DPC-5159 multi csp user POC #2896

Merged: MEspositoE14s merged 63 commits into jd/dpc-5127-multiple-oidc from jd/dpc-5159-multi-csp-user, May 5, 2026

jdettmannnava commented Feb 2, 2026

Not for merge.

🎫 Ticket

https://jira.cms.gov/browse/DPC-5159

🛠 Changes

  • New model with migration: IdpUid to store foreign keys for CSPs
  • Updated login flow to use IdpUid
  • Updated user-creation flow in invitations controller to use IdpUid

ℹ️ Context

We need to support the ability of each user to log in to the portal with multiple CSPs.
Note: because of the way we fake the CPI API Gateway, most Authorized Officials share the same PacId. Therefore, unlike in production, where each user will have their own PacId, we cannot bind multiple CSPs to the same user by PacId in local, dev, test, and sandbox environments. That is why we use the email address to deduplicate all users in the lower environments. We do want to test this flow, which is why we also bind AOs on PacId while running automated tests.

🧪 Validation

Updated Manual tests.
Logged in as same user using multiple IdPs.
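
A minimal sketch of the binding rule described in the Context section above, added as an illustration and not taken from this PR or the dpc-app code base. `IdentityLinker`, its `bind_on:` option, the in-memory `User`/`IdpUid` structs and the sample values are hypothetical; it shows why binding on a shared fake PacId would merge distinct users, while binding on email keeps them apart.

```ruby
# Added illustration; not code from the dpc-app repository.
# Hypothetical in-memory stand-ins for the user table and the IdpUid model.
User   = Struct.new(:id, :email, :pac_id)
IdpUid = Struct.new(:provider, :uid, :user_id)

class IdentityLinker
  attr_reader :users, :idp_uids

  # bind_on: :pac_id (every user has their own PacId) or :email (PacId is shared)
  def initialize(bind_on:)
    raise ArgumentError, "bind_on must be :pac_id or :email" unless %i[pac_id email].include?(bind_on)

    @bind_on = bind_on
    @users = []
    @idp_uids = []
  end

  # Returns [user, outcome]; outcome is :known_identity, :linked or :created.
  def sign_in(provider:, uid:, email:, pac_id:)
    # 1. A (provider, uid) pair that is already bound wins; claims are not re-matched.
    link = @idp_uids.find { |l| l.provider == provider && l.uid == uid }
    return [@users.find { |u| u.id == link.user_id }, :known_identity] if link

    # 2. Otherwise look for an existing user on the binding attribute.
    key = binding_key(email: email, pac_id: pac_id)
    user = key && @users.find { |u| binding_key(email: u.email, pac_id: u.pac_id) == key }
    outcome = user ? :linked : :created
    user ||= User.new(@users.size + 1, email, pac_id).tap { |u| @users << u }

    # 3. Record the pair so the next login with this CSP takes path 1.
    @idp_uids << IdpUid.new(provider, uid, user.id)
    [user, outcome]
  end

  private

  # A blank attribute never matches anyone: it yields nil, which forces :created.
  def binding_key(email:, pac_id:)
    value = (@bind_on == :pac_id ? pac_id : email&.downcase).to_s.strip
    value.empty? ? nil : value
  end
end
```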

jdettmannnava changed the base branch from main to jd/dpc-5127-multiple-oidc February 2, 2026 21:46
jdettmannnava changed the base branch from jd/dpc-5127-multiple-oidc to main February 2, 2026 21:48
jdettmannnava changed the base branch from main to jd/dpc-5127-multiple-oidc February 2, 2026 21:48
jdettmannnava marked this pull request as ready for review February 3, 2026 20:45
jdettmannnava requested a review from a team as a code owner February 3, 2026 20:45

@MEspositoE14s MEspositoE14s left a comment

LGTM as far as I understand the way this is supposed to work 👍

@ashley-weaver ashley-weaver left a comment

Makes sense to me

Jose-verdance commented

Hi @jdettmannnava, these changes look good. I see that you mentioned being able to successfully log in with multiple idps. I have your branch running locally and was wondering how I can also do this? I just see the option for login.gov.

jdettmannnava commented Feb 5, 2026

> Hi @jdettmannnava, these changes look good. I see that you mentioned being able to successfully log in with multiple idps. I have your branch running locally and was wondering how I can also do this? I just see the option for login.gov.

@Jose-verdance
Well, it isn't technically multiple idps. I just changed the name of the provider in omniauth.rb and views/users/sessions/new.html.erb openid_connect and tested it that way.

MEspositoE14s merged commit 74dd2cf into jd/dpc-5127-multiple-oidc May 5, 2026
12 checks passed
MEspositoE14s deleted the jd/dpc-5159-multi-csp-user branch May 5, 2026 17:06
MEspositoE14s added a commit that referenced this pull request May 12, 2026
## 🎫 Ticket

https://jira.cms.gov/browse/DPC-5372

## 🛠 Changes

- Adds three new tables, `csps`, `csp_users` and `user_emails` and
populates them on invitation and login.
- Removes `IdpUid` table.
- Removes `Devise` in favor of directly calling `OmniAuth`.
- Configured auth around for Login.gov.

## ℹ️ Context

We're preparing to support multiple CSPs, and this is the first step.
This was created and modified from
#2896.

Note:

- Before deploying to test, the `user.provider` field in the DB needs to
be updated to "login_dot_gov" for all users. This can be done
afterwards, but it's easier if you do it before.
- This has already been done in dev, but make sure your callbacks are
registered with Login.gov or the login process will fail.

## 🧪 Validation

- Deployed to dev and was able to login. (Deploy:
[here](https://github.com/CMSgov/dpc-app/actions/runs/25342609259))
- Ran locally and could create a new user and login as an existing one.
(If you want to test with an existing user on your machine, make sure to
update `user.provider` in the DB as described above.)
- Verified that new tables are populated both locally and in dev:
    * `csps`: Populated on migration.
    * `csp_users`: Populated on migration with values from the `user` table
      and whenever a new user is created.
    * `user_emails`: Populated and updated whenever a user logs in.

---------

Co-authored-by: jdettmannnava <145699825+jdettmannnava@users.noreply.github.com>
Co-authored-by: jose-verdance <jose@verdance.co>
Co-authored-by: Copilot <copilot@github.com>