Merge pull request #1245 from cisagov/nmb/login-production

Configure a Login.gov production OIDC provider
cisagov · Nov 1, 2023 · d6eccc8 · d6eccc8
2 parents 0a6c7ac + d57e48a
commit d6eccc8
Show file tree

Hide file tree

Showing 3 changed files with 29 additions and 7 deletions.
diff --git a/ops/manifests/manifest-stable.yaml b/ops/manifests/manifest-stable.yaml
@@ -4,7 +4,7 @@ applications:
   buildpacks:
     - python_buildpack
   path: ../../src
-  instances: 1
+  instances: 2
   memory: 512M
   stack: cflinuxfs4
   timeout: 180
@@ -23,6 +23,8 @@ applications:
     DJANGO_LOG_LEVEL: INFO
     # default public site location
     GETGOV_PUBLIC_SITE_URL: https://beta.get.gov
+    # Which OIDC provider to use
+    OIDC_ACTIVE_PROVIDER: login.gov production
   routes:
     - route: getgov-stable.app.cloud.gov
   services:

diff --git a/ops/manifests/manifest-staging.yaml b/ops/manifests/manifest-staging.yaml
@@ -4,7 +4,7 @@ applications:
   buildpacks:
     - python_buildpack
   path: ../../src
-  instances: 1
+  instances: 2
   memory: 512M
   stack: cflinuxfs4
   timeout: 180

diff --git a/src/registrar/config/settings.py b/src/registrar/config/settings.py
@@ -49,6 +49,7 @@
 env_log_level = env.str("DJANGO_LOG_LEVEL", "DEBUG")
 env_base_url = env.str("DJANGO_BASE_URL")
 env_getgov_public_site_url = env.str("GETGOV_PUBLIC_SITE_URL", "")
+env_oidc_active_provider = env.str("OIDC_ACTIVE_PROVIDER", "identity sandbox")
 
 secret_login_key = b64decode(secret("DJANGO_SECRET_LOGIN_KEY", ""))
 secret_key = secret("DJANGO_SECRET_KEY")
@@ -370,8 +371,7 @@
     # each handler has its choice of format
     "formatters": {
         "verbose": {
-            "format": "[%(asctime)s] %(levelname)s [%(name)s:%(lineno)s] "
-            "%(message)s",
+            "format": "[%(asctime)s] %(levelname)s [%(name)s:%(lineno)s] %(message)s",
             "datefmt": "%d/%b/%Y %H:%M:%S",
         },
         "simple": {
@@ -482,11 +482,12 @@
 
 # which provider to use if multiple are available
 # (code does not currently support user selection)
-OIDC_ACTIVE_PROVIDER = "login.gov"
+# See above for the default value if the env variable is missing
+OIDC_ACTIVE_PROVIDER = env_oidc_active_provider
 
 
 OIDC_PROVIDERS = {
-    "login.gov": {
+    "identity sandbox": {
         "srv_discovery_url": "https://idp.int.identitysandbox.gov",
         "behaviour": {
             # the 'code' workflow requires direct connectivity from us to Login.gov
@@ -502,7 +503,26 @@
             "token_endpoint_auth_method": ["private_key_jwt"],
             "sp_private_key": secret_login_key,
         },
-    }
+    },
+    "login.gov production": {
+        "srv_discovery_url": "https://secure.login.gov",
+        "behaviour": {
+            # the 'code' workflow requires direct connectivity from us to Login.gov
+            "response_type": "code",
+            "scope": ["email", "profile:name", "phone"],
+            "user_info_request": ["email", "first_name", "last_name", "phone"],
+            "acr_value": "http://idmanagement.gov/ns/assurance/ial/2",
+        },
+        "client_registration": {
+            "client_id": (
+                "urn:gov:cisa:openidconnect.profiles:sp:sso:cisa:dotgov_registrar"
+            ),
+            "redirect_uris": [f"{env_base_url}/openid/callback/login/"],
+            "post_logout_redirect_uris": [f"{env_base_url}/openid/callback/logout/"],
+            "token_endpoint_auth_method": ["private_key_jwt"],
+            "sp_private_key": secret_login_key,
+        },
+    },
 }
 
 # endregion