From 484b5a49ce0dc7c27a0a25dffe6d7e21e7100b93 Mon Sep 17 00:00:00 2001
From: Andrew Dryga
Date: Fri, 24 Nov 2023 09:01:10 -0600
Subject: [PATCH] Fix OIDC form and redirect urls (#2695)

Closes #2674
---
 .../settings/identity_providers/components.ex | 36 +++++++++++++++++++
 .../openid_connect/components.ex | 12 +++----
 .../openid_connect/connect.ex | 16 +++++++++
 3 files changed, 58 insertions(+), 6 deletions(-)

diff --git a/elixir/apps/web/lib/web/live/settings/identity_providers/components.ex b/elixir/apps/web/lib/web/live/settings/identity_providers/components.ex
index 168152b53..ce99043da 100644
--- a/elixir/apps/web/lib/web/live/settings/identity_providers/components.ex
+++ b/elixir/apps/web/lib/web/live/settings/identity_providers/components.ex
@@ -41,6 +41,7 @@ defmodule Web.Settings.IdentityProviders.Components do
 def status(
 %{
 provider: %{
+ adapter: :google_workspace,
 disabled_at: disabled_at,
 adapter_state: %{"status" => "pending_access_token"}
 }
@@ -72,6 +73,41 @@ defmodule Web.Settings.IdentityProviders.Components do
 """
 end
 
+ def status(
+ %{
+ provider: %{
+ adapter: :openid_connect,
+ disabled_at: disabled_at,
+ adapter_state: %{"status" => "pending_access_token"}
+ }
+ } = assigns
+ )
+ when not is_nil(disabled_at) do
+ ~H"""
+
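Review bot: Narrowing the existing `pending_access_token` clause to `adapter: :google_workspace`, together with the parallel `adapter: :openid_connect` clause in the next hunk, means a provider with any other adapter whose adapter_state is `pending_access_token` now falls through to the generic `disabled_at` clause that follows and is rendered as plainly disabled instead of "Provisioning". If that is intended it deserves a comment on the first clause, e.g. `# only adapters with a connect/redirect flow get the provisioning link; other adapters fall through to the disabled clause`. The two clauses appear to differ only in the adapter atom and the `/redirect` path segment, so one clause with `adapter: adapter` in the pattern and `when adapter in [:google_workspace, :openid_connect]` in the guard, interpolating the adapter into the `~p` path, could replace the duplication; the google_workspace body is outside the hunk, so this is inferred from the heads alone.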
+ + + Provisioning + + <.link navigate={ + ~p"/#{@provider.account_id}/settings/identity_providers/openid_connect/#{@provider}/redirect" + }> + + + + +
+ """ + end + def status(%{provider: %{disabled_at: disabled_at}} = assigns) when not is_nil(disabled_at) do ~H"""
diff --git a/elixir/apps/web/lib/web/live/settings/identity_providers/openid_connect/components.ex b/elixir/apps/web/lib/web/live/settings/identity_providers/openid_connect/components.ex
index 491dbffa0..4105a23b3 100644
--- a/elixir/apps/web/lib/web/live/settings/identity_providers/openid_connect/components.ex
+++ b/elixir/apps/web/lib/web/live/settings/identity_providers/openid_connect/components.ex
@@ -7,9 +7,9 @@ defmodule Web.Settings.IdentityProviders.OpenIDConnect.Components do
 <.form for={@form} phx-change={:change} phx-submit={:submit}>

- Step 1. Create OAuth app + Step 1. Create OAuth app in your identity provider

- Please make sure that following scopes are added to the OAuth application has following access scopes: <.code_block + Please make sure that following scopes are added to the OAuth application: <.code_block :for={scope <- [:openid, :email, :profile]} id={"scope-#{scope}"} class="w-full mb-4 whitespace-nowrap rounded" @@ -20,7 +20,7 @@ defmodule Web.Settings.IdentityProviders.OpenIDConnect.Components do sign_in: url(~p"/#{@account.id}/sign_in/providers/#{@id}/handle_callback"), connect: url( - ~p"/#{@account.id}/settings/identity_providers/google_workspace/#{@id}/handle_callback" + ~p"/#{@account.id}/settings/identity_providers/openid_connect/#{@id}/handle_callback" ) ] } @@ -83,7 +83,7 @@ defmodule Web.Settings.IdentityProviders.OpenIDConnect.Components do label="Client ID" autocomplete="off" field={adapter_config_form[:client_id]} - placeholder="Client ID from your IDP" + placeholder="Client ID from your IdP" required />
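Review bot: The corrected `connect:` URL now targets `openid_connect/#{@id}/handle_callback`, and this kind of path is what the IdP has registered as an exact redirect URI, so the slip was user-visible. `~p` only verifies that some route matches the path, and the `google_workspace/.../handle_callback` route exists too, so the compiler could not catch it; a test that renders this form and asserts the `connect` URL equals the route served by `Web.Settings.IdentityProviders.OpenIDConnect.Connect` would catch a recurrence. The `sign_in:` URL on the line above has the same shape and could be pinned by the same test.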
@@ -93,7 +93,7 @@ defmodule Web.Settings.IdentityProviders.OpenIDConnect.Components do label="Client secret" autocomplete="off" field={adapter_config_form[:client_secret]} - placeholder="Client Secret from your IDP" + placeholder="Client Secret from your IdP" required />
@@ -102,7 +102,7 @@ defmodule Web.Settings.IdentityProviders.OpenIDConnect.Components do
 <.input label="Discovery URL" field={adapter_config_form[:discovery_document_uri]}
- placeholder=".well-known URL for your IDP"
+ placeholder=".well-known URL for your IdP"
 required />
diff --git a/elixir/apps/web/lib/web/live/settings/identity_providers/openid_connect/connect.ex b/elixir/apps/web/lib/web/live/settings/identity_providers/openid_connect/connect.ex
index f245b4fbe..20a44e391 100644
--- a/elixir/apps/web/lib/web/live/settings/identity_providers/openid_connect/connect.ex
+++ b/elixir/apps/web/lib/web/live/settings/identity_providers/openid_connect/connect.ex
@@ -86,4 +86,20 @@ defmodule Web.Settings.IdentityProviders.OpenIDConnect.Connect do
 |> redirect(to: ~p"/#{account}/settings/identity_providers/openid_connect/#{provider_id}")
 end
 end
+
+ def handle_idp_callback(conn, %{
+ "provider_id" => provider_id,
+ "state" => state,
+ "error" => error,
+ "error_description" => error_description
+ }) do
+ account = conn.assigns.account
+
+ with {:ok, _code_verifier, conn} <-
+ Web.AuthController.verify_state_and_fetch_verifier(conn, provider_id, state) do
+ conn
+ |> put_flash(:error, "Your IdP returned an error (" <> error <> "): " <> error_description)
+ |> redirect(to: ~p"/#{account}/settings/identity_providers/openid_connect/#{provider_id}")
+ end
+ end
 end
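Review bot: The new `handle_idp_callback` error clause requires both `"error"` and `"error_description"` in the params, but `error_description` is optional in OAuth 2.0 / OIDC error responses, so an IdP that returns only `error` and `state` will not match this clause and falls to whatever clause follows, which from this hunk looks like none. Both values are also concatenated with `<>` straight from the query string: a non-binary param (the query decoder turns `error[]=` into a list) raises ArgumentError and turns a malformed callback into a 500, and an arbitrarily long description lands verbatim in the flash, which matters if the session is cookie-backed. Reading `error_description` with `Map.get/3`, guarding on `is_binary/1` and bounding its length keeps the clause total without changing the success path. The other clauses of `handle_idp_callback` are outside the hunk, so whether a non-`{:ok, _, _}` result from `verify_state_and_fetch_verifier/3` is handled by an `else` elsewhere, or returned as-is from the action as it would be here, cannot be seen.

```elixir
  def handle_idp_callback(conn, %{"provider_id" => provider_id, "state" => state, "error" => error} = params)
      when is_binary(error) do
    account = conn.assigns.account

    # error_description is optional in OAuth 2.0 error responses; accept only a
    # binary and keep it short so the flash message stays bounded.
    error_description =
      case Map.get(params, "error_description") do
        desc when is_binary(desc) -> String.slice(desc, 0, 200)
        _ -> ""
      end

    with {:ok, _code_verifier, conn} <-
           Web.AuthController.verify_state_and_fetch_verifier(conn, provider_id, state) do
      conn
      |> put_flash(:error, "Your IdP returned an error (#{error}): #{error_description}")
      # … unchanged: redirect back to the provider page …
    end
  end
```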