Skip to content
Snippets Groups Projects
Commit 6e7e3ef5 authored by John Franklin's avatar John Franklin
Browse files

Fix PHPCS issues in schema and README.md

parent 755e9697
No related branches found
No related tags found
No related merge requests found
Hide whitespace changes
Inline Side-by-side
README.md
+ 39
37
View file @ 6e7e3ef5
# Login.gov & Drupal # Login.gov & Drupal
The login_gov module proivdes a plugin for The login_gov module proivdes a plugin for
[Open ID Connect](https://drupal.org/project/openid_connect) that integrates [Open ID Connect](https://drupal.org/project/openid_connect) that integrates
with the GSA's Login.gov Identity Provider service to provide single sign-on with the GSA's Login.gov Identity Provider service to provide single sign-on
(SSO) service to a Drupal website. (SSO) service to a Drupal website.
# Setting Up # Setting Up
For the sake of clarity, this README will refer to the module using the module's For the sake of clarity, this README will refer to the module using the module's
machine name "login_gov" and the GSA's service as "Login.gov". machine name "login_gov" and the GSA's service as "Login.gov".
Before starting, you'll need to set up an account in Login.gov's Before starting, you'll need to set up an account in Login.gov's
[Identty Sandbox](https://dashboard.int.identitysandbox.gov/). Anyone with an [Identty Sandbox](https://dashboard.int.identitysandbox.gov/). Anyone with an
active email ending in .gov or .mil can set up a sandbox account and test the active email ending in .gov or .mil can set up a sandbox account and test the
integration with Login.gov. Before you can go live with your application, the integration with Login.gov. Before you can go live with your application, the
agency will need to set up an IAA with Login.gov naming your site. See agency will need to set up an IAA with Login.gov naming your site. See
[Getting started with Login.gov](https://login.gov/partners/get-started/) for [Getting started with Login.gov](https://login.gov/partners/get-started/) for
more details. more details.
Many agencies set up a proxy identity provider (IdP) with names like Many agencies set up a proxy identity provider (IdP) with names like
sso.agency.gov or login.agency.gov so their IAA has only one named site, the sso.agency.gov or login.agency.gov so their IAA has only one named site, the
proxy IdP. The proxy often routes agency users to their internal PIV solution proxy IdP. The proxy often routes agency users to their internal PIV solution
and non-agency users to Login.gov. In these cases, your site will use their and non-agency users to Login.gov. In these cases, your site will use their
SAML or OpenID connector setup instead of this module. Check with your project's SAML or OpenID connector setup instead of this module. Check with your project's
COR or ISSO for guidance. COR or ISSO for guidance.
## Patches ## Patches
The module needs a patch to the 3.x version of OpenID Connect from The module needs a patch to the 3.x version of OpenID Connect from
[issue #3342661.](https://www.drupal.org/project/openid_connect/issues/3342661#comment-14927801) [issue #3342661.](https://www.drupal.org/project/openid_connect/issues/3342661#comment-14927801)
Adding the following to the "patches" section of `composer.json` will apply it: Adding the following to the "patches" section of `composer.json` will apply it:
```json ```json
"drupal/openid_connect": { "drupal/openid_connect": {
"d.o #3342661: Allow plugins to override the getUrlOptions() method": "https://www.drupal.org/files/issues/2023-02-17/openid_connect.url_options_alter.3342661-2.patch" "d.o #3342661: Allow plugins to override the getUrlOptions() method":
"https://www.drupal.org/files/issues/2023-02-17/openid_connect.url_options_alter.3342661-2.patch"
} }
``` ```
## Public/Private Keys ## Public/Private Keys
The login_gov module requires a private key to sign the JWT payloads sent to the The login_gov module requires a private key to sign the JWT payloads sent to the
Login.gov servers and a public cert that is uploaded to the application profile Login.gov servers and a public cert that is uploaded to the application profile
on Login.gov. Check out developers.login.gov for more details about on Login.gov. Check out developers.login.gov for more details about
[Setting up a Sandbox Account](https://developers.login.gov/oidc/getting-started/#set-up-a-sandbox-account). [Setting up a Sandbox Account](https://developers.login.gov/oidc/getting-started/#set-up-a-sandbox-account).
As noted in the "Setting up a Sandbox Account" linked above, you'll need to As noted in the "Setting up a Sandbox Account" linked above, you'll need to
create a new private key and public key/cert. The following OpenSSL command is create a new private key and public key/cert. The following OpenSSL command is
a quick way to create a 2048-bit RSA self-signed key pair valid for one year. a quick way to create a 2048-bit RSA self-signed key pair valid for one year.
```shell ```shell
openssl req -nodes -x509 -days 365 -newkey rsa:2048 -keyout private.pem -out public.crt openssl req -nodes -x509 -days 365 -newkey rsa:2048 \
-keyout private.pem -out public.crt
``` ```
Because you're uploading the public key directly to Login.gov, there is no need Because you're uploading the public key directly to Login.gov, there is no need
to get an SSL cert signed by a third-party provider. The cert will be linked to to get an SSL cert signed by a third-party provider. The cert will be linked to
your site and only your site. As with any SSL cert, keeping the private key your site and only your site. As with any SSL cert, keeping the private key
secure is critical to maintaining the security of your site. secure is critical to maintaining the security of your site.
