Cian-H/iform-invenio
1
0
Fork 0
mirror of https://github.com/Cian-H/iform-invenio.git synced 2025-12-22 20:41:56 +00:00
Code Issues Packages Projects Releases Wiki Activity

Attempt to configure oauth properly

Browse Source
This commit is contained in:
Cian Hughes
2025-06-04 12:36:16 +01:00
parent b442cad439
commit d4169ac797
4 changed files with 71 additions and 48 deletions
Download Patch File Download Diff File Expand all files Collapse all files

9
Dockerfile
View File

@@ -3,10 +3,9 @@ FROM ghcr.io/front-matter/invenio-rdm-starter:v12.0.18.0
RUN /opt/invenio/.venv/bin/python -m ensurepip
RUN /opt/invenio/.venv/bin/python -m pip install --upgrade pip
RUN /opt/invenio/.venv/bin/python -m pip install invenio-theme-iform==2025.6.3
RUN /opt/invenio/.venv/bin/python -m pip uninstall -y pip
RUN invenio collect
RUN apt update -y
RUN apt upgrade -y
RUN apt update -y && apt upgrade -y
RUN apt install -y npm
RUN invenio collect --verbose
RUN invenio webpack buildall
RUN apt remove -y npm
# RUN apt remove -y npm && apt autoremove -y
RUN ls -la /opt/invenio/var/instance/static/ || echo "Static directory not found"

43
docker-compose.yaml
View File

@@ -12,7 +12,7 @@ services:
volumes:
- caddy_data:/data
- ./caddy/${COMPOSE_PROFILES}:/etc/caddy
- site_data:/var/www:ro
- static_files:/var/www/static:ro
restart: unless-stopped
labels:
- "io.containers.autoupdate=registry"
@@ -24,9 +24,9 @@ services:
volumes:
- uploaded_data:/opt/invenio/var/instance/data
- archived_data:/opt/invenio/var/instance/archive
- site_data:/opt/invenio/var/instance/
# - ./invenio_assets:/opt/invenio/var/instance/static/custom_assets # Add static assets for theming
# - ./invenio.cfg:/opt/invenio/var/instance/invenio.cfg # Override the config with our custom one
- static_files:/opt/invenio/var/instance/static
- ./invenio_assets:/opt/invenio/var/instance/static/custom_assets
- ./invenio.cfg:/opt/invenio/var/instance/invenio.cfg
environment:
- INVENIO_THEME_LOGO
- INVENIO_THEME_FRONTPAGE_TITLE
@@ -60,7 +60,11 @@ services:
- INVENIO_MAIL_SUPPRESS_SEND
- INVENIO_SECURITY_EMAIL_SENDER
- INVENIO_ACCOUNTS_LOCAL_LOGIN_ENABLED
- INVENIO_GITHUB_APP_CREDENTIALS
- INVENIO_OAUTHCLIENT_REMOTE_APPS
- INVENIO_ORCID_APP_CREDENTIALS_CONSUMER_KEY=${INVENIO_ORCID_CLIENT_ID}
- INVENIO_ORCID_APP_CREDENTIALS_CONSUMER_SECRET=${INVENIO_ORCID_SECRET}
- INVENIO_GITHUB_APP_CREDENTIALS_CONSUMER_KEY=${INVENIO_GITHUB_CLIENT_ID}
- INVENIO_GITHUB_APP_CREDENTIALS_CONSUMER_SECRET=${INVENIO_GITHUB_SECRET}
- INVENIO_OAISERVER_ID_PREFIX
- INVENIO_FILES_REST_STORAGE_FACTORY
- INVENIO_S3_ENDPOINT_URL
@@ -84,7 +88,6 @@ services:
condition: service_started
worker:
command: "celery -A invenio_app.celery worker --beat --events --loglevel=WARNING"
# command: "sh"
build:
context: .
networks:
@@ -173,10 +176,8 @@ services:
ports:
- "9200:9200"
- "9600:9600"
# Test SAML for development
oauth2-proxy:
image: quay.io/oauth2-proxy/oauth2-proxy:latest
image: quay.io/oauth2-proxy/oauth2-proxy:latest-alpine
profiles:
- development
ports:
@@ -184,24 +185,34 @@ services:
environment:
- OAUTH2_PROXY_PROVIDER=oidc
- OAUTH2_PROXY_OIDC_ISSUER_URL=http://saml-idp:8080/simplesaml/saml2/idp
- OAUTH2_PROXY_CLIENT_ID=your-client-id
- OAUTH2_PROXY_CLIENT_SECRET=your-client-secret
- OAUTH2_PROXY_COOKIE_SECRET=${OAUTH2_PROXY_COOKIE_SECRET}
- OAUTH2_PROXY_CLIENT_ID=test-client
- OAUTH2_PROXY_CLIENT_SECRET=test-secret
- OAUTH2_PROXY_COOKIE_SECRET
- OAUTH2_PROXY_EMAIL_DOMAINS=*
- OAUTH2_PROXY_UPSTREAM=http://caddy:80
- OAUTH2_PROXY_HTTP_ADDRESS=0.0.0.0:4180
- OAUTH2_PROXY_REDIRECT_URL=http://localhost:4180/oauth2/callback
- OAUTH2_PROXY_SKIP_PROVIDER_BUTTON=false
- OAUTH2_PROXY_INSECURE_OIDC_ALLOW_UNVERIFIED_EMAIL=true
- OAUTH2_PROXY_PASS_ACCESS_TOKEN=true
- OAUTH2_PROXY_PASS_USER_HEADERS=true
- OAUTH2_PROXY_SET_XAUTHREQUEST=true
- OAUTH2_PROXY_SKIP_AUTH_REGEX=^/health$
depends_on:
- saml-idp
- caddy
mock-oauth2:
condition: service_healthy
caddy:
condition: service_started
networks:
- invenio-network
# Mock OAuth2 server for development
saml-idp:
image: kristophjunge/test-saml-idp:latest
profiles:
- development
ports:
- "8080:8080"
- "8090:8080"
environment:
- SIMPLESAMLPHP_SP_ENTITY_ID=http://localhost:4180
- SIMPLESAMLPHP_SP_ASSERTION_CONSUMER_SERVICE=http://localhost:4180/oauth2/callback
@@ -217,7 +228,7 @@ volumes:
app_data:
uploaded_data:
archived_data:
site_data:
static_files:
postgres_data:
opensearch_data:
valkey_data:

