From 8ade069dd1e6d11ab760a5ba914e5c585780478e Mon Sep 17 00:00:00 2001
From: Dan <daniel.h.funk@gmail.com>
Date: Thu, 1 Dec 2022 11:42:36 -0500
Subject: [PATCH] A little cleanup of the ui Don't check authorization on
 static assets Do not require unique username on user table (uniqueness check
 is on the service and service id composite.)

---
 .../{ff1c1628337c_.py => 3f049fa4d8ac_.py}    |   9 +-
 .../config/permissions/development.yml        |   6 +-
 src/spiffworkflow_backend/models/user.py      |   2 +-
 .../openid_blueprint/openid_blueprint.py      |  79 +++++++-----
 .../routes/openid_blueprint/static/login.css  | 112 ++++++++++++++++++
 .../routes/openid_blueprint/static/logo.png   | Bin 0 -> 10138 bytes
 .../openid_blueprint/static/logo_small.png    | Bin 0 -> 5000 bytes
 .../openid_blueprint/templates/login.html     |  85 ++-----------
 .../services/authorization_service.py         |   3 +-
 .../integration/test_openid_blueprint.py      |  22 +---
 10 files changed, 177 insertions(+), 141 deletions(-)
 rename migrations/versions/{ff1c1628337c_.py => 3f049fa4d8ac_.py} (99%)
 create mode 100644 src/spiffworkflow_backend/routes/openid_blueprint/static/login.css
 create mode 100644 src/spiffworkflow_backend/routes/openid_blueprint/static/logo.png
 create mode 100644 src/spiffworkflow_backend/routes/openid_blueprint/static/logo_small.png

diff --git a/migrations/versions/ff1c1628337c_.py b/migrations/versions/3f049fa4d8ac_.py
similarity index 99%
rename from migrations/versions/ff1c1628337c_.py
rename to migrations/versions/3f049fa4d8ac_.py
index d8da6d3c..dc8675a6 100644
--- a/migrations/versions/ff1c1628337c_.py
+++ b/migrations/versions/3f049fa4d8ac_.py
@@ -1,8 +1,8 @@
 """empty message
 
-Revision ID: ff1c1628337c
+Revision ID: 3f049fa4d8ac
 Revises: 
-Create Date: 2022-11-28 15:08:52.014254
+Create Date: 2022-11-30 16:49:54.805372
 
 """
 from alembic import op
@@ -10,7 +10,7 @@ import sqlalchemy as sa
 
 
 # revision identifiers, used by Alembic.
-revision = 'ff1c1628337c'
+revision = '3f049fa4d8ac'
 down_revision = None
 branch_labels = None
 depends_on = None
@@ -79,8 +79,7 @@ def upgrade():
     sa.Column('email', sa.String(length=255), nullable=True),
     sa.PrimaryKeyConstraint('id'),
     sa.UniqueConstraint('service', 'service_id', name='service_key'),
-    sa.UniqueConstraint('uid'),
-    sa.UniqueConstraint('username')
+    sa.UniqueConstraint('uid')
     )
     op.create_table('message_correlation_property',
     sa.Column('id', sa.Integer(), nullable=False),
diff --git a/src/spiffworkflow_backend/config/permissions/development.yml b/src/spiffworkflow_backend/config/permissions/development.yml
index 1acace14..d92daeaf 100644
--- a/src/spiffworkflow_backend/config/permissions/development.yml
+++ b/src/spiffworkflow_backend/config/permissions/development.yml
@@ -4,11 +4,7 @@ users:
   admin:
     email: admin@spiffworkflow.org
     password: admin
-  dan:
-    email: dan@spiffworkflow.org
-    password: password
-
-
+    preferred_username: Admin
 
 groups:
   admin:
diff --git a/src/spiffworkflow_backend/models/user.py b/src/spiffworkflow_backend/models/user.py
index eb88e5de..ed6d10e6 100644
--- a/src/spiffworkflow_backend/models/user.py
+++ b/src/spiffworkflow_backend/models/user.py
@@ -30,7 +30,7 @@ class UserModel(SpiffworkflowBaseDBModel):
     __table_args__ = (db.UniqueConstraint("service", "service_id", name="service_key"),)
 
     id = db.Column(db.Integer, primary_key=True)
-    username = db.Column(db.String(255), nullable=False, unique=True)
+    username = db.Column(db.String(255), nullable=False, unique=False)  # server and service id must be unique, not username.
     uid = db.Column(db.String(50), unique=True)
     service = db.Column(db.String(50), nullable=False, unique=False)
     service_id = db.Column(db.String(255), nullable=False, unique=False)
diff --git a/src/spiffworkflow_backend/routes/openid_blueprint/openid_blueprint.py b/src/spiffworkflow_backend/routes/openid_blueprint/openid_blueprint.py
index b16ba46a..5c96d62b 100644
--- a/src/spiffworkflow_backend/routes/openid_blueprint/openid_blueprint.py
+++ b/src/spiffworkflow_backend/routes/openid_blueprint/openid_blueprint.py
@@ -1,23 +1,22 @@
 """
 Provides the bare minimum endpoints required by SpiffWorkflow to
-handle openid authentication -- definitely not a production system.
-This is just here to make local development, testing, and
-demonstration easier.
+handle openid authentication -- definitely not a production ready system.
+This is just here to make local development, testing, and demonstration easier.
 """
 import base64
 import time
-import urllib
 from urllib.parse import urlencode
 
 import jwt
 import yaml
-from flask import Blueprint, render_template, request, current_app, redirect, url_for, g
+from flask import Blueprint, render_template, request, current_app, redirect, url_for
 
 openid_blueprint = Blueprint(
     "openid", __name__, template_folder="templates", static_folder="static"
 )
 
