From f13beed1c4f113c262093bd73a2b345dd64e5aeb Mon Sep 17 00:00:00 2001
From: Sienna Meridian Satterwhite
Date: Tue, 3 Mar 2026 11:31:28 +0000
Subject: [PATCH] fix(lasuite): fix OIDC config for People login

- Switch all user-facing app OAuth2 clients to client_secret_post (mozilla-django-oidc sends credentials in POST body by default)
- Set LOGIN_REDIRECT_URL=/ so Django redirects to frontend after login
- Add local overlay patch to disable OIDC SSL verification (mkcert CA not trusted inside pods; production uses real certs)
---
 base/lasuite/oidc-clients.yaml | 14 +++++++-------
 base/lasuite/people-values.yaml | 2 ++
 overlays/local/kustomization.yaml | 6 ++++++
 overlays/local/patch-oidc-verify-ssl.yaml | 7 +++++++
 4 files changed, 22 insertions(+), 7 deletions(-)
 create mode 100644 overlays/local/patch-oidc-verify-ssl.yaml
diff --git a/base/lasuite/oidc-clients.yaml b/base/lasuite/oidc-clients.yaml
index da78d9c..c106230 100644
--- a/base/lasuite/oidc-clients.yaml
+++ b/base/lasuite/oidc-clients.yaml
@@ -20,7 +20,7 @@ spec:
 scope: openid email profile
 redirectUris:
 - https://docs.DOMAIN_SUFFIX/oidc/callback/
- tokenEndpointAuthMethod: client_secret_basic
+ tokenEndpointAuthMethod: client_secret_post
 secretName: oidc-docs
 skipConsent: true
 ---
@@ -40,7 +40,7 @@ spec:
 scope: openid email profile
 redirectUris:
 - https://drive.DOMAIN_SUFFIX/oidc/callback/
- tokenEndpointAuthMethod: client_secret_basic
+ tokenEndpointAuthMethod: client_secret_post
 secretName: oidc-drive
 skipConsent: true
 ---
@@ -60,7 +60,7 @@ spec:
 scope: openid email profile
 redirectUris:
 - https://meet.DOMAIN_SUFFIX/oidc/callback/
- tokenEndpointAuthMethod: client_secret_basic
+ tokenEndpointAuthMethod: client_secret_post
 secretName: oidc-meet
 skipConsent: true
 ---
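Review bot: The switch to `client_secret_post` in the @@ -20 hunk (and the identical hunks at -40, -60 and -80 through -140) leaves no comment in the manifest explaining why these clients now deviate from `client_secret_basic`, so the rationale lives only in the commit message and a later cleanup is likely to flip it back. A comment above each changed line, `# client_secret_post: the mozilla-django-oidc client sends id and secret in the token request body`, would pin it where the next reader looks. Both methods are standard; with the secret carried in the POST body rather than the Authorization header, it is worth confirming that the provider does not log token-endpoint request bodies, since that is where the credential now travels. The commit message attributes the choice to mozilla-django-oidc for all seven clients; if any of these apps is not built on that library, its required method should be checked separately rather than assumed.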
@@ -80,7 +80,7 @@ spec:
 scope: openid email profile
 redirectUris:
 - https://chat.DOMAIN_SUFFIX/oidc/callback/
- tokenEndpointAuthMethod: client_secret_basic
+ tokenEndpointAuthMethod: client_secret_post
 secretName: oidc-conversations
 skipConsent: true
 ---
@@ -100,7 +100,7 @@ spec:
 scope: openid email profile
 redirectUris:
 - https://mail.DOMAIN_SUFFIX/oidc/callback/
- tokenEndpointAuthMethod: client_secret_basic
+ tokenEndpointAuthMethod: client_secret_post
 secretName: oidc-messages
 skipConsent: true
 ---
@@ -120,7 +120,7 @@ spec:
 scope: openid email profile
 redirectUris:
 - https://people.DOMAIN_SUFFIX/api/v1.0/callback/
- tokenEndpointAuthMethod: client_secret_basic
+ tokenEndpointAuthMethod: client_secret_post
 secretName: oidc-people
 skipConsent: true
 ---
@@ -140,7 +140,7 @@ spec:
 scope: openid email profile
 redirectUris:
 - https://find.DOMAIN_SUFFIX/oidc/callback/
- tokenEndpointAuthMethod: client_secret_basic
+ tokenEndpointAuthMethod: client_secret_post
 secretName: oidc-find
 skipConsent: true
 ---
diff --git a/base/lasuite/people-values.yaml b/base/lasuite/people-values.yaml
index 316442c..c525981 100644
--- a/base/lasuite/people-values.yaml
+++ b/base/lasuite/people-values.yaml
@@ -125,6 +125,8 @@ backend: ALLOWED_HOSTS: people.DOMAIN_SUFFIX DJANGO_ALLOWED_HOSTS: people.DOMAIN_SUFFIX DJANGO_CSRF_TRUSTED_ORIGINS: https://people.DOMAIN_SUFFIX + # Redirect to frontend SPA root after successful OIDC login. + LOGIN_REDIRECT_URL: / # celeryWorker and celeryBeat intentionally have no envVars here. # The desk chart template automatically injects backend.envVars into all
diff --git a/overlays/local/kustomization.yaml b/overlays/local/kustomization.yaml
index 4b6cbc9..3f6cc75 100644
--- a/overlays/local/kustomization.yaml
+++ b/overlays/local/kustomization.yaml
@@ -37,6 +37,12 @@ images: newName: src.DOMAIN_SUFFIX/studio/people-frontend patches: + # Disable SSL verification for OIDC server-side calls — mkcert CA not trusted in pods + - path: patch-oidc-verify-ssl.yaml + target: + kind: ConfigMap + name: lasuite-oidc-provider + # Add hostPort for TURN relay range on Lima VM - path: values-pingora.yaml target:
diff --git a/overlays/local/patch-oidc-verify-ssl.yaml b/overlays/local/patch-oidc-verify-ssl.yaml
new file mode 100644
index 0000000..3f51c1d
--- /dev/null
+++ b/overlays/local/patch-oidc-verify-ssl.yaml
@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: lasuite-oidc-provider
+ namespace: lasuite
+data:
+ OIDC_VERIFY_SSL: "false"
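Review bot: The new `patch-oidc-verify-ssl.yaml` disables TLS verification for every workload that reads the `lasuite-oidc-provider` ConfigMap, not only People, and the file itself carries no marker that it is local-only — the one-line rationale sits in kustomization.yaml and the commit message, neither of which travels with the file if it is copied into another overlay. A header comment in the new file, `# LOCAL OVERLAY ONLY: turns off TLS verification of OIDC provider calls because the mkcert CA is not trusted in pods; must not be promoted beyond overlays/local`, keeps the intent attached to the setting. A less blunt fix for the same problem is to mount the mkcert root CA into the pods and point the HTTP client at it (for requests-based clients via `REQUESTS_CA_BUNDLE`), which keeps verification on and also covers any other outbound TLS calls to DOMAIN_SUFFIX hosts; whether the chart exposes a volume or env hook for that is not visible in this diff. The quoted `"false"` is correct for an env-var string and should stay quoted.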