VCST-1415: Platform as OpenID Provider (#2)

feat: Add support for multiple identity providers (#2)
feat: Add more options (#2)
feat: Add default values to options (#2)
feat: Cleanup and multiple improvements (#2)

.deployment/module/cloudDeploy.json

@@ -1,5 +1,5 @@
 {
-    "artifactKey": "VirtoCommerce.Customer",
+    "artifactKey": "VirtoCommerce.OpenIdConnectModule",
     "deployRepo": "vc-deploy-dev",
     "cmPath": "backend/packages.json",
     "dev": {

.editorconfig

@@ -102,7 +102,7 @@ csharp_preserve_single_line_statements = false
 csharp_preserve_single_line_blocks = true
 csharp_using_directive_placement = outside_namespace:silent
 csharp_prefer_simple_using_statement = true:suggestion
-csharp_style_namespace_declarations = block_scoped:silent
+csharp_style_namespace_declarations = file_scoped:silent
 csharp_style_prefer_method_group_conversion = true:silent
 csharp_style_prefer_top_level_statements = true:silent
 csharp_style_expression_bodied_lambdas = true:silent

.github/CODEOWNERS

@@ -1,8 +1,8 @@
 # Common settings
 
-.github/* @mvktsk @Vectorfield4
-.gitignore @mvktsk @Vectorfield4
-.dockerignore @mvktsk @Vectorfield4
+.github/* @VirtoCommerce/platform
+.gitignore @VirtoCommerce/platform
+.dockerignore @VirtoCommerce/platform
 
 # Main Code and Tests
 
@@ -13,4 +13,4 @@ tests/* @VirtoCommerce/platform
 VirtoCommerce.Platform.sln  @VirtoCommerce/platform
 
 # Docs
-docs/* @zashchitnik-kuka
+docs/* @VirtoCommerce/platform

.github/workflows/module-ci.yml

@@ -1,5 +1,5 @@
-# v3.800.6
-# https://virtocommerce.atlassian.net/browse/VCST-915
+# v3.800.10
+# https://virtocommerce.atlassian.net/browse/VCST-1738
 name: Module CI
 
 on:
@@ -239,9 +239,9 @@ jobs:
 
   module-katalon-tests:
     if: ${{ ((github.ref == 'refs/heads/dev') && (github.event_name == 'push') && (needs.ci.outputs.run-e2e == 'true')) ||
-        (github.event_name == 'workflow_dispatch')}}
+        (github.event_name == 'workflow_dispatch') || (github.base_ref == 'dev') && (github.event_name == 'pull_request') }}
     needs: 'ci'
-    uses: VirtoCommerce/.github/.github/workflows/[email protected].6
+    uses: VirtoCommerce/.github/.github/workflows/[email protected].10
 
     with:
       katalonRepo: 'VirtoCommerce/vc-quality-gate-katalon'
@@ -260,7 +260,7 @@ jobs:
   deploy-cloud:
     if: ${{ (github.ref == 'refs/heads/master' || github.ref == 'refs/heads/main' || github.ref == 'refs/heads/dev') && github.event_name == 'push' }}
     needs: ci
-    uses: VirtoCommerce/.github/.github/workflows/[email protected].6
+    uses: VirtoCommerce/.github/.github/workflows/[email protected].10
     with:
       releaseSource: module
       moduleId: ${{ needs.ci.outputs.moduleId }}

.github/workflows/module-release-hotfix.yml

@@ -1,5 +1,5 @@
-# v3.800.6
-# https://virtocommerce.atlassian.net/browse/VCST-915
+# v3.800.10
+# https://virtocommerce.atlassian.net/browse/VCST-1738
 name: Release hotfix
 
 on:
@@ -13,12 +13,12 @@ on:
 
 jobs:
   test:
-    uses: VirtoCommerce/.github/.github/workflows/[email protected].6
+    uses: VirtoCommerce/.github/.github/workflows/[email protected].10
     secrets:
       sonarToken: ${{ secrets.SONAR_TOKEN }}
 
   build:
-    uses: VirtoCommerce/.github/.github/workflows/[email protected].6    
+    uses: VirtoCommerce/.github/.github/workflows/[email protected].10    
     with:
       uploadPackage: 'true'
       uploadDocker: 'false'
@@ -46,7 +46,7 @@ jobs:
   publish-github-release:
     needs:
       [build, test, get-metadata]
-    uses: VirtoCommerce/.github/.github/workflows/[email protected].6
+    uses: VirtoCommerce/.github/.github/workflows/[email protected].10
     with:
       fullKey: ${{ needs.build.outputs.packageFullKey }}
       changeLog: '${{ needs.get-metadata.outputs.changeLog }}'