-MY_SECRET_CODE = ":this_should_be_some_crazy_code_different_all_the_time"
+MY_SECRET_CODE = ":this_is_not_secure_do_not_use_in_production"
+
 
 @openid_blueprint.route("/.well-known/openid-configuration", methods=["GET"])
 def well_known():
@@ -26,8 +25,9 @@ def well_known():
     host_url = request.host_url.strip('/')
     return {
         "issuer": f"{host_url}/openid",
-        "authorization_endpoint":  f"{host_url}{url_for('openid.auth')}",
+        "authorization_endpoint": f"{host_url}{url_for('openid.auth')}",
         "token_endpoint": f"{host_url}{url_for('openid.token')}",
+        "end_session_endpoint": f"{host_url}{url_for('openid.end_session')}",
     }
 
 
@@ -40,23 +40,22 @@ def auth():
                            client_id=request.args.get('client_id'),
                            scope=request.args.get('scope'),
                            redirect_uri=request.args.get('redirect_uri'),
-                           error_message=request.args.get('error_message'))
+                           error_message=request.args.get('error_message', ''))
 
 
 @openid_blueprint.route("/form_submit", methods=["POST"])
 def form_submit():
-
     users = get_users()
     if request.values['Uname'] in users and request.values['Pass'] == users[request.values['Uname']]["password"]:
         # Redirect back to the end user with some detailed information
         state = request.values.get('state')
         data = {
-            "state": base64.b64encode(bytes(state, 'UTF-8')),
+            "state": state,
             "code": request.values['Uname'] + MY_SECRET_CODE,
             "session_state": ""
         }
         url = request.values.get('redirect_uri') + "?" + urlencode(data)
-        return redirect(url, code=200)
+        return redirect(url)
     else:
         return render_template('login.html',
                                state=request.values.get('state'),
@@ -64,18 +63,19 @@ def form_submit():
                                client_id=request.values.get('client_id'),
                                scope=request.values.get('scope'),
                                redirect_uri=request.values.get('redirect_uri'),
-                               error_message="Login failed.  Please try agian.")
+                               error_message="Login failed.  Please try again.")
 
 
 @openid_blueprint.route("/token", methods=["POST"])
 def token():
     """Url that will return a valid token, given the super secret sauce"""
-    grant_type=request.values.get('grant_type')
-    code=request.values.get('code')
-    redirect_uri=request.values.get('redirect_uri')
+    grant_type = request.values.get('grant_type')
+    code = request.values.get('code')
+    redirect_uri = request.values.get('redirect_uri')
 
     """We just stuffed the user name on the front of the code, so grab it."""
     user_name, secret_hash = code.split(":")
+    user_details = get_users()[user_name]
 
     """Get authentication from headers."""
     authorization = request.headers.get('Authorization')
@@ -83,35 +83,50 @@ def token():
     authorization = base64.b64decode(authorization).decode('utf-8')
     client_id, client_secret = authorization.split(":")
 
-    base_url = url_for(openid_blueprint)
-    access_token = "..."
-    refresh_token = "..."
+    base_url = request.host_url + "openid"
+    access_token = user_name + ":" + "always_good_demo_access_token"
+    refresh_token = user_name + ":" + "always_good_demo_refresh_token"
+
     id_token = jwt.encode({
         "iss": base_url,
         "aud": [client_id, "account"],
         "iat": time.time(),
-        "exp": time.time() + 86400 # Exprire after a day.
-    })
-
-    {'exp': 1669757386, 'iat': 1669755586, 'auth_time': 1669753049, 'jti': '0ec2cc09-3498-4921-a021-c3b98427df70',
-     'iss': 'http://localhost:7002/realms/spiffworkflow', 'aud': 'spiffworkflow-backend',
-     'sub': '99e7e4ea-d4ae-4944-bd31-873dac7b004c', 'typ': 'ID', 'azp': 'spiffworkflow-backend',
-     'session_state': '8751d5f6-2c60-4205-9be0-2b1005f5891e', 'at_hash': 'O5i-VLus6sryR0grMS2Y4w', 'acr': '0',
-     'sid': '8751d5f6-2c60-4205-9be0-2b1005f5891e', 'email_verified': False, 'preferred_username': 'dan'}
-
+        "exp": time.time() + 86400,  # Expire after a day.
+        "sub": user_name,
+        "preferred_username": user_details.get('preferred_username', user_name)
+    },
+        client_secret,
+        algorithm="HS256",
+    )
     response = {
         "access_token": id_token,
         "id_token": id_token,
+        "refresh_token": id_token
     }
+    return response
+
+
+@openid_blueprint.route("/end_session", methods=["GET"])
+def end_session():
+    redirect_url = request.args.get('post_logout_redirect_uri')
+    id_token_hint = request.args.get('id_token_hint')
+    return redirect(redirect_url)
+
 
