From b05c337efe668ef18c9b3698dd275d58e2b6da63 Mon Sep 17 00:00:00 2001
From: Neil Martinsen-Burrell
Date: Wed, 1 Nov 2023 10:57:28 -0500
Subject: [PATCH] Configure a Login.gov production OIDC provider

---
 ops/manifests/manifest-stable.yaml |  2 ++
 src/registrar/config/settings.py   | 22 ++++++++++++++++++++--
 2 files changed, 22 insertions(+), 2 deletions(-)

diff --git a/ops/manifests/manifest-stable.yaml b/ops/manifests/manifest-stable.yaml
index 6295fa63b..a47652326 100644
--- a/ops/manifests/manifest-stable.yaml
+++ b/ops/manifests/manifest-stable.yaml
@@ -23,6 +23,8 @@ applications:
       DJANGO_LOG_LEVEL: INFO
       # default public site location
       GETGOV_PUBLIC_SITE_URL: https://beta.get.gov
+      # Which OIDC provider to use
+      OIDC_ACTIVE_PROVIDER: login.gov production
     routes:
       - route: getgov-stable.app.cloud.gov
     services:
diff --git a/src/registrar/config/settings.py b/src/registrar/config/settings.py
index 3e5734dcc..fd3642d72 100644
--- a/src/registrar/config/settings.py
+++ b/src/registrar/config/settings.py
@@ -49,6 +49,7 @@ env_debug = env.bool("DJANGO_DEBUG", default=False)
 env_log_level = env.str("DJANGO_LOG_LEVEL", "DEBUG")
 env_base_url = env.str("DJANGO_BASE_URL")
 env_getgov_public_site_url = env.str("GETGOV_PUBLIC_SITE_URL", "")
+env_oidc_active_provider = env.str("OIDC_ACTIVE_PROVIDER", "identity sandbox")
 secret_login_key = b64decode(secret("DJANGO_SECRET_LOGIN_KEY", ""))
 secret_key = secret("DJANGO_SECRET_KEY")
@@ -482,11 +483,12 @@ OIDC_ALLOW_DYNAMIC_OP = False
 # which provider to use if multiple are available
 # (code does not currently support user selection)
-OIDC_ACTIVE_PROVIDER = "login.gov"
+# See above for the default value if the env variable is missing
+OIDC_ACTIVE_PROVIDER = env_oidc_active_provider
 OIDC_PROVIDERS = {
-    "login.gov": {
+    "identity sandbox": {
         "srv_discovery_url": "https://idp.int.identitysandbox.gov",
         "behaviour": {
             # the 'code' workflow requires direct connectivity from us to Login.gov
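Review bot: The value `login.gov production` only works because it is the exact spelling of a dict key in settings.py, and the new comment does not say so; a near miss such as the old name `login.gov` would no longer select any provider. I would make the comment carry that contract: `# Must exactly match a key of OIDC_PROVIDERS in src/registrar/config/settings.py; when unset, settings.py falls back to the Login.gov identity sandbox`. The mapping this key sits in starts before the hunk.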
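Review bot: The new `env_oidc_active_provider` line defaults to `"identity sandbox"` when OIDC_ACTIVE_PROVIDER is unset, so any deployment whose manifest omits the variable silently authenticates users against the Login.gov test IdP instead of failing; the stable manifest in this patch sets it, but the default is the fail-open direction for every other non-debug environment. I would permit the sandbox fallback only under `env_debug` and otherwise read the variable without a default so startup fails loudly, e.g. `env_oidc_active_provider = env.str("OIDC_ACTIVE_PROVIDER", "identity sandbox") if env_debug else env.str("OIDC_ACTIVE_PROVIDER")` (the `env_base_url` line just above already relies on a missing variable raising, presumably django-environ's ImproperlyConfigured). The adjacent context line `secret_login_key = b64decode(secret("DJANGO_SECRET_LOGIN_KEY", ""))` is pre-existing, but note it means a production provider can be selected with an empty signing key; a startup check that the key is non-empty whenever the active provider is not the sandbox would close both gaps together.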
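Review bot: `OIDC_ACTIVE_PROVIDER = env_oidc_active_provider` now takes an arbitrary environment string, but nothing in this hunk checks that it names a key of `OIDC_PROVIDERS`; where a typo surfaces depends on the OIDC library's lookup, which is not visible here, and could be the first login attempt rather than process start. I would add a guard right after the `OIDC_PROVIDERS` dict closes (the dict continues into the next hunk): `if OIDC_ACTIVE_PROVIDER not in OIDC_PROVIDERS:` / `    raise ValueError(f"OIDC_ACTIVE_PROVIDER={OIDC_ACTIVE_PROVIDER!r} is not one of {sorted(OIDC_PROVIDERS)}")`, using Django's `ImproperlyConfigured` instead if the module already imports it. The new comment `# See above for the default value if the env variable is missing` would read better naming the value: `# Defaults to "identity sandbox" when OIDC_ACTIVE_PROVIDER is unset (see env_oidc_active_provider above)`.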
@@ -502,6 +504,22 @@ OIDC_PROVIDERS = {
             "token_endpoint_auth_method": ["private_key_jwt"],
             "sp_private_key": secret_login_key,
         },
+    "login.gov production": {
+        "srv_discovery_url": "https://secure.login.gov",
+        "behaviour": {
+            # the 'code' workflow requires direct connectivity from us to Login.gov
+            "response_type": "code",
+            "scope": ["email", "profile:name", "phone"],
+            "user_info_request": ["email", "first_name", "last_name", "phone"],
+            "acr_value": "http://idmanagement.gov/ns/assurance/ial/2",
+        },
+        "client_registration": {
+            "client_id": "urn:gov:cisa:openidconnect.profiles:sp:sso:cisa:dotgov_registrar",
+            "redirect_uris": [f"{env_base_url}/openid/callback/login/"],
+            "post_logout_redirect_uris": [f"{env_base_url}/openid/callback/logout/"],
+            "token_endpoint_auth_method": ["private_key_jwt"],
+            "sp_private_key": secret_login_key,
+        },
     }
 }
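Review bot: The production entry's `"sp_private_key": secret_login_key` reuses the same key object the `"identity sandbox"` entry uses (visible in the context lines just above), so one `DJANGO_SECRET_LOGIN_KEY` is registered with both the Login.gov test IdP and the production IdP; because `private_key_jwt` client assertions are signed with it, a key that circulates through sandbox and developer environments also authenticates the production service provider, and rotating either registration forces rotating the other. I would read a separate secret next to `secret_login_key` and point the production entry at it, `"sp_private_key": secret_login_key_prod,`, and since `secret(..., "")` defaults the key to empty bytes, fail at startup rather than at the first token exchange when that secret is missing. Whether the `acr` claim in the returned ID token is compared against the requested `http://idmanagement.gov/ns/assurance/ial/2` is not visible in this diff and is worth confirming in the callback code, since the request alone does not prove the assurance level was applied. The `OIDC_PROVIDERS` dict this entry belongs to starts before the hunk.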