Merge pull request #1245 from cisagov/nmb/login-production

Configure a Login.gov production OIDC provider
2025-08-05 01:11:55 +02:00 · 2023-11-01 13:45:22 -05:00 · 2023-11-01 13:45:22 -05:00 · d6eccc8da5
commit d6eccc8da5
parent 0a6c7acd4d d57e48a090
3 changed files with 29 additions and 7 deletions
--- a/ops/manifests/manifest-stable.yaml
+++ b/ops/manifests/manifest-stable.yaml
@ -4,7 +4,7 @@ applications:
  buildpacks:
    - python_buildpack
  path: ../../src
-  instances: 1
+  instances: 2
  memory: 512M
  stack: cflinuxfs4
  timeout: 180
@ -23,6 +23,8 @@ applications:
    DJANGO_LOG_LEVEL: INFO
    # default public site location
    GETGOV_PUBLIC_SITE_URL: https://beta.get.gov
+    # Which OIDC provider to use
+    OIDC_ACTIVE_PROVIDER: login.gov production
  routes:
    - route: getgov-stable.app.cloud.gov
  services:
--- a/ops/manifests/manifest-staging.yaml
+++ b/ops/manifests/manifest-staging.yaml
@ -4,7 +4,7 @@ applications:
  buildpacks:
    - python_buildpack
  path: ../../src
-  instances: 1
+  instances: 2
  memory: 512M
  stack: cflinuxfs4
  timeout: 180
--- a/src/registrar/config/settings.py
+++ b/src/registrar/config/settings.py
@ -49,6 +49,7 @@ env_debug = env.bool("DJANGO_DEBUG", default=False)
 env_log_level = env.str("DJANGO_LOG_LEVEL", "DEBUG")
 env_base_url = env.str("DJANGO_BASE_URL")
 env_getgov_public_site_url = env.str("GETGOV_PUBLIC_SITE_URL", "")
+env_oidc_active_provider = env.str("OIDC_ACTIVE_PROVIDER", "identity sandbox")

 secret_login_key = b64decode(secret("DJANGO_SECRET_LOGIN_KEY", ""))
 secret_key = secret("DJANGO_SECRET_KEY")
@ -370,8 +371,7 @@ LOGGING = {
    # each handler has its choice of format
    "formatters": {
        "verbose": {
-            "format": "[%(asctime)s] %(levelname)s [%(name)s:%(lineno)s] "
-            "%(message)s",
+            "format": "[%(asctime)s] %(levelname)s [%(name)s:%(lineno)s] %(message)s",
            "datefmt": "%d/%b/%Y %H:%M:%S",
        },
        "simple": {
@ -482,11 +482,12 @@ OIDC_ALLOW_DYNAMIC_OP = False

 # which provider to use if multiple are available
 # (code does not currently support user selection)
-OIDC_ACTIVE_PROVIDER = "login.gov"
+# See above for the default value if the env variable is missing
+OIDC_ACTIVE_PROVIDER = env_oidc_active_provider


 OIDC_PROVIDERS = {
-    "login.gov": {
+    "identity sandbox": {
        "srv_discovery_url": "https://idp.int.identitysandbox.gov",
        "behaviour": {
            # the 'code' workflow requires direct connectivity from us to Login.gov
@ -502,7 +503,26 @@ OIDC_PROVIDERS = {
            "token_endpoint_auth_method": ["private_key_jwt"],
            "sp_private_key": secret_login_key,
        },
-    }
+    },
+    "login.gov production": {
+        "srv_discovery_url": "https://secure.login.gov",
+        "behaviour": {
+            # the 'code' workflow requires direct connectivity from us to Login.gov
+            "response_type": "code",
+            "scope": ["email", "profile:name", "phone"],
+            "user_info_request": ["email", "first_name", "last_name", "phone"],
+            "acr_value": "http://idmanagement.gov/ns/assurance/ial/2",
+        },
+        "client_registration": {
+            "client_id": (
+                "urn:gov:cisa:openidconnect.profiles:sp:sso:cisa:dotgov_registrar"
+            ),
+            "redirect_uris": [f"{env_base_url}/openid/callback/login/"],
+            "post_logout_redirect_uris": [f"{env_base_url}/openid/callback/logout/"],
+            "token_endpoint_auth_method": ["private_key_jwt"],
+            "sp_private_key": secret_login_key,
+        },
+    },
 }

 # endregion