 @openid_blueprint.route("/refresh", methods=["POST"])
 def refresh():
     pass
 
+
+permission_cache = None
+
+
 def get_users():
-    with open(current_app.config["PERMISSIONS_FILE_FULLPATH"]) as file:
-        permission_configs = yaml.safe_load(file)
-    if "users" in permission_configs:
-        return permission_configs["users"]
+    global permission_cache
+    if not permission_cache:
+        with open(current_app.config["PERMISSIONS_FILE_FULLPATH"]) as file:
+            permission_cache = yaml.safe_load(file)
+    if "users" in permission_cache:
+        return permission_cache["users"]
     else:
-        return {}
\ No newline at end of file
+        return {}
diff --git a/src/spiffworkflow_backend/routes/openid_blueprint/static/login.css b/src/spiffworkflow_backend/routes/openid_blueprint/static/login.css
new file mode 100644
index 00000000..15b093f6
--- /dev/null
+++ b/src/spiffworkflow_backend/routes/openid_blueprint/static/login.css
@@ -0,0 +1,112 @@
+        body{
+            margin: 0;
+            padding: 0;
+            background-color:white;
+            font-family: 'Arial';
+        }
+        header {
+            width: 100%;
+            background-color: black;
+        }
+        .logo_small {
+            padding: 5px 20px;
+        }
+        .error {
+            margin: 20px auto;
+            color: red;
+            font-weight: bold;
+            text-align: center;
+        }
+        .login{
+                width: 400px;
+                overflow: hidden;
+                margin: 20px auto;
+                padding: 50px;
+                background: #fff;
+                border-radius: 15px ;
+        }
+        h2{
+            text-align: center;
+            color: #277582;
+            padding: 20px;
+        }
+        label{
+            color: #fff;
+            width: 200px;
+            display: inline-block;
+        }
+        #log {
+            width: 100px;
+            height: 50px;
+            border: none;
+            padding-left: 7px;
+            background-color:#202020;
+            color: #DDD;
+            text-align: left;
+        }
+        .cds--btn--primary {
+            background-color: #0f62fe;
+            border: 1px solid #0000;
+            color: #fff;
+        }
+        .cds--btn {
+            align-items: center;
+            border: 0;
+            border-radius: 0;
+            box-sizing: border-box;
+            cursor: pointer;
+            display: inline-flex;
