SEED_DATA_OIDC_EXTENSION.md

# OIDC Extension to Seed Data Script

## Summary

Extended [`scripts/seed_data.py`](scripts/seed_data.py) to include OIDC client seeding functionality.

## Changes Made

### 1. Added Imports
- `import secrets` - For generating secure random values
- `import hashlib` - For hashing client secrets
- `from app.models.oidc_client import OIDCClient` - OIDC client model

### 2. New Helper Function: `create_or_get_oidc_client()`
Creates OIDC clients with proper configuration or returns existing ones. Features:
- Checks for existing clients by `client_id`
- Hashes client secrets using SHA256
- Supports all OIDC client configuration options
- Proper error handling and logging

### 3. New Seed Step: Step 5 - Create OIDC Clients

Added 4 OIDC clients across the 3 seeded organizations:

#### Acme Corporation (2 clients)
1. **Acme Internal Portal** (`acme-portal-001`)
   - Confidential client
   - Grant types: authorization_code, refresh_token
   - Scopes: openid, profile, email, offline_access
   - PKCE required
   - Redirect URIs for production and localhost

2. **Acme Mobile App** (`acme-mobile-001`)
   - Public client (mobile app)
   - Shorter token lifetimes for security
   - PKCE required
   - Custom URL scheme for mobile redirect

#### Tech Startup Inc (1 client)
3. **Tech Startup Dashboard** (`tech-dashboard-001`)
   - Confidential client
   - Standard OIDC configuration
   - PKCE required

#### Data Systems Inc (1 client)
4. **Data Systems API Client** (`data-api-001`)
   - Confidential server-to-server client
   - Additional grant type: client_credentials
   - Custom scopes: api:read, api:write
   - PKCE not required (server-to-server)

## OIDC Client Test Credentials

All clients are configured with test credentials for development:

| Client | Client ID | Client Secret |
|--------|-----------|---------------|
| Acme Portal | `acme-portal-001` | `acme_secret_portal_2024` |
| Acme Mobile | `acme-mobile-001` | `acme_secret_mobile_2024` |
| Tech Dashboard | `tech-dashboard-001` | `tech_secret_dashboard_2024` |
| Data API | `data-api-001` | `data_secret_api_2024` |

## Enhanced Summary Output

The seed script now displays:
- Total count of OIDC clients created
- Detailed information for each client including:
  - Client name and ID
  - Organization
  - Configured grant types
  - Configured scopes
  - Number of redirect URIs
- Complete test credentials table

## Example Output

```
[Step 5] Creating OIDC Clients...

  Acme Corporation OIDC Clients:
  → Created OIDC client: Acme Internal Portal
  → Created OIDC client: Acme Mobile App

  Tech Startup OIDC Clients:
  → Created OIDC client: Tech Startup Dashboard

  Data Systems OIDC Clients:
  → Created OIDC client: Data Systems API Client

  Created 4 OIDC clients

============================================================
Seed Complete!
============================================================

📊 Summary:
  Organizations: 3
  Admin Users: 2
  Regular Users: 9
  OIDC Clients: 4

🔐 OIDC Clients:
  Acme Internal Portal
    Client ID: acme-portal-001
    Organization: Acme Corporation
    Grant Types: authorization_code, refresh_token
    Scopes: openid, profile, email, offline_access
    Redirect URIs: 2 configured
  ...
```

## Features

- **Idempotent**: Running the script multiple times won't create duplicate clients
- **Comprehensive**: Creates diverse client types (confidential, public, server-to-server)
- **Production-ready**: Includes proper secret hashing and security configurations
- **Developer-friendly**: Includes localhost URLs and clear test credentials
- **Well-documented**: Clear console output showing what was created

## Usage

Run the seed script as usual:

```bash
python scripts/seed_data.py
```

The OIDC clients will be automatically created along with users and organizations.

## Security Notes

- Client secrets are hashed using SHA256 before storage
- Test credentials are clearly marked and should **not** be used in production
- PKCE is enabled by default for web and mobile clients
- Token lifetimes are configured appropriately for each client type
major checkpoint 2026-01-08 15:59:53 +10:30			`# OIDC Extension to Seed Data Script`

			`## Summary`

			Extended [`scripts/seed_data.py`](scripts/seed_data.py) to include OIDC client seeding functionality.

