Attempt to configure oauth properly

Dockerfile

@@ -3,10 +3,9 @@ FROM ghcr.io/front-matter/invenio-rdm-starter:v12.0.18.0
 RUN /opt/invenio/.venv/bin/python -m ensurepip
 RUN /opt/invenio/.venv/bin/python -m pip install --upgrade pip
 RUN /opt/invenio/.venv/bin/python -m pip install invenio-theme-iform==2025.6.3
-RUN /opt/invenio/.venv/bin/python -m pip uninstall -y pip
+RUN apt update -y && apt upgrade -y
-RUN invenio collect
-RUN apt update -y
-RUN apt upgrade -y
 RUN apt install -y npm
+RUN invenio collect --verbose
 RUN invenio webpack buildall
-RUN apt remove -y npm
+# RUN apt remove -y npm && apt autoremove -y
+RUN ls -la /opt/invenio/var/instance/static/ || echo "Static directory not found"

docker-compose.yaml

@@ -12,7 +12,7 @@ services:
         volumes:
             - caddy_data:/data
             - ./caddy/${COMPOSE_PROFILES}:/etc/caddy
-            - site_data:/var/www:ro
+            - static_files:/var/www/static:ro
         restart: unless-stopped
         labels:
             - "io.containers.autoupdate=registry"
@@ -24,9 +24,9 @@ services:
         volumes:
             - uploaded_data:/opt/invenio/var/instance/data
             - archived_data:/opt/invenio/var/instance/archive
-            - site_data:/opt/invenio/var/instance/
+            - static_files:/opt/invenio/var/instance/static
-            # - ./invenio_assets:/opt/invenio/var/instance/static/custom_assets # Add static assets for theming
+            - ./invenio_assets:/opt/invenio/var/instance/static/custom_assets
-            # - ./invenio.cfg:/opt/invenio/var/instance/invenio.cfg # Override the config with our custom one
+            - ./invenio.cfg:/opt/invenio/var/instance/invenio.cfg
         environment:
             - INVENIO_THEME_LOGO
             - INVENIO_THEME_FRONTPAGE_TITLE
@@ -60,7 +60,11 @@ services:
             - INVENIO_MAIL_SUPPRESS_SEND
             - INVENIO_SECURITY_EMAIL_SENDER
             - INVENIO_ACCOUNTS_LOCAL_LOGIN_ENABLED
-            - INVENIO_GITHUB_APP_CREDENTIALS
+            - INVENIO_OAUTHCLIENT_REMOTE_APPS
+            - INVENIO_ORCID_APP_CREDENTIALS_CONSUMER_KEY=${INVENIO_ORCID_CLIENT_ID}
+            - INVENIO_ORCID_APP_CREDENTIALS_CONSUMER_SECRET=${INVENIO_ORCID_SECRET}
+            - INVENIO_GITHUB_APP_CREDENTIALS_CONSUMER_KEY=${INVENIO_GITHUB_CLIENT_ID}
+            - INVENIO_GITHUB_APP_CREDENTIALS_CONSUMER_SECRET=${INVENIO_GITHUB_SECRET}
             - INVENIO_OAISERVER_ID_PREFIX
             - INVENIO_FILES_REST_STORAGE_FACTORY
             - INVENIO_S3_ENDPOINT_URL
@@ -84,7 +88,6 @@ services:
                 condition: service_started
     worker:
         command: "celery -A invenio_app.celery worker --beat --events --loglevel=WARNING"
-        # command: "sh"
         build:
             context: .
         networks:
@@ -173,10 +176,8 @@ services:
         ports:
             - "9200:9200"
             - "9600:9600"
-
-    # Test SAML for development
     oauth2-proxy:
-        image: quay.io/oauth2-proxy/oauth2-proxy:latest
+        image: quay.io/oauth2-proxy/oauth2-proxy:latest-alpine
         profiles:
             - development
         ports:
@@ -184,24 +185,34 @@ services:
         environment:
             - OAUTH2_PROXY_PROVIDER=oidc
             - OAUTH2_PROXY_OIDC_ISSUER_URL=http://saml-idp:8080/simplesaml/saml2/idp
-            - OAUTH2_PROXY_CLIENT_ID=your-client-id
+            - OAUTH2_PROXY_CLIENT_ID=test-client
-            - OAUTH2_PROXY_CLIENT_SECRET=your-client-secret
+            - OAUTH2_PROXY_CLIENT_SECRET=test-secret
-            - OAUTH2_PROXY_COOKIE_SECRET=${OAUTH2_PROXY_COOKIE_SECRET}
+            - OAUTH2_PROXY_COOKIE_SECRET
             - OAUTH2_PROXY_EMAIL_DOMAINS=*
             - OAUTH2_PROXY_UPSTREAM=http://caddy:80
             - OAUTH2_PROXY_HTTP_ADDRESS=0.0.0.0:4180
             - OAUTH2_PROXY_REDIRECT_URL=http://localhost:4180/oauth2/callback
+            - OAUTH2_PROXY_SKIP_PROVIDER_BUTTON=false
+            - OAUTH2_PROXY_INSECURE_OIDC_ALLOW_UNVERIFIED_EMAIL=true
+            - OAUTH2_PROXY_PASS_ACCESS_TOKEN=true
+            - OAUTH2_PROXY_PASS_USER_HEADERS=true
+            - OAUTH2_PROXY_SET_XAUTHREQUEST=true
+            - OAUTH2_PROXY_SKIP_AUTH_REGEX=^/health$
         depends_on:
-            - saml-idp
+            mock-oauth2:
-            - caddy
+                condition: service_healthy
+            caddy:
+                condition: service_started
         networks:
             - invenio-network
+
+    # Mock OAuth2 server for development
     saml-idp:
         image: kristophjunge/test-saml-idp:latest
         profiles:
             - development
         ports:
-            - "8080:8080"
+            - "8090:8080"
         environment:
             - SIMPLESAMLPHP_SP_ENTITY_ID=http://localhost:4180
             - SIMPLESAMLPHP_SP_ASSERTION_CONSUMER_SERVICE=http://localhost:4180/oauth2/callback
@@ -217,7 +228,7 @@ volumes:
     app_data:
     uploaded_data:
     archived_data:
-    site_data:
+    static_files:
     postgres_data:
     opensearch_data:
     valkey_data:

