OIDC PR#2 --- organization login using OIDC

[ihsaan-ullah]

@ mention of reviewers

@cjh1

A brief description of the purpose of the changes contained in this PR.

Now codabench admin can register organizations for OIDC authentication. Users can then use those organizations to login with their organization credentials

Issues this PR resolves

• [New Feature] OIDC #1298 -> organization authentication

How to test

To test this PR, you need OIDC server.

OIDC_Server setup

1. Unzip this OIDC_Server django app OIDC_Server.zip
2. go to this directory

cd OIDC_Server

3. build the docker image from the Dockerfile

docker build -t oidc .

Codabench

1. Add the following to docker compose yaml file

  #-----------------------------------------------
  #   OIDC Server
  #-----------------------------------------------
  oidc:
    image: oidc
    command: bash -c "cd /app/ && python manage.py runserver 0.0.0.0:9100"  
    ports:
      - 9100:9100
    stdin_open: true
    tty: true
    logging:
      options:
        max-size: "20k"
        max-file: "10"

2. Start codabench server

docker-compose up -d

OIDC client

1. Open this URL in your browser

http://0.0.0.0:9100/

2. Login using these credentials

username: ihsan
password: Ihsan123

3. Open admin interface

http://0.0.0.0:9100/admin/

3. Create a client by adding the following details

• Name: Paris-Saclay
• Response types: code(Authentication Code Flow)
• Redirect URIs: http://localhost/oidc/complete/1/

Once you click save, you will be able to get client ID and client Secret

Codabench

1. Open admin interface

http://localhost/admin/

2. Create a new Auth Organization in Auth_organizations

Input the following information (use the client id and client secret from previous step)

3. Now open login page:

http://localhost/accounts/login/

You will see Login with Pari-Saclay button. Accept terms and conditions and click the button to authenticate with Paris-Saclay server.

4. Reset password
   reset your password and then login using both OIDC login and regular login

Checklist

• Code review by me
• Hand tested by me
• I'm proud of my work
• Code review by reviewer
• Hand tested by reviewer
• CircleCi tests are passing
• Ready to merge

[ihsaan-ullah]

@Didayolo, @bbearce this is now ready for review

[bbearce]

I have it all setup but it's not quite working. Review:

• cloned PR OIDC2
• Migrated DB and collected static
• Built OIDC_Server "oidc" image from the OIDC_Server.zip file
• Added necessary docker-compose code to docker-compose.yaml for oidc section
• Logged into: http://localhost:9100/admin
  • Added Paris-Saclay Client (savaed and retrieved the clientID and clientSecret
• Logged intno Django and made new Auth_organization
  • Named Paris-Saclay and used clientID\clientSecret from oidc container DB records
  • Added urls:
    • http://0.0.0.0:9001/oidc/authorize (also tried http://localhost:9001/oidc/authorize)
    • http://0.0.0.0:9100/token (also tried http://localhost:9100/token)
    • http://0.0.0.0:9100/userinfo (also tried http://0.0.0.0:9100/userinfo)
    • http://localhost/oidc/complete/1/ (also tried http://localhost/oidc/complete/1/)

[bbearce]

I have it all setup but it's not quite working. Review:

• cloned PR OIDC2
• Migrated DB and collected static
• Built OIDC_Server "oidc" image from the OIDC_Server.zip file
• Added necessary docker-compose code to docker-compose.yaml for oidc section
• Logged into: http://localhost:9100/admin
  • Added Paris-Saclay Client (savaed and retrieved the clientID and clientSecret
• Logged intno Django and made new Auth_organization
  • Named Paris-Saclay and used clientID\clientSecret from oidc container DB records
  • Added urls:
    • http://0.0.0.0:9001/oidc/authorize (also tried http://localhost:9001/oidc/authorize)
    • http://0.0.0.0:9100/token (also tried http://localhost:9100/token)
    • http://0.0.0.0:9100/userinfo (also tried http://0.0.0.0:9100/userinfo)
    • http://localhost/oidc/complete/1/ (also tried http://localhost/oidc/complete/1/)

[ihsaan-ullah]

Sorry, my mistake

URLs should be :

• http://0.0.0.0:9100/authorize
• http://oidc:9100/token
• http://oidc:9100/userinfo
• http://localhost/oidc/complete/1/

[bbearce]

Sorry, my mistake

URLs should be :

• http://0.0.0.0:9100/authorize
• http://oidc:9100/token
• http://oidc:9100/userinfo
• http://localhost/oidc/complete/1/

These worked:

• Now that it works, I should review the code at a minimum to double check it.
• Also, I have mostly tested it works from my end and now I need to "understand it"

[ihsaan-ullah]

The terms and condtiions check seems problematic (when you have more than one organization). Besides this I think all should be ok. Please put review comments anywhere you want me to explain something in the code.

Please note that the OIDC_Server app is not part of the feature. All the links and details you have got from that app will be provided by the organization that wants to enable this feature.

[ihsaan-ullah]

Now you should see only one checkbox for all the organization buttons

@bbearce you may want to do a final test