+            flex-shrink: 0;
+            font-family: inherit;
+            font-size: 100%;
+            font-size: .875rem;
+            font-weight: 400;
+            justify-content: space-between;
+            letter-spacing: .16px;
+            line-height: 1.28572;
+            margin: 0;
+            max-width: 20rem;
+            min-height: 3rem;
+            outline: none;
+            padding: calc(0.875rem - 3px) 63px calc(0.875rem - 3px) 15px;
+            position: relative;
+            text-align: left;
+            text-decoration: none;
+            transition: background 70ms cubic-bezier(0, 0, .38, .9), box-shadow 70ms cubic-bezier(0, 0, .38, .9), border-color 70ms cubic-bezier(0, 0, .38, .9), outline 70ms cubic-bezier(0, 0, .38, .9);
+            vertical-align: initial;
+            vertical-align: top;
+            width: max-content;
+        }
+        .cds--btn:hover {
+            background-color: #0145c5;
+        }
+        .cds--btn:focus {
+            background-color: #01369a;
+        }
+
+        .cds--text-input {
+            background-color: #eee;
+            border: none;
+            border-bottom: 1px solid #8d8d8d;
+            color: #161616;
+            font-family: inherit;
+            font-size: .875rem;
+            font-weight: 400;
+            height: 2.5rem;
+            letter-spacing: .16px;
+            line-height: 1.28572;
+            outline: 2px solid #0000;
+            outline-offset: -2px;
+            padding: 0 1rem;
+            transition: background-color 70ms cubic-bezier(.2,0,.38,.9),outline 70ms cubic-bezier(.2,0,.38,.9);
+            width: 100%;
+        }
+
+        span{
+            color: white;
+            font-size: 17px;
+        }
+        a{
+            float: right;
+            background-color: grey;
+        }
diff --git a/src/spiffworkflow_backend/routes/openid_blueprint/static/logo.png b/src/spiffworkflow_backend/routes/openid_blueprint/static/logo.png
new file mode 100644
index 0000000000000000000000000000000000000000..4cffb07fdf112e035c669c06bd5cbdc9355f43a5
GIT binary patch
literal 10138
zcmW++byyT%7hbwVSh_*F^G7Qo-MMtS(%l`qg0u)oHz**;g22)xNJw`rEJ$~Ee)!!#
zX3jJB&O9?`&OPrv?|WmkHI?vjsc-=R0KST{ye<HM^8VRY!^V6*Dy2R6J)dygm5sds
z0PN>M*tjV12VLpU7b(3JjJ);SY`y)gJ#7Gfetx_Tu1;QHYj+!7H&46l!`D;*00Tfp
zURK{f=OEX?pJqC>dfBUG1D{%rhZ5X{o?IP8NW}0e!)lGN|CA+@n_r#b?gjdfG?&Ys
znn9jgEN3-A!WtAxUt3m628c|x95w`?GKY`zIda%&=@hg6D=es;9#k{6<YQXdqg=BW
zk{9~5-E`@&T*_y6(Q6c_$npKQM4Zvr#88*dyyN#E{#Ee1=Y|<ad5H6Z1h^!dRGSiT