8
env/invenio.env vendored
View File

@@ -70,3 +70,11 @@ INVENIO_SEARCH_INDEX_PREFIX=invenio-rdm-
# Logging
INVENIO_LOGGING_CONSOLE_LEVEL=WARNING
# OAuth Client Settings
INVENIO_OAUTHCLIENT_AUTO_REDIRECT_TO_EXTERNAL_LOGIN=false
INVENIO_ACCOUNTS_LOGIN_VIEW_FUNCTION=auto_redirect_login
# Theme Configuration for I-Form
INVENIO_THEME_IFORM_PRODUCTION=false
INVENIO_THEME_IFORM_CONTACT_FORM=true
INVENIO_THEME_IFORM_SUPPORT_EMAIL=support@i-form.ie

59
invenio.cfg
View File

@@ -64,6 +64,8 @@ from invenio_records_permissions.generators import (
IfConfig,
SystemProcess,
)
from invenio_oauthclient.contrib.orcid import ORCIDOAuthSettingsHelper
from invenio_oauthclient.views.client import auto_redirect_login
def _(x): # needed to avoid start time failure with lazy strings
@@ -561,39 +563,42 @@ COMMUNITIES_ADMINISTRATION_DISABLED = False
# -------------------
# See https://github.com/inveniosoftware/invenio-oauthclient/blob/master/invenio_oauthclient/config.py
# from invenio_oauthclient.contrib.orcid import ORCIDOAuthSettingsHelper
# from invenio_github.oauth.remote_app import github_app as github_remote_app
#
# _orcid_app = ORCIDOAuthSettingsHelper(
# title="ORCID",
# description="ORCID - Connecting Research and Researchers.",
# base_url="https://pub.orcid.org/",
# access_token_url="https://orcid.org/oauth/token",
# authorize_url="https://orcid.org/oauth/authorize#show_login",
# )
#
# OAUTHCLIENT_REMOTE_APPS = {
# "orcid": _orcid_app.remote_app,
# "github": github_remote_app,
# }
#
# # Set via env variable
# ORCID OAuth Configuration
_orcid_app = ORCIDOAuthSettingsHelper(
title="ORCID",
description="ORCID - Connecting Research and Researchers.",
base_url="https://pub.orcid.org/",
access_token_url="https://orcid.org/oauth/token",
authorize_url="https://orcid.org/oauth/authorize#show_login",
)
# OAuth Remote Apps Configuration
OAUTHCLIENT_REMOTE_APPS = {
"orcid": _orcid_app.remote_app,
}
# OAuth App Credentials (set via environment variables)
# ORCID_APP_CREDENTIALS = {
# "consumer_key": "CHANGE ME",
# "consumer_secret": "CHANGE ME",
# "consumer_key": "", # Set via INVENIO_ORCID_APP_CREDENTIALS_CONSUMER_KEY
# "consumer_secret": "", # Set via INVENIO_ORCID_APP_CREDENTIALS_CONSUMER_SECRET
# }
# GITHUB_APP_CREDENTIALS = {
# "consumer_key": "CHANGE ME",
# "consumer_secret": "CHANGE",
# }
#
# from invenio_oauthclient.views.client import auto_redirect_login
# ACCOUNTS_LOGIN_VIEW_FUNCTION = auto_redirect_login # autoredirect to external login if enabled
# OAUTHCLIENT_AUTO_REDIRECT_TO_EXTERNAL_LOGIN = False # autoredirect to external login
#
# # Invenio-UserProfiles
# # --------------------
# USERPROFILES_READ_ONLY = False # allow users to change profile info (name, email, etc...)
ACCOUNTS_LOGIN_VIEW_FUNCTION = (
auto_redirect_login # autoredirect to external login if enabled
)
OAUTHCLIENT_AUTO_REDIRECT_TO_EXTERNAL_LOGIN = False # autoredirect to external login
# Invenio-UserProfiles
# --------------------
USERPROFILES_READ_ONLY = (
False # allow users to change profile info (name, email, etc...)
)
USERPROFILES_EXTEND_SECURITY_FORMS = True
# OAI-PMH
# =======