- Oct 31, 2024
Dr Adam Thorn authored
Dr Adam Thorn authored
Looks like left over test code. See also efea1659 which sets the tenant ID to the Uni tenancy by default on installation.
Dr Adam Thorn authored
Dr Adam Thorn authored
Dr Adam Thorn authored
- Oct 21, 2024
Dr Adam Thorn authored
This is flagged as a security risk, but that's very much dependent upon the site config. We trust that if Entra claims a user has an email address of user@cam.ac.uk, then this is unquestionably true. (The warnings all concern cases where you can't necessarily trust this attribute.) The use cases I have for doing this include:
- being able to proactively set node ownership when doing a site import (we need user accounts to exist if they are to own content)
- for content like staff pages we make use of the "can edit own content" permission. Although in principle we could implement a custom permission check (e.g. compare field_person_crsid to $current_user->getUsername()), that feels like a bad strategy.
- Jul 23, 2024
Dr Adam Thorn authored
Dr Adam Thorn authored
Dr Adam Thorn authored
- Jun 26, 2024
Dr Adam Thorn authored
We need to use the 'initiate' route in openid_connect, and that requires us to sensibly and correctly set the iss query parameter. (..ish, bearing in mind openid_connect only checks the iss hostname rather than the full jwt value)
Dr Adam Thorn authored
Dr Adam Thorn authored
Fix for fdaeaeba
Dr Adam Thorn authored
Dr Adam Thorn authored
Dr Adam Thorn authored
This is to facilitate login via a direct link, per https://www.drupal.org/project/openid_connect/issues/3327273#comment-15158560
Domain was deduced from:
curl -X POST -H "Content-Type: application/x-www-form-urlencoded" -d "grant_type=client_credentials&client_id={client_id}&client_secret={client_secret}&scope=https://graph.microsoft.com/.default" https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token
then taking the returned access_token value and decoding it at https://jwt.ms/
As noted in the code, even though I think we ought to specify the full returned proto://hostname/path for this setting, the openid_connect module parses the value of the iss query parameter and explicitly checks just the hostname, so that's what we set here.
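As an added illustration (not code from this commit or from the openid_connect module), the following Python decodes the payload of a constructed, unsigned token shaped like the access_token returned by the client_credentials request in the commit message, reads its iss claim, and contrasts the hostname-only comparison the message says openid_connect performs with a comparison of the full issuer URL. The issuer URLs and tenant ids are constructed placeholders.

```python
import base64
import json
from urllib.parse import urlparse

def b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding
    padding = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + padding)

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def make_unsigned_jwt(claims: dict) -> str:
    # Constructed sample token with an empty signature segment: nothing here
    # verifies anything, it only mimics the shape of a token pasted into jwt.ms
    header = b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}."

def read_claims(token: str) -> dict:
    # Split header.payload.signature and decode the payload only (no verification)
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    return json.loads(b64url_decode(parts[1]))

def issuer_hostname(iss: str) -> str:
    # The commit says openid_connect compares only the hostname of the iss value
    return urlparse(iss).hostname or ""

def hostname_matches(expected_iss: str, token_iss: str) -> bool:
    return issuer_hostname(expected_iss) == issuer_hostname(token_iss)

def full_issuer_matches(expected_iss: str, token_iss: str) -> bool:
    # Stricter: the whole proto://hostname/path must agree, so an issuer on the
    # same host but with a different tenant path is rejected
    return expected_iss.rstrip("/") == token_iss.rstrip("/")

# Constructed values; the tenant ids are placeholders, not real tenancies
EXPECTED_ISS = "https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/v2.0"
OTHER_TENANT_ISS = "https://login.microsoftonline.com/11111111-1111-1111-1111-111111111111/v2.0"
SAMPLE_TOKEN = make_unsigned_jwt({"iss": EXPECTED_ISS, "aud": "https://graph.microsoft.com"})
OTHER_TENANT_TOKEN = make_unsigned_jwt({"iss": OTHER_TENANT_ISS})

if __name__ == "__main__":
    for tok in (SAMPLE_TOKEN, OTHER_TENANT_TOKEN):
        iss = read_claims(tok)["iss"]
        print(iss, hostname_matches(EXPECTED_ISS, iss), full_issuer_matches(EXPECTED_ISS, iss))
```

Because the hostname-only check accepts both constructed tokens while the full-issuer check accepts only the first, the tenant path in the configured issuer is what distinguishes tenancies on the shared login host.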
- May 30, 2024
Dr Adam Thorn authored
This gets used as e.g. the text that users see on the login button. For that context, the fact the underlying authentication provider is Entra is neither useful nor helpful.
- May 15, 2024
Dr Adam Thorn authored
was missing the final "-" separator between groups
Dr Adam Thorn authored
Dr Adam Thorn authored
We set the initial plugin status to disabled when installing the module because it needs to have the client details configured first.
- May 14, 2024
Dr Adam Thorn authored
Dr Adam Thorn authored
Dr Adam Thorn authored
Secrets can include chars that are possibly awkward to handle if used literally in shell commands, so making PHP read file contents seems safer - and allows for improved error handling.
- May 10, 2024
Dr Adam Thorn authored
Dr Adam Thorn authored
Dr Adam Thorn authored
This ensures that regular users can log in via Entra and have Drupal accounts silently auto-created.
Dr Adam Thorn authored
Dr Adam Thorn authored
Dr Adam Thorn authored
Dr Adam Thorn authored
Dr Adam Thorn authored
- May 09, 2024
Dr Adam Thorn authored
Dr Adam Thorn authored
Dr Adam Thorn authored
Dr Adam Thorn authored