zrdw{UV|&U$KK<e<=l|Vu?;6?owR`DA);M%Np$72vzX0#=<Iv}dH#y!8N&CKT^_+Ac
z<zr=KE$QfY*RtYQmsqN(*!?dNrR9RtBFesYS=jbZbH#`YJ*=tc_wV25={h{0QFLpC
z=(~>rpSjCT61QuN`1^kUjwe&B{8N;zkqGm*=_*t@M5Qs)7Zwq*kw2wd5wk-3OuN~1
z-ow0--6^(`-z}M%kx@BXHv1W+Bxm<vpKWLmUD}L%4``mIwLS6bc)%X@CH~V9Iue}@
z%@t(<Q~YvfbFlLO9eUXOH&-=(|7GioI@FzKQ+;U0ZYt3D+;%t>Ngcg7u2f5_<DkAd
zyzDd?$BXpHOQ-t%N*bF+;rJneg>a;@^Q_YjQ{Yfrh`!Ofkqt;ptVh}7JFEMe&v?>S
z3b$2BzQj?7o{3^g6KO&m|2B#9OH5>BvsdI28|I;>rz&Tz!wB0!vaJ13K88rtQyBWS
z<%+?I%t{ry7Q+z=5+DM^K0WC?>XrhBw?V#lR&;t<2N3y-LX537s_I)luC>yov0#(^
zH>+2knTV!|-50`FfWBZWN;W5uqel+;n9oPm4Zs3syv)OwR<hhj-IqIVdyV6~4-!SW
zb{9KhgRmnWN35UHyTlcfUTg`Y_-ExEv9sFhul;8{H4}7KmQf2CMf)($swA-odBoj(
zLX%QrFcZDvlunajutdqBo9V#+50L-TG7%*TK#v-VF?F%q!RVaAMkuI-rWE00$uj2q
zq<PFv;LhwGCKjqz<xvhP#YXoR4Je4EOHts0bRJ$VhoWT2CXOu;T+>6TF~bSW(EpQY
zPZ8)O2q)eNI1OaV`9MGNq*`#d*+warztXb1$-VLx72?u8`d`%Blpfi?_bnYCM%*>i
zB{oTkg&f%hjQ2g0MGHmRwpB^bNFcc$rewW@_AzJAVeI+rY^tvuYrLo$=fw&e<N!E&
zm!qc9<$n;KKmt^aQ6|D_OBO<_tH`x|!uqEdkeNnm2qq3>9)0DoXw3z?5A|C3SjwuZ
zNW>D)@(6_&Z?9#`HXMQd-x?aukf0$jL*|oj@TC`|3T>H<a5D;}G$McFp%ec1o&bL@
z48!bYFz3EBZDWKCv2?^r%-ZK7a6HDNB#oCPlo~nQ+4CiIOF*Fb6Dq_^((R;0Br$cF
z-4i!8L#UqT<6Hg?4J+L;9?oU-;AENZ5O(f8)GP>j_bsC9)HUJU6}9pV8#UpCV#N{F
zI!JwPv#k2bGWOFJF}8GgL)VifucH_3FZ^}4&eiH4ruKe#!xiCd*mYwi)rWXV`L7!T
z8i4jSqreQCP_mg^<$~P&m#>Lt@~LJ**zOSznIo_KWBqBwTDB=_v0atbARu&;%Xd(=
zwo%FdyL*oDbH!HRbXLO^grp_W#Z6s)zPLOt7jvv3O$NbJ?;xdWMYS`G?9{@Euwgq^
zH$sLmwMNMx@)Qalrhyr3p=u1Rj@Wd|aqu<OfWq0Qy>2il@@Sd-(FJ#q)QC1sA%qVH
zHT#Mank_4Eg#RQpS+Ng-W)J55z4MC-%io{g6vv%sx<^bnSuEv)8Me4sZRLTF*P!@i
zZ=pAdT?i(!4TIkz8zyabSYnC|ZCB$(rwwt)#8-qcP-oc3gFWoJaaRi#ekU5uYW^9_
z`^--CBotdB?5-e8vDpNh-R7>2!EnjAU1Yqy8xHyjdY}JNTx3eng%)83!_3E{7MBxn
z;04!Z%2D1dM(03L^DIr@rx;3MW)xj~jlLpNI?4voAJ`qo2`*+WQ+H<!z4M7HI)OsJ
zRt>~28IKhkajyf6$ZXKsurf4O5{|i03uj$|9x%sb8Rm+$QDw#JSGC5v*ZwX$px5uW
zYoj8L+R;VR-X$g~VLPuyje{-3Gi0u%Xxoo?rJ;0QYA1dZZ>l&*N1k1vpY;1I-nOX#
zO3Rpy6Ur_JN4S(V2>D5O84i#oh#_8EB{Zg5SvzQ<`oV_Lp`IZ62MZ>`l6-uGA=<^4
z=G-Ox99gUS?RvNr@#PcAF#{w)441{dEnC(q9fX?DK=k<5>PYHU&g4U<JSt>C)k=iJ
zmgAThb@-wKyYBA?Y%-K83{AYmCkrUs$N9g@u1BBuaL7c`ff;<<zx*b%m2mcvPb$aW
zCszJBOkM3-gv3IzDl>JNi80PUhf^8G3j1$B;6C%V+aSB<(EDypjgU?5q*(M*?F?1}
z;>Da#%!JWZ#2G*sle^lUVz+Nk;*B^|q51|Lbw>pnStZof>`KQ>cnCVrVExhwKRiRH
z!`is!g%spyRbMn_<|(w}E4Ww|^=ZC1=7A>gvY}cs^Yh#%b$%i0fulPSd0{V(%}f+O
zRIxP*n9+PP)hH0or=~+gZMkC$XF-n(8wL79%;f))9f7+?&)hms&_yqmqD8(v;}j=z
zs)aX4f942gk>!90-~F<mr!Lwn(DFH(JOTIQS0%!R7e<87fcD#2IGF*fk(1P5Q}F}8
ztNks>E=jLkA@KiQKFR2DYDpB0SF|~UoyV=r#^y9SU|Cm`Fc0o%@Vj@4XewX6IHAEo
