Merge branch '606-oauth-well-known-must-be-mounted-under' into 'master'

Resolve "[OAuth] .well-known must be mounted under /" Closes #606 See merge request !973

Merge branch '606-oauth-well-known-must-be-mounted-under' into 'master'
4c25042f · Nik | Klampfradler · d25cbc10 · 4177e2e2 · 4c25042f · 4c25042f
Commit 4c25042f authored 2 years ago by Nik | Klampfradler
--- a/CHANGELOG.rst
+++ b/CHANGELOG.rst
@@ -205,6 +205,7 @@ Fixed
 * Due to a merge error, the once removed account menu in the sidenav appeared again.
 * Scheduled notifications were shown on dashboard before time.
 * Remove broken notifications menu item in favor of item next to account menu.
+* Serve OAuth discovery information under root of domain
 * [OAuth2] Resources which are protected with client credentials
  allowed access if no scopes were allowed (CVE-2022-29773).
 * The site logo could overlap with the menu for logos with an unexpected aspect ratio.

--- a/aleksis/core/settings.py
+++ b/aleksis/core/settings.py
@@ -390,6 +390,7 @@ OAUTH2_PROVIDER = {
    "SCOPES_BACKEND_CLASS": "aleksis.core.util.auth_helpers.AppScopes",
    "OAUTH2_VALIDATOR_CLASS": "aleksis.core.util.auth_helpers.CustomOAuth2Validator",
    "OIDC_ENABLED": True,
+    "OIDC_ISS_ENDPOINT": BASE_URL,
    "REFRESH_TOKEN_EXPIRE_SECONDS": _settings.get("oauth2.token_expiry", 86400),
    "PKCE_REQUIRED": False,
 }

--- a/aleksis/core/urls.py
+++ b/aleksis/core/urls.py
@@ -25,6 +25,12 @@ urlpatterns = [
    path("__icons__/", include("dj_iconify.urls")),
    path("graphql/", csrf_exempt(GraphQLView.as_view(graphiql=True)), name="graphql"),
    path("logo", views.LogoView.as_view(), name="logo"),
+    path(
+        ".well-known/openid-configuration/",
+        ConnectDiscoveryInfoView.as_view(),
+        name="oidc_configuration",
+    ),
+    path("oauth/", include("oauth2_provider.urls", namespace="oauth2_provider")),
    path(
        "django/",
        include(
@@ -160,11 +166,6 @@ urlpatterns = [
                path("search/", views.PermissionSearchView.as_view(), name="haystack_search"),
                path("maintenance-mode/", include("maintenance_mode.urls")),
                path("impersonate/", include("impersonate.urls")),
-                path(
-                    ".well-known/openid-configuration/",
-                    ConnectDiscoveryInfoView.as_view(),
-                    name="oidc_configuration",
-                ),
                path(
                    "oauth/applications/",
                    views.OAuth2ListView.as_view(),
@@ -195,7 +196,7 @@ urlpatterns = [
                    views.CustomAuthorizationView.as_view(),
                    name="oauth2_provider:authorize",
                ),
-                path("oauth/", include("oauth2_provider.urls", namespace="oauth2_provider")),
+
                path("__i18n__/", include("django.conf.urls.i18n")),
                path(
                    "ckeditor/upload/",