waiverdb: Fix redirect_uri for new flask-oidc versions

For details, see the changelog for flask-oidc: https://github.com/fedora-infra/flask-oidc/blob/develop/docs/changelog.md The entry for 2.0.0 says: > The callback route (aka "redirect URL") is not configurable with > `OIDC_CALLBACK_ROUTE` anymore. It is always `/authorize`, The option `OIDC_CALLBACK_ROUTE` is available again in version 2.0.3, but we can override the whole redirect URL with `OIDC_OVERWRITE_REDIRECT_URI` (since 2.1.0).
2023-11-14 13:52:06 +01:00 · 2023-11-14 13:52:06 +01:00 · 672074fc4a
commit 672074fc4a
parent a7318cbc27
3 changed files with 5 additions and 1 deletions
--- a/inventory/group_vars/waiverdb
+++ b/inventory/group_vars/waiverdb
@ -7,3 +7,6 @@ fedmsg_certs:
      - logger.log
      - waiverdb.waiver.new
    service: waiverdb
+
+waiverdb_oidc_overwrite_redirect_uri:
+  https://waiverdb{{ env_suffix }}.fedoraproject.org/oidc_callback
--- a/roles/openshift-apps/waiverdb/templates/secret.yml
+++ b/roles/openshift-apps/waiverdb/templates/secret.yml
@ -15,7 +15,7 @@ stringData:
  client_secrets.json: |-
    {"web": {
      "issuer": "https://id{{ env_suffix }}.fedoraproject.org/openidc/",
-      "redirect_uris": ["https://waiverdb{{ env_suffix }}.fedoraproject.org/oidc_callback"],
+      "redirect_uris": ["{{ waiverdb_oidc_overwrite_redirect_uri }}"],
      "token_uri": "https://id{{ env_suffix }}.fedoraproject.org/openidc/Token",
      "auth_uri": "https://id{{ env_suffix }}.fedoraproject.org/openidc/Authorization",
 {% if env == 'staging' %}
--- a/roles/openshift-apps/waiverdb/templates/settings.py
+++ b/roles/openshift-apps/waiverdb/templates/settings.py
@ -15,6 +15,7 @@ MESSAGE_BUS_PUBLISH = True
 AUTH_METHOD = 'OIDC'
 OIDC_CLIENT_SECRETS = '/etc/secret/client_secrets.json'
 OIDC_USERNAME_FIELD = 'sub'
+OIDC_OVERWRITE_REDIRECT_URI = '{{ waiverdb_oidc_overwrite_redirect_uri }}'
 PREFERRED_URL_SCHEME='https'
 SUPERUSERS = ['bodhi@service']
 PORT = 8080