Migrate pertinent parts of mozilla-django-oidc into api repo

[lbeaufort]

Business Reason

As a developer, we currently maintain a customized fork of the mozilla OIDC package which can poses maintenance challenges with syncing with upstream changes and managing versions used within the fecfile-web-api repository. In addition, the FECFile Online API only uses a subset of the code in the OIDC fork further complicating maintenance.

Task: To pull the parts of the OIDC code that is used by the FECFile Online API into the fecfile-web-api repository. The migrated code will need to be credited to the original authors and repository. The migrated code should be isolated in its own code space within the fecfile-web-api code base so that it can be easily identified and integrated into the main API application.

Dev notes

https://mozilla-django-oidc.readthedocs.io/en/stable/installation.html?highlight=create_user#changing-how-django-users-are-created

https://mozilla-django-oidc.readthedocs.io/en/stable/installation.html#connecting-oidc-user-identities-to-django-users

• Please update the cryptography version in the api requirements.txt. The current value had to match the version in the Mozilla package to avoid conflicts.

Deploy notes:

On deploy to each environment, in the login dot gov dashboard edit the following “redirect URIs” and change /api/v1/auth/logout-redirect to /api/v1/oidc/logout-redirect and /oidc/callback/ to /api/v1/oidc/callback (note the trailing slash removal)

• DEV
• [] STAGE
• [] PROD

QA Notes

Ticket passes if users are able to log into DEV using Login.gov

DEV Notes

null

Design

null

See full ticket and images here: FECFILE-1396

[lbeaufort]

Since we're overriding the OIDC_USERNAME_ALGO with a plain username creation function

fecfile-web-api/django-backend/fecfiler/settings/base.py

Line 188 in a0f7d8f

OIDC_USERNAME_ALGO = "fecfiler.authentication.views.generate_username"

, we don't need to override creation but we need a plan for updating email when it changes - keep it in the fork?

[lbeaufort]

I've got a PR in progress for simplifying the Mozilla repo, I got a bit stuck on how generic to keep it. If the use case is only a django/login.gov I might pull out PKCE since that's only recommended for mobile apps. WIP PR: fecgov/mozilla-django-oidc#9

[exalate-issue-sync]

Aurelia Khorsand commented: Combined with [https://fecgov.atlassian.net/browse/FECFILE-161|https://fecgov.atlassian.net/browse/FECFILE-161|smart-link] (#892). Text from other ticket as follows:

We need to be able to redeploy to the production space. If we make changes to the main branch of the mozilla package (like this: [https://github.com/fecgov/mozilla-django-oidc/commit/bd411b4a09167eb8f9b300f61ed0220cb62697cf|https://github.com/fecgov/mozilla-django-oidc/commit/bd411b4a09167eb8f9b300f61ed0220cb62697cf|smart-link] ) the API main branch will be behind and will cause builds to fail until it catches up. Example: [https://app.circleci.com/pipelines/github/fecgov/fecfile-web-api/3497/workflows/5de88b39-7a68-4640-af9c-302cf7a0571b/jobs/10942|https://app.circleci.com/pipelines/github/fecgov/fecfile-web-api/3497/workflows/5de88b39-7a68-4640-af9c-302cf7a0571b/jobs/10942]

We need to be able to check dependencies on both project, with some flexibility on backwards compatibility. We might need to manage releases for mozilla package.

[exalate-issue-sync]

Sasha Dresden commented: I started a [branch|https://github.com/fecgov/fecfile-web-api/tree/feature/1396] for this where I took our version of the mozilla-oidc package and pulled it into the fecfile-api repo and was able to successfully deploy out to dev. However, as I’m a little less familiar with what needs to be pruned, after talking with Matt, we’re going to have David focus on this when he gets back.