env/invenio.env

@@ -70,3 +70,11 @@ INVENIO_SEARCH_INDEX_PREFIX=invenio-rdm-
 # Logging
 INVENIO_LOGGING_CONSOLE_LEVEL=WARNING
 
+# OAuth Client Settings
+INVENIO_OAUTHCLIENT_AUTO_REDIRECT_TO_EXTERNAL_LOGIN=false
+INVENIO_ACCOUNTS_LOGIN_VIEW_FUNCTION=auto_redirect_login
+
+# Theme Configuration for I-Form
+INVENIO_THEME_IFORM_PRODUCTION=false
+INVENIO_THEME_IFORM_CONTACT_FORM=true
+INVENIO_THEME_IFORM_SUPPORT_EMAIL=support@i-form.ie

invenio.cfg

@@ -64,6 +64,8 @@ from invenio_records_permissions.generators import (
     IfConfig,
     SystemProcess,
 )
+from invenio_oauthclient.contrib.orcid import ORCIDOAuthSettingsHelper
+from invenio_oauthclient.views.client import auto_redirect_login
 
 
 def _(x):  # needed to avoid start time failure with lazy strings
@@ -561,39 +563,42 @@ COMMUNITIES_ADMINISTRATION_DISABLED = False
 # -------------------
 # See https://github.com/inveniosoftware/invenio-oauthclient/blob/master/invenio_oauthclient/config.py
 
-# from invenio_oauthclient.contrib.orcid import ORCIDOAuthSettingsHelper
+# ORCID OAuth Configuration
-# from invenio_github.oauth.remote_app import github_app as github_remote_app
+_orcid_app = ORCIDOAuthSettingsHelper(
-#
+    title="ORCID",
-# _orcid_app = ORCIDOAuthSettingsHelper(
+    description="ORCID - Connecting Research and Researchers.",
-#     title="ORCID",
+    base_url="https://pub.orcid.org/",
-#     description="ORCID - Connecting Research and Researchers.",
+    access_token_url="https://orcid.org/oauth/token",
-#     base_url="https://pub.orcid.org/",
+    authorize_url="https://orcid.org/oauth/authorize#show_login",
-#     access_token_url="https://orcid.org/oauth/token",
+)
-#     authorize_url="https://orcid.org/oauth/authorize#show_login",
+
-# )
+# OAuth Remote Apps Configuration
-#
+OAUTHCLIENT_REMOTE_APPS = {
-# OAUTHCLIENT_REMOTE_APPS = {
+    "orcid": _orcid_app.remote_app,
-#     "orcid": _orcid_app.remote_app,
+}
-#     "github": github_remote_app,
+
-# }
+# OAuth App Credentials (set via environment variables)
-#
-# # Set via env variable
 # ORCID_APP_CREDENTIALS = {
-#     "consumer_key": "CHANGE ME",
+#     "consumer_key": "",  # Set via INVENIO_ORCID_APP_CREDENTIALS_CONSUMER_KEY
-#     "consumer_secret": "CHANGE ME",
+#     "consumer_secret": "",  # Set via INVENIO_ORCID_APP_CREDENTIALS_CONSUMER_SECRET
 # }
+
 # GITHUB_APP_CREDENTIALS = {
 #     "consumer_key": "CHANGE ME",
 #     "consumer_secret": "CHANGE",
 # }
-#
+
-# from invenio_oauthclient.views.client import auto_redirect_login
+ACCOUNTS_LOGIN_VIEW_FUNCTION = (
-# ACCOUNTS_LOGIN_VIEW_FUNCTION = auto_redirect_login  # autoredirect to external login if enabled
+    auto_redirect_login  # autoredirect to external login if enabled
-# OAUTHCLIENT_AUTO_REDIRECT_TO_EXTERNAL_LOGIN = False  # autoredirect to external login
+)
-#
+OAUTHCLIENT_AUTO_REDIRECT_TO_EXTERNAL_LOGIN = False  # autoredirect to external login
-# # Invenio-UserProfiles
+
-# # --------------------
+# Invenio-UserProfiles
-# USERPROFILES_READ_ONLY = False  # allow users to change profile info (name, email, etc...)
+# --------------------
+USERPROFILES_READ_ONLY = (
+    False  # allow users to change profile info (name, email, etc...)
+)
+USERPROFILES_EXTEND_SECURITY_FORMS = True
 
 # OAI-PMH
 # =======