ziovjEea%h1#*A5}Xz--Gy800NJN={H3Kyeu3{WP0JDj0G8CtSG(YuO|A@JOo@^rX9
z@9k#WmhbX}hcA-gt!89ojE|I&_HzbObhY^&Q%n4Vbw%`I0|q<E5{q78HouD{!Dsxo
z_2v&0`uMv`?AfFSpX07S-<aVNuj5oR2RmsMn0A_HanPtNp9=rMR!Chl{TSzOVHftX
zTyig2r4{awCH&`0bjJq<r?Xz$S%Wiz*Q2R#Icz0uCid~1`t)xk=UYpNlt~put%$1N
zJa3*Z`d{YRxpRaf-_pxBta>Zasz4b;lPEZ_BPoPrSaT1jK|Wc}=@oE<iqv0k|2kGz
z()3fTF_<|;tEr4tXZnH`B*kPbg&B|c)rNv>E=qsq`fGL`O514J;`q!$qoCst4t$NE
zTLUdr@d4LeF#!05kv;}SyqmJkJonBJQ}iNN*MZ9*RemBBm+hVo;&YR1YL((NN8r1l
z!7e{$h|59F&@1+30~@mSD_wedC{H!}%H7wA%nNkc(nFz`-#kmG5~;)lsoQmy7jbQ7
zTye;lQGOF;##T)&z{%T)kmdOu=WKnS49O&@cJd_pLsk`yp4UWA5Zuyhq}lVqX)oLM
zyZ2H=jUK(u4N(CW0Ly6HQ5B4t;@F?FSz!^cO?sb|6R(#6*?m!QD;fv|^f>d;1UVJ?
zE|lBCbKYj&XTOpplIOeUHa902ONkaOp=XwTM3Hz?uA3T`{oh^J4Ru<6dO~^PPWJA6
zoS)neu4RO#tyv#8)OmXRVJi@;yvh&wJ_$x4>&nSn@qIKW)-xci7X_(#dwZr*%lD%)
z`JTRrpv0vqE%IT&Azjt(F+A;SGwLt;S!;se1F9;qvW}o1w?pP)$y^lhd{@)MHbM}&
zUS3wNArELN*|9=5&&~Ak!J|UmUa}MWwnFei7&LJq{XzY{DFp01f25hDTR7Fy!e=<H
zW&NTxDFl2(+J?tk!k5D+STHo?2Wy%@G+N&T7)S6%T&1;sPE?1v1!{dmn;CIgAQxi}
z<i1=qV@bk&OY*(0fvHO%35+xCqIbOqkUI0#GJjb8z!Gh|BweQujQ*bUev2Z=4ph2R
z#FlUJicyLA?DQ>XZj+{bzP@Slr)^p#Yo>lK6(>szuWyFDq~p~>^@HsTARCfdru^x!
z=G&Q}lb4+Xg=k{?m5aV+vaT%x>skeDAAEY0tLQVZx%3;Dt$7$6_Wyoi)lKM~)%x<L
z<S(&4)tu@ESXrgK)YYIDF9oeTHcx)pHkL>on%&UlT~D1%&3m=rI2jj8VVmWvgO^jn
zi6*8Xr*%c*+~xgsSE$2aoEqVDQId4MW*P#&vMrbL!s|Nu20wid8-cO&5b)0oaXW2*
z=ya0uqZdSgnI+qY(4j7Ou!Ej$nz&DFe<J7rS6@FOmvEkb`a`YYO?q3eku2ePyEni_
zLUv+CO2@{aX-_%HI5i$E+`4&?g!fl47&BtTdm7ujYy$N*gQAyRkaSQMd-`PcXhj*7
zS>00ydCNvfvH4sOfq_y?{dT&>;)p3x;l|f^A5+Y>rm9MNVeRDCMAcl?im5?6KW?Qg
ziYGOOi-KZIJ>R5M)GF!kZn6$ozzXHBL+hJ<F5**$mut36R2~feO&$6GcGF;}ust8&
z?fy5dZI?h>m${p2OPl!cpE7iWdFjk*;>1(NO*0t7M{~jTOvwN@Udb?@^1_{E?Y5K&
z^^W350;BOe#|e$ChKBzv1Q$~{R<crBJdeRp!yXECxWtq+2zHb{`jfv&-CW_!<ex`5
z-765%MS&gv;{3n~rO|a4kG^JXHcOr{vwsv2YETbi5R+Oh3lVB)Jux;K>nnU0``uzt
zeldt->bl-?)<b>6*<)@*SQN>_c!r&<_Q`+<YGH;L^FDOfde1)Q8M?As|3=c?Hed7e
zwNj6lZfT4{a>-tG`|aIa>=3XX>I*;EltcexSZqY;CP6^~t}8byIbBq?Y@i$_S;VLv
zPT+xGXgukU=dZSpDZMUlZiKb(WY*90K2gV>>~31{Yn)vc8)R@6wU@W&X+P+hR$MJ;
z$4e8+|2}E~**L5Ef?lTy{Lp5hHO88RNDf?(7w$tXv?O<Gb8kHx)i%owY++^p^7X>_
z&wO}uRP;WBGHE$=@O8^(Mc$8oXF-|Wk>>Zw9ZhFz(8F?0#?J>eF{Dh3!`}U{mPg$;
zvlV0-hly@}O7F4siF>y(oi<p2clxj%Q)x3VYED%;wVKKV>5AM2fBJ(OJi>O`X<HJj
zAKTM<qmBEsI+-<2yF!x+jObC@@TSekQlAcuX+8<eB*neE$sLPPeL{4ucTSU;%dxSu
z=}Qu+Bdvfbg=wGU#USutfKy=l^l+P17W_s?=i!H!_D0`#@6FxhL<R{yMC)-g4|w=e
z%DHE#G(NMSeDa<pb>xe(h~-9sPh|o|9`OxKfQ$GKui9^4qsT<bExeTga6ggFnK`~X
z4=19*^$=q+$J7%=K9?$h@s%rNKLG4lyIDcjZY}CV^O70k)to<BFg_;3yp7(@&=C+e