.github/workflows/publish-nugets.yml

@@ -1,5 +1,5 @@
-# v3.800.6
-# https://virtocommerce.atlassian.net/browse/VCST-915
+# v3.800.10
+# https://virtocommerce.atlassian.net/browse/VCST-1738
 name: Publish nuget
 
 on:
@@ -13,12 +13,12 @@ on:
 
 jobs:
   test:
-    uses: VirtoCommerce/.github/.github/workflows/[email protected].6    
+    uses: VirtoCommerce/.github/.github/workflows/[email protected].10    
     secrets:
       sonarToken: ${{ secrets.SONAR_TOKEN }}
 
   build:
-    uses: VirtoCommerce/.github/.github/workflows/[email protected].6    
+    uses: VirtoCommerce/.github/.github/workflows/[email protected].10    
     with:
       uploadPackage: 'true'
       uploadDocker: 'false'
@@ -29,7 +29,7 @@ jobs:
   publish-nuget:
     needs:
       [build, test]
-    uses: VirtoCommerce/.github/.github/workflows/[email protected].6    
+    uses: VirtoCommerce/.github/.github/workflows/[email protected].10    
     with:
       fullKey: ${{ needs.build.outputs.packageFullKey }}
       forceGithub: false

.github/workflows/release.yml

@@ -1,12 +1,12 @@
-# v3.800.6
-# https://virtocommerce.atlassian.net/browse/VCST-915
+# v3.800.10
+# https://virtocommerce.atlassian.net/browse/VCST-1738
 name: Release
 
 on:
   workflow_dispatch:
 
 jobs:
   release:
-    uses: VirtoCommerce/.github/.github/workflows/[email protected].6    
+    uses: VirtoCommerce/.github/.github/workflows/[email protected].10    
     secrets:
       envPAT: ${{ secrets.REPO_TOKEN }}

README.md

@@ -11,49 +11,114 @@ OpenID Connect is an identity module on top of the OAuth 2.0 protocol, allowing
 ## Configuration
 The module configuration for OpenID Connect (OIDC) authentication is defined in the appsettings.json file under the `oidc` section. This configuration enables the application to authenticate users using the OIDC protocol. Below are the parameters and their descriptions:
 
-* Enabled: A boolean value indicating whether OIDC authentication is enabled. Set to true to enable.
-* AuthenticationType: Specifies the type of authentication. For OIDC, this should be set to "oidc".
-* Authority: The URL of the OIDC provider. This is the base address of the identity provider, e.g., https://localhost:5001.
-* AuthenticationCaption: A user-friendly name for the authentication method, e.g., "OpenID Connect".
-* ApplicationId: The unique identifier for the application registered with the OIDC provider.
-* ClientId: The client identifier issued to the application by the OIDC provider.
-* ClientSecret: The client secret issued to the application by the OIDC provider. This should be kept confidential.
-* DefaultUserType: Specifies the default user type upon successful authentication, e.g., "Manager".
-* ResponseMode: Defines how the authorization response is returned. Common values are "query" or "fragment".
-* ResponseType: Specifies the type of response expected from the OIDC provider. For example, "code" for authorization code flow.
-* RequireHttpsMetadata: A boolean value indicating whether HTTPS metadata is required. Set to false for development environments.
-* SaveTokens: A boolean value indicating whether to save the tokens received from the OIDC provider.
-* UseTokenLifetime: A boolean value indicating whether to use the token’s lifetime as provided by the OIDC provider.
-* Scope: An array of strings specifying the scopes requested from the OIDC provider, e.g., ["profile", "email"].
-* GetClaimsFromUserInfoEndpoint: A boolean value indicating whether to retrieve additional claims from the user info endpoint.
-* CallbackPath: The path to which the OIDC provider will redirect after authentication, by default "/signin-openid-connect"
+* `Enabled`: A boolean value indicating whether OIDC authentication is enabled. Set to `true` to enable. Default value is `false`.
+* `AuthenticationType`: Specifies the unique name of the authentication method. Default value is `"oidc"`.
+* `AuthenticationCaption`: A user-friendly name for the authentication method. Default value is `"OpenID Connect"`.
+* `AllowCreateNewUser`: A boolean value indicating whether a new user should be created upon successful authentication. Default value is `true`.
+* `DefaultUserType`: Specifies the user type of a new user. Default value is `"Manager"`.
+* `DefaultUserRoles`: Specifies the list of user roles of a new user. Default value is `[]`.
+* `UserNameClaimType`: Specifies the claim type used to retrieve the username. Default value is `"name"`.
+* `EmailClaimType`: Specifies the claim type used to retrieve the email address. Default value is `"email"`.
+* `HasLoginForm`: A boolean value indicating whether to display a dedicated login form or not. Default value is `true`.
+* `Priority`: An integer value specifying the sorting order of the authentication method. Default value is `1`.
+* `LogoUrl`: URL of the logo for the OpenId Connect authentication provider.
+* `Authority`: The URL of the OIDC provider. This is the base address of the identity provider, e.g., https://localhost:5001.
+* `ClientId`: The client identifier issued to the application by the OIDC provider.
+* `ClientSecret`: The client secret issued to the application by the OIDC provider. This should be kept confidential.
+* `Scope`: An array of strings specifying the scopes requested from the OIDC provider. Default value is `["openid", "profile", "email"]`.
+* `ResponseMode`: Defines how the authorization response is returned. Default value is `"form_post"`.
+* `ResponseType`: Specifies the type of response expected from the OIDC provider. Default value is `"id_token"`.
+* `GetClaimsFromUserInfoEndpoint`: A boolean value indicating whether to retrieve additional claims from the user info endpoint.
+* `CallbackPath`: The path to which the OIDC provider will redirect after authentication. Default value is `"/signin-oidc"`.
+* `SignedOutCallbackPath`: The path to which the OIDC provider will redirect after signing out. Default value is `"/signout-callback-oidc"`.
 
