You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Support business bceid login in FAM, use TEST-BUSINESSBCEID for local and dev environment, as we don't have any DEV business bceid for testing and playing around. To keep consistency we use TEST-IDIR for local and dev environment as well, so the same logout chain could work for both. Update the backend local cognito user id to use "test-idir", update backend test to use "test-idir" as well
Update the profile to display more information
Admin management endpoint get_admin_user_access doesn't need to check access group in the token, delegated admin won't have any access in the token. That API will return the access for the login user. Created a new router guard method to return requester data without check the access role in the token
@MCatherine1994 I didn't understand your comment "Note: Our logout chain in local and dev connects with the dev environment, so the logout for test business bceid will only log the user out from Cognito but still have the sitemider session. " - why wouldn't local/dev logout chain be configured for the test business BCeID environment? Is that because the dev keycloak instance is only pointing at dev BCeID, not test?
@MCatherine1994 I didn't understand your comment "Note: Our logout chain in local and dev connects with the dev environment, so the logout for test business bceid will only log the user out from Cognito but still have the sitemider session. " - why wouldn't local/dev logout chain be configured for the test business BCeID environment? Is that because the dev keycloak instance is only pointing at dev BCeID, not test?
Hi Basil, that's just because for our local/dev environment, we suppose to use DEV-IDIR and DEV-BUSINESS-BCEID, and they work with the same DEV logout chain. But because we don't have dev bceid for testing, I setup to use DEV-IDIR and TEST-BUSINESS-BCEID for local/dev environment. So DEV-IDIR needs dev logout chain, but TEST-BUSINESS-BCEID needs test logout chain.
The Amplify just configured with one redirect logout url doesn't support both in the current code. And I feel it's fine so I didn't change the Amplify config. Because for TEST env, IDIR and BCEID will both connect with TEST, and same for PROD. So the issue is only in DEV.
Now I'm thinking maybe we can just use TEST-IDIR and TEST-BUSINESS-BCEID for local and dev, and config the test logout chain, so logout can work properly for both. And use DEV orTEST IDIR won't impact the login behaviour?
@MCatherine1994 I didn't understand your comment "Note: Our logout chain in local and dev connects with the dev environment, so the logout for test business bceid will only log the user out from Cognito but still have the sitemider session. " - why wouldn't local/dev logout chain be configured for the test business BCeID environment? Is that because the dev keycloak instance is only pointing at dev BCeID, not test?
Hi Basil, that's just because for our local/dev environment, we suppose to use DEV-IDIR and DEV-BUSINESS-BCEID, and they work with the same DEV logout chain. But because we don't have dev bceid for testing, I setup to use DEV-IDIR and TEST-BUSINESS-BCEID for local/dev environment. So DEV-IDIR needs dev logout chain, but TEST-BUSINESS-BCEID needs test logout chain. The Amplify just configured with one redirect logout url doesn't support both in the current code. And I feel it's fine so I didn't change the Amplify config. Because for TEST env, IDIR and BCEID will both connect with TEST, and same for PROD. So the issue is only in DEV. Now I'm thinking maybe we can just use TEST-IDIR and TEST-BUSINESS-BCEID for local and dev, and config the test logout chain, so logout can work properly for both. And use DEV orTEST IDIR won't impact the login behaviour?
This makes sense, just as long as this is documented somewhere in the dev configuration.
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
refs: #1179
get_admin_user_accessdoesn't need to check access group in the token, delegated admin won't have any access in the token. That API will return the access for the login user. Created a new router guard method to return requester data without check the access role in the token