## Installing the Private Key ## Installing the Private Key
The login_gov module uses the [Key](https://drupal.org/project/key) and the The login_gov module uses the [Key](https://drupal.org/project/key) and the
[Key Asymmetric](https://drupal.org/project/key_asymmetric) modules to manage [Key Asymmetric](https://drupal.org/project/key_asymmetric) modules to manage
the private key. the private key.
After installing, go to `admin/config/system/keys` , click "+ Add Key", give it After installing, go to `admin/config/system/keys` , click "+ Add Key", give it
a name, and use the Key Type "Private key". Under "Provider settings", choose a name, and use the Key Type "Private key". Under "Provider settings", choose
how you will deploy the private key in your environments. Discuss with your how you will deploy the private key in your environments. Discuss with your
hosting provider, ops team and/or security team how to deploy it best. hosting provider, ops team and/or security team how to deploy it best.
* Using "Configuration" stores it in the Drupal database and would be exported * Using "Configuration" stores it in the Drupal database and would be exported
by `drush cex`, which risks the private secret finding its way to your project's by `drush cex`, which risks the private secret finding its way to your project's
git repository. git repository.
...@@ -76,7 +78,7 @@ git repository. ...@@ -76,7 +78,7 @@ git repository.
to upload it outside of the "docroot". to upload it outside of the "docroot".
* Using "Environment" means the site will read it out of the web server's or PHP * Using "Environment" means the site will read it out of the web server's or PHP
container's environment variables. Depending on your hosting provider, this is container's environment variables. Depending on your hosting provider, this is
often uploaded through the hosting provider's management portal. often uploaded through the hosting provider's management portal.
## Setting up the Client ## Setting up the Client
...@@ -89,7 +91,7 @@ Connect config section: `admin/config/people/openid-connect`. ...@@ -89,7 +91,7 @@ Connect config section: `admin/config/people/openid-connect`.
* Client ID - This value is provided by Login.gov. In your application's config * Client ID - This value is provided by Login.gov. In your application's config
page, they called it "Issuer." page, they called it "Issuer."
* Sandbox Mode - Check this if you're running in a Login.gov developer sandbox * Sandbox Mode - Check this if you're running in a Login.gov developer sandbox
and uncheck it for a production application. and uncheck it for a production application.
* Authentication Assurance Level - Check all that your application will accept. * Authentication Assurance Level - Check all that your application will accept.
...@@ -99,8 +101,8 @@ and what fields are available to your site. More details are on the ...@@ -99,8 +101,8 @@ and what fields are available to your site. More details are on the
documentation. documentation.
* Verified Within - How recently should someone have verified or reverified * Verified Within - How recently should someone have verified or reverified
their identiy with Login.gov. See the their identiy with Login.gov. See the
[OpenID Authorization](https://developers.login.gov/oidc/authorization/) section [OpenID Authorization](https://developers.login.gov/oidc/authorization/) section
on developers.login.gov for more details. on developers.login.gov for more details.
* User Fields - what fields to request from Login.gov. The users will be told * User Fields - what fields to request from Login.gov. The users will be told
...@@ -109,19 +111,19 @@ your site changes what is requested. ...@@ -109,19 +111,19 @@ your site changes what is requested.
* Force Reauthorization - If a user has already authenticated to Login.gov, they * Force Reauthorization - If a user has already authenticated to Login.gov, they
will not need to re-authenticate when they try to log into your site. Enabling will not need to re-authenticate when they try to log into your site. Enabling
this feature will require them to re-authenticate every time. **NOTE: Enabling this feature will require them to re-authenticate every time. **NOTE: Enabling
this requires permission from Login.gov.** this requires permission from Login.gov.**
* Key from Key - Choose the key you set up during "Installing the Private Key" * Key from Key - Choose the key you set up during "Installing the Private Key"
above. above.
* Redirect URL - Login.gov will only accept requests with the redirect URL set * Redirect URL - Login.gov will only accept requests with the redirect URL set
to a known value. In your application's settings on Login.gov, there is a field to a known value. In your application's settings on Login.gov, there is a field
to note all the valid URLs. Ensure this URL is in the list of known valid to note all the valid URLs. Ensure this URL is in the list of known valid
Rediect URLs. Rediect URLs.
# Disclaimers # Disclaimers
This module was written by [John Franklin](https://www.drupal.org/user/683430) This module was written by [John Franklin](https://www.drupal.org/user/683430)
at Bixal Solutions and is not maintained nor affiliated with GSA, the Login.gov at Bixal Solutions and is not maintained nor affiliated with GSA, the Login.gov
service, nor any federal agency. service, nor any federal agency.
\ No newline at end of file
config/schema/login_gov.schema.yml
+ 0
1
View file @ 6e7e3ef5
...@@ -33,4 +33,3 @@ openid_connect.client.plugin.login_gov: ...@@ -33,4 +33,3 @@ openid_connect.client.plugin.login_gov:
key_private_key: key_private_key:
type: string type: string
label: 'Key ID from Key Module' label: 'Key ID from Key Module'
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment