Support Single Sign-on with OpenID Connect #449

Closed
matthew-white opened this issue Jul 17, 2023 · 7 comments
Labels: backend (Requires a change to the API server), behavior verified (Behavior has been manually verified), enhancement (New feature or behavior), frontend (Requires a change to the UI), ops (Docker, nginx, ops to deploy Central)

Comments

@matthew-white
Member

matthew-white commented Jul 17, 2023

Creating an issue to track work on SSO:

@matthew-white matthew-white added enhancement New feature or behavior backend Requires a change to the API server frontend Requires a change to the UI labels Jul 17, 2023
@github-project-automation github-project-automation bot moved this to 🕒 backlog in ODK Central Jul 17, 2023
@matthew-white matthew-white moved this from 🕒 backlog to ✏️ in progress in ODK Central Jul 17, 2023
@matthew-white matthew-white added the needs testing Needs manual testing label Jul 18, 2023
@ktuite
Member

ktuite commented Jul 25, 2023

Adventures trying SSO in dev (July 25)

  • checked out backend branch
  • checked out frontend branch

Note: would be nice to be rebased with master soon to get newer database migrations

Ran on the backend:
make dev-oidc
make fake-oidc-server

Ran on the frontend:
npm run dev and go to the usual http://localhost:8989/

Note: At first, things didn't quite run properly and I wasn't sure why. I got hung up on this issue for a while: On my Mac, something is already running on port 5000, so I changed it to another port in Profile and main.nginx.conf. Then everything ran great.

Appreciated that the fake oidc server gave me useful tips when I entered bad credentials.

@matthew-white
Member Author

matthew-white commented Sep 13, 2023

The three PRs above are merged, and the QA team is now taking a look at this issue, so I'm going to go ahead and close. There are still some related to-dos that I've filed as separate issues: getodk/central-backend#976, getodk/central-backend#971, #477.

@github-project-automation github-project-automation bot moved this from ✏️ in progress to ✅ done in ODK Central Sep 13, 2023
@dbemke

dbemke commented Sep 15, 2023

Logging out on Chrome feels a bit tricky. There are a few scenarios that theoretically go along with the "do not centralize log out" release criteria but make it difficult to "really log out" and switch a user afterwards.

Steps to reproduce:

  1. Log in to staging on Chrome (this also logs the browser in to the account).
  2. Log out of staging.
  3. Click continue – the user is logged in without having to choose a user or enter a password

One thing that is not present after logging out is the ability to choose the account I want to log in to (e.g. the second time I want to log in to a different account). So to change the user I need to find the account that I’m currently logged in to in the browser (it’s possible to make it so that it’s not the one visible in the header) and log out of staging, and then the option to choose a user appears while logging in.
What’s more, the same steps are reproducible in incognito mode (Chrome and Firefox) – after logging out the user is not asked to enter the password.


@dbemke

dbemke commented Sep 18, 2023

@alxndrsn @matthew-white @ktuite As mentioned above there are some issues with logging out and we're about to start regression testing so are these cases ok and they'll be fixed separately?
To give some more examples:
Logging out also doesn't work while being a guest in the browser. After logging out and clicking continue the user is still logged in.
I checked the same steps with logging in to my email (Gmail) and the password isn't kept after logging out if the user is a guest in the browser.

Steps to reproduce:

  1. Open Chrome, at the top right click Profile
  2. Click Guest.
  3. Go to staging.getodk.cloud
  4. Log in to an account.
  5. Log out from staging.
  6. Click continue

After clicking continue the user is logged in without being asked to enter the password.

@dbemke

dbemke commented Sep 18, 2023

I checked on Windows Edge (on a virtual machine) where I don't allow saving passwords etc., and after logging out, clicking continue also logs in the user without asking for the password.
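
Added example (not part of the thread and not ODK Central's code): the reports above are consistent with the identity provider's own session still being active after the application's logout. The sketch below shows how a relying party can ask for re-authentication with the standard OIDC `prompt` and `max_age` parameters and then confirm it through the `auth_time` claim; the endpoint, client ID, function names and claim values are constructed assumptions.

```javascript
// Added example: every name and value here is constructed for illustration.
const CLOCK_SKEW_SECONDS = 60;

// Build an OIDC authorization request. With forceReauth, ask the provider to
// prompt for credentials again (prompt=login) and set max_age=0, which also
// obliges the provider to return an auth_time claim in the ID token.
function buildAuthorizationUrl({ authorizationEndpoint, clientId, redirectUri, state, nonce, forceReauth }) {
  const url = new URL(authorizationEndpoint);
  const params = {
    response_type: 'code',
    scope: 'openid email',
    client_id: clientId,
    redirect_uri: redirectUri,
    state,
    nonce,
  };
  if (forceReauth) {
    params.prompt = 'login';
    params.max_age = '0';
  }
  url.search = new URLSearchParams(params).toString();
  return url.toString();
}

// prompt/max_age are only requests. After validating the ID token signature,
// issuer, audience and nonce, the relying party still has to check auth_time
// to know whether the user authenticated after this login was started.
function isFreshAuthentication(claims, requestedAtSeconds, nowSeconds) {
  const authTime = claims.auth_time;
  if (!Number.isInteger(authTime)) return false;                // missing or malformed claim
  if (authTime > nowSeconds + CLOCK_SKEW_SECONDS) return false; // timestamp in the future
  return authTime >= requestedAtSeconds - CLOCK_SKEW_SECONDS;   // authenticated after we asked
}

// Constructed sample claims: the login request was started at t=2000.
const staleSession = { sub: 'user-1', auth_time: 1000 }; // provider reused an old session
const freshLogin = { sub: 'user-1', auth_time: 2005 };   // user entered credentials again
console.log(
  buildAuthorizationUrl({
    authorizationEndpoint: 'https://idp.example/authorize',
    clientId: 'central-example',
    redirectUri: 'https://central.example/v1/oidc/callback',
    state: 'constructed-state',
    nonce: 'constructed-nonce',
    forceReauth: true,
  }),
  isFreshAuthentication(staleSession, 2000, 2010),
  isFreshAuthentication(freshLogin, 2000, 2010),
);
```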

@srujner

srujner commented Sep 19, 2023

Following the Slack conversation, we are closing this pull request as tested with success.
If after further discussions, changes are needed, they will be created in the new Pull Request.

@dbemke

dbemke commented Sep 19, 2023

Tested with success!

@dbemke dbemke added behavior verified Behavior has been manually verified and removed needs testing Needs manual testing labels Sep 19, 2023