diff --git a/README.md b/README.md
index 620bdb4..ad68753 100644
--- a/README.md
+++ b/README.md
@@ -126,6 +126,43 @@ Ignore if we get error message ccd-network already exists while running above co > [!CAUTION] > Some users of zsh 'Oh My Zsh' experienced issues. > Try switching to bash by : `chsh -s /bin/bash` + + **Important environment notes:** + - `OIDC_ISSUER` must be derived from a real access token for the target environment. Do not guess it from the public OIDC discovery URL. + - `CCD_CALLBACK_ALLOWED_HOSTS` is the comma-separated allow-list of HTTPS callback target hosts CCD services may call. + - `CCD_CALLBACK_ALLOWED_HTTP_HOSTS` is the comma-separated allow-list of HTTP callback target hosts CCD services may call. + - `CCD_CALLBACK_ALLOW_PRIVATE_HOSTS` controls whether callbacks to private or local hostnames are allowed for local development. + + **How to derive `OIDC_ISSUER`:** + - Do not guess the issuer from the public discovery URL alone. + - Decode only the JWT payload from a real access token for the target environment and inspect the `iss` claim. + - Do not store or document full bearer tokens. Record only the derived issuer value. + + Example: + ```bash + TOKEN='eyJ...' + PAYLOAD=$(printf '%s' "$TOKEN" | cut -d '.' -f2) + python3 - <<'PY' "$PAYLOAD" + import base64, json, sys + payload = sys.argv[1] + payload += '=' * (-len(payload) % 4) + print(json.loads(base64.urlsafe_b64decode(payload))["iss"]) + PY + ``` + - JWTs are `header.payload.signature`. + - The second segment is base64url-encoded JSON. + - This decodes the payload only. It does not verify the signature. + The following services in `ccd-docker` compose set both `IDAM_OIDC_URL` and `OIDC_ISSUER`: + + | Service | + | --- | + | `ccd-data-store-api` | + | `ccd-definition-store-api` | + | `cpo-case-payment-orders-api` | + | `ts-translation-service` | + | `ccd-case-document-am-api` | + + `VERIFY_OIDC_ISSUER=true` is not set in this repo's compose YAML. 
Use it only in service repos that include a live issuer verifier, where it enables a pre-check that fetches a real test token and fails fast if its `iss` claim does not exactly match `OIDC_ISSUER`. To persist the environment variables in Linux/Mac run the following script to add the script into your ~/.bash_profile. @@ -835,6 +872,10 @@ Here are the important variables exposed in the compose files: | USER_PROFILE_S2S_AUTHORISED_SERVICES | List of micro-services authorised to call this service, comma-separated, as registered in `service-auth-provider-api` | | DATA_STORE_TOKEN_SECRET | Secret for generation of internal event tokens | | APPINSIGHTS_INSTRUMENTATIONKEY | Secret for Microsoft Insights logging, can be a dummy string in local | +| OIDC_ISSUER | Enforced JWT issuer value used by services that validate IDAM access tokens. This must match the token `iss` claim for the target environment and should be derived from a real token, not guessed from the public discovery URL. | +| CCD_CALLBACK_ALLOWED_HOSTS | Comma-separated allow-list of callback target hosts that CCD services may call over HTTPS. Local defaults include `localhost`, `127.0.0.1`, and `host.docker.internal`. | +| CCD_CALLBACK_ALLOWED_HTTP_HOSTS | Comma-separated allow-list of callback target hosts that CCD services may call over HTTP. Use this only when local callback endpoints are intentionally served over plain HTTP. | +| CCD_CALLBACK_ALLOW_PRIVATE_HOSTS | Controls whether callback targets on private or local hostnames are allowed. This supports local development callbacks to host services outside the Docker network. | | STORAGEACCOUNT_PRIMARY_CONNECTION_STRING | (If dm-store is enabled) Secret for Azure Blob Storage. It is pointing to dockerized Azure Blob Storage emulator. | | STORAGE_CONTAINER_DOCUMENT_CONTAINER_NAME | (If dm-store is enabled) Container name for Azure Blob Storage | | AM_DB | Access Management database name | 
diff --git a/compose/backend.yml b/compose/backend.yml
index 0f75630..3a43e81 100644
--- a/compose/backend.yml
+++ b/compose/backend.yml
@@ -37,6 +37,8 @@ services:
 DEFINITION_STORE_S2S_AUTHORISED_SERVICES: ccd_data,ccd_gw,ccd_admin,aac_manage_case_assignment,ccd_case_disposer
 USER_PROFILE_HOST: http://ccd-user-profile-api:4453
 IDAM_USER_URL: "${IDAM_INTERNAL_API_BASE_URL:-http://idam:5000}"
+ IDAM_OIDC_URL: "${IDAM_INTERNAL_API_BASE_URL:-http://idam:5000}"
+ OIDC_ISSUER: ${OIDC_ISSUER:-http://idam:5000/o}
 IDAM_S2S_URL: "${IDAM_S2S_URL:-http://service-auth-provider-api:8080}"
 REFORM_SERVICE_NAME: ccd-definition-store-api
 REFORM_TEAM: ccd
@@ -83,6 +85,7 @@ services:
 IDAM_USER_URL: "${IDAM_INTERNAL_API_BASE_URL:-http://idam:5000}" # For backward compatibility with older images
 IDAM_API_BASE_URL: "${IDAM_INTERNAL_API_BASE_URL:-http://idam:5000}"
 IDAM_OIDC_URL: "${IDAM_INTERNAL_API_BASE_URL:-http://idam:5000}"
+ OIDC_ISSUER: ${OIDC_ISSUER:-http://idam:5000/o}
 IDAM_S2S_URL: "${IDAM_S2S_URL:-http://service-auth-provider-api:8080}"
 IDAM_OAUTH2_DATA_STORE_CLIENT_SECRET: idam_data_store_client_secret
 REFORM_SERVICE_NAME: ccd-data-store-api
@@ -101,6 +104,11 @@ services:
 MIGRATIONS_ENDPOINT_ENABLED: "${MIGRATIONS_ENDPOINT_ENABLED:-true}"
 REFERENCE_DATA_API_URL: "${REFERENCE_DATA_API_URL:-http://ccd-test-stubs-service:5555}"
 ROLE_ASSIGNMENT_URL: "${ROLE_ASSIGNMENT_URL:-http://am-role-assignment-service:4096}"
+ TEST_STUB_SERVICE_BASE_URL: "http://host.docker.internal:5555"
+ BEFTA_TEST_STUB_SERVICE_BASE_URL: "http://localhost:5555"
+ CCD_CALLBACK_ALLOWED_HOSTS: "localhost,127.0.0.1,host.docker.internal"
+ CCD_CALLBACK_ALLOWED_HTTP_HOSTS: "localhost,127.0.0.1,host.docker.internal"
+ CCD_CALLBACK_ALLOW_PRIVATE_HOSTS: "localhost,127.0.0.1,host.docker.internal"
 ### other env vars can be added here as needed #############
 # ENABLE_CASE_GROUP_ACCESS_FILTERING: "true"
 # DATA_STORE_TX_TIMEOUT_DEFAULT: 120 # in seconds
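Review bot: The added `OIDC_ISSUER: ${OIDC_ISSUER:-http://idam:5000/o}` in the ccd-definition-store-api block uses a fixed literal default, while the `IDAM_OIDC_URL` line directly above it follows `IDAM_INTERNAL_API_BASE_URL`; anyone who overrides only `IDAM_INTERNAL_API_BASE_URL` to point at another IDAM will still have the issuer pinned to the local simulator, and since the README on this page says the value must exactly match the token `iss` claim, every token from the real issuer would presumably be rejected. If the Compose version in use supports nested defaults, deriving the issuer from the same base keeps the two in step: `OIDC_ISSUER: "${OIDC_ISSUER:-${IDAM_INTERNAL_API_BASE_URL:-http://idam:5000}/o}"`; otherwise a comment such as `# must equal the iss claim of tokens issued by IDAM_OIDC_URL; override together with IDAM_INTERNAL_API_BASE_URL` would at least document the coupling. This is also the only value in the block left unquoted; quoting it like its siblings avoids surprises if the default ever gains a colon-space or `#`.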
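Review bot: `CCD_CALLBACK_ALLOW_PRIVATE_HOSTS` is given the host list `"localhost,127.0.0.1,host.docker.internal"`, but the README change on this same page documents it as a switch that `controls whether callbacks to private or local hostnames are allowed`, and a boolean parser would not read that string as true; either the value should be a flag, `CCD_CALLBACK_ALLOW_PRIVATE_HOSTS: "true"`, or the README entry should describe it as a third host list — the data-store image's actual expectation is not visible here, so confirm against the service's configuration. Because these allow-lists are presumably what stops a case-definition callback URL from reaching arbitrary hosts inside the network, a misparsed value could fail open or closed without any error at start-up, so it is worth checking once against the running container. Separately, `TEST_STUB_SERVICE_BASE_URL` and `BEFTA_TEST_STUB_SERVICE_BASE_URL` are hard-coded while the `REFERENCE_DATA_API_URL` line above follows the `${VAR:-default}` pattern; `TEST_STUB_SERVICE_BASE_URL: "${TEST_STUB_SERVICE_BASE_URL:-http://host.docker.internal:5555}"` would keep them overridable like their neighbours.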
diff --git a/compose/case-document-am.yml b/compose/case-document-am.yml
index bb3dd27..fcc7eda 100644
--- a/compose/case-document-am.yml
+++ b/compose/case-document-am.yml
@@ -8,6 +8,7 @@ services:
 CASE_DOCUMENT_S2S_AUTHORISED_SERVICES: ccd_case_document_am_api,ccd_gw,xui_webapp,ccd_data,bulk_scan_processor,bulk_scan_orchestrator
 IDAM_API_URL: "${IDAM_INTERNAL_API_BASE_URL:-http://idam:5000}"
 IDAM_OIDC_URL: "${IDAM_INTERNAL_API_BASE_URL:-http://idam:5000}"
+ OIDC_ISSUER: ${OIDC_ISSUER:-http://idam:5000/o}
 S2S_URL: http://service-auth-provider-api:8080
 DM_STORE_BASE_URL: http://dm-store:8080
 CCD_DATA_STORE_API_BASE_URL: http://ccd-data-store-api:4452
diff --git a/compose/case-payment-orders.yml b/compose/case-payment-orders.yml
index 42db9dc..af0f002 100644
--- a/compose/case-payment-orders.yml
+++ b/compose/case-payment-orders.yml
@@ -12,6 +12,7 @@ services:
 CPO_S2S_AUTHORISED_SERVICES: xui_webapp,payment_app
 IDAM_API_URL: "${IDAM_INTERNAL_API_BASE_URL:-http://idam:5000}"
 IDAM_OIDC_URL: "${IDAM_INTERNAL_API_BASE_URL:-http://idam:5000}"
+ OIDC_ISSUER: ${OIDC_ISSUER:-http://idam:5000/o}
 S2S_URL: http://service-auth-provider-api:8080
 # override default 'xui_webapp' permissions with values that support the FTA tests
 S2S_AUTHORIZATIONS_XUI_ID: xui_webapp
diff --git a/compose/ts-translation-service.yml b/compose/ts-translation-service.yml
index 740eceb..e05968d 100644
--- a/compose/ts-translation-service.yml
+++ b/compose/ts-translation-service.yml
@@ -17,6 +17,7 @@ services:
 TS_TRANSLATION_SERVICE_DB_PASSWORD: ${DB_PASSWORD}
 IDAM_API_URL: "${IDAM_INTERNAL_API_BASE_URL:-http://idam:5000}"
 IDAM_OIDC_URL: "${IDAM_INTERNAL_API_BASE_URL:-http://idam:5000}"
+ OIDC_ISSUER: ${OIDC_ISSUER:-http://idam:5000/o}
 TS_TRANSLATION_SERVICE_S2S_AUTHORISED_SERVICES: xui_webapp,ccd_admin,ccd_definition
 S2S_URL: http://service-auth-provider-api:8080
 REFORM_SERVICE_NAME: ts-translation-service
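Review bot: The identical `OIDC_ISSUER: ${OIDC_ISSUER:-http://idam:5000/o}` line now lives in five compose files (this ts-translation-service hunk, the two hunks above it and two in backend.yml), so the local issuer literal must be edited in five places if the IDAM simulator's `iss` ever changes, and in every one of them it sits unquoted next to quoted `${...}` expansions. If the compose files in this repo read a shared `.env`, a single `OIDC_ISSUER=http://idam:5000/o` there with `OIDC_ISSUER: "${OIDC_ISSUER}"` in each service would give one source of truth; whether such a file exists is not visible in this diff. Failing that, a short comment on the line, `# must equal the iss claim of tokens from the local IDAM simulator; see README "How to derive OIDC_ISSUER"`, would tie the literal to the documented derivation instead of leaving it to look like a guessed value the README itself warns against.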