OpenID login

[janno42]

see e-valuation/EvaP#1366 for reference

[jeriox]

Set up locally with the HPI OpenID provider, works flawlessly.

[jeriox]

as this posts to the plain login route, the user is shown the openid login screen instead of a form with errors after entering wrong user credentials

[Bartzi]

yes, I can confirm that problem.

[janno42]

i can think of only one use case where this might be a problem: when the admin user wants to login on production and provides wrong credentials. all other users will use open id on production, and in development open id will be deactivated.
so i don't think we need to add additional code for this.

[Bartzi]

you might be right, but this is still some kind of a bug and it should be handled correctly. That means that even an admin user should see the login form and the system should tell him that has been a problem logging him in, because username and password did not match

[janno42]

if anyone wants to look into this in the next days - feel welcome. it would require some logic to know which login was used and errors then need to be handled accordingly.
as this pr is blocking our much needed production update and i currently don't want to invest more time into the project than absolutely necessary, i won't implement it myself.

[janno42]

see #721 for this issue

[Bartzi]

Works quite well ❤️
Please have a look at my comments and please, also add oidc to the forbidden URL list in settings.py.
It would also make sense to add some tests that test the following:

1. If OpenID login is not enabled. The user should see the local login page and be able to log in through that page.
2. If OpenID login is available. The user should be able to login via OpenID (only add this test if it is possible to somehow mock the OpenID procedure.
3. If OpenID login is available and the user wants to login using a local user, he should see the local login page and if he makes a mistake during login, he should still the page, but with an error message instead of the openID login page.

[Bartzi]

yes, I can confirm that problem.

[janno42]

about the tests:

1. the local login form is tested in user_management.tests.UsecaseTests
2. mocking the openid login is not in scope for this pr. if someone feels like this is really needed, we have to open an issue for that :)
3. see the discussion in user_management/templates/login.html

[Bartzi]

Yes, right 😅 the local login is already tested.
But it would make sense to check that changing the openid setting actually changes the behaviour of the page the way it is intended to be. This is just one small test 😉.
I think you are right about the OpenID mocking, please open a new issue for that.

the remaining issue now lives in #721