-> Note: If you other external sign-in providers installed (Microsoft Entra ID or Google SSO) you need to make sure to use unique callback paths for each provider.
+The list of other parameters can be found in the [OpenIdConnectOptions](https://learn.microsoft.com/en-us/dotnet/api/microsoft.aspnetcore.builder.openidconnectoptions?view=aspnetcore-1.1&viewFallbackFrom=aspnetcore-8.0) documentation.
 
+> [!IMPORTANT] 
+> If you have other external sign-in providers installed (Microsoft Entra ID or Google SSO) you need to make sure to use unique authentication types and callback paths for each provider.
+
+> [!NOTE]
+> The module was designed and tested with this version of the platform [VCST-1415: Platform as authorization server](https://github.com/VirtoCommerce/vc-platform/pull/2809)
+
+### Example settings for Virto Commerce
 ```json
   "oidc": {
     "Enabled": true,
-    "AuthenticationType": "oidc",
+    "AuthenticationType": "virto",
+    "AuthenticationCaption": "Virto Commerce",
     "Authority": "https://localhost:5001",
-    "AuthenticationCaption": "OpenID Connect",
-    "ApplicationId": "cf4cb5a0-17c8-4cde-91fd-f23f0891ae20",
-    "ClientId": "cf4cb5a0-17c8-4cde-91fd-f23f0891ae20",
-    "ClientSecret": "ad724695-ca42-4271-a9ba-636a2d50f7ec",
-    "DefaultUserType": "Manager",
-    "ResponseMode" : "query",
-    "ResponseType" : "code",
-    "RequireHttpsMetadata" : false,
-    "SaveTokens" : true,
-    "UseTokenLifetime" : true,
-    "Scope" : ["profile", "email"],
-    "GetClaimsFromUserInfoEndpoint" : true,
-    "CallbackPath": "/signin-openid-connect"
+    "ClientId": "your-client-id",
+    "ClientSecret": "your-client-secret",
+    "ResponseMode": "query",
+    "ResponseType": "code",
+    "GetClaimsFromUserInfoEndpoint": true
+  }
+```
+
+### Example settings for Google
+```json
+  "oidc": {
+    "Enabled": true,
+    "AuthenticationType": "google",
+    "AuthenticationCaption": "Google",
+    "Authority": "https://accounts.google.com",
+    "ClientId": "your-client-id",
+    "ClientSecret": "your-client-secret",
+    "UserNameClaimType": "email"
   }
 ```
 
-## Known limitation
-1. The module was designed and tested with this version of the platform [VCST-1415: Platform as authorization server](https://github.com/VirtoCommerce/vc-platform/pull/2809)
-2. Supports ResponseMode query only.
+### Example settings for Microsoft
+```json
+  "oidc": {
+    "Enabled": true,
+    "AuthenticationType": "microsoft",
+    "AuthenticationCaption": "Microsoft",
+    "Authority": "https://login.microsoftonline.com/your-tenant-id/v2.0",
+    "ClientId": "your-application-id",
+    "UserNameClaimType": "preferred_username"
+  }
+```
+
+### Example settings for multiple configurations
+```json
+  "oidc": [
+    {
+      "Enabled": true,
+      "AuthenticationType": "virto",
+      "AuthenticationCaption": "Virto Commerce",
+      "Authority": "https://localhost:5001",
+      "ClientId": "your-client-id",
+      "ClientSecret": "your-client-secret",
+      "ResponseMode": "query",
+      "ResponseType": "code",
+      "GetClaimsFromUserInfoEndpoint": true,
+      "CallbackPath": "/signin-virto",
+      "SignedOutCallbackPath": "/signout-virto"
+    },
+    {
+      "Enabled": true,
+      "AuthenticationType": "google",
+      "AuthenticationCaption": "Google",
+      "Authority": "https://accounts.google.com",
+      "ClientId": "your-client-id",
+      "ClientSecret": "your-client-secret",
+      "UserNameClaimType": "email",
+      "CallbackPath": "/signin-google",
+      "SignedOutCallbackPath": "/signout-google"
+    },
+    {
+      "Enabled": true,
+      "AuthenticationType": "microsoft",
+      "AuthenticationCaption": "Microsoft",
+      "Authority": "https://login.microsoftonline.com/your-tenant-id/v2.0",
+      "ClientId": "your-application-id",
+      "UserNameClaimType": "preferred_username",
+      "CallbackPath": "/signin-microsoft",
+      "SignedOutCallbackPath": "/signout-microsoft"
+    }
+  ]
+```
 
 ## License
 Copyright (c) Virto Solutions LTD.  All rights reserved.