diff --git a/PATCHES/openid_connect_windows_aad-3346603-5.patch b/PATCHES/openid_connect_windows_aad-3346603-5.patch
new file mode 100644
index 000000000..56a481852
--- /dev/null
+++ b/PATCHES/openid_connect_windows_aad-3346603-5.patch
@@ -0,0 +1,13 @@
+diff --git a/src/Plugin/OpenIDConnectClient/WindowsAad.php b/src/Plugin/OpenIDConnectClient/WindowsAad.php
+index 8845843..6431581 100644
+--- a/src/Plugin/OpenIDConnectClient/WindowsAad.php
++++ b/src/Plugin/OpenIDConnectClient/WindowsAad.php
+@@ -318,7 +318,7 @@ as the mapping between Azure AD accounts and Drupal users.
+ case 2:
+ $v2 = str_contains($endpoints['token'], '/oauth2/v2.0/');
+ if (!$v2) {
+- $request_options['form_params']['resource'] = 'https://graph.microsoft.com';
++ $request_options['form_params']['scope'] = 'https://graph.microsoft.com/.default';
+ }
+ break;
+ }
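Review bot: The one line this patch changes sits inside `if (!$v2)`, which is entered only when the token endpoint does not contain `/oauth2/v2.0/`. The `token_endpoint_wa` committed in config/openid_connect.client.uniteid.yml does contain that segment, so, assuming `$endpoints['token']` is built from that setting, the patched branch is never reached for the client this commit configures. If that holds, the site carries a local patch to an authentication module that has no effect here; either confirm which endpoint needs it or drop it. The enclosing switch and function lie outside the hunk, so the condition selecting `case 2` cannot be checked from this page.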
diff --git a/composer.json b/composer.json
index 3ee5861ec..0f4b096f1 100644
--- a/composer.json
+++ b/composer.json
@@ -41,15 +41,19 @@
"drupal/default_content": "^2.0@alpha",
"drupal/dynamic_entity_reference": "^3.2",
"drupal/environment_indicator": "^4.0",
+ "drupal/externalauth": "^2.0",
"drupal/facets": "^2.0",
"drupal/imageapi_optimize_binaries": "^1.0@beta",
"drupal/imageapi_optimize_webp": "^2.0",
"drupal/imagemagick": "^4",
+ "drupal/key": "^1.17",
"drupal/layout_paragraphs": "^2.0",
"drupal/mailsystem": "^4.4",
"drupal/maintenance200": "^2",
"drupal/memcache": "^2.5",
"drupal/metatag": "^2.0",
+ "drupal/openid_connect": "dev-3.x",
+ "drupal/openid_connect_windows_aad": "^2.0@beta",
"drupal/paragraphs": "^1.16",
"drupal/paragraphs_edit": "^3",
"drupal/paragraphs_modal_edit": "^1.0@alpha",
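Review bot: `"drupal/openid_connect": "dev-3.x"` makes the site's login path track a moving development branch. composer.lock pins commit 184d20cd9651d2f8b6372e4da188a70d16d405d2 today, but any later `composer update` pulls whatever is at the branch head, and the lock entry marks the package as not covered by Drupal security advisories. I would pin the reviewed commit, `"drupal/openid_connect": "dev-3.x#184d20cd9651d2f8b6372e4da188a70d16d405d2"`, or move to a tagged release constraint as soon as one satisfies the AAD module. `drupal/openid_connect_windows_aad` at `^2.0@beta` is also outside advisory coverage per its lock entry, so both packages need a manual watch for upstream security fixes.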
diff --git a/composer.lock b/composer.lock
index 8b91ccd39..d44dd8a80 100644
--- a/composer.lock
+++ b/composer.lock
@@ -4,7 +4,7 @@
"Read more about it at https://getcomposer.org/doc/01-basic-usage.md#installing-dependencies",
"This file is @generated automatically"
],
- "content-hash": "f534564f2287599af7b68bb952e16098",
+ "content-hash": "bb51faa456242b0b26b94f38edba50c5",
"packages": [
{
"name": "asm89/stack-cors",
@@ -3522,6 +3522,60 @@
"source": "https://git.drupalcode.org/project/environment_indicator"
}
},
+ {
+ "name": "drupal/externalauth",
+ "version": "2.0.5",
+ "source": {
+ "type": "git",
+ "url": "https://git.drupalcode.org/project/externalauth.git",
+ "reference": "2.0.5"
+ },
+ "dist": {
+ "type": "zip",
+ "url": "https://ftp.drupal.org/files/projects/externalauth-2.0.5.zip",
+ "reference": "2.0.5",
+ "shasum": "7c262c7ca20d26aae45896daee4249e47b637abc"
+ },
+ "require": {
+ "drupal/core": "^9 || ^10"
+ },
+ "type": "drupal-module",
+ "extra": {
+ "drupal": {
+ "version": "2.0.5",
+ "datestamp": "1708329378",
+ "security-coverage": {
+ "status": "covered",
+ "message": "Covered by Drupal's security advisory policy"
+ }
+ }
+ },
+ "notification-url": "https://packages.drupal.org/8/downloads",
+ "license": [
+ "GPL-2.0-or-later"
+ ],
+ "authors": [
+ {
+ "name": "Sven Decabooter",
+ "homepage": "https://www.drupal.org/u/svendecabooter",
+ "role": "Maintainer"
+ },
+ {
+ "name": "snufkin",
+ "homepage": "https://www.drupal.org/user/58645"
+ },
+ {
+ "name": "svendecabooter",
+ "homepage": "https://www.drupal.org/user/35369"
+ }
+ ],
+ "description": "Helper module to authenticate users using an external site / service and storing identification details",
+ "homepage": "https://drupal.org/project/externalauth",
+ "support": {
+ "source": "https://git.drupalcode.org/project/externalauth",
+ "issues": "https://www.drupal.org/project/issues/externalauth"
+ }
+ },
{
"name": "drupal/facets",
"version": "2.0.7",
@@ -3878,6 +3932,71 @@
"source": "https://git.drupalcode.org/project/imagemagick"
}
},
+ {
+ "name": "drupal/key",
+ "version": "1.17.0",
+ "source": {
+ "type": "git",
+ "url": "https://git.drupalcode.org/project/key.git",
+ "reference": "8.x-1.17"
+ },
+ "dist": {
+ "type": "zip",
+ "url": "https://ftp.drupal.org/files/projects/key-8.x-1.17.zip",
+ "reference": "8.x-1.17",
+ "shasum": "fa9f606d2ba0e20693e12040004e2ed31302ed03"
+ },
+ "require": {
+ "drupal/core": ">=8.9 <11"
+ },
+ "type": "drupal-module",
+ "extra": {
+ "drupal": {
+ "version": "8.x-1.17",
+ "datestamp": "1674343967",
+ "security-coverage": {
+ "status": "covered",
+ "message": "Covered by Drupal's security advisory policy"
+ }
+ },
+ "drush": {
+ "services": {
+ "drush.services.yml": ">=9"
+ }
+ }
+ },
+ "notification-url": "https://packages.drupal.org/8/downloads",
+ "license": [
+ "GPL-2.0-or-later"
+ ],
+ "authors": [
+ {
+ "name": "Cellar Door",
+ "homepage": "https://www.drupal.org/user/658076"
+ },
+ {
+ "name": "crashtest_",
+ "homepage": "https://www.drupal.org/user/261457"
+ },
+ {
+ "name": "nerdstein",
+ "homepage": "https://www.drupal.org/user/1557710"
+ },
+ {
+ "name": "rlhawk",
+ "homepage": "https://www.drupal.org/user/352283"
+ }
+ ],
+ "description": "Provides the ability to manage site-wide keys",
+ "homepage": "http://drupal.org/project/key",
+ "keywords": [
+ "Drupal"
+ ],
+ "support": {
+ "source": "https://git.drupalcode.org/project/key",
+ "issues": "http://drupal.org/project/key"
+ }
+ },
{
"name": "drupal/layout_paragraphs",
"version": "2.0.5",
@@ -4287,6 +4406,138 @@
"source": "https://git.drupalcode.org/project/monitoring"
}
},
+ {
+ "name": "drupal/openid_connect",
+ "version": "dev-3.x",
+ "source": {
+ "type": "git",
+ "url": "https://git.drupalcode.org/project/openid_connect.git",
+ "reference": "184d20cd9651d2f8b6372e4da188a70d16d405d2"
+ },
+ "require": {
+ "drupal/core": "^9.3 || ^10",
+ "drupal/externalauth": "^2.0",
+ "ext-json": "*",
+ "php": ">=7.1.0"
+ },
+ "type": "drupal-module",
+ "extra": {
+ "branch-alias": {
+ "dev-3.x": "3.x-dev"
+ },
+ "drupal": {
+ "version": "3.0.0-alpha2+12-dev",
+ "datestamp": "1705685372",
+ "security-coverage": {
+ "status": "not-covered",
+ "message": "Dev releases are not covered by Drupal security advisories."
+ }
+ }
+ },
+ "notification-url": "https://packages.drupal.org/8/downloads",
+ "license": [
+ "GPL-2.0-or-later"
+ ],
+ "authors": [
+ {
+ "name": "bojanz",
+ "homepage": "https://www.drupal.org/user/86106"
+ },
+ {
+ "name": "jcnventura",
+ "homepage": "https://www.drupal.org/user/122464"
+ },
+ {
+ "name": "pfrilling",
+ "homepage": "https://www.drupal.org/user/169695"
+ },
+ {
+ "name": "pjcdawkins",
+ "homepage": "https://www.drupal.org/user/1025236"
+ },
+ {
+ "name": "sanduhrs",
+ "homepage": "https://www.drupal.org/user/28074"
+ }
+ ],
+ "description": "A pluggable client implementation for the OpenID Connect protocol.",
+ "homepage": "https://www.drupal.org/project/openid_connect",
+ "keywords": [
+ "Drupal"
+ ],
+ "support": {
+ "source": "https://git.drupalcode.org/project/openid_connect",
+ "issues": "https://www.drupal.org/project/issues/openid_connect"
+ }
+ },
+ {
+ "name": "drupal/openid_connect_windows_aad",
+ "version": "2.0.0-beta7",
+ "source": {
+ "type": "git",
+ "url": "https://git.drupalcode.org/project/openid_connect_windows_aad.git",
+ "reference": "2.0.0-beta7"
+ },
+ "dist": {
+ "type": "zip",
+ "url": "https://ftp.drupal.org/files/projects/openid_connect_windows_aad-2.0.0-beta7.zip",
+ "reference": "2.0.0-beta7",
+ "shasum": "fff769a63f20c2481dfcadfd1622032188007cf4"
+ },
+ "require": {
+ "drupal/core": "^9 || ^10",
+ "drupal/key": "^1.0",
+ "drupal/openid_connect": "^2.0 || ^3.0",
+ "lcobucci/jwt": "^4.2.1",
+ "php": ">=8.0.0"
+ },
+ "type": "drupal-module",
+ "extra": {
+ "drupal": {
+ "version": "2.0.0-beta7",
+ "datestamp": "1701908835",
+ "security-coverage": {
+ "status": "not-covered",
+ "message": "Beta releases are not covered by Drupal security advisories."
+ }
+ }
+ },
+ "notification-url": "https://packages.drupal.org/8/downloads",
+ "license": [
+ "GPL-2.0+"
+ ],
+ "authors": [
+ {
+ "name": "acrazyanimal",
+ "homepage": "https://www.drupal.org/user/696648"
+ },
+ {
+ "name": "ajayNimbolkar",
+ "homepage": "https://www.drupal.org/user/2876727"
+ },
+ {
+ "name": "fabianderijk",
+ "homepage": "https://www.drupal.org/user/278745"
+ },
+ {
+ "name": "tomvv",
+ "homepage": "https://www.drupal.org/user/2748021"
+ },
+ {
+ "name": "webflo",
+ "homepage": "https://www.drupal.org/user/254778"
+ }
+ ],
+ "description": "A CTools plugin that adds a Windows Azure AD client to OpenID Connect.",
+ "homepage": "https://www.drupal.org/project/openid_connect_windows_aad",
+ "keywords": [
+ "Drupal"
+ ],
+ "support": {
+ "source": "http://cgit.drupalcode.org/openid_connect_windows_aad",
+ "issues": "https://www.drupal.org/project/issues/openid_connect_windows_aad"
+ }
+ },
{
"name": "drupal/paragraphs",
"version": "1.17.0",
@@ -6672,6 +6923,144 @@
},
"time": "2023-09-26T02:20:38+00:00"
},
+ {
+ "name": "lcobucci/clock",
+ "version": "3.2.0",
+ "source": {
+ "type": "git",
+ "url": "https://github.com/lcobucci/clock.git",
+ "reference": "6f28b826ea01306b07980cb8320ab30b966cd715"
+ },
+ "dist": {
+ "type": "zip",
+ "url": "https://api.github.com/repos/lcobucci/clock/zipball/6f28b826ea01306b07980cb8320ab30b966cd715",
+ "reference": "6f28b826ea01306b07980cb8320ab30b966cd715",
+ "shasum": ""
+ },
+ "require": {
+ "php": "~8.2.0 || ~8.3.0",
+ "psr/clock": "^1.0"
+ },
+ "provide": {
+ "psr/clock-implementation": "1.0"
+ },
+ "require-dev": {
+ "infection/infection": "^0.27",
+ "lcobucci/coding-standard": "^11.0.0",
+ "phpstan/extension-installer": "^1.3.1",
+ "phpstan/phpstan": "^1.10.25",
+ "phpstan/phpstan-deprecation-rules": "^1.1.3",
+ "phpstan/phpstan-phpunit": "^1.3.13",
+ "phpstan/phpstan-strict-rules": "^1.5.1",
+ "phpunit/phpunit": "^10.2.3"
+ },
+ "type": "library",
+ "autoload": {
+ "psr-4": {
+ "Lcobucci\\Clock\\": "src"
+ }
+ },
+ "notification-url": "https://packagist.org/downloads/",
+ "license": [
+ "MIT"
+ ],
+ "authors": [
+ {
+ "name": "Luís Cobucci",
+ "email": "lcobucci@gmail.com"
+ }
+ ],
+ "description": "Yet another clock abstraction",
+ "support": {
+ "issues": "https://github.com/lcobucci/clock/issues",
+ "source": "https://github.com/lcobucci/clock/tree/3.2.0"
+ },
+ "funding": [
+ {
+ "url": "https://github.com/lcobucci",
+ "type": "github"
+ },
+ {
+ "url": "https://www.patreon.com/lcobucci",
+ "type": "patreon"
+ }
+ ],
+ "time": "2023-11-17T17:00:27+00:00"
+ },
+ {
+ "name": "lcobucci/jwt",
+ "version": "4.3.0",
+ "source": {
+ "type": "git",
+ "url": "https://github.com/lcobucci/jwt.git",
+ "reference": "4d7de2fe0d51a96418c0d04004986e410e87f6b4"
+ },
+ "dist": {
+ "type": "zip",
+ "url": "https://api.github.com/repos/lcobucci/jwt/zipball/4d7de2fe0d51a96418c0d04004986e410e87f6b4",
+ "reference": "4d7de2fe0d51a96418c0d04004986e410e87f6b4",
+ "shasum": ""
+ },
+ "require": {
+ "ext-hash": "*",
+ "ext-json": "*",
+ "ext-mbstring": "*",
+ "ext-openssl": "*",
+ "ext-sodium": "*",
+ "lcobucci/clock": "^2.0 || ^3.0",
+ "php": "^7.4 || ^8.0"
+ },
+ "require-dev": {
+ "infection/infection": "^0.21",
+ "lcobucci/coding-standard": "^6.0",
+ "mikey179/vfsstream": "^1.6.7",
+ "phpbench/phpbench": "^1.2",
+ "phpstan/extension-installer": "^1.0",
+ "phpstan/phpstan": "^1.4",
+ "phpstan/phpstan-deprecation-rules": "^1.0",
+ "phpstan/phpstan-phpunit": "^1.0",
+ "phpstan/phpstan-strict-rules": "^1.0",
+ "phpunit/php-invoker": "^3.1",
+ "phpunit/phpunit": "^9.5"
+ },
+ "type": "library",
+ "autoload": {
+ "psr-4": {
+ "Lcobucci\\JWT\\": "src"
+ }
+ },
+ "notification-url": "https://packagist.org/downloads/",
+ "license": [
+ "BSD-3-Clause"
+ ],
+ "authors": [
+ {
+ "name": "Luís Cobucci",
+ "email": "lcobucci@gmail.com",
+ "role": "Developer"
+ }
+ ],
+ "description": "A simple library to work with JSON Web Token and JSON Web Signature",
+ "keywords": [
+ "JWS",
+ "jwt"
+ ],
+ "support": {
+ "issues": "https://github.com/lcobucci/jwt/issues",
+ "source": "https://github.com/lcobucci/jwt/tree/4.3.0"
+ },
+ "funding": [
+ {
+ "url": "https://github.com/lcobucci",
+ "type": "github"
+ },
+ {
+ "url": "https://www.patreon.com/lcobucci",
+ "type": "patreon"
+ }
+ ],
+ "time": "2023-01-02T13:28:00+00:00"
+ },
{
"name": "league/container",
"version": "4.2.2",
@@ -9762,6 +10151,54 @@
},
"time": "2021-02-03T23:26:27+00:00"
},
+ {
+ "name": "psr/clock",
+ "version": "1.0.0",
+ "source": {
+ "type": "git",
+ "url": "https://github.com/php-fig/clock.git",
+ "reference": "e41a24703d4560fd0acb709162f73b8adfc3aa0d"
+ },
+ "dist": {
+ "type": "zip",
+ "url": "https://api.github.com/repos/php-fig/clock/zipball/e41a24703d4560fd0acb709162f73b8adfc3aa0d",
+ "reference": "e41a24703d4560fd0acb709162f73b8adfc3aa0d",
+ "shasum": ""
+ },
+ "require": {
+ "php": "^7.0 || ^8.0"
+ },
+ "type": "library",
+ "autoload": {
+ "psr-4": {
+ "Psr\\Clock\\": "src/"
+ }
+ },
+ "notification-url": "https://packagist.org/downloads/",
+ "license": [
+ "MIT"
+ ],
+ "authors": [
+ {
+ "name": "PHP-FIG",
+ "homepage": "https://www.php-fig.org/"
+ }
+ ],
+ "description": "Common interface for reading the clock.",
+ "homepage": "https://github.com/php-fig/clock",
+ "keywords": [
+ "clock",
+ "now",
+ "psr",
+ "psr-20",
+ "time"
+ ],
+ "support": {
+ "issues": "https://github.com/php-fig/clock/issues",
+ "source": "https://github.com/php-fig/clock/tree/1.0.0"
+ },
+ "time": "2022-11-25T14:36:26+00:00"
+ },
{
"name": "psr/container",
"version": "2.0.2",
@@ -16590,6 +17027,8 @@
"drupal/config_split": 5,
"drupal/default_content": 15,
"drupal/imageapi_optimize_binaries": 10,
+ "drupal/openid_connect": 20,
+ "drupal/openid_connect_windows_aad": 10,
"drupal/paragraphs_modal_edit": 15,
"drupal/paragraphs_viewmode": 15,
"drupal/samples": 10,
diff --git a/composer.patches.json b/composer.patches.json
index 9ad946d3a..739125008 100644
--- a/composer.patches.json
+++ b/composer.patches.json
@@ -9,6 +9,9 @@
"drupal/default_content" : {
"https://www.drupal.org/project/default_content/issues/2885285#comment-15342107": "https://www.drupal.org/files/issues/2023-12-01/i2885285-exporting-menu-link-2.patch"
},
+ "drupal/openid_connect_windows_aad": {
+ "Failed to get authentication tokens for Windows Azure AD": "PATCHES/openid_connect_windows_aad-3346603-5.patch"
+ },
"drupal/user_expire": {
"Allow the notification email to be customised": "PATCHES/user_expire-customize-notification-email.patch",
"Reset expiration when user is reactivated": "PATCHES/user_expire-reset-expiration-on-reactivation.patch"
diff --git a/config/azure_tweaks.settings.yml b/config/azure_tweaks.settings.yml
new file mode 100644
index 000000000..9e5403b92
--- /dev/null
+++ b/config/azure_tweaks.settings.yml
@@ -0,0 +1,4 @@
+_core:
+ default_config_hash: TIPnIyFAvtUYyRrJ3PZfoG0mvxc-M7mUieId5CixGRk
+password_url: 'https://unb2c.b2clogin.com/unb2c.onmicrosoft.com/oauth2/v2.0/authorize?p=B2C_1_OCHA_PASSWORD_RESET&nonce=defaultNonce&scope=openid&response_type=code&prompt=login'
+register_url: 'https://unb2c.b2clogin.com/unb2c.onmicrosoft.com/oauth2/v2.0/authorize?p=B2C_1_OCHA_SIGNUP&nonce=defaultNonce&scope=openid&response_type=code&prompt=login'
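Review bot: Both URLs hard-code `nonce=defaultNonce` and carry no `state` parameter, so every signup and password-reset request sent to the B2C tenant uses the same nonce and nothing ties the response to the browser session that started it. Nonce and state are meant to be per-request random values. I would remove `&nonce=defaultNonce` from these strings and have the controller that appends `client_id` and `redirect_uri` add freshly generated values instead. Since the redirect target is `openid-connect/uniteid`, it is also worth confirming how the openid_connect callback handles a response that arrives without a state it issued.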
diff --git a/config/core.extension.yml b/config/core.extension.yml
index 291e9d994..c1efaef26 100644
--- a/config/core.extension.yml
+++ b/config/core.extension.yml
@@ -2,6 +2,7 @@ _core:
default_config_hash: R4IF-ClDHXxblLcG0L7MgsLvfBIMAvi_skumNFQwkDc
module:
admin_denied: 0
+ azure_tweaks: 0
amazon_ses: 0
aws: 0
big_pipe: 0
@@ -21,6 +22,7 @@ module:
editor: 0
entity_reference_revisions: 0
environment_indicator: 0
+ externalauth: 0
facets: 0
facets_summary: 0
field: 0
@@ -30,6 +32,7 @@ module:
gtm_barebones: 0
image: 0
inline_form_errors: 0
+ key: 0
language: 0
layout_builder: 0
layout_discovery: 0
@@ -46,6 +49,8 @@ module:
ocha_media_content: 0
ocha_monitoring: 0
ocha_search: 0
+ openid_connect: 0
+ openid_connect_windows_aad: 0
options: 0
page_cache: 0
path: 0
@@ -59,9 +64,6 @@ module:
seckit: 0
select_a11y: 0
serialization: 0
- social_api: 0
- social_auth: 0
- social_auth_hid: 0
syslog: 0
system: 0
taxonomy: 0
diff --git a/config/key.key.3ad9233a_021a_46e3_9d6a_a57c7eacce71.yml b/config/key.key.3ad9233a_021a_46e3_9d6a_a57c7eacce71.yml
new file mode 100644
index 000000000..ff186e9ad
--- /dev/null
+++ b/config/key.key.3ad9233a_021a_46e3_9d6a_a57c7eacce71.yml
@@ -0,0 +1,15 @@
+uuid: d9519929-5673-460d-8c29-9519a8852a0f
+langcode: en
+status: true
+dependencies: { }
+id: 3ad9233a_021a_46e3_9d6a_a57c7eacce71
+label: 3ad9233a-021a-46e3-9d6a-a57c7eacce71
+description: 'CD Client Secret'
+key_type: authentication
+key_type_settings: { }
+key_provider: file
+key_provider_settings:
+ file_location: /srv/www/shared/settings/oidc.3ad9233a-021a-46e3-9d6a-a57c7eacce71.key
+ strip_line_breaks: true
+key_input: none
+key_input_settings: { }
diff --git a/config/key.key.b6ea6184_be93_4eeb_8407_6151fc6d7669.yml b/config/key.key.b6ea6184_be93_4eeb_8407_6151fc6d7669.yml
new file mode 100644
index 000000000..3f4281b8f
--- /dev/null
+++ b/config/key.key.b6ea6184_be93_4eeb_8407_6151fc6d7669.yml
@@ -0,0 +1,15 @@
+uuid: dbf5f678-e8b0-4f48-9013-b953575cb7b7
+langcode: en
+status: true
+dependencies: { }
+id: b6ea6184_be93_4eeb_8407_6151fc6d7669
+label: b6ea6184-be93-4eeb-8407-6151fc6d7669
+description: 'CD Feature Key'
+key_type: authentication
+key_type_settings: { }
+key_provider: file
+key_provider_settings:
+ file_location: /srv/www/shared/settings/oidc.b6ea6184-be93-4eeb-8407-6151fc6d7669.key
+ strip_line_breaks: true
+key_input: none
+key_input_settings: { }
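Review bot: Nothing visible in this commit references key `b6ea6184_be93_4eeb_8407_6151fc6d7669`; the only consumer shown, `client_secret` in config/openid_connect.client.uniteid.yml, points at `3ad9233a_021a_46e3_9d6a_a57c7eacce71`. If this is the secret for a feature environment that is swapped in by a settings override, a more explicit `description` than 'CD Feature Key' would make that clear; otherwise the entity can be dropped. Keeping the secret in a file outside the config export is the right approach for both keys. The deployment should make sure the files under `/srv/www/shared/settings/` are readable only by the web server user.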
diff --git a/config/openid_connect.client.uniteid.yml b/config/openid_connect.client.uniteid.yml
new file mode 100644
index 000000000..449329be3
--- /dev/null
+++ b/config/openid_connect.client.uniteid.yml
@@ -0,0 +1,28 @@
+uuid: acf656d3-d5f6-4adb-ba7c-594e3c08eced
+langcode: en
+status: true
+dependencies:
+ module:
+ - openid_connect_windows_aad
+id: uniteid
+label: 'Azure B2C Signup/Signin'
+plugin: windows_aad
+settings:
+ client_id: 64661a42-4710-4bfd-97ab-916bcfeddb59
+ client_secret: 3ad9233a_021a_46e3_9d6a_a57c7eacce71
+ authorization_endpoint_wa: 'https://unb2c.b2clogin.com/unb2c.onmicrosoft.com/B2C_1_OCHA_SIGNUP_SIGNIN/oauth2/v2.0/authorize'
+ token_endpoint_wa: 'https://unb2c.b2clogin.com/unb2c.onmicrosoft.com/B2C_1_OCHA_SIGNUP_SIGNIN/oauth2/v2.0/token'
+ userinfo_endpoint_wa: 'https://graph.microsoft.com/oidc/userinfo'
+ map_ad_groups_to_roles: true
+ group_mapping:
+ method: 0
+ mappings: ''
+ strict: false
+ userinfo_graph_api_wa: 1
+ userinfo_graph_api_use_other_mails: true
+ userinfo_update_email: true
+ hide_email_address_warning: true
+ subject_key: sub
+ end_session_endpoint: 'https://unb2c.b2clogin.com/unb2c.onmicrosoft.com/B2C_1_OCHA_SIGNUP_SIGNIN/oauth2/v2.0/logout'
+ iss_allowed_domains: feature.commondesign-unocha-org.ahconu.org
+ front_channel_logout_url: ''
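Review bot: `iss_allowed_domains: feature.commondesign-unocha-org.ahconu.org` puts what looks like one environment's own hostname into shared, exported config, so every environment that imports this file will allow that domain for issuer-initiated login. If the setting is not needed it should stay empty; if it is, it (and probably `client_id`) belongs in a per-environment override in settings.php rather than in config/. Separately, `userinfo_update_email: true` together with `userinfo_graph_api_use_other_mails: true` lets identity-provider data overwrite the Drupal account e-mail while `hide_email_address_warning: true` suppresses the warning about it. It is worth confirming that the B2C tenant only returns verified addresses.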
diff --git a/config/openid_connect.settings.yml b/config/openid_connect.settings.yml
new file mode 100644
index 000000000..cc2e6e8c9
--- /dev/null
+++ b/config/openid_connect.settings.yml
@@ -0,0 +1,9 @@
+always_save_userinfo: true
+connect_existing_users: false
+override_registration_settings: false
+end_session_enabled: true
+user_login_display: above
+redirect_login: ''
+redirect_logout: ''
+userinfo_mappings:
+ timezone: zoneinfo
diff --git a/config/social_auth.settings.yml b/config/social_auth.settings.yml
deleted file mode 100644
index d367a8d4a..000000000
--- a/config/social_auth.settings.yml
+++ /dev/null
@@ -1,12 +0,0 @@
-_core:
- default_config_hash: 0E8z47ONguVcapiw1PGWDRs6g0NRDCzrym4mP_jcELU
-auth:
- social_auth_hid:
- route: social_auth_hid.redirect_to_hid
- img_path: modules/contrib/social_auth_hid/img/hid_logo.png
-post_login: /user
-user_allowed: register
-redirect_user_form: false
-disable_admin_login: false
-disabled_roles:
- admin_user: '0'
diff --git a/config/social_auth_hid.settings.yml b/config/social_auth_hid.settings.yml
deleted file mode 100644
index 7adee90e7..000000000
--- a/config/social_auth_hid.settings.yml
+++ /dev/null
@@ -1,14 +0,0 @@
-_core:
- default_config_hash: _t9faeey8ijkiUWjKuz8shcOTzmFLyWYpJQpwcaA3XY
-client_id: HID_CLIENT_ID_DO_NOT_COMMIT_TO_REPOSITORY
-client_secret: HID_CLIENT_ID_DO_NOT_COMMIT_TO_REPOSITORY
-base_url: 'https://auth.humanitarian.id'
-auto_redirect: true
-disable_default: true
-disable_password_fields: true
-disable_email_field: true
-disable_user_field: true
-disable_user_create: false
-maintenance_access: false
-scopes: profile
-endpoints: ''
diff --git a/config/user.settings.yml b/config/user.settings.yml
index 912f5f910..6ca1f80e0 100644
--- a/config/user.settings.yml
+++ b/config/user.settings.yml
@@ -12,7 +12,7 @@ notify:
register_admin_created: true
register_no_approval_required: true
register_pending_approval: true
-register: admin_only
+register: visitors_admin_approval
cancel_method: user_cancel_block_unpublish
password_reset_timeout: 86400
password_strength: true
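Review bot: Changing `register` from `admin_only` to `visitors_admin_approval` opens account creation site-wide, not only for OpenID Connect logins. With `override_registration_settings: false` in config/openid_connect.settings.yml this is presumably what allows first-time B2C users to get an account pending approval. It also means the only thing closing core's own registration form is the `user.register` denial in the azure_tweaks RouteSubscriber, which lapses if that module is ever disabled. I would state that dependency in the commit description or module README, and check that no other registration entry point (for example a REST user registration resource, if one is enabled) is reachable.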
diff --git a/html/modules/custom/azure_tweaks/azure_tweaks.info.yml b/html/modules/custom/azure_tweaks/azure_tweaks.info.yml
new file mode 100755
index 000000000..e8dd64c41
--- /dev/null
+++ b/html/modules/custom/azure_tweaks/azure_tweaks.info.yml
@@ -0,0 +1,7 @@
+name: 'Azure tweaks'
+description: Tweaks for Azure B2C.
+type: module
+core_version_requirement: ^9 || ^10
+package: 'UNOCHA'
+dependencies:
+ - openid_connect_windows_aad:openid_connect_windows_aad
diff --git a/html/modules/custom/azure_tweaks/azure_tweaks.links.task.yml b/html/modules/custom/azure_tweaks/azure_tweaks.links.task.yml
new file mode 100644
index 000000000..1f451598b
--- /dev/null
+++ b/html/modules/custom/azure_tweaks/azure_tweaks.links.task.yml
@@ -0,0 +1,9 @@
+azure_tweaks.register:
+ route_name: azure_tweaks.register
+ base_route: user.page
+ title: 'Create new account'
+
+azure_tweaks.pass:
+ route_name: azure_tweaks.pass
+ base_route: user.page
+ title: 'Reset your password'
diff --git a/html/modules/custom/azure_tweaks/azure_tweaks.module b/html/modules/custom/azure_tweaks/azure_tweaks.module
new file mode 100755
index 000000000..62aa67d7e
--- /dev/null
+++ b/html/modules/custom/azure_tweaks/azure_tweaks.module
@@ -0,0 +1,6 @@
+config('azure_tweaks.settings')->get('register_url');
+ $client_id = $this->config('openid_connect.client.uniteid')->get('settings.client_id');
+ $redirect = Url::fromRoute('')->setAbsolute()->toString();
+ $redirect .= 'openid-connect/uniteid';
+
+ $url .= '&client_id=' . $client_id;
+ $url .= '&redirect_uri=' . $redirect;
+
+ /** @var \Drupal\Core\Routing\TrustedRedirectResponse|\Symfony\Component\HttpFoundation\RedirectResponse $response */
+ $response = new TrustedRedirectResponse($url);
+
+ return $response->send();
+ }
+
+ /**
+ * Redirect the password reset page.
+ */
+ public function redirectResetPassword() {
+ $url = $this->config('azure_tweaks.settings')->get('password_url');
+ $client_id = $this->config('openid_connect.client.uniteid')->get('settings.client_id');
+ $redirect = Url::fromRoute('')->setAbsolute()->toString();
+ $redirect .= 'openid-connect/uniteid';
+
+ $url .= '&client_id=' . $client_id;
+ $url .= '&redirect_uri=' . $redirect;
+
+ /** @var \Drupal\Core\Routing\TrustedRedirectResponse|\Symfony\Component\HttpFoundation\RedirectResponse $response */
+ $response = new TrustedRedirectResponse($url);
+
+ return $response->send();
+ }
+
+}
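Review bot: In `redirectResetPassword()`, and in the method whose tail is visible above it, `client_id` and `redirect_uri` are appended by plain string concatenation, so the absolute redirect URI enters the query string unencoded. Both methods also call `$response->send()` inside the controller and return its result, which emits the redirect before Drupal's response handling runs and then hands the already-sent response back to the kernel. I would build the query with `$url .= '&' . http_build_query(['client_id' => $client_id, 'redirect_uri' => $redirect]);` and finish with `return new TrustedRedirectResponse($url);`. The two methods differ only in the config key they read, so a private helper taking that key would remove the duplication. The top of this file, including the class declaration and the start of the first method, is missing from the page, so this is based on the visible lines only.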
diff --git a/html/modules/custom/azure_tweaks/src/Routing/RouteSubscriber.php b/html/modules/custom/azure_tweaks/src/Routing/RouteSubscriber.php
new file mode 100644
index 000000000..dc17fdffa
--- /dev/null
+++ b/html/modules/custom/azure_tweaks/src/Routing/RouteSubscriber.php
@@ -0,0 +1,56 @@
+config = $configFactory->get('azure_tweaks.settings');
+ }
+
+ /**
+ * {@inheritdoc}
+ */
+ protected function alterRoutes(RouteCollection $collection) {
+ if ($route = $collection->get('user.login.http')) {
+ $route->setRequirement('_access', 'FALSE');
+ }
+ if ($route = $collection->get('user.pass')) {
+ $route->setRequirement('_access', 'FALSE');
+ }
+ if ($route = $collection->get('user.pass.http')) {
+ $route->setRequirement('_access', 'FALSE');
+ }
+ if ($route = $collection->get('user.register')) {
+ $route->setRequirement('_access', 'FALSE');
+ }
+
+ // Deny access to user_create form.
+ if ($this->config->get('disable_user_create')) {
+ if ($route = $collection->get('user.admin_create')) {
+ $route->setRequirement('_access', 'FALSE');
+ }
+ }
+ }
+
+}
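Review bot: The `disable_user_create` check in `alterRoutes()` reads a key that config/azure_tweaks.settings.yml in this commit does not define (it holds only `password_url` and `register_url`), so `$this->config->get('disable_user_create')` yields NULL and the `user.admin_create` denial never applies. The key does appear in the removed social_auth_hid.settings.yml, so it looks carried over from there; either add `disable_user_create: false` to the module's settings and schema, or drop the branch. Also, `user.login` stays reachable while `user.pass` and `user.register` are denied; a one-line comment such as `// Local password login is intentionally left enabled; only reset and registration move to Azure B2C.` would record that this is deliberate. The beginning of the file is not visible on the page.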