATCH 04/14] adding override to see what social accounts are returning for data. --- appstore/appstore/adapter.py | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/appstore/appstore/adapter.py b/appstore/appstore/adapter.py index b2816809d..8fd8c93fa 100644 --- a/appstore/appstore/adapter.py +++ b/appstore/appstore/adapter.py @@ -16,7 +16,6 @@ def clean_email(self, email): ) return email - class LoginRedirectAdapter(DefaultAccountAdapter, DefaultSocialAccountAdapter): """ For regular form login redirect the user to the correct @@ -60,6 +59,12 @@ def get_logout_redirect_url(self, request): return url class SocialAccountAdapter(DefaultSocialAccountAdapter): + + def populate_user(self, request, sociallogin, data): + user = super().populate_user(request, sociallogin, data) + print('sociallogin.account.extra_data:', sociallogin.account.extra_data) + return user + def on_authentication_error(self, request, provider, error=None, exception=None, extra_context=None): provider_id = provider.id if provider else "unknown" error_code = error.name if error else "unknown" From c39fe62d424db4a629cc75b090aeb5e9005578ec Mon Sep 17 00:00:00 2001 
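Review bot: The `print('sociallogin.account.extra_data:', ...)` added to the new `populate_user` override writes the identity provider's full profile payload to stdout on every social login, and for these providers `extra_data` carries e-mail, names and other PII, so it lands in pod logs in every environment, not just while debugging. If a hook is wanted at all, use the module logger at debug level and log only the keys, e.g. `logger.debug("social login %s extra_data keys: %s", sociallogin.account.provider, sorted(sociallogin.account.extra_data))`; otherwise drop the override before merge. Whether adapter.py already defines `logger` is not visible in this hunk.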
From: Phil Owen Date: Thu, 20 Nov 2025 14:55:13 -0500 Subject: [PATCH 05/14] tidying up, correcting spelling mistake. --- appstore/appstore/settings/base.py | 29 ++++++++++++++++++++++------- 1 file changed, 22 insertions(+), 7 deletions(-) diff --git a/appstore/appstore/settings/base.py b/appstore/appstore/settings/base.py index f3ab83c82..93e8be709 100644 --- a/appstore/appstore/settings/base.py +++ b/appstore/appstore/settings/base.py @@ -11,6 +11,27 @@ logger = logging.getLogger(__name__) +# SECURITY WARNING: don't run with debug turned on in production! +# Empty quotes equates to false in kubernetes env. +DEBUG_STRING = os.environ.get("DEBUG", "") +if DEBUG_STRING.lower() == "false": + DEBUG_STRING = "" + +DEBUG = bool(DEBUG_STRING) + +if DEBUG: + from product.configuration import ProductSettings, ProductColorScheme + + APPLICATION_BRAND = os.environ.get("BRAND", "") + + PRODUCT_SETTINGS = ProductSettings( + brand=APPLICATION_BRAND, + title=APPLICATION_BRAND, + logo_url=f"/static/images/{APPLICATION_BRAND}/logo.png", + color_scheme=ProductColorScheme("#191348", "#0079bc"), + links=None, + ) + APPSTORE_NESTED_SETTINGS_DIR = Path(__file__).parent.resolve(strict=True) APPSTORE_CONFIG_DIR = APPSTORE_NESTED_SETTINGS_DIR.parent DJANGO_PROJECT_ROOT_DIR = APPSTORE_CONFIG_DIR.parent @@ -35,12 +56,6 @@ # SECURITY WARNING: keep the secret key used in production secret! SECRET_KEY = os.environ["SECRET_KEY"] -# SECURITY WARNING: don't run with debug turned on in production! -# Empty quotes equates to false in kubernetes env. -DEBUG_STRING = os.environ.get("DEBUG", "") -if DEBUG_STRING.lower() == "false": - DEBUG_STRING = "" -DEBUG = bool(DEBUG_STRING) # stub, local, dev, val, prod. DEV_PHASE = os.environ.get("DEV_PHASE", "local") 
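Review bot: The `if DEBUG:` block inserted above `APPSTORE_NESTED_SETTINGS_DIR` replaces `PRODUCT_SETTINGS` with a hard-coded colour scheme and a `logo_url` built from the unvalidated `BRAND` env var whenever debug is on, a behaviour change the subject line ("tidying up, correcting spelling mistake") does not mention. A debug-only product override belongs in a development settings module rather than base.py, which every brand inherits; `from product.configuration import ...` inside base.py also presumably creates an import-order dependency on an app package at settings-load time — confirm. If it must stay, give it a why-comment such as `# DEBUG-only: override product branding for local runs without a product settings module`.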
@@ -159,7 +174,7 @@ SAML_URL = "/accounts/saml" SAML_ACS_URL = "/saml2_auth/acs/" #SAML_ACS_URL = "/sso/acs/" -SOCIALACCOUNT_ADAPATER = "appstore.adapter.SocialAccountAdapter" +SOCIALACCOUNT_ADAPTER = "appstore.adapter.SocialAccountAdapter" SOCIALACCOUNT_QUERY_EMAIL = ACCOUNT_EMAIL_REQUIRED SOCIALACCOUNT_STORE_TOKENS = True SOCIALACCOUNT_PROVIDERS = { From 72df14eaad8b636c4459e9960d95a638b36f4087 Mon Sep 17 00:00:00 2001 From: Phil Owen Date: Wed, 10 Dec 2025 10:31:00 -0500 Subject: [PATCH 06/14] adding config items for dex auth --- appstore/appstore/settings/base.py | 21 +++++++++++++++++++-- 1 file changed, 19 insertions(+), 2 deletions(-) diff --git a/appstore/appstore/settings/base.py b/appstore/appstore/settings/base.py index 93e8be709..4565ce694 100644 --- a/appstore/appstore/settings/base.py +++ b/appstore/appstore/settings/base.py @@ -125,7 +125,10 @@ OAUTH_PROVIDERS = os.environ.get("OAUTH_PROVIDERS", "").split(",") for PROVIDER in OAUTH_PROVIDERS: if PROVIDER != '': - THIRD_PARTY_APPS.append(f"allauth.socialaccount.providers.{PROVIDER}") + if PROVIDER != 'dex': + THIRD_PARTY_APPS.append(f"allauth.socialaccount.providers.{PROVIDER}") + else: + THIRD_PARTY_APPS.append("allauth.socialaccount.providers.openid_connect") INSTALLED_APPS = DJANGO_APPS + THIRD_PARTY_APPS + LOCAL_APPS 
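Review bot: The rename from `SOCIALACCOUNT_ADAPATER` to `SOCIALACCOUNT_ADAPTER` is more than a spelling fix: Django ignores unknown setting names, so allauth was presumably running its `DefaultSocialAccountAdapter` until now and `appstore.adapter.SocialAccountAdapter` (with its `on_authentication_error` override, plus the `populate_user` print added in patch 04) was never loaded. This commit therefore activates that adapter for the first time in every environment; that deserves a sentence in the commit message and a test that the authentication-error path redirects as intended. A comment above the line, `# Custom adapter; only took effect once the setting name was corrected`, would tell the next reader why behaviour changed here.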
@@ -178,7 +181,21 @@ SOCIALACCOUNT_QUERY_EMAIL = ACCOUNT_EMAIL_REQUIRED SOCIALACCOUNT_STORE_TOKENS = True SOCIALACCOUNT_PROVIDERS = { - "google": {"SCOPE": ["profile", "email"], "AUTH_PARAMS": {"access_type": "offline"}} + "google": {"SCOPE": ["profile", "email"], "AUTH_PARAMS": {"access_type": "offline"}}, + "openid_connect": { + "EMAIL_VERIFIED": False, + "SERVERS": { + "dex": { + "ISSUER": "https://helx-dex-server.apps.renci.org/dex", + "CLIENT_ID": "django", # matches Dex static client id + "SECRET": "xL4QMryQ_6TrIzYBbpnZt864vFJtD_dkOFQJZmrYIZbV5Gz5LfNdzbFpCYk6aki3dOwrIqnuRhGKmU8WXz757Q", + "AUTHORIZATION_ENDPOINT": "https://helx-dex-server.apps.renci.org/dex/auth", + "TOKEN_ENDPOINT": "https://helx-dex-server.apps.renci.org/dex/token", + "USERINFO_ENDPOINT": "https://helx-dex-server.apps.renci.org/dex/userinfo", + "SCOPES": ["openid", "email", "profile"], + } + } + } } SECURE_CROSS_ORIGIN_OPENER_POLICY = None From a02af714fc48d48b02c026588b63aa0dddec77ff Mon Sep 17 00:00:00 2001 From: frostyfan109 Date: Wed, 10 Dec 2025 12:44:50 -0500 Subject: [PATCH 07/14] add oidc dex config --- appstore/appstore/settings/base.py | 16 +++++++++++++++- 1 file changed, 15 insertions(+), 1 deletion(-) diff --git a/appstore/appstore/settings/base.py b/appstore/appstore/settings/base.py index 93e8be709..ec922d18f 100644 --- a/appstore/appstore/settings/base.py +++ b/appstore/appstore/settings/base.py @@ -107,6 +107,7 @@ "crispy_forms", "rest_framework", "drf_spectacular", + "allauth.socialaccount.providers.openid_connect" ] ## Setting to allow for a seamless login that was breaking at django-allauth 0.47. 
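Review bot: The `"SECRET": "xL4Q…"` value in the new `openid_connect` block is a live Dex client secret committed in clear text to base.py, so anyone with read access to this repository or its history can obtain tokens as the `django` client; the same file already fails fast on `SECRET_KEY = os.environ["SECRET_KEY"]`, and the OIDC secret should follow that pattern, `"SECRET": os.environ["OIDC_SECRET"],`. Because the value is now in git history it must also be rotated on the Dex side, regardless of how later commits clean this up. The issuer and endpoint URLs pin one deployment (`helx-dex-server.apps.renci.org`) in a base settings module shared by every brand; they should come from the environment or a per-deployment settings file as well.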
@@ -178,7 +179,20 @@ SOCIALACCOUNT_QUERY_EMAIL = ACCOUNT_EMAIL_REQUIRED SOCIALACCOUNT_STORE_TOKENS = True SOCIALACCOUNT_PROVIDERS = { - "google": {"SCOPE": ["profile", "email"], "AUTH_PARAMS": {"access_type": "offline"}} + "google": {"SCOPE": ["profile", "email"], "AUTH_PARAMS": {"access_type": "offline"}}, + "openid_connect": { + "APPS": [ + { + "provider_id": "dex", + "name": "Dex IDP", + "client_id": "django", + "secret": "xL4QMryQ_6TrIzYBbpnZt864vFJtD_dkOFQJZmrYIZbV5Gz5LfNdzbFpCYk6aki3dOwrIqnuRhGKmU8WXz757Q", + "settings": { + "server_url": "https://helx-dex-server.apps.renci.org/dex" + }, + } + ] + } } SECURE_CROSS_ORIGIN_OPENER_POLICY = None From 15d5124d8d75baa54eec8462d3e792741ed4a0a9 Mon Sep 17 00:00:00 2001 From: frostyfan109 Date: Wed, 10 Dec 2025 15:04:18 -0500 Subject: [PATCH 08/14] fix providers endpoint, move openid_connect installation --- appstore/api/v1/views.py | 7 ++++--- appstore/appstore/settings/base.py | 4 ++-- 2 files changed, 6 insertions(+), 5 deletions(-) diff --git a/appstore/api/v1/views.py b/appstore/api/v1/views.py index e29089457..9285670ed 100644 --- a/appstore/api/v1/views.py +++ b/appstore/api/v1/views.py @@ -873,11 +873,12 @@ def _get_social_providers(self, request, settings): "allauth.account.auth_backends.AuthenticationBackend" in settings.AUTHENTICATION_BACKENDS ): - for provider in socialaccount.providers.registry.get_class_list(): - inst = provider(request, "allauth.socialaccount") + adapter = socialaccount.adapter.get_adapter(request) + providers = adapter.list_providers(request) + for provider in providers: provider_data.append( asdict( - LoginProvider(inst.name, inst.get_login_url(request)) + LoginProvider(provider.name, provider.get_login_url(request)) ) ) diff --git a/appstore/appstore/settings/base.py b/appstore/appstore/settings/base.py index ec922d18f..7c6659e53 100644 --- a/appstore/appstore/settings/base.py +++ b/appstore/appstore/settings/base.py 
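Review bot: This hunk commits the same Dex client secret as patch 06 in clear text, now under the `APPS` form, and note that patches 06 and 07 both apply on top of `93e8be709` and define `SOCIALACCOUNT_PROVIDERS["openid_connect"]` with incompatible shapes (`SERVERS` vs `APPS`), so only one of them can be in the series (patch 08 builds on this one). The secret should be read from the environment, `"secret": os.environ["OIDC_SECRET"],`, and rotated in Dex since it is already in history. `provider_id`, `name` and `server_url` are likewise pinned to a single deployment in shared base settings.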
@@ -106,8 +106,7 @@ "corsheaders", "crispy_forms", "rest_framework", - "drf_spectacular", - "allauth.socialaccount.providers.openid_connect" + "drf_spectacular" ] ## Setting to allow for a seamless login that was breaking at django-allauth 0.47. @@ -127,6 +126,7 @@ for PROVIDER in OAUTH_PROVIDERS: if PROVIDER != '': THIRD_PARTY_APPS.append(f"allauth.socialaccount.providers.{PROVIDER}") +THIRD_PARTY_APPS.append("allauth.socialaccount.providers.openid_connect") INSTALLED_APPS = DJANGO_APPS + THIRD_PARTY_APPS + LOCAL_APPS From 2b27805aec4caade290ec79625bcb4701f9760fb Mon Sep 17 00:00:00 2001 From: frostyfan109 Date: Wed, 10 Dec 2025 17:35:12 -0500 Subject: [PATCH 09/14] update whitelist required URL --- appstore/appstore/settings/base.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/appstore/appstore/settings/base.py b/appstore/appstore/settings/base.py index 7c6659e53..b057de70b 100644 --- a/appstore/appstore/settings/base.py +++ b/appstore/appstore/settings/base.py @@ -170,7 +170,7 @@ ACCOUNT_LOGOUT_REDIRECT_URL = "/helx" LOGIN_REDIRECT_URL = "/helx/workspaces/login/success" LOGIN_URL = "/accounts/login" -LOGIN_WHITELIST_URL = "/login_whitelist/" +LOGIN_WHITELIST_URL = "/helx/workspaces/login?whitelist_required=true" OIDC_SESSION_MANAGEMENT_ENABLE = True SAML_URL = "/accounts/saml" SAML_ACS_URL = "/saml2_auth/acs/" From 6d7ad5d458824cb8604a3a2750f93d18cd09c74f Mon Sep 17 00:00:00 2001 From: Phil Owen Date: Mon, 9 Feb 2026 13:25:14 -0500 Subject: [PATCH 10/14] restoring file to remove debug settings --- appstore/appstore/settings/base.py | 27 ++++++--------------------- 1 file changed, 6 insertions(+), 21 deletions(-) diff --git a/appstore/appstore/settings/base.py b/appstore/appstore/settings/base.py index b057de70b..9ce9f5b7d 100644 --- a/appstore/appstore/settings/base.py +++ b/appstore/appstore/settings/base.py 
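Review bot: The unconditional `THIRD_PARTY_APPS.append("allauth.socialaccount.providers.openid_connect")` after the loop duplicates the entry whenever `OAUTH_PROVIDERS` also lists `openid_connect`, and Django refuses to start when `INSTALLED_APPS` contains the same app twice (`ImproperlyConfigured: Application labels aren't unique`). It also loads the OIDC provider in deployments that only use GitHub/Google, so its login URL is advertised by the providers endpoint reworked in this same commit. Guard it with `if "allauth.socialaccount.providers.openid_connect" not in THIRD_PARTY_APPS:` before the append, or better, append only when an OIDC app is actually configured.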
@@ -11,27 +11,6 @@ logger = logging.getLogger(__name__) -# SECURITY WARNING: don't run with debug turned on in production! -# Empty quotes equates to false in kubernetes env. -DEBUG_STRING = os.environ.get("DEBUG", "") -if DEBUG_STRING.lower() == "false": - DEBUG_STRING = "" - -DEBUG = bool(DEBUG_STRING) - -if DEBUG: - from product.configuration import ProductSettings, ProductColorScheme - - APPLICATION_BRAND = os.environ.get("BRAND", "") - - PRODUCT_SETTINGS = ProductSettings( - brand=APPLICATION_BRAND, - title=APPLICATION_BRAND, - logo_url=f"/static/images/{APPLICATION_BRAND}/logo.png", - color_scheme=ProductColorScheme("#191348", "#0079bc"), - links=None, - ) - APPSTORE_NESTED_SETTINGS_DIR = Path(__file__).parent.resolve(strict=True) APPSTORE_CONFIG_DIR = APPSTORE_NESTED_SETTINGS_DIR.parent DJANGO_PROJECT_ROOT_DIR = APPSTORE_CONFIG_DIR.parent @@ -56,6 +35,12 @@ # SECURITY WARNING: keep the secret key used in production secret! SECRET_KEY = os.environ["SECRET_KEY"] +# SECURITY WARNING: don't run with debug turned on in production! +# Empty quotes equates to false in kubernetes env. +DEBUG_STRING = os.environ.get("DEBUG", "") +if DEBUG_STRING.lower() == "false": + DEBUG_STRING = "" +DEBUG = bool(DEBUG_STRING) # stub, local, dev, val, prod. DEV_PHASE = os.environ.get("DEV_PHASE", "local") From df085a75c6bb99e16b06abcb808e80df611aa83f Mon Sep 17 00:00:00 2001 From: Phil Owen Date: Mon, 9 Feb 2026 15:46:44 -0500 Subject: [PATCH 11/14] commenting out as it could be useful later though --- appstore/appstore/adapter.py | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/appstore/appstore/adapter.py b/appstore/appstore/adapter.py index 8fd8c93fa..33be39bc6 100644 --- a/appstore/appstore/adapter.py +++ b/appstore/appstore/adapter.py 
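Review bot: The restored `DEBUG = bool(DEBUG_STRING)` turns any non-empty value other than the literal `false` into debug mode, so `DEBUG=0`, `DEBUG=no` or `DEBUG=off` in a Helm values file enables Django's debug pages (settings and traceback dumps) in production. An explicit allow-list is safer and just as short: `DEBUG = os.environ.get("DEBUG", "").strip().lower() in ("1", "true", "yes", "on")`. The existing `# SECURITY WARNING` comment could then add `# only "1"/"true"/"yes"/"on" enable debug` so operators know what the parser accepts.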
@@ -60,10 +60,11 @@ def get_logout_redirect_url(self, request): class SocialAccountAdapter(DefaultSocialAccountAdapter): - def populate_user(self, request, sociallogin, data): - user = super().populate_user(request, sociallogin, data) - print('sociallogin.account.extra_data:', sociallogin.account.extra_data) - return user + # debug commenting out for now. + # def populate_user(self, request, sociallogin, data): + # user = super().populate_user(request, sociallogin, data) + # print('sociallogin.account.extra_data:', sociallogin.account.extra_data) + # return user def on_authentication_error(self, request, provider, error=None, exception=None, extra_context=None): provider_id = provider.id if provider else "unknown" From 92bcd33766a97f718bc8a160002c68b0ec03fb57 Mon Sep 17 00:00:00 2001 From: Phil Owen Date: Tue, 10 Feb 2026 11:47:36 -0500 Subject: [PATCH 12/14] adding code to better support dex deployment --- appstore/appstore/settings/base.py | 45 ++++++++++++++++++------------ 1 file changed, 27 insertions(+), 18 deletions(-) diff --git a/appstore/appstore/settings/base.py b/appstore/appstore/settings/base.py index 910676cff..18b2d50e4 100644 --- a/appstore/appstore/settings/base.py +++ b/appstore/appstore/settings/base.py @@ -108,10 +108,13 @@ ] OAUTH_PROVIDERS = os.environ.get("OAUTH_PROVIDERS", "").split(",") + +# Notes: there are currently 4 types of providers that can be specified: +# ensure openid_connect is selected if the helx deploy is to use Dex +# github,google,openid_connect,cilogon for PROVIDER in OAUTH_PROVIDERS: if PROVIDER != '': THIRD_PARTY_APPS.append(f"allauth.socialaccount.providers.{PROVIDER}") -THIRD_PARTY_APPS.append("allauth.socialaccount.providers.openid_connect") INSTALLED_APPS = DJANGO_APPS + THIRD_PARTY_APPS + LOCAL_APPS 
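Review bot: The `populate_user` override is commented out rather than removed, which leaves a dead `print` of `sociallogin.account.extra_data` (provider profile data, PII) one uncomment away from running in production; delete the lines and let git history keep the reference, as the subject line already justifies. If a debug hook is genuinely wanted, keep it as real code behind the module logger, `logger.debug("social login %s extra_data keys: %s", sociallogin.account.provider, sorted(sociallogin.account.extra_data))`, so it is gated by log level rather than by editing source. `SocialAccountAdapter` continues past the end of this hunk.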
@@ -165,20 +168,26 @@ SOCIALACCOUNT_STORE_TOKENS = True SOCIALACCOUNT_PROVIDERS = { "google": {"SCOPE": ["profile", "email"], "AUTH_PARAMS": {"access_type": "offline"}}, - "openid_connect": { - "APPS": [ - { - "provider_id": "dex", - "name": "Dex IDP", - "client_id": "django", - "secret": "xL4QMryQ_6TrIzYBbpnZt864vFJtD_dkOFQJZmrYIZbV5Gz5LfNdzbFpCYk6aki3dOwrIqnuRhGKmU8WXz757Q", - "settings": { - "server_url": "https://helx-dex-server.apps.renci.org/dex" - }, - } - ] - } } + +# TODO: some values need to be parameterized +if 'openid_connect' in OAUTH_PROVIDERS: + SOCIALACCOUNT_PROVIDERS.update( + { + "openid_connect": { + "APPS": [ + { + "provider_id": "dex", + "name": "Dex", + "client_id": "django", + "secret": "xL4QMryQ_6TrIzYBbpnZt864vFJtD_dkOFQJZmrYIZbV5Gz5LfNdzbFpCYk6aki3dOwrIqnuRhGKmU8WXz757Q", + "settings": { "server_url": "https://helx-dex-server.apps.renci.org/dex" } + } + ] + } + } + ) + SECURE_CROSS_ORIGIN_OPENER_POLICY = None TEMPLATES = [ @@ -388,10 +397,10 @@ ] CSRF_TRUSTED_ORIGINS += [ - "https://localhost:3000", - "https://127.0.0.1:3000", - "http://localhost:3000", - "http://127.0.0.1:3000", + "https://localhost", + "https://127.0.0.1", + "http://localhost", + "http://127.0.0.1", ] CORS_ALLOWED_ORIGINS = [ From 55b6ab22404cb46b748a11244de7da78d535d061 Mon Sep 17 00:00:00 2001 From: Phil Owen Date: Wed, 11 Feb 2026 16:17:53 -0500 Subject: [PATCH 13/14] changing the way oidc is handled. there is now a generic OIDC settings bank that is used to declare a provider like Dex --- appstore/appstore/settings/base.py | 78 +++++++++++++++++------------- 1 file changed, 44 insertions(+), 34 deletions(-) diff --git a/appstore/appstore/settings/base.py b/appstore/appstore/settings/base.py index 18b2d50e4..d4da717a5 100644 --- a/appstore/appstore/settings/base.py +++ b/appstore/appstore/settings/base.py 
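Review bot: The `secret` inside the new `if 'openid_connect' in OAUTH_PROVIDERS:` block is still the clear-text Dex client secret first committed in patch 06, and the `# TODO: some values need to be parameterized` marker does not reduce the exposure: every clone of this branch carries a credential that can obtain tokens as the `django` client. Read it from the environment now, `"secret": os.environ["OIDC_SECRET"],`, and rotate it in Dex since it has been in history since December. The gating condition also means a deployment that sets `OAUTH_PROVIDERS=dex` (the spelling patch 06 expected) silently gets no OIDC provider; the comment above the loop should state that the value must literally be `openid_connect`.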
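Review bot: Replacing `http://localhost:3000` with `http://localhost` in `CSRF_TRUSTED_ORIGINS` is a behaviour change in a base settings module that every deployment inherits, not a Dex-related one, and the commit message does not mention it. Since Django 4.0 a trusted origin must match scheme and host:port exactly, so the port-less entries stop matching a dev frontend on :3000 while newly trusting whatever answers on the default ports, and the `http://` variants relax the check for plaintext origins in production as well. Dev-only origins belong in a development settings module; if they must stay in base.py, keep the explicit port and document it with `# dev frontend only; must match scheme+host:port exactly (Django >= 4.0)`.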
@@ -46,11 +46,11 @@ DEV_PHASE = os.environ.get("DEV_PHASE", "local") TYCHO_MODE = os.environ.get("TYCHO_MODE", "null" if DEV_PHASE == "stub" else "live") -# Needs to be JSON-encoded since expressions can contain basically any character that would be used as a delimiter. +# Needs to be JSON-encoded since expressions can contain basically any character that would be used as a delimiter. AUTO_WHITELIST_PATTERNS = json.loads(os.environ.get("AUTO_WHITELIST_PATTERNS", "[]")) # Variables used for an external Tycho app registry. -# ToDo: Consider setting the default value of TYCHO_APP_REGISTRY_REPO to +# ToDo: Consider setting the default value of TYCHO_APP_REGISTRY_REPO to # "https://github.com/helxplatform/helx-apps/raw" and remove any other similar # variable. Maybe don't set and raise a fatal error if not set (still remove # other similar variables). 
@@ -107,15 +107,50 @@ "tycho", ] +ACCOUNT_EMAIL_REQUIRED = True + +SOCIALACCOUNT_ADAPTER = "appstore.adapter.SocialAccountAdapter" +SOCIALACCOUNT_QUERY_EMAIL = ACCOUNT_EMAIL_REQUIRED +SOCIALACCOUNT_STORE_TOKENS = True +SOCIALACCOUNT_PROVIDERS = { + "google": {"SCOPE": ["profile", "email"], "AUTH_PARAMS": {"access_type": "offline"}}, +} + OAUTH_PROVIDERS = os.environ.get("OAUTH_PROVIDERS", "").split(",") -# Notes: there are currently 4 types of providers that can be specified: -# ensure openid_connect is selected if the helx deploy is to use Dex -# github,google,openid_connect,cilogon +# Notes: there are currently 3 types of SSO providers that can be specified: +# github,google,cilogon for PROVIDER in OAUTH_PROVIDERS: if PROVIDER != '': THIRD_PARTY_APPS.append(f"allauth.socialaccount.providers.{PROVIDER}") +# get the OIDC name if exists +OIDC_NAME = os.environ.get("OIDC_NAME", "") + +# add in the OIDC params +if OIDC_NAME != "": + # add the oidc provider to the django config + THIRD_PARTY_APPS.append(f"allauth.socialaccount.providers.openid_connect") + + # get the rest of the OIDC parameters + OIDC_CLIENT_ID = os.environ.get("OIDC_CLIENT_ID","") + OIDC_SECRET = os.environ.get("OIDC_SECRET","") + OIDC_SERVER_URL = os.environ.get("OIDC_SERVER_URL","") + + SOCIALACCOUNT_PROVIDERS.update( + { + "openid_connect": { + "APPS": [ + { + "provider_id": OIDC_NAME, + "name": OIDC_NAME, + "client_id": OIDC_CLIENT_ID, + "secret": OIDC_SECRET, + "settings": { "server_url": OIDC_SERVER_URL } + }] + } + }) + INSTALLED_APPS = DJANGO_APPS + THIRD_PARTY_APPS + LOCAL_APPS WSGI_APPLICATION = "appstore.wsgi.application" @@ -150,7 +185,6 @@ ACCOUNT_ADAPTER = "appstore.adapter.LoginRedirectAdapter" ACCOUNT_DEFAULT_HTTP_PROTOCOL = os.environ.get("ACCOUNT_DEFAULT_HTTP_PROTOCOL", "http") -ACCOUNT_EMAIL_REQUIRED = True ACCOUNT_EMAIL_CONFIRMATION_EXPIRE_DAYS = 1 ACCOUNT_EMAIL_VERIFICATION = "none" ACCOUNT_RATE_LIMITS= {'login_failed':10} 
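Review bot: `OIDC_CLIENT_ID`, `OIDC_SECRET` and `OIDC_SERVER_URL` default to `""` inside the `if OIDC_NAME != "":` block, so a deployment that sets `OIDC_NAME` but forgets the secret or server URL starts up with an OIDC app whose client secret and `server_url` are empty strings and only fails at the first login; the module already fails fast on `SECRET_KEY = os.environ["SECRET_KEY"]`, so do the same here: `OIDC_CLIENT_ID = os.environ["OIDC_CLIENT_ID"]`, `OIDC_SECRET = os.environ["OIDC_SECRET"]`, `OIDC_SERVER_URL = os.environ["OIDC_SERVER_URL"]`. `OIDC_NAME` doubles as allauth's `provider_id`, which presumably ends up in the callback URL path, so it should be validated against a simple slug pattern or at least documented as such in the README table this series extends. The Dex secret this parameterization replaces has been in the tree since patch 06 and must still be rotated. Minor: `f"allauth.socialaccount.providers.openid_connect"` has no placeholders and should be a plain string literal.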
@@ -163,30 +197,6 @@ SAML_URL = "/accounts/saml" SAML_ACS_URL = "/saml2_auth/acs/" #SAML_ACS_URL = "/sso/acs/" -SOCIALACCOUNT_ADAPTER = "appstore.adapter.SocialAccountAdapter" -SOCIALACCOUNT_QUERY_EMAIL = ACCOUNT_EMAIL_REQUIRED -SOCIALACCOUNT_STORE_TOKENS = True -SOCIALACCOUNT_PROVIDERS = { - "google": {"SCOPE": ["profile", "email"], "AUTH_PARAMS": {"access_type": "offline"}}, -} - -# TODO: some values need to be parameterized -if 'openid_connect' in OAUTH_PROVIDERS: - SOCIALACCOUNT_PROVIDERS.update( - { - "openid_connect": { - "APPS": [ - { - "provider_id": "dex", - "name": "Dex", - "client_id": "django", - "secret": "xL4QMryQ_6TrIzYBbpnZt864vFJtD_dkOFQJZmrYIZbV5Gz5LfNdzbFpCYk6aki3dOwrIqnuRhGKmU8WXz757Q", - "settings": { "server_url": "https://helx-dex-server.apps.renci.org/dex" } - } - ] - } - } - ) SECURE_CROSS_ORIGIN_OPENER_POLICY = None @@ -397,10 +407,10 @@ ] CSRF_TRUSTED_ORIGINS += [ - "https://localhost", - "https://127.0.0.1", - "http://localhost", - "http://127.0.0.1", + "https://localhost:3000", + "https://127.0.0.1:3000", + "http://localhost:3000", + "http://127.0.0.1:3000", ] CORS_ALLOWED_ORIGINS = [ From 286aca20bf753d62b64cb5119d086931c0f52728 Mon Sep 17 00:00:00 2001 From: Phil Owen Date: Wed, 18 Feb 2026 16:14:27 -0500 Subject: [PATCH 14/14] adding SOCIALACCOUNT_EMAIL_AUTHENTICATION_AUTO_CONNECT = True --- appstore/appstore/settings/base.py | 2 ++ 1 file changed, 2 insertions(+) diff --git a/appstore/appstore/settings/base.py b/appstore/appstore/settings/base.py index d4da717a5..4f5a5bc54 100644 --- a/appstore/appstore/settings/base.py +++ b/appstore/appstore/settings/base.py @@ -112,6 +112,8 @@ SOCIALACCOUNT_ADAPTER = "appstore.adapter.SocialAccountAdapter" SOCIALACCOUNT_QUERY_EMAIL = ACCOUNT_EMAIL_REQUIRED SOCIALACCOUNT_STORE_TOKENS = True +SOCIALACCOUNT_EMAIL_AUTHENTICATION_AUTO_CONNECT = True + SOCIALACCOUNT_PROVIDERS = { "google": {"SCOPE": ["profile", "email"], "AUTH_PARAMS": {"access_type": "offline"}}, }
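Review bot: `SOCIALACCOUNT_EMAIL_AUTHENTICATION_AUTO_CONNECT = True` links a social login to an existing local account purely on e-mail match, which is an account-takeover path if any configured provider supplies e-mails it has not verified; with `ACCOUNT_EMAIL_VERIFICATION = "none"` visible in patch 13's context, local e-mails are never verified either, so the match is only as trustworthy as the weakest of GitHub, Google, CILogon and now an arbitrary OIDC server. As I recall allauth only honours this setting when `SOCIALACCOUNT_EMAIL_AUTHENTICATION` is also enabled, which this series does not set, so either the line is inert or it is enabled outside this diff; confirm which. If it is active, record the decision above the line, e.g. `# Auto-link social logins to local accounts by e-mail; relies on every provider enforcing e-mail verification (see per-provider VERIFIED_EMAIL handling)`, and make sure the OIDC provider's `email_verified` claim is required rather than assumed.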