fix(lasuite): fix OIDC config for People login

- Switch all user-facing app OAuth2 clients to client_secret_post (mozilla-django-oidc sends credentials in POST body by default) - Set LOGIN_REDIRECT_URL=/ so Django redirects to frontend after login - Add local overlay patch to disable OIDC SSL verification (mkcert CA not trusted inside pods; production uses real certs)
2026-03-03 11:31:28 +00:00
parent b19e553f54
commit f13beed1c4
4 changed files with 22 additions and 7 deletions
--- a/base/lasuite/oidc-clients.yaml
+++ b/base/lasuite/oidc-clients.yaml
@@ -20,7 +20,7 @@ spec:
  scope: openid email profile
  redirectUris:
    - https://docs.DOMAIN_SUFFIX/oidc/callback/
-  tokenEndpointAuthMethod: client_secret_basic
+  tokenEndpointAuthMethod: client_secret_post
  secretName: oidc-docs
  skipConsent: true
 ---
@@ -40,7 +40,7 @@ spec:
  scope: openid email profile
  redirectUris:
    - https://drive.DOMAIN_SUFFIX/oidc/callback/
-  tokenEndpointAuthMethod: client_secret_basic
+  tokenEndpointAuthMethod: client_secret_post
  secretName: oidc-drive
  skipConsent: true
 ---
@@ -60,7 +60,7 @@ spec:
  scope: openid email profile
  redirectUris:
    - https://meet.DOMAIN_SUFFIX/oidc/callback/
-  tokenEndpointAuthMethod: client_secret_basic
+  tokenEndpointAuthMethod: client_secret_post
  secretName: oidc-meet
  skipConsent: true
 ---
@@ -80,7 +80,7 @@ spec:
  scope: openid email profile
  redirectUris:
    - https://chat.DOMAIN_SUFFIX/oidc/callback/
-  tokenEndpointAuthMethod: client_secret_basic
+  tokenEndpointAuthMethod: client_secret_post
  secretName: oidc-conversations
  skipConsent: true
 ---
@@ -100,7 +100,7 @@ spec:
  scope: openid email profile
  redirectUris:
    - https://mail.DOMAIN_SUFFIX/oidc/callback/
-  tokenEndpointAuthMethod: client_secret_basic
+  tokenEndpointAuthMethod: client_secret_post
  secretName: oidc-messages
  skipConsent: true
 ---
@@ -120,7 +120,7 @@ spec:
  scope: openid email profile
  redirectUris:
    - https://people.DOMAIN_SUFFIX/api/v1.0/callback/
-  tokenEndpointAuthMethod: client_secret_basic
+  tokenEndpointAuthMethod: client_secret_post
  secretName: oidc-people
  skipConsent: true
 ---
@@ -140,7 +140,7 @@ spec:
  scope: openid email profile
  redirectUris:
    - https://find.DOMAIN_SUFFIX/oidc/callback/
-  tokenEndpointAuthMethod: client_secret_basic
+  tokenEndpointAuthMethod: client_secret_post
  secretName: oidc-find
  skipConsent: true
 ---
--- a/base/lasuite/people-values.yaml
+++ b/base/lasuite/people-values.yaml
@@ -125,6 +125,8 @@ backend:
    ALLOWED_HOSTS:             people.DOMAIN_SUFFIX
    DJANGO_ALLOWED_HOSTS:      people.DOMAIN_SUFFIX
    DJANGO_CSRF_TRUSTED_ORIGINS: https://people.DOMAIN_SUFFIX
    # Redirect to frontend SPA root after successful OIDC login.
    LOGIN_REDIRECT_URL:        /
 # celeryWorker and celeryBeat intentionally have no envVars here.
 # The desk chart template automatically injects backend.envVars into all
--- a/overlays/local/kustomization.yaml
+++ b/overlays/local/kustomization.yaml
@@ -37,6 +37,12 @@ images:
    newName: src.DOMAIN_SUFFIX/studio/people-frontend
 patches:
  # Disable SSL verification for OIDC server-side calls — mkcert CA not trusted in pods
  - path: patch-oidc-verify-ssl.yaml
    target:
      kind: ConfigMap
      name: lasuite-oidc-provider
  # Add hostPort for TURN relay range on Lima VM
  - path: values-pingora.yaml
    target:
--- a/overlays/local/patch-oidc-verify-ssl.yaml
+++ b/overlays/local/patch-oidc-verify-ssl.yaml
@@ -0,0 +1,7 @@
 apiVersion: v1
 kind: ConfigMap
 metadata:
  name: lasuite-oidc-provider
  namespace: lasuite
 data:
  OIDC_VERIFY_SSL: "false"