Adjusted OIDC system redirect URLs.

Each OIDC client configuraiton can now select which type of redirect URL to use, either /globus and /nh_globus (the old, original style) or /oidc and /nh_oidc (the new entrypoints). The default is to use the new style. Given that existing OIDC clients might still be configured with their acceptable redirect URLs to be only the old globus ones, make sure to set "use_globus_url" to 'true' in oidc.conf.erb to not break your OIDC config.
prioux · Feb 19, 2025 · 64e40ad · 64e40ad
1 parent 880ef63
commit 64e40ad
Show file tree

Hide file tree

Showing 7 changed files with 52 additions and 14 deletions.
diff --git a/BrainPortal/app/controllers/nh_sessions_controller.rb b/BrainPortal/app/controllers/nh_sessions_controller.rb
@@ -35,7 +35,7 @@ def new #:nodoc:
     # Array of enabled OIDC providers configurations
     @oidc_configs   = OidcConfig.all
     # Hash of OIDC uris with the OIDC name as key
-    @oidc_uris      = generate_oidc_login_uri(@oidc_configs, nh_globus_url)
+    @oidc_uris      = generate_oidc_login_uri(@oidc_configs, "nh_route_please")
   end
 
   # POST /nhsessions
@@ -148,7 +148,7 @@ def nh_oidc
     end
 
     # Query an OpenID provider; this returns all the info we need at the same time.
-    identity_struct = oidc_fetch_token(oidc, code, nh_globus_url) # nh_globus_url is generated from routes
+    identity_struct = oidc_fetch_token(oidc, code, oidc_redirect_url(oidc, "nh_route_please"))
     if !identity_struct
       cb_error "Could not fetch your identity information from #{oidc.name}"
     end
@@ -221,7 +221,7 @@ def nh_mandatory_oidc #:nodoc:
     # Array of enabled OIDC providers configurations
     @oidc_configs       = OidcConfig.all
     # Hash of OIDC uris with the OIDC name as key
-    @oidc_uris          = generate_oidc_login_uri(@oidc_configs, nh_globus_url)
+    @oidc_uris          = generate_oidc_login_uri(@oidc_configs, "nh_route_please")
 
     respond_to do |format|
       format.html

diff --git a/BrainPortal/app/controllers/nh_users_controller.rb b/BrainPortal/app/controllers/nh_users_controller.rb
@@ -43,7 +43,7 @@ def myaccount #:nodoc:
     # Array of enabled OIDC providers configurations
     @oidc_configs    = OidcConfig.all
     # Hash of OIDC uris with the OIDC name as key
-    @oidc_uris       = generate_oidc_login_uri(@oidc_configs, nh_globus_url)
+    @oidc_uris       = generate_oidc_login_uri(@oidc_configs, "nh_route_please")
     @orcid_canonical = orcid_canonize(@user.meta[:orcid])
     render :show
   end
@@ -61,7 +61,7 @@ def edit #:nodoc:
     # Array of enabled OIDC providers configurations
     @oidc_configs    = OidcConfig.all
     # Hash of OIDC uris with the OIDC name as key
-    @oidc_uris       = generate_oidc_login_uri(@oidc_configs, nh_globus_url)
+    @oidc_uris       = generate_oidc_login_uri(@oidc_configs, "nh_route_please")
   end
 
   def change_password #:nodoc:

diff --git a/BrainPortal/app/controllers/sessions_controller.rb b/BrainPortal/app/controllers/sessions_controller.rb
@@ -46,7 +46,7 @@ def new #:nodoc:
     # Array of enabled OIDC providers configurations
     @oidc_configs    = OidcConfig.all
     # Hash of OIDC uris with the OIDC name as key
-    @oidc_uris       = generate_oidc_login_uri(@oidc_configs, globus_url)
+    @oidc_uris       = generate_oidc_login_uri(@oidc_configs)
 
     respond_to do |format|
       format.html
@@ -62,7 +62,7 @@ def mandatory_oidc #:nodoc:
     # Array of enabled OIDC providers configurations
     @oidc_configs       = OidcConfig.all
     # Array of URIs to redirect to OIDC providers
-    @oidc_uris          = generate_oidc_login_uri(@oidc_configs, globus_url)
+    @oidc_uris          = generate_oidc_login_uri(@oidc_configs)
 
     respond_to do |format|
       format.html
@@ -81,7 +81,7 @@ def create #:nodoc:
       # Array of enabled OIDC providers configurations
       @oidc_configs   = OidcConfig.all
       # Hash of OIDC uris with the OIDC name as key
-      @oidc_uris      = generate_oidc_login_uri(@oidc_configs, globus_url)
+      @oidc_uris      = generate_oidc_login_uri(@oidc_configs)
 
       auth_failed()
       return
@@ -157,7 +157,7 @@ def oidc
     end
 
     # Query OpenID provider; this returns all the info we need at the same time.
-    identity_struct = oidc_fetch_token(oidc, code, globus_url) # globus_url is generated from routes
+    identity_struct = oidc_fetch_token(oidc, code, oidc_redirect_url(oidc))
     if !identity_struct
       cb_error "Could not fetch your identity information from #{oidc.name}"
     end

