From e92b6235e3820cece7f3c84a0dae03d25d45c4db Mon Sep 17 00:00:00 2001
From: Michael Wedl
Date: Wed, 15 Jan 2025 10:35:53 +0100
Subject: [PATCH 1/4] Rename Azure AD to Entry ID
---
 api/src/reportcreator_api/conf/settings.py | 2 +-
 docs/docs/setup/configuration.md | 2 +-
 ...zure-active-directory.md => oidc-entra-id.md} | 16 ++++++++--------
 docs/docs/users/oidc-setup.md | 2 +-
 docs/mkdocs.yml | 5 +++--
 5 files changed, 14 insertions(+), 13 deletions(-)
 rename docs/docs/users/{oidc-azure-active-directory.md => oidc-entra-id.md} (86%)
diff --git a/api/src/reportcreator_api/conf/settings.py b/api/src/reportcreator_api/conf/settings.py
index fde21f362..0c37a0342 100644
--- a/api/src/reportcreator_api/conf/settings.py
+++ b/api/src/reportcreator_api/conf/settings.py
@@ -269,7 +269,7 @@ def remove_empty_items(lst=None):
 if OIDC_AZURE_CLIENT_ID and OIDC_AZURE_CLIENT_SECRET and OIDC_AZURE_TENANT_ID:
 AUTHLIB_OAUTH_CLIENTS |= {
 'azure': {
- 'label': 'Azure AD',
+ 'label': 'Microsoft Entra ID',
 'client_id': OIDC_AZURE_CLIENT_ID,
 'client_secret': OIDC_AZURE_CLIENT_SECRET,
 'server_metadata_url': f'https://login.microsoftonline.com/{OIDC_AZURE_TENANT_ID}/v2.0/.well-known/openid-configuration',
diff --git a/docs/docs/setup/configuration.md b/docs/docs/setup/configuration.md
index bfc21ed0b..b3c171b1b 100644
--- a/docs/docs/setup/configuration.md
+++ b/docs/docs/setup/configuration.md
@@ -103,7 +103,7 @@ Make sure all users have SSO identities configured before enabling this option.
 LOCAL_USER_AUTH_ENABLED=false
 ```
-Configuration of the default authentication provider when multiple authentication providers are enabled (e.g. OIDC via Azure AD and username/password).
+Configuration of the default authentication provider when multiple authentication providers are enabled (e.g. OIDC via Microsoft Entra ID and username/password).
 This setting will redirect users to the default authentication provider, skipping the selection. Other authentication providers can still be used if login via the default provider fails. Possible values: `azure`, `google`, `remoteuser`, `local` (username/password authentication)
diff --git a/docs/docs/users/oidc-azure-active-directory.md b/docs/docs/users/oidc-entra-id.md
similarity index 86%
rename from docs/docs/users/oidc-azure-active-directory.md
rename to docs/docs/users/oidc-entra-id.md
index 0764e0a70..d863958ff 100644
--- a/docs/docs/users/oidc-azure-active-directory.md
+++ b/docs/docs/users/oidc-entra-id.md
@@ -1,10 +1,10 @@
 ---
-title: Azure Active Directory OIDC Configuration
+title: Microsoft Entra ID OIDC Configuration
 ---
-# Azure Active Directory OIDC Configuration
+# Microsoft Entra ID OIDC Configuration
 :octicons-heart-fill-24: Pro only
-## Configuration in Azure AD
+## Configuration in Microsoft Entra ID
 1. Open [Microsoft Entra Admin Center](https://entra.microsoft.com){ target=_blank }
 2. Select Applications -> App registrations -> New registration
 3. In following menu:
@@ -30,7 +30,7 @@ You should now have the following values:
 * Client ID
 * Client secret
-* Azure tendant ID
+* Entra tendant ID
 ## Cloud Setup
@@ -45,12 +45,12 @@ You are lucky. Just send the values from the previous steps to us and we'll take
 The values from the previous steps need to be passed as environment variables to the SysReptor docker container. You can add them to `/deploy/app.env`:
 ```env
-OIDC_AZURE_TENANT_ID=
-OIDC_AZURE_CLIENT_ID=
-OIDC_AZURE_CLIENT_SECRET=
+OIDC_AZURE_TENANT_ID=
+OIDC_AZURE_CLIENT_ID=
+OIDC_AZURE_CLIENT_SECRET=
 ```
-The OIDC client needs to be able to establish a network connection to Azure AD.
+The OIDC client needs to be able to establish a network connection to Microsoft Entra ID.
 Make sure to not block outgoing traffic. Restart the docker container by going to `sysreptor/deploy` and:
diff --git a/docs/docs/users/oidc-setup.md b/docs/docs/users/oidc-setup.md
index 23f9d432c..c65538106 100644
--- a/docs/docs/users/oidc-setup.md
+++ b/docs/docs/users/oidc-setup.md
@@ -2,7 +2,7 @@
 :octicons-heart-fill-24: Pro only
 1. Configure your Identity Provider (IDP) and add configuration details to your `app.env`
- * [Azure Active Directory](../users/oidc-azure-active-directory.md)
+ * [Microsoft Entra ID](../users/oidc-entra-id.md)
 * [Google Workplace/Google Identity](../users/oidc-google.md)
 * [Keycloak](../users/oidc-keycloak.md)
 * [Generic OIDC setup](../users/oidc-generic.md)
diff --git a/docs/mkdocs.yml b/docs/mkdocs.yml
index be4f81c7d..bd012de09 100755
--- a/docs/mkdocs.yml
+++ b/docs/mkdocs.yml
@@ -40,7 +40,7 @@ nav:
 - Single Sign-On:
 - SSO Setup: users/oidc-setup.md
 - Keycloak: users/oidc-keycloak.md
- - Azure AD: users/oidc-azure-active-directory.md
+ - Microsoft Entra ID: users/oidc-azure-active-directory.md
 - Google: users/oidc-google.md
 - Generic: users/oidc-generic.md
 - Forgot Password: users/forgot-password.md
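Review bot: The nav entry in the `@@ -40,7 +40,7 @@ nav:` hunk of docs/mkdocs.yml is only half-renamed: `- Microsoft Entra ID: users/oidc-azure-active-directory.md` still references the old filename, while this patch renames that file to docs/docs/users/oidc-entra-id.md. The redirect added in the `plugins` hunk maps the old URL to the new page but does not make the old path a source file again, so mkdocs will report the nav entry as not found and a strict build fails. The line should read `- Microsoft Entra ID: users/oidc-entra-id.md`. The renamed docs page in the same patch also keeps the misspelling `Entra tendant ID` (tenant), which is worth fixing while touching that line.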
@@ -139,7 +139,8 @@ plugins:
 "setup/user-permissions.md": "users/user-permissions.md"
 "setup/oidc-setup.md": "users/oidc-setup.md"
 "setup/oidc-keycloak.md": "users/oidc-keycloak.md"
- "setup/oidc-azure-active-directory.md": "users/oidc-azure-active-directory.md"
+ "setup/oidc-azure-active-directory.md": "users/oidc-entra-id.md"
+ "users/oidc-azure-active-directory.md": "users/oidc-entra-id.md"
 "setup/oidc-google.md": "users/oidc-google.md"
 "setup/oidc-generic.md": "users/oidc-generic.md"
 "setup/proxy.md": "setup/configuration.md"
From 15902b56979164287de0ba5ceda8e3e9504c98d2 Mon Sep 17 00:00:00 2001
From: Michael Wedl
Date: Wed, 15 Jan 2025 10:42:28 +0100
Subject: [PATCH 2/4] Do not auto-login after logout
---
 packages/frontend/src/pages/login/index.vue | 17 +++++++++--------
 .../nuxt-base-layer/src/composables/auth.ts | 2 +-
 2 files changed, 10 insertions(+), 9 deletions(-)
diff --git a/packages/frontend/src/pages/login/index.vue b/packages/frontend/src/pages/login/index.vue
index 6814f798f..84981b443 100644
--- a/packages/frontend/src/pages/login/index.vue
+++ b/packages/frontend/src/pages/login/index.vue
@@ -26,14 +26,15 @@ const auth = useAuth();
 const apiSettings = useApiSettings();
 useLazyAsyncData(async () => {
- // Do not auto-login after logout
- if (!route.query?.logout) {
- const authProviders = apiSettings.settings!.auth_providers;
- let defaultAuthProvider = authProviders.find(p => p.id === apiSettings.settings!.default_auth_provider);
- if (!defaultAuthProvider && authProviders.length === 1) {
- defaultAuthProvider = authProviders[0];
- }
- if (defaultAuthProvider) {
+ const authProviders = apiSettings.settings!.auth_providers;
+ let defaultAuthProvider = authProviders.find(p => p.id === apiSettings.settings!.default_auth_provider);
+ if (!defaultAuthProvider && authProviders.length === 1) {
+ defaultAuthProvider = authProviders[0];
+ }
+
+ if (defaultAuthProvider) {
+ // Do not auto-login after logout
+ if (!route.query?.logout || (authProviders.length === 1 && defaultAuthProvider.type === AuthProviderType.LOCAL)) {
 await auth.authProviderLoginBegin(defaultAuthProvider);
 }
 }
diff --git a/packages/nuxt-base-layer/src/composables/auth.ts b/packages/nuxt-base-layer/src/composables/auth.ts
index 4040179b1..5d935351a 100644
--- a/packages/nuxt-base-layer/src/composables/auth.ts
+++ b/packages/nuxt-base-layer/src/composables/auth.ts
@@ -95,7 +95,7 @@ export function useAuth() {
 } catch {
 // Ignore errors
 }
- await navigateTo('/login/');
+ await navigateTo('/login/?logout=true');
 store.user = null;
 }
From 0de34dc109b9c2bd9eb7910c8a0c1296f4a12a4f Mon Sep 17 00:00:00 2001
From: Michael Wedl
Date: Wed, 15 Jan 2025 12:44:47 +0100
Subject: [PATCH 3/4] Use preferred_username as login_hint
---
 api/src/reportcreator_api/users/views.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/api/src/reportcreator_api/users/views.py b/api/src/reportcreator_api/users/views.py
index b0d7f8bfe..3e837b0b2 100644
--- a/api/src/reportcreator_api/users/views.py
+++ b/api/src/reportcreator_api/users/views.py
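Review bot: The re-added comment `// Do not auto-login after logout` no longer describes the whole condition below it: the new `||` branch still calls `auth.authProviderLoginBegin(defaultAuthProvider)` after a logout when the only configured provider is `AuthProviderType.LOCAL`, and nothing on the page says why that case is exempt (presumably beginning a local login just shows the username/password form instead of redirecting to an external IdP — worth confirming). I would extend the comment to `// Do not auto-login after logout (?logout= set by useAuth().logout()), except when the sole provider is local, which only renders the login form rather than redirecting to an IdP`. Note that `!route.query?.logout` treats any present value, including `logout=false`, as a logout, which is fine while auth.ts is the only writer but should be stated; the query key is hard-coded in both this file and the auth.ts hunk, so a shared constant would keep them from drifting. The `useLazyAsyncData` callback ends inside the hunk, but its enclosing script block continues outside it.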
@@ -463,7 +463,7 @@ def login_oidc_complete(self, request, oidc_provider, *args, **kwargs):
 can_reauth = (timezone.now() - timezone.make_aware(datetime.fromtimestamp(auth_time))) < timedelta(minutes=1)
 res = self.perform_login(request, identity.user, can_reauth=can_reauth)
 request.session['authentication_info'] |= {
- f'oidc_{oidc_provider}_login_hint': token['userinfo'].get('login_hint'),
+ f'oidc_{oidc_provider}_login_hint': token['userinfo'].get('preferred_username') or token['userinfo'].get('login_hint'),
 }
 return res
From 9b375deaf42d4102e9d201cd3c995a7781680755 Mon Sep 17 00:00:00 2001
From: Michael Wedl
Date: Wed, 15 Jan 2025 13:13:57 +0100
Subject: [PATCH 4/4] Update changelog
---
 CHANGELOG.md | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index e4b044602..589747154 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,5 +1,10 @@
 # Changelog
+## Upcoming
+* Do not automatically log in (e.g. via OIDC) after logout
+* OIDC: use preferred_username as login_hint for re-authentication
+
+
 ## v2025.4 - 2025-01-14
 * Plugin projectnumber: Add manage.py command to reset projectnumber
 * Add plugin: renderfindings - Render single finding to PDF
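Review bot: The new expression stores `preferred_username` in the session without a note on what it may be used for; per OIDC Core 1.0 §5.1 that claim is not guaranteed unique or stable and the RP must not rely on it for identification, so it is acceptable here only because the value serves as an IdP `login_hint` for re-authentication and the login itself is performed on `identity.user`. A comment on the changed line would keep a later reader from reusing the stored value for user matching: `# preferred_username is a display hint (may change or collide, OIDC Core 5.1); it is only replayed as login_hint for re-auth, never used to look up the identity`. The `or` fallback also means an empty-string `preferred_username` silently falls through to `login_hint`, which is presumably intended but worth stating in the same comment. `login_oidc_complete` begins outside the hunk, so the origin of `token` and `auth_time` is not visible here.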