studio/sbbb
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix(lasuite): fix OIDC config for People login

Browse Source 
- Switch all user-facing app OAuth2 clients to client_secret_post
  (mozilla-django-oidc sends credentials in POST body by default)
- Set LOGIN_REDIRECT_URL=/ so Django redirects to frontend after login
- Add local overlay patch to disable OIDC SSL verification
  (mkcert CA not trusted inside pods; production uses real certs)
This commit is contained in:
Sienna Meridian Satterwhite
2026-03-03 11:31:28 +00:00
parent b19e553f54
commit f13beed1c4
4 changed files with 22 additions and 7 deletions
Download Patch File Download Diff File Expand all files Collapse all files

14
base/lasuite/oidc-clients.yaml
View File

@@ -20,7 +20,7 @@ spec:
scope: openid email profile
redirectUris:
- https://docs.DOMAIN_SUFFIX/oidc/callback/
tokenEndpointAuthMethod: client_secret_basic
tokenEndpointAuthMethod: client_secret_post
secretName: oidc-docs
skipConsent: true
---
@@ -40,7 +40,7 @@ spec:
scope: openid email profile
redirectUris:
- https://drive.DOMAIN_SUFFIX/oidc/callback/
tokenEndpointAuthMethod: client_secret_basic
tokenEndpointAuthMethod: client_secret_post
secretName: oidc-drive
skipConsent: true
---
@@ -60,7 +60,7 @@ spec:
scope: openid email profile
redirectUris:
- https://meet.DOMAIN_SUFFIX/oidc/callback/
tokenEndpointAuthMethod: client_secret_basic
tokenEndpointAuthMethod: client_secret_post
secretName: oidc-meet
skipConsent: true
---
@@ -80,7 +80,7 @@ spec:
scope: openid email profile
redirectUris:
- https://chat.DOMAIN_SUFFIX/oidc/callback/
tokenEndpointAuthMethod: client_secret_basic
tokenEndpointAuthMethod: client_secret_post
secretName: oidc-conversations
skipConsent: true
---
@@ -100,7 +100,7 @@ spec:
scope: openid email profile
redirectUris:
- https://mail.DOMAIN_SUFFIX/oidc/callback/
tokenEndpointAuthMethod: client_secret_basic
tokenEndpointAuthMethod: client_secret_post
secretName: oidc-messages
skipConsent: true
---
@@ -120,7 +120,7 @@ spec:
scope: openid email profile
redirectUris:
- https://people.DOMAIN_SUFFIX/api/v1.0/callback/
tokenEndpointAuthMethod: client_secret_basic
tokenEndpointAuthMethod: client_secret_post
secretName: oidc-people
skipConsent: true
---
@@ -140,7 +140,7 @@ spec:
scope: openid email profile
redirectUris:
- https://find.DOMAIN_SUFFIX/oidc/callback/
tokenEndpointAuthMethod: client_secret_basic
tokenEndpointAuthMethod: client_secret_post
secretName: oidc-find
skipConsent: true
---

2
base/lasuite/people-values.yaml
View File

@@ -125,6 +125,8 @@ backend:
ALLOWED_HOSTS: people.DOMAIN_SUFFIX
DJANGO_ALLOWED_HOSTS: people.DOMAIN_SUFFIX
DJANGO_CSRF_TRUSTED_ORIGINS: https://people.DOMAIN_SUFFIX
# Redirect to frontend SPA root after successful OIDC login.
LOGIN_REDIRECT_URL: /
# celeryWorker and celeryBeat intentionally have no envVars here.
# The desk chart template automatically injects backend.envVars into all