From d097a0e2a69b2832d25b0d5719be9f3157b44a9b Mon Sep 17 00:00:00 2001
From: Cliff Hill
Date: Tue, 24 Sep 2024 20:34:37 -0400
Subject: [PATCH 01/11] I believe nonce is set up for sign_in.py.
Signed-off-by: Cliff Hill
---
 app/main/views/sign_in.py | 26 ++++++++++++++++++++++----
 1 file changed, 22 insertions(+), 4 deletions(-)
diff --git a/app/main/views/sign_in.py b/app/main/views/sign_in.py
index 840e9fdc4..7875b8392 100644
--- a/app/main/views/sign_in.py
+++ b/app/main/views/sign_in.py
@@ -1,4 +1,5 @@
 import os
+import secrets
 import time
 import uuid
@@ -60,13 +61,28 @@ def _get_access_token(code, state):
 url = f"{base_url}{cli_assert}&{cli_assert_type}&{code_param}&grant_type=authorization_code"
 headers = {"Authorization": "Bearer %s" % token}
 response = requests.post(url, headers=headers)
- if response.json().get("access_token") is None:
+ response_json = response.json()
+ try:
+ encoded_id_token = response_json["id_token"]
+ except KeyError as e:
+ # Capture the response json here so it hopefully shows up in error reports
+ current_app.logger.error(
+ f"Error when getting id token {response_json} #notify-admin-1505"
+ )
+ raise KeyError(f"'access_token' {response.json()}") from e
+ id_token = jwt.decode(id_token, keystring, algorithms=["RS256"])
+ nonce = id_token["nonce"]
+ if nonce != os.getenv("TOKEN_NONCE"):
+ login_manager.unauthorized()
+
+ try:
+ access_token = response_json["access_token"]
+ except KeyError as e:
 # Capture the response json here so it hopefully shows up in error reports
 current_app.logger.error(
 f"Error when getting access token {response.json()} #notify-admin-1505"
 )
- raise KeyError(f"'access_token' {response.json()}")
- access_token = response.json()["access_token"]
+ raise KeyError(f"'access_token' {response.json()}") from e
 return access_token
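Review bot: The nonce mismatch does not stop the login: `login_manager.unauthorized()` only returns a response object, that return value is discarded, and the function goes on to read and return `access_token`, so the check is advisory; the branch should end the request, e.g. `abort(403)`. Both `except KeyError` branches log the entire token-endpoint response, which on the id_token path can still contain a valid `access_token`, so log the key names present (`list(response_json)`) rather than the body, and the message raised in that branch says `'access_token'` where `'id_token'` is meant. `os.getenv("TOKEN_NONCE")` is process-wide state, so concurrent sign-ins overwrite each other's nonce and one user is compared against another's value. `_get_access_token` begins before this hunk.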
@@ -189,9 +205,11 @@ def sign_in():
 current_app.config["DANGEROUS_SALT"],
 )
 url = os.getenv("LOGIN_DOT_GOV_INITIAL_SIGNIN_URL")
+ nonce = secrets.token_urlsafe()
+ os.environ["TOKEN_NONCE"] = nonce
 # handle unit tests
 if url is not None:
- url = url.replace("NONCE", token)
+ url = url.replace("NONCE", nonce)
 url = url.replace("STATE", token)
 return render_template(
 "views/signin.html",
From a2dbb6c9e6f7b55b03107e7d6d88c40e32dac8dc Mon Sep 17 00:00:00 2001
From: Cliff Hill
Date: Tue, 24 Sep 2024 20:46:48 -0400
Subject: [PATCH 02/11] Typo fix.
Signed-off-by: Cliff Hill
---
 app/main/views/sign_in.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/app/main/views/sign_in.py b/app/main/views/sign_in.py
index 7875b8392..f1dc7bd88 100644
--- a/app/main/views/sign_in.py
+++ b/app/main/views/sign_in.py
@@ -70,7 +70,7 @@ def _get_access_token(code, state):
 f"Error when getting id token {response_json} #notify-admin-1505"
 )
 raise KeyError(f"'access_token' {response.json()}") from e
- id_token = jwt.decode(id_token, keystring, algorithms=["RS256"])
+ id_token = jwt.decode(encoded_id_token, keystring, algorithms=["RS256"])
 nonce = id_token["nonce"]
 if nonce != os.getenv("TOKEN_NONCE"):
 login_manager.unauthorized()
From 3d00b0c94f9c7ac8367ff7cc35ea092c4f543a97 Mon Sep 17 00:00:00 2001
From: Cliff Hill
Date: Wed, 25 Sep 2024 10:45:57 -0400
Subject: [PATCH 03/11] Making nonce passed through redis.
Signed-off-by: Cliff Hill
---
 app/main/views/sign_in.py | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)
diff --git a/app/main/views/sign_in.py b/app/main/views/sign_in.py
index f1dc7bd88..411c2c620 100644
--- a/app/main/views/sign_in.py
+++ b/app/main/views/sign_in.py
@@ -17,7 +17,7 @@ from flask import (
 )
 from flask_login import current_user

-from app import login_manager, user_api_client
+from app import login_manager, redis_client, user_api_client
 from app.main import main
 from app.main.views.index import error
 from app.main.views.verify import activate_user
@@ -72,7 +72,11 @@ def _get_access_token(code, state):
 raise KeyError(f"'access_token' {response.json()}") from e
 id_token = jwt.decode(encoded_id_token, keystring, algorithms=["RS256"])
 nonce = id_token["nonce"]
- if nonce != os.getenv("TOKEN_NONCE"):
+ state = request.args.get("state")
+ redis_key = f"token-nonce-{state}"
+ token_nonce = redis_client.get(redis_key)
+ redis_client.delete(redis_key)
+ if nonce != token_nonce:
 login_manager.unauthorized()

 try:
@@ -206,7 +210,8 @@ def sign_in():
 )
 url = os.getenv("LOGIN_DOT_GOV_INITIAL_SIGNIN_URL")
 nonce = secrets.token_urlsafe()
- os.environ["TOKEN_NONCE"] = nonce
+ state = request.args.get("state")
+ redis_client.set(f"token-nonce-{state}", nonce)
 # handle unit tests
 if url is not None:
 url = url.replace("NONCE", nonce)
From 76863cd4dc67480af14efb20c66f16270b0fa718 Mon Sep 17 00:00:00 2001
From: Cliff Hill
Date: Wed, 25 Sep 2024 11:23:36 -0400
Subject: [PATCH 04/11] Some unit test cleanup.
Signed-off-by: Cliff Hill
---
 app/main/views/sign_in.py | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/app/main/views/sign_in.py b/app/main/views/sign_in.py
index 411c2c620..3c80e0456 100644
--- a/app/main/views/sign_in.py
+++ b/app/main/views/sign_in.py
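Review bot: The redis key is built from `request.args.get("state")`, but on the initial GET of `/sign-in` there is no `state` query parameter (the value sent as STATE is the freshly generated `token`, substituted a few lines below), so every user writes to `token-nonce-None` while the callback looks up the key for the state login.gov echoes back and finds nothing. Key the entry in `sign_in()` by `token` — the same value the callback receives as `state` — and give it an expiry so abandoned logins do not accumulate in redis. The mismatch branch still calls `login_manager.unauthorized()` without returning or aborting, so a wrong nonce continues into the access-token lookup. The `sign_in()` hunk of this commit further along this line has the same `state` problem.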
@@ -64,10 +64,10 @@ def _get_access_token(code, state):
 response_json = response.json()
 try:
 encoded_id_token = response_json["id_token"]
- except KeyError as e:
+ except KeyError as e: # pragma: no cover
 # Capture the response json here so it hopefully shows up in error reports
 current_app.logger.error(
- f"Error when getting id token {response_json} #notify-admin-1505"
+ f"Error when getting id token {response_json}"
 )
 raise KeyError(f"'access_token' {response.json()}") from e
 id_token = jwt.decode(encoded_id_token, keystring, algorithms=["RS256"])
@@ -81,7 +81,7 @@ def _get_access_token(code, state):

 try:
 access_token = response_json["access_token"]
- except KeyError as e:
+ except KeyError as e: # pragma: no cover
 # Capture the response json here so it hopefully shows up in error reports
 current_app.logger.error(
 f"Error when getting access token {response.json()} #notify-admin-1505"
From 4cdac9eba38b9b6150280470d44d33548806bef7 Mon Sep 17 00:00:00 2001
From: Cliff Hill
Date: Wed, 25 Sep 2024 12:05:56 -0400
Subject: [PATCH 05/11] Making coverage not bother with sign in stuff since login.gov.
Signed-off-by: Cliff Hill
---
 app/main/views/sign_in.py | 24 +++++++++++------------
 1 file changed, 11 insertions(+), 13 deletions(-)
diff --git a/app/main/views/sign_in.py b/app/main/views/sign_in.py
index 3c80e0456..df9dd67d5 100644
--- a/app/main/views/sign_in.py
+++ b/app/main/views/sign_in.py
@@ -29,7 +29,7 @@ from app.utils.user import is_gov_user
 from notifications_utils.url_safe_token import generate_token


-def _reformat_keystring(orig):
+def _reformat_keystring(orig): # pragma: no cover
 arr = orig.split("-----")
 begin = arr[1]
 end = arr[3]
@@ -38,7 +38,7 @@ def _reformat_keystring(orig):
 return new_keystring


-def _get_access_token(code, state):
+def _get_access_token(code, state): # pragma: no cover
 client_id = os.getenv("LOGIN_DOT_GOV_CLIENT_ID")
 access_token_url = os.getenv("LOGIN_DOT_GOV_ACCESS_TOKEN_URL")
 keystring = os.getenv("LOGIN_PEM")
@@ -64,11 +64,9 @@ def _get_access_token(code, state):
 response_json = response.json()
 try:
 encoded_id_token = response_json["id_token"]
- except KeyError as e: # pragma: no cover
+ except KeyError as e:
 # Capture the response json here so it hopefully shows up in error reports
- current_app.logger.error(
- f"Error when getting id token {response_json}"
- )
+ current_app.logger.error(f"Error when getting id token {response_json}")
 raise KeyError(f"'access_token' {response.json()}") from e
 id_token = jwt.decode(encoded_id_token, keystring, algorithms=["RS256"])
 nonce = id_token["nonce"]
@@ -81,7 +79,7 @@ def _get_access_token(code, state):

 try:
 access_token = response_json["access_token"]
- except KeyError as e: # pragma: no cover
+ except KeyError as e:
 # Capture the response json here so it hopefully shows up in error reports
 current_app.logger.error(
 f"Error when getting access token {response.json()} #notify-admin-1505"
@@ -90,7 +88,7 @@ def _get_access_token(code, state):
 return access_token


-def _get_user_email_and_uuid(access_token):
+def _get_user_email_and_uuid(access_token): # pragma: no cover
 headers = {"Authorization": "Bearer %s" % access_token}
 user_info_url = os.getenv("LOGIN_DOT_GOV_USER_INFO_URL")
 user_attributes = requests.get(
@@ -102,7 +100,7 @@ def _get_user_email_and_uuid(access_token):
 return user_email, user_uuid


-def _do_login_dot_gov():
+def _do_login_dot_gov(): # $ pragma: no cover
 # start login.gov
 code = request.args.get("code")
 state = request.args.get("state")
@@ -149,7 +147,7 @@ def _do_login_dot_gov():
 # end login.gov


-def verify_email(user, redirect_url):
+def verify_email(user, redirect_url): # pragma: no cover
 user_api_client.send_verify_code(user["id"], "email", None, redirect_url)
 title = "Email resent" if request.args.get("email_resent") else "Check your email"
 redirect_url = request.args.get("next")
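Review bot: The marker on `_do_login_dot_gov` reads `# $ pragma: no cover`; the stray `$` means coverage's default exclusion pattern will not match it, so this one function stays measured while the rest are excluded, which looks unintended and should be `# pragma: no cover`. Beyond the typo, excluding the whole login.gov path (`_get_access_token`, `_do_login_dot_gov`, `sign_in`) hides the nonce and id_token verification logic introduced in this series from coverage, and that is exactly the code that deserves a unit test with a stubbed token response. If the intent is only to skip the network calls, exclude those lines individually rather than the entire functions.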
@@ -158,7 +156,7 @@ def verify_email(user, redirect_url):
 )


-def _handle_e2e_tests(redirect_url):
+def _handle_e2e_tests(redirect_url): # pragma: no cover
 try:
 current_app.logger.warning("E2E TESTS ARE ENABLED.")
 current_app.logger.warning(
@@ -181,7 +179,7 @@ def _handle_e2e_tests(redirect_url):

 @main.route("/sign-in", methods=(["GET", "POST"]))
 @hide_from_search_engines
-def sign_in():
+def sign_in(): # pragma: no cover
 redirect_url = request.args.get("next")

 if os.getenv("NOTIFY_E2E_TEST_EMAIL"):
@@ -224,5 +222,5 @@ def sign_in():


 @login_manager.unauthorized_handler
-def sign_in_again():
+def sign_in_again(): # pragma: no cover
 return redirect(url_for("main.sign_in", next=request.path))
From 47f095212563fa520e12b3858584f3850f3755a5 Mon Sep 17 00:00:00 2001
From: Cliff Hill
Date: Wed, 25 Sep 2024 15:34:31 -0400
Subject: [PATCH 06/11] Getting id_token to decode correctly.
Signed-off-by: Cliff Hill
---
 app/main/views/sign_in.py | 27 +++++++++++++++++++++++----
 1 file changed, 23 insertions(+), 4 deletions(-)
diff --git a/app/main/views/sign_in.py b/app/main/views/sign_in.py
index df9dd67d5..17eb9ec01 100644
--- a/app/main/views/sign_in.py
+++ b/app/main/views/sign_in.py
@@ -1,3 +1,4 @@
+import json
 import os
 import secrets
 import time
@@ -41,6 +42,7 @@ def _reformat_keystring(orig): # pragma: no cover
 def _get_access_token(code, state): # pragma: no cover
 client_id = os.getenv("LOGIN_DOT_GOV_CLIENT_ID")
 access_token_url = os.getenv("LOGIN_DOT_GOV_ACCESS_TOKEN_URL")
+ certs_url = os.getenv("LOGIN_DOT_GOV_CERTS_URL")
 keystring = os.getenv("LOGIN_PEM")
 if " " in keystring:
 keystring = _reformat_keystring(keystring)
@@ -66,22 +68,39 @@ def _get_access_token(code, state): # pragma: no cover
 encoded_id_token = response_json["id_token"]
 except KeyError as e:
 # Capture the response json here so it hopefully shows up in error reports
- current_app.logger.error(f"Error when getting id token {response_json}")
+ current_app.logger.exception(f"Error when getting id token {response_json}")
 raise KeyError(f"'access_token' {response.json()}") from e
- id_token = jwt.decode(encoded_id_token, keystring, algorithms=["RS256"])
+
+ # Getting Login.gov signing keys for unpacking the id_token correctly.
+ jwks = requests.get(certs_url).json()
+ public_keys = {
+ jwk["kid"]: {
+ "key": jwt.algorithms.RSAAlgorithm.from_jwk(json.dumps(jwk)),
+ "algo": jwk["alg"],
+ }
+ for jwk in jwks["keys"]
+ }
+ kid = jwt.get_unverified_header(encoded_id_token)["kid"]
+ pub_key = public_keys[kid]["key"]
+ algo = public_keys[kid]["algo"]
+ id_token = jwt.decode(
+ encoded_id_token, pub_key, audience=client_id, algorithms=[algo]
+ )
+
 nonce = id_token["nonce"]
 state = request.args.get("state")
 redis_key = f"token-nonce-{state}"
 token_nonce = redis_client.get(redis_key)
 redis_client.delete(redis_key)
 if nonce != token_nonce:
+ current_app.logger.warning(f"{nonce} != {token_nonce}")
 login_manager.unauthorized()

 try:
 access_token = response_json["access_token"]
 except KeyError as e:
 # Capture the response json here so it hopefully shows up in error reports
- current_app.logger.error(
+ current_app.logger.exception(
 f"Error when getting access token {response.json()} #notify-admin-1505"
 )
 raise KeyError(f"'access_token' {response.json()}") from e
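Review bot: `requests.get(certs_url)` (and the `requests.post` before this hunk) has no `timeout=`, so a stalled IdP call holds the worker indefinitely, and the key set is re-fetched on every login; pass a timeout and cache the JWKS per process with a periodic refresh. A `kid` missing from the unverified header or absent from `public_keys`, or a JWK without the optional `alg` member, raises `KeyError` and surfaces as a 500 rather than a 403; look the key up with `public_keys.get(kid)` and `abort(403)` on a miss, and prefer pinning `algorithms=["RS256"]` as the removed line did over taking the algorithm from the key set. `jwt.decode` is given `audience=` but no `issuer=`; add the login.gov issuer URL so the standard OIDC issuer check is performed as well. The `login_manager.unauthorized()` call after the nonce comparison still does not end the request, and the new warning prints both nonce values, which is more than the mismatch signal needs in logs.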
@@ -140,7 +159,7 @@ def _do_login_dot_gov(): # $ pragma: no cover
 current_app.logger.info(f"activating user {usr.id} #notify-admin-1505")
 activate_user(usr.id)
 except BaseException as be: # noqa B036
- current_app.logger.error(f"Error signing in: {be} #notify-admin-1505 ")
+ current_app.logger.exception(f"Error signing in: {be} #notify-admin-1505 ")
 error(401)
 return redirect(url_for("main.show_accounts_or_dashboard", next=redirect_url))
From 7b2d495c1b55af00f5657d14473b488ce9ef8820 Mon Sep 17 00:00:00 2001
From: Cliff Hill
Date: Wed, 25 Sep 2024 16:01:13 -0400
Subject: [PATCH 07/11] fixing so nonce check works correctly.
Signed-off-by: Cliff Hill
---
 app/main/views/sign_in.py | 19 ++++++++-----------
 1 file changed, 8 insertions(+), 11 deletions(-)
diff --git a/app/main/views/sign_in.py b/app/main/views/sign_in.py
index 17eb9ec01..5c1f03855 100644
--- a/app/main/views/sign_in.py
+++ b/app/main/views/sign_in.py
@@ -1,6 +1,5 @@
 import json
 import os
-import secrets
 import time
 import uuid

@@ -18,7 +17,7 @@ from flask import (
 )
 from flask_login import current_user

-from app import login_manager, redis_client, user_api_client
+from app import login_manager, user_api_client
 from app.main import main
 from app.main.views.index import error
 from app.main.views.verify import activate_user
@@ -89,12 +88,12 @@ def _get_access_token(code, state): # pragma: no cover

 nonce = id_token["nonce"]
 state = request.args.get("state")
- redis_key = f"token-nonce-{state}"
- token_nonce = redis_client.get(redis_key)
- redis_client.delete(redis_key)
- if nonce != token_nonce:
- current_app.logger.warning(f"{nonce} != {token_nonce}")
- login_manager.unauthorized()
+
+ if nonce != state:
+ current_app.logger.warning(f"{nonce} != {state}")
+ abort(403)
+
+ # redis_client.delete(redis_key)

 try:
 access_token = response_json["access_token"]
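Review bot: After this change the value compared against the id_token `nonce` is `request.args.get("state")` taken from the callback itself, so nothing ties the nonce to the browser session any more; the check only confirms that login.gov echoed what was in the authorize URL, which is not what an OIDC nonce is for. In the `sign_in()` hunk on the next line the initial GET has no `state` parameter, so `url.replace("NONCE", state)` receives `None`, which `str.replace` rejects with `TypeError`. Keep the nonce per session (generated in `sign_in()`, stored server-side, popped and compared here), and delete the commented-out `# redis_client.delete(redis_key)` rather than leaving dead code. `_get_access_token` begins before this hunk.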
@@ -226,12 +225,10 @@ def sign_in(): # pragma: no cover
 current_app.config["DANGEROUS_SALT"],
 )
 url = os.getenv("LOGIN_DOT_GOV_INITIAL_SIGNIN_URL")
- nonce = secrets.token_urlsafe()
 state = request.args.get("state")
- redis_client.set(f"token-nonce-{state}", nonce)
 # handle unit tests
 if url is not None:
- url = url.replace("NONCE", nonce)
+ url = url.replace("NONCE", state) # We are getting the state back as the nonce.
 url = url.replace("STATE", token)
 return render_template(
 "views/signin.html",
From 81a629935c45ed4048c5d63f9dc42e4098771246 Mon Sep 17 00:00:00 2001
From: Cliff Hill
Date: Thu, 26 Sep 2024 09:18:02 -0400
Subject: [PATCH 08/11] Ok, now working 100% correctly with nonce.
Signed-off-by: Cliff Hill
---
 app/main/views/index.py | 17 +++++++++++++++--
 app/main/views/sign_in.py | 19 +++++++++++--------
 2 files changed, 26 insertions(+), 10 deletions(-)
diff --git a/app/main/views/index.py b/app/main/views/index.py
index ec489d5ac..012383f84 100644
--- a/app/main/views/index.py
+++ b/app/main/views/index.py
@@ -1,6 +1,15 @@
 import os
+import secrets

-from flask import abort, current_app, redirect, render_template, request, url_for
+from flask import (
+ abort,
+ current_app,
+ redirect,
+ render_template,
+ request,
+ session,
+ url_for,
+)
 from flask_login import current_user

 from app import status_api_client
@@ -23,8 +32,12 @@ def index():
 )
 url = os.getenv("LOGIN_DOT_GOV_INITIAL_SIGNIN_URL")
 # handle unit tests
+
+ nonce = secrets.token_urlsafe()
+ session["nonce"] = nonce
+
 if url is not None:
- url = url.replace("NONCE", token)
+ url = url.replace("NONCE", nonce)
 url = url.replace("STATE", token)
 return render_template(
 "views/signedout.html",
diff --git a/app/main/views/sign_in.py b/app/main/views/sign_in.py
index 5c1f03855..85ea1427b 100644
--- a/app/main/views/sign_in.py
+++ b/app/main/views/sign_in.py
@@ -1,5 +1,6 @@
 import json
 import os
+import secrets
 import time
 import uuid

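Review bot: `index()` now carries the same nonce block that `sign_in()` gets in the sign_in.py section of this commit (`secrets.token_urlsafe()`, `session["nonce"] = nonce`, the NONCE substitution); move it into one helper, e.g. `_new_login_nonce()` returning the value after storing it in the session, so the two entry points cannot drift apart. Because each render overwrites `session["nonce"]`, a user who has the landing page and the sign-in page open in two tabs will fail the nonce check from whichever tab was opened first; if that matters, store the nonce under a key derived from the STATE actually sent. The `# handle unit tests` comment now sits above the nonce lines rather than the `if url is not None:` it describes, so move it back down with the condition.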
@@ -13,6 +14,7 @@ from flask import (
 redirect,
 render_template,
 request,
+ session,
 url_for,
 )
 from flask_login import current_user
@@ -87,14 +89,11 @@ def _get_access_token(code, state): # pragma: no cover
 )

 nonce = id_token["nonce"]
- state = request.args.get("state")
-
- if nonce != state:
- current_app.logger.warning(f"{nonce} != {state}")
+ saved_nonce = session.pop("nonce")
+ if nonce != saved_nonce:
+ current_app.logger.error(f"Nonce Error: {nonce} != {saved_nonce}")
 abort(403)

- # redis_client.delete(redis_key)
-
 try:
 access_token = response_json["access_token"]
 except KeyError as e:
@@ -225,11 +224,15 @@ def sign_in(): # pragma: no cover
 current_app.config["DANGEROUS_SALT"],
 )
 url = os.getenv("LOGIN_DOT_GOV_INITIAL_SIGNIN_URL")
- state = request.args.get("state")
+
+ nonce = secrets.token_urlsafe()
+ session["nonce"] = nonce
+
 # handle unit tests
 if url is not None:
- url = url.replace("NONCE", state) # We are getting the state back as the nonce.
+ url = url.replace("NONCE", nonce)
 url = url.replace("STATE", token)
+
 return render_template(
 "views/signin.html",
 again=bool(redirect_url),
From 55f588f13d1dcd45b8515ac926be77804f8c72f5 Mon Sep 17 00:00:00 2001
From: Cliff Hill
Date: Thu, 26 Sep 2024 10:11:46 -0400
Subject: [PATCH 09/11] Updated deploy workflows with new env var.
Signed-off-by: Cliff Hill
---
 .github/workflows/deploy-demo.yml | 2 ++
 .github/workflows/deploy-prod.yml | 2 ++
 .github/workflows/deploy.yml | 2 ++
 3 files changed, 6 insertions(+)
diff --git a/.github/workflows/deploy-demo.yml b/.github/workflows/deploy-demo.yml
index 89adc1f29..227c8f21c 100644
--- a/.github/workflows/deploy-demo.yml
+++ b/.github/workflows/deploy-demo.yml
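Review bot: `session.pop("nonce")` raises `KeyError` when the session holds no nonce (callback reached without a prior page render, or an expired or rotated session cookie), which becomes a 500 instead of the intended 403; use `saved_nonce = session.pop("nonce", None)` so the comparison below rejects it cleanly. Plain `!=` is acceptable here because the id_token is signature-verified first, but `hmac.compare_digest(nonce, saved_nonce)` is the conventional form for comparing secret values and costs nothing. The error line prints both nonce values; the mismatch itself is the useful signal, so `current_app.logger.error("Nonce Error: id_token nonce did not match session nonce")` keeps session material out of logs. `_get_access_token` begins before this hunk.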
@@ -63,6 +63,7 @@ jobs:
 LOGIN_DOT_GOV_BASE_LOGOUT_URL: "https://secure.login.gov/openid_connect/logout?"
 LOGIN_DOT_GOV_SIGNOUT_REDIRECT: "https://notify-demo.app.cloud.gov/sign-out"
 LOGIN_DOT_GOV_INITIAL_SIGNIN_URL: "https://secure.login.gov/openid_connect/authorize?acr_values=http%3A%2F%2Fidmanagement.gov%2Fns%2Fassurance%2Fial%2F1&client_id=urn:gov:gsa:openidconnect.profiles:sp:sso:gsa:notify-gov&nonce=NONCE&prompt=select_account&redirect_uri=https://notify-demo.app.cloud.gov/sign-in&response_type=code&scope=openid+email&state=STATE"
+ LOGIN_DOT_GOV_CERTS_URL: "https://secure.login.gov/api/openid_connect/certs"
 with:
 cf_username: ${{ secrets.CLOUDGOV_USERNAME }}
 cf_password: ${{ secrets.CLOUDGOV_PASSWORD }}
@@ -85,6 +86,7 @@ jobs:
 --var LOGIN_DOT_GOV_BASE_LOGOUT_URL="$LOGIN_DOT_GOV_BASE_LOGOUT_URL"
 --var LOGIN_DOT_GOV_SIGNOUT_REDIRECT="$LOGIN_DOT_GOV_SIGNOUT_REDIRECT"
 --var LOGIN_DOT_GOV_INITIAL_SIGNIN_URL="$LOGIN_DOT_GOV_INITIAL_SIGNIN_URL"
+ --var LOGIN_DOT_GOV_CERTS_URL="$LOGIN_DOT_GOV_CERTS_URL"

 - name: Check for changes to egress config
 id: changed-egress-config
diff --git a/.github/workflows/deploy-prod.yml b/.github/workflows/deploy-prod.yml
index 262079be8..b4754a101 100644
--- a/.github/workflows/deploy-prod.yml
+++ b/.github/workflows/deploy-prod.yml
@@ -63,6 +63,7 @@ jobs:
 LOGIN_DOT_GOV_BASE_LOGOUT_URL: "https://secure.login.gov/openid_connect/logout?"
 LOGIN_DOT_GOV_SIGNOUT_REDIRECT: "https://beta.notify.gov/sign-out"
 LOGIN_DOT_GOV_INITIAL_SIGNIN_URL: "https://secure.login.gov/openid_connect/authorize?acr_values=http%3A%2F%2Fidmanagement.gov%2Fns%2Fassurance%2Fial%2F1&client_id=urn:gov:gsa:openidconnect.profiles:sp:sso:gsa:notify-gov&nonce=NONCE&prompt=select_account&redirect_uri=https://beta.notify.gov/sign-in&response_type=code&scope=openid+email&state=STATE"
+ LOGIN_DOT_GOV_CERTS_URL: "https://secure.login.gov/api/openid_connect/certs"
 with:
 cf_username: ${{ secrets.CLOUDGOV_USERNAME }}
 cf_password: ${{ secrets.CLOUDGOV_PASSWORD }}
@@ -85,6 +86,7 @@ jobs:
 --var LOGIN_DOT_GOV_BASE_LOGOUT_URL="$LOGIN_DOT_GOV_BASE_LOGOUT_URL"
 --var LOGIN_DOT_GOV_SIGNOUT_REDIRECT="$LOGIN_DOT_GOV_SIGNOUT_REDIRECT"
 --var LOGIN_DOT_GOV_INITIAL_SIGNIN_URL="$LOGIN_DOT_GOV_INITIAL_SIGNIN_URL"
+ --var LOGIN_DOT_GOV_CERTS_URL="$LOGIN_DOT_GOV_CERTS_URL"

 - name: Check for changes to egress config
 id: changed-egress-config
diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
index 8cf33babc..cf7bccb59 100644
--- a/.github/workflows/deploy.yml
+++ b/.github/workflows/deploy.yml
@@ -69,6 +69,7 @@ jobs:
 LOGIN_DOT_GOV_BASE_LOGOUT_URL: "https://secure.login.gov/openid_connect/logout?"
 LOGIN_DOT_GOV_SIGNOUT_REDIRECT: "https://notify-staging.app.cloud.gov/sign-out"
 LOGIN_DOT_GOV_INITIAL_SIGNIN_URL: "https://secure.login.gov/openid_connect/authorize?acr_values=http%3A%2F%2Fidmanagement.gov%2Fns%2Fassurance%2Fial%2F1&client_id=urn:gov:gsa:openidconnect.profiles:sp:sso:gsa:notify-gov&nonce=NONCE&prompt=select_account&redirect_uri=https://notify-staging.app.cloud.gov/sign-in&response_type=code&scope=openid+email&state=STATEE"
+ LOGIN_DOT_GOV_CERTS_URL: "https://secure.login.gov/api/openid_connect/certs"
 with:
 cf_username: ${{ secrets.CLOUDGOV_USERNAME }}
 cf_password: ${{ secrets.CLOUDGOV_PASSWORD }}
@@ -91,6 +92,7 @@ jobs:
 --var LOGIN_DOT_GOV_BASE_LOGOUT_URL="$LOGIN_DOT_GOV_BASE_LOGOUT_URL"
 --var LOGIN_DOT_GOV_SIGNOUT_REDIRECT="$LOGIN_DOT_GOV_SIGNOUT_REDIRECT"
 --var LOGIN_DOT_GOV_INITIAL_SIGNIN_URL="$LOGIN_DOT_GOV_INITIAL_SIGNIN_URL"
+ --var LOGIN_DOT_GOV_CERTS_URL="$LOGIN_DOT_GOV_CERTS_URL"

 - name: Check for changes to egress config
From 63747515db8e702f15023ff3352476560a0e7cde Mon Sep 17 00:00:00 2001
From: Cliff Hill
Date: Thu, 26 Sep 2024 10:16:57 -0400
Subject: [PATCH 10/11] Updated the sample.env with new var.
Signed-off-by: Cliff Hill
---
 sample.env | 1 +
 1 file changed, 1 insertion(+)
diff --git a/sample.env b/sample.env
index 54a64cdb1..97f10dcd9 100644
--- a/sample.env
+++ b/sample.env
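Review bot: The `LOGIN_DOT_GOV_INITIAL_SIGNIN_URL` context line in deploy.yml ends in `state=STATEE`, whereas deploy-demo.yml and deploy-prod.yml use `state=STATE`; `url.replace("STATE", token)` in the app leaves the trailing `E` on the state sent to login.gov for staging, so the echoed value differs from the generated token and, if the callback compares them, staging logins will not match. The commit does not touch that line, but since it adds `LOGIN_DOT_GOV_CERTS_URL` to the same env block this is the natural place to correct it to `state=STATE`.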
@@ -43,3 +43,4 @@ LOGIN_DOT_GOV_LOGOUT_URL="https://idp.int.identitysandbox.gov/openid_connect/log
 LOGIN_DOT_GOV_BASE_LOGOUT_URL="https://idp.int.identitysandbox.gov/openid_connect/logout?"
 LOGIN_DOT_GOV_SIGNOUT_REDIRECT="http://localhost:6012/sign-out"
 LOGIN_DOT_GOV_INITIAL_SIGNIN_URL="https://idp.int.identitysandbox.gov/openid_connect/authorize?acr_values=http%3A%2F%2Fidmanagement.gov%2Fns%2Fassurance%2Fial%2F1&client_id=urn:gov:gsa:openidconnect.profiles:sp:sso:gsa:test_notify_gov&nonce=NONCE&prompt=select_account&redirect_uri=http://localhost:6012/sign-in&response_type=code&scope=openid+email&state=STATE"
+LOGIN_DOT_GOV_CERTS_URL = "https://idp.int.identitysandbox.gov/api/openid_connect/certs"
From a5e72ea4eb072ef22895ea46dc221422ad85a672 Mon Sep 17 00:00:00 2001
From: Cliff Hill
Date: Thu, 26 Sep 2024 12:46:07 -0400
Subject: [PATCH 11/11] manifest.yml changed.
Signed-off-by: Cliff Hill
---
 manifest.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/manifest.yml b/manifest.yml
index 2c716ab11..b076b3b47 100644
--- a/manifest.yml
+++ b/manifest.yml
@@ -59,3 +59,4 @@ applications:
 LOGIN_DOT_GOV_BASE_LOGOUT_URL: ((LOGIN_DOT_GOV_BASE_LOGOUT_URL))
 LOGIN_DOT_GOV_SIGNOUT_REDIRECT: ((LOGIN_DOT_GOV_SIGNOUT_REDIRECT))
 LOGIN_DOT_GOV_INITIAL_SIGNIN_URL: ((LOGIN_DOT_GOV_INITIAL_SIGNIN_URL))
+ LOGIN_DOT_GOV_CERTS_URL: ((LOGIN_DOT_GOV_CERTS_URL))
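Review bot: The added `LOGIN_DOT_GOV_CERTS_URL = "..."` has spaces around `=`, unlike every other line in sample.env; a shell that `source`s the file treats that as a command, and not every dotenv loader strips the spaces, so write it as `LOGIN_DOT_GOV_CERTS_URL="https://idp.int.identitysandbox.gov/api/openid_connect/certs"`. The value is an unauthenticated public endpoint, so keeping it in the sample file is fine.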