z>~Nvw;NX7fh@m{qcT2{I5sE~;Ir$UQ(pIxxr?F%s?A7WA)<{{J^2mwcO(3EZ&8(wm
z>lcx-ccf~4P#ETOXE#J8u$3$cZSpIC={N6ew_a>1!3i>xRqcudaeOvS$o60NbEH@A
zwQ}`#Ov6u18FQjXm40PeNXzSE00Ajl--HOtPKz%kg1GY16RD~sa&HPe_%5ZAos5rn
zJkL~wxtmc_-6W{X@{*m*{o^VEuiOIHX0!zPh#!96>aNqB?I+(<ZJLnhytsT*K19}t
zw(fwV3vVDebE-TWWPfkc4xY>@!zE3Y(fFgbF}TE|iysG*Sx+bAkO9PZz2FKA(~y`X
zI-K_t5I^<T7W%cF7W$lqoiqY<DlQ(<wKK8Q*@ZS=>a1}Hk`;)wT{AuZCrzgzFt+8_
z)-ZLSDI@R?%bL9E!*VYKX-vE{Prq!-NXxs{GX|&RD58x(Hcz`L_xAjwLFd0F%E80%
zg?v>}+T4LG5Uw;ZLnR=x8!)L8`uW|#neav2z@t(3QTui<zYREajZD%{BXHcVCyNcE
zT{9vqfH6O;c2R(n#b<Xl3@7rWgJhJ$|4+qD@U&=iq{qLJdKZ~dvPXsY3813BVq5l2
z^JB^h4a)$@juQo78XA3ZFn=90zgh&fuJM`va86IsZ0~}}9m$x&`MsUSo3)x#SRrS=
z$N9md#h^tkweOdm&Jmpu(ojo-yJ5J06~ORgRnmv81eMAp%IN<{T~v5wQjY-Sm*923
z*=I~4M4a>JZyL-gq3`M$3%!bZ?6cZWEB7pqK3}Gk_T)yG9kx)ufSRM6{!IpV%{81-
z6R<`*XhT)5YsV(;phm9xe<fKq-hD!6ToYCopGI^O@a{+7C^+@~V|NM+`K#HZT4MUm
zzkgK7G&_4+B~6<!0PJ*g+{=ChjUzZ}-H|qZFpp`_!0+=&J%%to2>+*5n-qSfEt9|@
z0q9}`ze9B&9hJT=er9ADFU<<zE*j3|M4h$yKASq7e9AvB)qAonHji-JO?`H=fdK0;
zhN=#RMD!3HM0H>kwqhlns`y#nY;3>i*a^sO+Q2&+o}On4zsos@xcY~u+p}{bC&UH1
z){EJ0r4yM?6fzw;QE4Yf!n(Z=8cYX$d$m4~1IIfRWo>jDR0FK>XJR^diT^$<n%Bnt
zl^sTEr0`Bj?cMa?cAwMpgaWo@o?58i_~=Ov^a}69=`SFD;y$_3K;^6w1WtEqN(!t?
zN~9(u24o^VL~%ea8p7{2IbqdvmWn=rf+4D?toB*q@V33@ygF>oqa?{GlCZpAMU#u#
zL_NB9o^+(!D<mH*{#9BI*QDs?qWFph;#=dwwCx5_rp`4<Ao=pExZq23+4o1v(OO)c
z69V7t9M?e0bq~VQhdJ`vnyb6!k3+K2p`+979oT`^J`$7Zd_DvNf8Py{!sAQTlzsWL
zvwd^@di?bd*}d?q$epBxlSSRWPG~5_^#{m_6in#q<=@C072Q*`VMPsT$D1;MKmAz$
zERvsikN=Nj)4MJxMhwitPLOm<sFX&t6W5H#@wJft7ECekbVg~?@i5`8Uyeh43h$*L
zv<L+a(#HlY|JTU|Vch*}EtX|c+9fxuNSB6IqD@|a%4c2*yhX0Da?2R13Qn!B<SNfu
zJ@M3k-Kfj^QyW|!Z-4Rr5=i*Bm+jQ(dYMV5n<eMaZMVkjQK*%*-U^h>;lwr5C;t^0
zJwlYK#c<DN-xMhfUU7U~HGy$-Vx99z>N6yp>ownvLFn3WG|gZ8pYvtGzeun9qC*R3
zef-QanJN=n5A_EYX1P}9Oo<DIznC6rhXDS*#}oP)SjSk(smq%&P634Nnpgkztis<I
zFYATUi8)+Gj-S}*7sGmzJ*KSdm3=dd-Cq}~R9gshzF{x&r@fZZkL;59Z>F`3Cf&(}
z8<}yuvL1lc_|qCNCk!jF#KNo-uz9BaEDPBvG@sWL%u`K#*WaDJiYLud%<BtQ-l}{P
z8u?;q4!#hj=5=%48#N<sv;53XeX*Wpo);1(`P!J@{FQFYn09qVKNHb~F~}B0dfS}j
z-s*I`{&nhIP)FtWQFW|=8zs>#M;|&1uv@}T=t|W0k3*E~>EgEsDFc~&8!Iz{U?n2g
zH;<O2ZF)(i!VaSPKFL#GJ=~BSbaFdz4rP{9(_rE4E!yFb&sC{sn2t^sjXguPlR0=L
zo0XF-l|qQs_Crj$gSsuLDo$7G$^odE)7om0PgW45LU%_Y9h$SVE#3xecd-4nB^oG7
z74VS7xs!!+?|0O-qN3r)<(N%s4{C(@6%vN%k*wPr_M4_$h2bDHaZ3dg1ArCEA!nBJ
zy4Ei`n^}-*oyIn|hqL+pcEzL|f_Nk==?i}5iO}**KY%mrmR3g!*7al6ON@2gN9-k!
zs{9dOFyFHK2ytHj^g;lykSr|V*A>aYO$~w7unax16G1<m_xkEGEmHJ{i}CUAf6sRr
zY$K0#E3#2a%44v6#tlJzH8O>kY{p>G*$Mxkr>)zOckunDTOSzw=O4Izo|Cb=$Z?RN
zU22!tbY+qvaDywKFhQ4{ZiJ~Lj(u5LchI*grj?KrjEI+^GvS{7QZX{KKn=l%-F`hT