diff --git a/BrainPortal/app/controllers/users_controller.rb b/BrainPortal/app/controllers/users_controller.rb
@@ -94,7 +94,7 @@ def show #:nodoc:
     # Array of enabled OIDC providers configurations
     @oidc_configs = OidcConfig.all
     # Hash of OIDC uris with the OIDC name as key
-    @oidc_uris    = generate_oidc_login_uri(@oidc_configs, globus_url)
+    @oidc_uris    = generate_oidc_login_uri(@oidc_configs)
 
     respond_to do |format|
       format.html # show.html.erb

diff --git a/BrainPortal/config/oidc.yml.erb.template b/BrainPortal/config/oidc.yml.erb.template
@@ -50,6 +50,10 @@ Keycloak:
   identity_provider_key:              "sub"
   identity_provider_display_name_key: "aud"
   identity_preferred_username_key:    "preferred_username"
+  # This value is optional. The redirect URLs configured with your provider must match the setting.
+  # If set to false (default), the redirects used are /oidc or /nh_oidc
+  # If set to true, the redirects used are /globus and /nh_globus
+  use_globus_url:                     false
   # These two are optional. Adjust to provide users a link to your actual ID provider!
   help_label:                         "" # "Keycloak"
   help_uri:                           "" # "https://www.keycloak.org/"
@@ -67,6 +71,10 @@ Globus:
   identity_provider_key:              "identity_provider"
   identity_provider_display_name_key: "identity_provider_display_name"
   identity_preferred_username_key:    "username"
+  # This value is optional. The redirect URLs configured with your provider must match the setting.
+  # if false (default), the redirects to use are /oidc or /nh_oidc
+  # if true, the redirects to use are /globus and /nh_globus
+  use_globus_url:                     true # use /globus and /nh_globus (if you really want, instead of /oidc)
   # Optional
   help_label:                         "" # "Globus"
   help_uri:                           "" # "https://testglobus.example.com/"

diff --git a/BrainPortal/lib/globus_helpers.rb b/BrainPortal/lib/globus_helpers.rb
@@ -28,15 +28,43 @@ module GlobusHelpers
 
   Revision_info=CbrainFileRevision[__FILE__] #:nodoc:
 
+  # So we have this mess of four possible redirect URLs:
+  #
+  #   /globus
+  #   /nh_globus
+  #   /oidc
+  #   /nh_oidc
+  #
+  # Originally, we used the 'globus' versions.
+  # The nh versions render the NH interface pages.
+  #
+  # In the future, we'll use the 'oidc' URLs only, which are the
+  # true API entry points. 'globus' is now just an alias.
+  #
+  # But if external identity providers are already configured
+  # with "globus" in their URL, we still want them to work.
+  # So the Oidc config class contains a option select explicitly
+  # for 'globus' instead of the default 'oidc'. And if +nh_mode+ is set,
+  # we use the 'nh_' routes version of each.
+  def oidc_redirect_url(oidc, nh_mode=false)
+    if oidc.use_globus_url.present? #old convention is globus
+      return globus_url if ! nh_mode
+      return nh_globus_url
+    end
+    # New convention is oidc
+    return oidc_url if ! nh_mode
+    return nh_oidc_url
+  end
+
   # Create a URL for a login button, with the redirect URL
   # to call back to.
-  def oidc_login_uri(oidc, redirect_url)
+  def oidc_login_uri(oidc, nh_mode=false)
     # Create the URI to authenticate with OIDC
     oidc_params = {
             :client_id     => oidc.client_id,
             :response_type => 'code',
             :scope         => oidc.scope,
-            :redirect_uri  => redirect_url,  # generated from Rails routes
+            :redirect_uri  => oidc_redirect_url(oidc, nh_mode),  # generated from Rails routes
             :state         => oidc_current_state(oidc), # method is below
     }
 
@@ -216,9 +244,9 @@ def unlink_oidc_identity(oidc, user)
   # Returns a hash table with keys being the names of the OidcConfigs
   # and values being the login URL that includes the redirect callback URL.
   # This is used by the interface to generate login buttons.
-  def generate_oidc_login_uri(oidc_providers, redirect_url)
+  def generate_oidc_login_uri(oidc_providers, nh_mode=false)
     oidc_providers.map do |oidc|
-      [ oidc.name, oidc_login_uri(oidc, redirect_url) ]
+      [ oidc.name, oidc_login_uri(oidc, nh_mode) ]
     end.to_h
   end
 

diff --git a/BrainPortal/lib/oidc_config.rb b/BrainPortal/lib/oidc_config.rb
@@ -37,6 +37,7 @@ class OidcConfig
                 :client_id, # client_secrets are kept in the class
                 :scope,
                 :identity_provider_key, :identity_provider_display_name_key, :identity_preferred_username_key,
+                :use_globus_url,
                 :help_label, :help_uri
 
   REQUIRED_KEYS = %w(
@@ -90,6 +91,7 @@ def self.load_from_file(path=Rails.root + "config/oidc.yml.erb")
       oidc.identity_provider_key              = config[:identity_provider_key]
       oidc.identity_provider_display_name_key = config[:identity_provider_display_name_key]
       oidc.identity_preferred_username_key    = config[:identity_preferred_username_key]
+      oidc.use_globus_url                     = config[:use_globus_url].present?
       oidc.help_label                         = config[:help_label]
       oidc.help_uri                           = config[:help_uri]