			`## Changes Made`

			`### 1. Added Imports`
			- `import secrets` - For generating secure random values
			- `import hashlib` - For hashing client secrets
			- `from app.models.oidc_client import OIDCClient` - OIDC client model

			### 2. New Helper Function: `create_or_get_oidc_client()`
			`Creates OIDC clients with proper configuration or returns existing ones. Features:`
			- Checks for existing clients by `client_id`
			`- Hashes client secrets using SHA256`
			`- Supports all OIDC client configuration options`
			`- Proper error handling and logging`

			`### 3. New Seed Step: Step 5 - Create OIDC Clients`

			`Added 4 OIDC clients across the 3 seeded organizations:`

			`#### Acme Corporation (2 clients)`
			1. Acme Internal Portal (`acme-portal-001`)
			`- Confidential client`
			`- Grant types: authorization_code, refresh_token`
			`- Scopes: openid, profile, email, offline_access`
			`- PKCE required`
			`- Redirect URIs for production and localhost`

			2. Acme Mobile App (`acme-mobile-001`)
			`- Public client (mobile app)`
			`- Shorter token lifetimes for security`
			`- PKCE required`
			`- Custom URL scheme for mobile redirect`

			`#### Tech Startup Inc (1 client)`
			3. Tech Startup Dashboard (`tech-dashboard-001`)
			`- Confidential client`
			`- Standard OIDC configuration`
			`- PKCE required`

			`#### Data Systems Inc (1 client)`
			4. Data Systems API Client (`data-api-001`)
			`- Confidential server-to-server client`
			`- Additional grant type: client_credentials`
			`- Custom scopes: api:read, api:write`
			`- PKCE not required (server-to-server)`

			`## OIDC Client Test Credentials`

			`All clients are configured with test credentials for development:`

			`\| Client \| Client ID \| Client Secret \|`
			`\|--------\|-----------\|---------------\|`
			\| Acme Portal \| `acme-portal-001` \| `acme_secret_portal_2024` \|
			\| Acme Mobile \| `acme-mobile-001` \| `acme_secret_mobile_2024` \|
			\| Tech Dashboard \| `tech-dashboard-001` \| `tech_secret_dashboard_2024` \|
			\| Data API \| `data-api-001` \| `data_secret_api_2024` \|

			`## Enhanced Summary Output`

			`The seed script now displays:`
			`- Total count of OIDC clients created`
			`- Detailed information for each client including:`
			`- Client name and ID`
			`- Organization`
			`- Configured grant types`
			`- Configured scopes`
			`- Number of redirect URIs`
			`- Complete test credentials table`

			`## Example Output`

			```
			`[Step 5] Creating OIDC Clients...`

			`Acme Corporation OIDC Clients:`
			`→ Created OIDC client: Acme Internal Portal`
			`→ Created OIDC client: Acme Mobile App`

			`Tech Startup OIDC Clients:`
			`→ Created OIDC client: Tech Startup Dashboard`

			`Data Systems OIDC Clients:`
			`→ Created OIDC client: Data Systems API Client`

			`Created 4 OIDC clients`

			`============================================================`
			`Seed Complete!`
			`============================================================`

			`📊 Summary:`
			`Organizations: 3`
			`Admin Users: 2`
			`Regular Users: 9`
			`OIDC Clients: 4`

			`🔐 OIDC Clients:`
			`Acme Internal Portal`
			`Client ID: acme-portal-001`
			`Organization: Acme Corporation`
			`Grant Types: authorization_code, refresh_token`
			`Scopes: openid, profile, email, offline_access`
			`Redirect URIs: 2 configured`
			`...`
			```

			`## Features`

			`- Idempotent: Running the script multiple times won't create duplicate clients`
			`- Comprehensive: Creates diverse client types (confidential, public, server-to-server)`
			`- Production-ready: Includes proper secret hashing and security configurations`
			`- Developer-friendly: Includes localhost URLs and clear test credentials`
			`- Well-documented: Clear console output showing what was created`

			`## Usage`

			`Run the seed script as usual:`

			```bash
			`python scripts/seed_data.py`
			```

			`The OIDC clients will be automatically created along with users and organizations.`

			`## Security Notes`

			`- Client secrets are hashed using SHA256 before storage`
			`- Test credentials are clearly marked and should not be used in production`
			`- PKCE is enabled by default for web and mobile clients`
			`- Token lifetimes are configured appropriately for each client type`