Fix OIDC Loop and seed rauthy dev setup closes #510 #513

Merged
moritz merged 3 commits from rauthy_setup into main 2026-06-01 20:39:07 +02:00
Owner

Description of the implemented changes

The changes were:

  • [x] Bugfixing
  • [x] New Feature
  • [ ] Breaking Change
  • [ ] Refactoring

Automate the local Rauthy dev setup so the mv OIDC client is recreated automatically after docker compose down -v or on a fresh machine, and fix two real bugs in the OIDC logout flow: the user was getting silently re-logged-in after clicking Logout (no RP-initiated logout at the IdP), and the sign-out confirmation page failed several WCAG checks (missing landmarks, missing h1, unreadable button due to a missing Tailwind class).

What has been changed?

  • Rauthy bootstrap: new rauthy-bootstrap/clients.json defines the mv client with a fixed dev secret; docker-compose.yml mounts
    it at /app/bootstrap and sets BOOTSTRAP_DIR. The same secret is preset in .env.example as OIDC_CLIENT_SECRET. Bootstrap re-runs
    whenever the Rauthy DB is empty (after volume wipe / fresh setup).
  • README: replaced the 6-step manual Rauthy client setup with a short note explaining the auto-seed behavior.
  • RP-initiated logout: new Mv.Oidc.Discovery module fetches .well-known/openid-configuration once per base URL and caches end_session_endpoint in :persistent_term. AuthController.sign_out/2 now redirects to that endpoint after clearing the local session, so
    the IdP (Authentik / Rauthy) clears its own session and shows its native logout-confirmation UI. Falls back to /sign-in?oidc_failed=1
    if discovery fails, and to the existing return_to redirect when OIDC is not configured.
  • Accessible sign-out page: new MvWeb.SignOutLive replaces AshAuthentication.Phoenix.SignOutLive. Uses Layouts.public_page (which provides the <main> landmark), renders a proper <h1>, and uses DaisyUI's btn btn-primary for the submit button (the library
    default referenced bg-blue-500 which is not in the project's compiled Tailwind output, producing white text on near-white background).
  • i18n: new German translations for "Sign out" → "Abmelden" and "Are you sure you want to sign out?" → "Möchtest du dich wirklich abmelden?".
  • Tests: three new controller tests cover the sign-out branches (discovery success / discovery failure / missing endpoint field).

Definition of Done

Code Quality

  • [x] No new technical debt
  • [x] Linting passed
  • [x] Documentation is added where needed

Accessibility

  • [x] New elements are properly defined with HTML tags
  • [x] Colour contrast follows WCAG criteria
  • [x] Aria labels are added when needed
  • [x] Everything is accessible by keyboard
  • [x] Tab order is comprehensible
  • [x] All interactive elements have a visible focus

Testing

  • [x] Tests for new code are written
  • [x] All tests pass
  • [x] axe-core dev tools show no critical or major issues

Additional Notes

  • Production rollout note: the IdP needs to expose end_session_endpoint via its OIDC discovery document. Authentik and Rauthy both
    do this by default — no extra config on either side is required (specifically no post_logout_redirect_uri needs to be registered, because we deliberately don't pass one; the IdP shows its own logout-confirmation UI instead).
  • Dev secret: the Rauthy bootstrap secret in rauthy-bootstrap/clients.json is intentionally a static, obviously-non-production string. It is only valid against the local dev Rauthy and must never be reused in any other environment.
  • First-time dev migration: existing developers need to run docker compose down -v && just run once so Rauthy re-seeds the mv client (the OIDC_CLIENT_SECRET they currently have in .env won't match anymore).
  • The "sign-out confirmation page exists in dev but not in our Authentik test deployment" inconsistency turned out to be a library-version mismatch — AshAuthentication.Phoenix.SignOutLive was only added in ash_authentication_phoenix 2.16. Once the test deployment is updated, the behavior unifies.
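The discovery lookup and the three sign-out branches the description refers to (discovery success, discovery failure, missing end_session_endpoint field, plus the return_to path when OIDC is off), as an added stand-alone example that is not code from this PR or the mv project. The module names Example.OidcDiscovery and Example.SignOut, the injected fetch function and the shape of the oidc_config map are assumptions made for the example; end_session_endpoint, the :persistent_term cache and the fallback paths are taken from the PR description.

```elixir
# Added example, not the PR's code: discovery lookup + sign-out redirect decision.
# Names `Example.OidcDiscovery`, `Example.SignOut`, the injected `fetch`
# function and the `%{base_url: ...}` config shape are assumptions.
defmodule Example.OidcDiscovery do
  @doc """
  Returns the IdP's `end_session_endpoint` for `base_url`, fetching
  `<base_url>/.well-known/openid-configuration` at most once per base URL.
  `fetch` is `(url -> {:ok, decoded_json_map} | {:error, reason})` so the
  real HTTP client can be swapped for an offline stub.
  """
  def end_session_endpoint(base_url, fetch) do
    key = {__MODULE__, :end_session_endpoint, base_url}

    case :persistent_term.get(key, :miss) do
      :miss ->
        result = discover(base_url, fetch)
        # Only successful lookups are cached: a transient IdP outage or a
        # document without the field is retried on the next sign-out.
        if match?({:ok, _}, result), do: :persistent_term.put(key, result)
        result

      cached ->
        cached
    end
  end

  defp discover(base_url, fetch) do
    url = String.trim_trailing(base_url, "/") <> "/.well-known/openid-configuration"

    case fetch.(url) do
      {:ok, %{"end_session_endpoint" => endpoint}} when is_binary(endpoint) ->
        {:ok, endpoint}

      {:ok, doc} when is_map(doc) ->
        # Discovery worked but the IdP does not advertise RP-initiated logout.
        {:error, :no_end_session_endpoint}

      {:error, _reason} ->
        {:error, :discovery_failed}
    end
  end
end

defmodule Example.SignOut do
  @doc """
  Where the browser is sent after the local session has been dropped:
  the IdP's end_session_endpoint when discovery yields one, the sign-in
  page with `oidc_failed=1` when it does not, and `return_to` when OIDC
  is not configured at all (`oidc_config == nil`).
  """
  def redirect_target(nil, return_to, _fetch), do: return_to

  def redirect_target(%{base_url: base_url}, _return_to, fetch) do
    case Example.OidcDiscovery.end_session_endpoint(base_url, fetch) do
      {:ok, endpoint} -> endpoint
      {:error, _} -> "/sign-in?oidc_failed=1"
    end
  end
end

# Constructed stand-ins for the HTTP client (no network needed). Each scenario
# uses its own base URL so the :persistent_term cache does not mix them up.
complete_doc = fn _url ->
  {:ok,
   %{
     "issuer" => "https://idp-a.example",
     "end_session_endpoint" => "https://idp-a.example/oidc/logout"
   }}
end

missing_field = fn _url -> {:ok, %{"issuer" => "https://idp-b.example"}} end
unreachable = fn _url -> {:error, :econnrefused} end

IO.inspect(Example.SignOut.redirect_target(%{base_url: "https://idp-a.example"}, "/", complete_doc),
  label: "discovery success")

IO.inspect(Example.SignOut.redirect_target(%{base_url: "https://idp-b.example"}, "/", missing_field),
  label: "missing endpoint field")

IO.inspect(Example.SignOut.redirect_target(%{base_url: "https://idp-c.example"}, "/", unreachable),
  label: "discovery failure")

IO.inspect(Example.SignOut.redirect_target(nil, "/dashboard", complete_doc),
  label: "oidc not configured")
```

Save as a `.exs` file and run it with `elixir`. Two points worth keeping in mind when wiring a real HTTP client into a lookup like this: the redirect target is taken verbatim from the discovery document, so the fetch has to go to the configured base URL over TLS with certificate verification, otherwise whoever can answer that request controls where every signed-out user is sent; and because the value lives in :persistent_term, changing the IdP base URL at runtime does not refresh it, which is the trade-off for never hitting discovery twice.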
moritz added 3 commits 2026-06-01 20:21:33 +02:00
moritz changed title from Fix OIDC Loop and seed rauthy dev setup to Fix OIDC Loop and seed rauthy dev setup closes #510 2026-06-01 20:38:58 +02:00
moritz merged commit 35b884e6e1 into main 2026-06-01 20:39:07 +02:00
moritz deleted branch rauthy_setup 2026-06-01 20:39:08 +02:00