From aa36e9a785b01c67052c7008775235f94a4fad41 Mon Sep 17 00:00:00 2001
From: Jason Ertel
Date: Thu, 27 Jul 2023 08:40:27 -0400
Subject: [PATCH] oidc
---
 salt/kratos/defaults.yaml | 2 +-
 salt/kratos/soc_kratos.yaml | 8 ++++----
 salt/manager/tools/sbin/so-user | 4 ++--
 3 files changed, 7 insertions(+), 7 deletions(-)
diff --git a/salt/kratos/defaults.yaml b/salt/kratos/defaults.yaml
index 202670e3d..1e2eef5ed 100644
--- a/salt/kratos/defaults.yaml
+++ b/salt/kratos/defaults.yaml
@@ -6,7 +6,7 @@ kratos:
 id: SSO
 mapper_url: file:///kratos-conf/oidc.jsonnet
 subject_source: userinfo
- scopes:
+ scope:
 - email
 - profile
 requested_claims:
diff --git a/salt/kratos/soc_kratos.yaml b/salt/kratos/soc_kratos.yaml
index 3d63f825e..6269fda60 100644
--- a/salt/kratos/soc_kratos.yaml
+++ b/salt/kratos/soc_kratos.yaml
@@ -6,7 +6,7 @@ kratos:
 oidc:
 enabled:
- description: Set to True to enable OIDC / Single Sign-On (SSO) into SOC. Requires a valid Security Onion license key.
+ description: Set to True to enable OIDC / Single Sign-On (SSO) to SOC. Requires a valid Security Onion license key.
 global: True
 helpLink: oidc.html
 config:
@@ -104,7 +104,7 @@ kratos:
 methods:
 password:
 enabled:
- description: Set to True to enable traditional password authentication. Leave as default to ensure proper security protections remain in place.
+ description: Set to True to enable traditional password authentication to SOC. Typically set to true, except when exclusively using OIDC authentication.
 global: True
 advanced: True
 helpLink: kratos.html
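Review bot: The `scopes` → `scope` rename in salt/kratos/defaults.yaml changes the pillar key under the OIDC provider entry; if salt/kratos/soc_kratos.yaml still carries an annotation for the old `scopes` key (it is touched elsewhere in this patch but that part is not visible here), it needs the same rename, otherwise the SOC UI presents a setting that Kratos no longer reads. The list keeps only `email` and `profile`; whether the configured provider additionally needs `openid` requested explicitly depends on the Kratos provider type, which this hunk does not show, and is worth confirming when the rename is verified against a live login.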
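Review bot: The new `description` for the password `enabled` option drops the earlier caution and instead suggests turning password authentication off when OIDC is used exclusively, without saying that SOC login then depends entirely on the OIDC provider being reachable and correctly configured. Suggest extending the string: `Typically set to true, except when exclusively using OIDC authentication. Confirm that OIDC login succeeds before disabling password authentication, since a broken OIDC configuration would otherwise leave no way to log in to SOC.` This keeps the operator-facing guidance as explicit as the text it replaces.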
@@ -115,7 +115,7 @@ kratos:
 helpLink: kratos.html
 totp:
 enabled:
- description: Set to True to enable Time-based One-Time Password (TOTP) multi-factor authentication (MFA). Enable to ensure proper security protections remain in place. Be aware that disabling this setting, after users have already setup TOTP, may prevent users from logging in.
+ description: Set to True to enable Time-based One-Time Password (TOTP) multi-factor authentication (MFA) to SOC. Enable to ensure proper security protections remain in place. Be aware that disabling this setting, after users have already setup TOTP, may prevent users from logging in.
 global: True
 helpLink: kratos.html
 config:
@@ -126,7 +126,7 @@ kratos:
 helpLink: kratos.html
 webauthn:
 enabled:
- description: Set to True to enable Security Keys (WebAuthn / PassKeys) for passwordless or multi-factor authentication (MFA) logins. Security Keys are a Public-Key Infrastructure (PKI) based authentication method, typically involving biometric hardware devices, such as laptop fingerprint scanners and USB hardware keys. Be aware that disabling this setting, after users have already setup their accounts with Security Keys, may prevent users from logging in.
+ description: Set to True to enable Security Keys (WebAuthn / PassKeys) for passwordless or multi-factor authentication (MFA) SOC logins. Security Keys are a Public-Key Infrastructure (PKI) based authentication method, typically involving biometric hardware devices, such as laptop fingerprint scanners and USB hardware keys. Be aware that disabling this setting, after users have already setup their accounts with Security Keys, may prevent users from logging in.
 global: True
 helpLink: kratos.html
 config:
diff --git a/salt/manager/tools/sbin/so-user b/salt/manager/tools/sbin/so-user
index 98850143e..d597cdacb 100755
--- a/salt/manager/tools/sbin/so-user
+++ b/salt/manager/tools/sbin/so-user
@@ -235,8 +235,8 @@ function updatePassword() {
 # Update DB with new hash
 echo "update identity_credentials set config=CAST('{\"hashed_password\":\"$passwordHash\"}' as BLOB), created_at=datetime('now'), updated_at=datetime('now') where identity_id='${identityId}' and identity_credential_type_id=(select id from identity_credential_types where name='password');" | sqlite3 -cmd ".timeout ${databaseTimeout}" "$databasePath"
 # Deactivate MFA
- echo "delete from identity_credential_identifiers where identity_credential_id=(select id from identity_credentials where identity_id='${identityId}' and identity_credential_type_id=(select id from identity_credential_types where name in ('totp', 'webauthn')));" | sqlite3 -cmd ".timeout ${databaseTimeout}" "$databasePath"
- echo "delete from identity_credentials where identity_id='${identityId}' and identity_credential_type_id=(select id from identity_credential_types where name in ('totp', 'webauthn'));" | sqlite3 -cmd ".timeout ${databaseTimeout}" "$databasePath"
+ echo "delete from identity_credential_identifiers where identity_credential_id=(select id from identity_credentials where identity_id='${identityId}' and identity_credential_type_id=(select id from identity_credential_types where name in ('totp', 'webauthn', 'oidc')));" | sqlite3 -cmd ".timeout ${databaseTimeout}" "$databasePath"
+ echo "delete from identity_credentials where identity_id='${identityId}' and identity_credential_type_id=(select id from identity_credential_types where name in ('totp', 'webauthn', 'oidc'));" | sqlite3 -cmd ".timeout ${databaseTimeout}" "$databasePath"
 [[ $? != 0 ]] && fail "Unable to update password"
 fi
 }
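Review bot: Both rewritten delete statements compare `identity_credential_type_id=(select id from identity_credential_types where name in ('totp', 'webauthn', 'oidc'))` with `=` against a subquery that can now yield up to three rows, and SQLite uses only the first row of a scalar subquery, so credentials of the other types are silently left in place; the outer `identity_credential_id=(select id from identity_credentials ...)` in the first statement has the same problem once a user holds more than one of these credential types. Change both comparisons to `identity_credential_type_id in (select id from identity_credential_types where name in ('totp', 'webauthn', 'oidc'))` and `identity_credential_id in (select id from identity_credentials where ...)` so every matching row is removed. The `# Deactivate MFA` comment above the new lines is now incomplete, since an `oidc` credential is not an MFA factor; suggest `# Deactivate MFA and remove any linked OIDC (SSO) credential so the reset password is the only remaining login method until the user re-enrolls`. Removing the oidc rows presumably forces the user to re-link SSO after a password reset, which is worth stating in the script's usage text if it is not already (not visible here), and the `[[ $? != 0 ]]` check only observes the last sqlite3 pipeline, so a failed first delete is never reported. updatePassword starts outside the hunk.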