getodk · matthew-white · Sep 1, 2023 · Aug 9, 2023 · Aug 9, 2023 · Aug 10, 2023
diff --git a/.env.template b/.env.template
@@ -29,6 +29,12 @@ HTTPS_PORT=443
 # EMAIL_USER=
 # EMAIL_PASSWORD=
 
+# Optional: configure Single Sign-on with OpenID Connect
+# OIDC_ENABLED=
+# OIDC_DISCOVERY_URL=
+# OIDC_CLIENT_ID=
+# OIDC_CLIENT_SECRET=
+
 # Optional: configure error reporting
 # SENTRY_ORG_SUBDOMAIN=
 # SENTRY_KEY=

diff --git a/docker-compose.yml b/docker-compose.yml
@@ -64,6 +64,10 @@ services:
       - EMAIL_IGNORE_TLS=${EMAIL_IGNORE_TLS:-true}
       - EMAIL_USER=${EMAIL_USER:-''}
       - EMAIL_PASSWORD=${EMAIL_PASSWORD:-''}
+      - OIDC_ENABLED=${OIDC_ENABLED:-false}
+      - OIDC_DISCOVERY_URL=${OIDC_DISCOVERY_URL:-''}
+      - OIDC_CLIENT_ID=${OIDC_CLIENT_ID:-''}
+      - OIDC_CLIENT_SECRET=${OIDC_CLIENT_SECRET:-''}
       - SENTRY_ORG_SUBDOMAIN=${SENTRY_ORG_SUBDOMAIN:-o130137}
       - SENTRY_KEY=${SENTRY_KEY:-3cf75f54983e473da6bd07daddf0d2ee}
       - SENTRY_PROJECT=${SENTRY_PROJECT:-1298632}
@@ -74,6 +78,8 @@ services:
   nginx:
     build:
       context: .
+      args:
+        - OIDC_ENABLED=${OIDC_ENABLED:-false}
       dockerfile: nginx.dockerfile
     depends_on:
       - service

diff --git a/files/prebuild/build-frontend.sh b/files/prebuild/build-frontend.sh
@@ -1,4 +1,4 @@
 #!/bin/bash -eu
 cd client
 npm clean-install --no-audit --fund=false --update-notifier=false
-npm run build
+VUE_APP_OIDC_ENABLED="$OIDC_ENABLED" npm run build
diff --git a/files/service/config.json.template b/files/service/config.json.template
@@ -33,6 +33,12 @@
       "domain": "${BASE_URL}",
       "sysadminAccount": "${SYSADMIN_EMAIL}"
     },
+    "oidc": {
+      "enabled": ${OIDC_ENABLED},
+      "discoveryUrl": "${OIDC_DISCOVERY_URL}",
+      "clientId": "${OIDC_CLIENT_ID}",
+      "clientSecret": "${OIDC_CLIENT_SECRET}"
+    },
     "external": {
       "sentry": {
         "orgSubdomain": "${SENTRY_ORG_SUBDOMAIN}",

diff --git a/files/service/scripts/start-odk.sh b/files/service/scripts/start-odk.sh
@@ -4,7 +4,7 @@ echo "generating local service configuration.."
 
 ENKETO_API_KEY=$(cat /etc/secrets/enketo-api-key) \
 BASE_URL=$( [ "${HTTPS_PORT}" = 443 ] && echo https://"${DOMAIN}" || echo https://"${DOMAIN}":"${HTTPS_PORT}" ) \
-envsubst '$DOMAIN $BASE_URL $SYSADMIN_EMAIL $ENKETO_API_KEY $DB_HOST $DB_USER $DB_PASSWORD $DB_NAME $DB_SSL $EMAIL_FROM $EMAIL_HOST $EMAIL_PORT $EMAIL_SECURE $EMAIL_IGNORE_TLS $EMAIL_USER $EMAIL_PASSWORD $SENTRY_ORG_SUBDOMAIN $SENTRY_KEY $SENTRY_PROJECT' \
+envsubst '$DOMAIN $BASE_URL $SYSADMIN_EMAIL $ENKETO_API_KEY $DB_HOST $DB_USER $DB_PASSWORD $DB_NAME $DB_SSL $EMAIL_FROM $EMAIL_HOST $EMAIL_PORT $EMAIL_SECURE $EMAIL_IGNORE_TLS $EMAIL_USER $EMAIL_PASSWORD $OIDC_ENABLED $OIDC_DISCOVERY_URL $OIDC_CLIENT_ID $OIDC_CLIENT_SECRET $SENTRY_ORG_SUBDOMAIN $SENTRY_KEY $SENTRY_PROJECT' \
     < /usr/share/odk/config.json.template \
     > /usr/odk/config/local.json
 

diff --git a/nginx.dockerfile b/nginx.dockerfile
@@ -1,8 +1,9 @@
+ARG OIDC_ENABLED
 FROM node:18.17 as intermediate
 
 COPY ./ ./
 RUN files/prebuild/write-version.sh
-RUN files/prebuild/build-frontend.sh
+RUN OIDC_ENABLED="$OIDC_ENABLED" files/prebuild/build-frontend.sh
 
 # when upgrading, look for upstream changes to redirector.conf
 # also, confirm setup-odk.sh strips out HTTP-01 ACME challenge location