From d4169ac797767f8223384f36f285d5ecefec8f0c Mon Sep 17 00:00:00 2001
From: Cian Hughes
Date: Wed, 4 Jun 2025 12:36:16 +0100
Subject: [PATCH] Attempt to configure oauth properly
---
 Dockerfile | 9 +++----
 docker-compose.yaml | 43 +++++++++++++++++++++------------
 env/invenio.env | 8 ++++++
 invenio.cfg | 59 ++++++++++++++++++++++++---------------------
 4 files changed, 71 insertions(+), 48 deletions(-)
diff --git a/Dockerfile b/Dockerfile
index eefa92a..3d7399c 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -3,10 +3,9 @@ FROM ghcr.io/front-matter/invenio-rdm-starter:v12.0.18.0
 RUN /opt/invenio/.venv/bin/python -m ensurepip
 RUN /opt/invenio/.venv/bin/python -m pip install --upgrade pip
 RUN /opt/invenio/.venv/bin/python -m pip install invenio-theme-iform==2025.6.3
-RUN /opt/invenio/.venv/bin/python -m pip uninstall -y pip
-RUN invenio collect
-RUN apt update -y
-RUN apt upgrade -y
+RUN apt update -y && apt upgrade -y
 RUN apt install -y npm
+RUN invenio collect --verbose
 RUN invenio webpack buildall
-RUN apt remove -y npm
+# RUN apt remove -y npm && apt autoremove -y
+RUN ls -la /opt/invenio/var/instance/static/ || echo "Static directory not found"
diff --git a/docker-compose.yaml b/docker-compose.yaml
index 2e7373e..f8386b0 100644
--- a/docker-compose.yaml
+++ b/docker-compose.yaml
@@ -12,7 +12,7 @@ services:
 volumes:
 - caddy_data:/data
 - ./caddy/${COMPOSE_PROFILES}:/etc/caddy
- site_data:/var/www:ro
+ static_files:/var/www/static:ro
 restart: unless-stopped
 labels:
 - "io.containers.autoupdate=registry"
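Review bot: The build tooling now stays in the runtime image: `RUN apt remove -y npm` is commented out and the `pip uninstall -y pip` step was dropped, so npm, pip and the apt package lists all ship in the final layers, which enlarges both the image and its attack surface. If the runtime does not need npm (the webpack build is a build-time step, as far as this Dockerfile shows), chain the cleanup onto the build so it lands in the same layer: `RUN invenio webpack buildall && apt remove -y npm && apt autoremove -y && rm -rf /var/lib/apt/lists/*`. The trailing `RUN ls -la ... || echo "Static directory not found"` can never fail the build because of the `|| echo`, so it is a debugging aid rather than a check; either remove it or make it assert the directory exists, e.g. `RUN test -d /opt/invenio/var/instance/static`.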
@@ -24,9 +24,9 @@ services:
 volumes:
 - uploaded_data:/opt/invenio/var/instance/data
 - archived_data:/opt/invenio/var/instance/archive
- - site_data:/opt/invenio/var/instance/
- # - ./invenio_assets:/opt/invenio/var/instance/static/custom_assets # Add static assets for theming
- # - ./invenio.cfg:/opt/invenio/var/instance/invenio.cfg # Override the config with our custom one
+ - static_files:/opt/invenio/var/instance/static
+ - ./invenio_assets:/opt/invenio/var/instance/static/custom_assets
+ - ./invenio.cfg:/opt/invenio/var/instance/invenio.cfg
 environment:
 - INVENIO_THEME_LOGO
 - INVENIO_THEME_FRONTPAGE_TITLE
@@ -60,7 +60,11 @@ services:
 - INVENIO_MAIL_SUPPRESS_SEND
 - INVENIO_SECURITY_EMAIL_SENDER
 - INVENIO_ACCOUNTS_LOCAL_LOGIN_ENABLED
- - INVENIO_GITHUB_APP_CREDENTIALS
+ - INVENIO_OAUTHCLIENT_REMOTE_APPS
+ - INVENIO_ORCID_APP_CREDENTIALS_CONSUMER_KEY=${INVENIO_ORCID_CLIENT_ID}
+ - INVENIO_ORCID_APP_CREDENTIALS_CONSUMER_SECRET=${INVENIO_ORCID_SECRET}
+ - INVENIO_GITHUB_APP_CREDENTIALS_CONSUMER_KEY=${INVENIO_GITHUB_CLIENT_ID}
+ - INVENIO_GITHUB_APP_CREDENTIALS_CONSUMER_SECRET=${INVENIO_GITHUB_SECRET}
 - INVENIO_OAISERVER_ID_PREFIX
 - INVENIO_FILES_REST_STORAGE_FACTORY
 - INVENIO_S3_ENDPOINT_URL
@@ -84,7 +88,6 @@ services:
 condition: service_started
 worker:
 command: "celery -A invenio_app.celery worker --beat --events --loglevel=WARNING"
- # command: "sh"
 build:
 context: .
 networks:
@@ -173,10 +176,8 @@ services:
 ports:
 - "9200:9200"
 - "9600:9600"
-
- # Test SAML for development
 oauth2-proxy:
- image: quay.io/oauth2-proxy/oauth2-proxy:latest
+ image: quay.io/oauth2-proxy/oauth2-proxy:latest-alpine
 profiles:
 - development
 ports:
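Review bot: The new bind mounts `./invenio.cfg:/opt/invenio/var/instance/invenio.cfg` and `./invenio_assets:/opt/invenio/var/instance/static/custom_assets` are writable from inside the web container, while the Caddy mount in the same file is `:ro`. The application has no reason to rewrite its own configuration at runtime, and a writable config file is exactly what a compromised process would reach for to persist, so mount it read-only: `- ./invenio.cfg:/opt/invenio/var/instance/invenio.cfg:ro`. The assets directory can presumably be `:ro` as well unless `invenio collect` writes into it at start-up; confirm before adding the flag there.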
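Review bot: Passing `INVENIO_OAUTHCLIENT_REMOTE_APPS` through from the host environment is risky: invenio.cfg in this same patch builds that setting as a dict of remote-app objects, and environment variables are applied after invenio.cfg, so any stray value on the host replaces the dict with a string and breaks every OAuth login; drop that line unless it is set deliberately. The GitHub consumer key and secret are still forwarded even though the `github` remote app was removed from `OAUTHCLIENT_REMOTE_APPS` in invenio.cfg, so either remove those two lines or re-register the app; unused secrets in a container environment are pure exposure. Note that anything in `environment:` is readable via `docker inspect` and `/proc/<pid>/environ` by anyone with access to the host or the container, so for production the ORCID secret is better supplied through a secrets mechanism or a restricted `env_file` than through interpolated variables.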
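Review bot: `image: quay.io/oauth2-proxy/oauth2-proxy:latest-alpine` is a floating tag, so each `compose pull` can silently change the proxy that fronts the development login flow and makes test results non-reproducible. Pin a released version tag (`vX.Y.Z-alpine`) or an `@sha256:` digest, as is already done for the `invenio-rdm-starter` base image in the Dockerfile. This only affects the `development` profile, but the pattern tends to get copied.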
@@ -184,24 +185,34 @@ services:
 environment:
 - OAUTH2_PROXY_PROVIDER=oidc
 - OAUTH2_PROXY_OIDC_ISSUER_URL=http://saml-idp:8080/simplesaml/saml2/idp
- - OAUTH2_PROXY_CLIENT_ID=your-client-id
- - OAUTH2_PROXY_CLIENT_SECRET=your-client-secret
- - OAUTH2_PROXY_COOKIE_SECRET=${OAUTH2_PROXY_COOKIE_SECRET}
+ - OAUTH2_PROXY_CLIENT_ID=test-client
+ - OAUTH2_PROXY_CLIENT_SECRET=test-secret
+ - OAUTH2_PROXY_COOKIE_SECRET
 - OAUTH2_PROXY_EMAIL_DOMAINS=*
 - OAUTH2_PROXY_UPSTREAM=http://caddy:80
 - OAUTH2_PROXY_HTTP_ADDRESS=0.0.0.0:4180
 - OAUTH2_PROXY_REDIRECT_URL=http://localhost:4180/oauth2/callback
+ - OAUTH2_PROXY_SKIP_PROVIDER_BUTTON=false
+ - OAUTH2_PROXY_INSECURE_OIDC_ALLOW_UNVERIFIED_EMAIL=true
+ - OAUTH2_PROXY_PASS_ACCESS_TOKEN=true
+ - OAUTH2_PROXY_PASS_USER_HEADERS=true
+ - OAUTH2_PROXY_SET_XAUTHREQUEST=true
+ - OAUTH2_PROXY_SKIP_AUTH_REGEX=^/health$
 depends_on:
- - saml-idp
- caddy
+ mock-oauth2:
+ condition: service_healthy
+ caddy:
+ condition: service_started
 networks:
 - invenio-network
+
+ # Mock OAuth2 server for development
 saml-idp:
 image: kristophjunge/test-saml-idp:latest
 profiles:
 - development
 ports:
- - "8080:8080"
+ - "8090:8080"
 environment:
 - SIMPLESAMLPHP_SP_ENTITY_ID=http://localhost:4180
 - SIMPLESAMLPHP_SP_ASSERTION_CONSUMER_SERVICE=http://localhost:4180/oauth2/callback
@@ -217,7 +228,7 @@ volumes:
 app_data:
 uploaded_data:
 archived_data:
- site_data:
+ static_files:
 postgres_data:
 opensearch_data:
 valkey_data:
diff --git a/env/invenio.env b/env/invenio.env
index f8dd925..d0fe07a 100644
--- a/env/invenio.env
+++ b/env/invenio.env
@@ -70,3 +70,11 @@ INVENIO_SEARCH_INDEX_PREFIX=invenio-rdm-
 # Logging
 INVENIO_LOGGING_CONSOLE_LEVEL=WARNING
+# OAuth Client Settings
+INVENIO_OAUTHCLIENT_AUTO_REDIRECT_TO_EXTERNAL_LOGIN=false
+INVENIO_ACCOUNTS_LOGIN_VIEW_FUNCTION=auto_redirect_login
+
+# Theme Configuration for I-Form
+INVENIO_THEME_IFORM_PRODUCTION=false
+INVENIO_THEME_IFORM_CONTACT_FORM=true
+INVENIO_THEME_IFORM_SUPPORT_EMAIL=support@i-form.ie
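Review bot: `depends_on` now waits for `mock-oauth2` with `condition: service_healthy`, but no `mock-oauth2` service is defined anywhere in this diff (the "Mock OAuth2 server for development" comment was placed above `saml-idp`), so unless it exists elsewhere in the file Compose will reject the configuration for the development profile; either add that service or point the dependency back at `saml-idp:` with `condition: service_started` (it has no healthcheck here). `OAUTH2_PROXY_OIDC_ISSUER_URL` still names the SimpleSAMLphp SAML IdP path, which presumably does not serve `.well-known/openid-configuration`, so OIDC discovery by the proxy is likely to fail regardless; confirm against the mock you intend to run. The fixed `test-client`/`test-secret`, `OAUTH2_PROXY_EMAIL_DOMAINS=*` and `OAUTH2_PROXY_INSECURE_OIDC_ALLOW_UNVERIFIED_EMAIL=true` are tolerable only because this service sits under the `development` profile; a comment above the block, `# development only: fixed test credentials, any e-mail domain, unverified e-mail accepted`, would stop them being copied into a production profile.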
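Review bot: `INVENIO_ACCOUNTS_LOGIN_VIEW_FUNCTION=auto_redirect_login` conflicts with the `ACCOUNTS_LOGIN_VIEW_FUNCTION = auto_redirect_login` assignment this patch adds to invenio.cfg: environment variables are applied after invenio.cfg, so the callable is replaced by the string `"auto_redirect_login"`, which invenio-accounts cannot register as a view; delete this line and keep the assignment in invenio.cfg. The lowercase `false` values are a second problem: as far as I know invenio-config evaluates values with `ast.literal_eval`, which accepts `False` but not `false`, so `OAUTHCLIENT_AUTO_REDIRECT_TO_EXTERNAL_LOGIN` and `THEME_IFORM_PRODUCTION` become the truthy string `"false"`, and the login page would then auto-redirect to ORCID — the opposite of what the comment in invenio.cfg says is intended. Write `INVENIO_OAUTHCLIENT_AUTO_REDIRECT_TO_EXTERNAL_LOGIN=False` and `INVENIO_THEME_IFORM_PRODUCTION=False` (and `True` for the contact-form flag) so they parse as booleans.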
diff --git a/invenio.cfg b/invenio.cfg
index 4c96a73..7750c44 100644
--- a/invenio.cfg
+++ b/invenio.cfg
@@ -64,6 +64,8 @@ from invenio_records_permissions.generators import (
 IfConfig,
 SystemProcess,
 )
+from invenio_oauthclient.contrib.orcid import ORCIDOAuthSettingsHelper
+from invenio_oauthclient.views.client import auto_redirect_login
 def _(x): # needed to avoid start time failure with lazy strings
@@ -561,39 +563,42 @@ COMMUNITIES_ADMINISTRATION_DISABLED = False
 # -------------------
 # See https://github.com/inveniosoftware/invenio-oauthclient/blob/master/invenio_oauthclient/config.py
-# from invenio_oauthclient.contrib.orcid import ORCIDOAuthSettingsHelper
-# from invenio_github.oauth.remote_app import github_app as github_remote_app
-#
-# _orcid_app = ORCIDOAuthSettingsHelper(
-# title="ORCID",
-# description="ORCID - Connecting Research and Researchers.",
-# base_url="https://pub.orcid.org/",
-# access_token_url="https://orcid.org/oauth/token",
-# authorize_url="https://orcid.org/oauth/authorize#show_login",
-# )
-#
-# OAUTHCLIENT_REMOTE_APPS = {
-# "orcid": _orcid_app.remote_app,
-# "github": github_remote_app,
-# }
-#
-# # Set via env variable
+# ORCID OAuth Configuration
+_orcid_app = ORCIDOAuthSettingsHelper(
+ title="ORCID",
+ description="ORCID - Connecting Research and Researchers.",
+ base_url="https://pub.orcid.org/",
+ access_token_url="https://orcid.org/oauth/token",
+ authorize_url="https://orcid.org/oauth/authorize#show_login",
+)
+
+# OAuth Remote Apps Configuration
+OAUTHCLIENT_REMOTE_APPS = {
+ "orcid": _orcid_app.remote_app,
+}
+
+# OAuth App Credentials (set via environment variables)
 # ORCID_APP_CREDENTIALS = {
-# "consumer_key": "CHANGE ME",
-# "consumer_secret": "CHANGE ME",
+# "consumer_key": "", # Set via INVENIO_ORCID_APP_CREDENTIALS_CONSUMER_KEY
+# "consumer_secret": "", # Set via INVENIO_ORCID_APP_CREDENTIALS_CONSUMER_SECRET
 # }
+
 # GITHUB_APP_CREDENTIALS = {
 # "consumer_key": "CHANGE ME",
 # "consumer_secret": "CHANGE",
 # }
-#
-# from invenio_oauthclient.views.client import auto_redirect_login
-# ACCOUNTS_LOGIN_VIEW_FUNCTION = auto_redirect_login # autoredirect to external login if enabled
-# OAUTHCLIENT_AUTO_REDIRECT_TO_EXTERNAL_LOGIN = False # autoredirect to external login
-#
-# # Invenio-UserProfiles
-# # --------------------
-# USERPROFILES_READ_ONLY = False # allow users to change profile info (name, email, etc...)
+
+ACCOUNTS_LOGIN_VIEW_FUNCTION = (
+ auto_redirect_login # autoredirect to external login if enabled
+)
+OAUTHCLIENT_AUTO_REDIRECT_TO_EXTERNAL_LOGIN = False # autoredirect to external login
+
+# Invenio-UserProfiles
+# --------------------
+USERPROFILES_READ_ONLY = (
+ False # allow users to change profile info (name, email, etc...)
+)
+USERPROFILES_EXTEND_SECURITY_FORMS = True
 # OAI-PMH
 # =======
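Review bot: `OAUTHCLIENT_REMOTE_APPS` now registers the ORCID app, but `ORCID_APP_CREDENTIALS` is left commented out, so nothing in this file supplies the consumer key and secret the remote app needs at token exchange; the stub's comments say they arrive as `INVENIO_ORCID_APP_CREDENTIALS_CONSUMER_KEY`/`_CONSUMER_SECRET`, yet as far as I know invenio-config strips the prefix and stores each variable as a flat key of that name, never assembling the nested dict. Make the requirement explicit here instead of in a comment: `ORCID_APP_CREDENTIALS = {"consumer_key": os.environ.get("INVENIO_ORCID_APP_CREDENTIALS_CONSUMER_KEY", ""), "consumer_secret": os.environ.get("INVENIO_ORCID_APP_CREDENTIALS_CONSUMER_SECRET", "")}` (this needs `import os` near the top of invenio.cfg, outside this hunk, if it is not already there). The commented `GITHUB_APP_CREDENTIALS` block with its `"CHANGE ME"` placeholders is now dead, since the github remote app was dropped from `OAUTHCLIENT_REMOTE_APPS`; remove it rather than leave a stub that invites copying real secrets into the file. The trailing comment `# autoredirect to external login` on a line that sets the flag to `False` reads as the opposite of what it does; `# False: show the local login page; True sends users straight to ORCID` states the actual effect.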