ze3d_m4K|B<VjyhtL1er&{6)JJz#&TzZ+|-qAKZGPEqKWCno&tIpsmr<2+<oiaA|m$
zqiU(CmN$=M2MmYIJCnlPr(-;Sf6;3TbuLIQm6aACImsk;M530t*k|E;HlIZ^Zf#|e
z-@8}$A$I*ObfZIKQMJ8|Z&2iQ%ymni1llwl=Be)N*WU_$S}`y&VP)*V8wU5_eHB!^
zM@=!I@SNGWIE_0Ddj~O#kWm`ZPba882*|asb0QBf;_ZGAkt39`U_zUz&^_)?+fQbS
zX`YE4!c#5uMI?|s$mkb8yvML`w%l}?$E0)Q=t<0MtKN7AL94C@@5*(Slu1PX3>7r~
zNuCHq@awnyIW0Q)?manP-aIw0?5$GYbW&6(hMXz!b$O??_-pudP4av;Bw_p;=xR;#
zgPy3(K<yhXSe_lJN2bN4=C?NUAY{4B_m9p#gA#HvX+L_&vUq}hT3W`7D-D_dv4t&$
zqZYyP&xnij9QYnS7aBtUD8$rrT9>j@M@z{X0ROJV_Zj=AITwN$l7ddycRg~qam?TH
zl7n#^-dbKwlQHMNwU7_lNHK^qA9VE*w0`9|L||pUZD*P1q<M%MGGJUKBB-bGd)>mt
z$)dWZsGhWVcFhQjX#Jy^>L|s+nv22@9zU1`jQN9l<Hr3F?6#E|cO*3$@u0zP3Y(wW
zFL_`;4ItmnX#M4zouN8RX7XN%tn}%`RMPdhfg34Feo+!Si}+qUFa*3NlDe~U=Euk2
ziaklt_$HLdbnm`sduREe(j-&_<cwu1FhG(t_yp=l3ed7E+C-8jyev%{OGJG_*B(sL
zA+uc8`oX;|7`lk&tEZ$=6Je!Rj~fkJ7PzsVQfy8n?W@xMYG8(&q8Rj9z9Cg)wz-3m
zl!vO~_*xrNQm}kDn#4_X8A|F(6La#*ysTMh3;RLL(4M;gFljBCN6he#W?N~6YEd^J
zdI%kcMcAFx!=^bd{cvF7CKRr7R*;%pb=#Sh!kf1kIxM~?b~zK_=-qD&xohcr<;eJt
zSg0@DxrcF{8A8t7*E#X-=%A+$!{Fia=3CZT+#`Fi*Rn<@1xHNMc-+BT2Cc<y>G(Ad
zi)t*nMkjUEs#lR6zKFyYhnDkw{7!I>3uL!hJPr+ipxo=q8v6F`XS9#oht$yb?LZH=
z8Ew<?LlGe5Lb$B!RegcU1)I+Wl2<Nps4_ZQY&3NupIhP3i-i$m%kg3wnZ4q^tp9T7
zMsy;<CC*^cApJ?`o0BRI<?Mw(_^#iZJCtZ7h69J088>0SkDa;T_h)h>|NHK{S-{K3
zp4i9NsUzHbOeNjyGIyRxtWFc3US~p~a=8oxb$`1=vw4GchH%akf>&KkZ@(yeMLE{d
z&R+>%L$F~9QWdeqM==~hUOrJGJc?8EGZe%Da-6@)ClB1Yex}4W2@J3WGZ#5VZJMPz
zRM_t{5w#)41DDM;Pn*GizL<GI1MCN>M+cc+n=O3&0AO~@ahRJL;0x?nW_;}@{wLc?
z)aQrx##57op^Th{!AGVP8E+{W8RkHxOyX2rH~HNuDCzforDl9>R*ebS0>*MIB~W?H
zp&kD?UJxsd5>uNnp|y=iW~#h+W!-5hg%8$MgR1^|EfCTbKQ*;AsNhO1fNg6(Lb`gn
z@kzq4ee!{4TmTu&V8+E|Od-<#q%8|cQ{0|BHX&^wI&nVHTP1_E2AHjyyp55fK+iN!
zaorW79U~-eY9o`GK6e{!KZdCWrzd1AE%i-JKS*q{_cpJ+oYfy~Us=M|vB1t6B5x_h
zP+!=VmXDZM21zvzsvyxL`g`c%-?HF9pT~X--`+FM=~lBt)#!!4Wc^hR_IvU2bw6R&
zItr$tQN;9DO{hrod3Mf%mS)EU4$}T6(W@IYG1v06HWoLer5X3}Y8F?UC@#WrDrGhF
zR~<Vg6ZeyXM-oceGxw>WpO~=!9{|1W>zK>?Jzy`%+|p9lWm~dE|EH8a@^nf*8J(?R
zwcl+MEtTU)@e2Z(_n0^Wk0^7;Mch9EO4gw-ZxC>#Z36!X?EPf{ktXT!UjcQTRUI6>
zLk4$Yzy9*U`0GWo<EQF_h#i%Kns+fmimC+a>25!(Fu!!If-j?l^pCS!gIu#b%SCJ6
zgb`ihEdDwwH5k3{J#vcXz>mA?q`fkgEN5)Bag`iVit!Gst8OS@*`p`pcz6!6w>$S&
zD_@TcU+q&1w`-T@QorW=&YAkLEEuoPHk^?)CgY5Y#;bE`=mhCf=PV^A{HH7RUR7CU
z9%Eqa52C3@&w0M>0zoGGdZ}zl75ns6#GBZ`!LJb1PC^GuSgoU-;?-xnE{v?VP=*a&
zS&VlbX0CJqoaK8i*Q>GV`I*RWk}@UNf$7~O7q!ta+R?!~N6p`~RqxC5`DYW>FLL2(
zZSYSCvH%L{@vWu-(}$uKgS>h7CUQzTnF!_D$W9C8^`qAHK!S(Cd>&3ZJ<-F2?ii6K
z=l+=+7TZtnT{LaW5GklKq-_)L(tbEO1OrEfgb)67SJ!jAI6l}thfnPfU9jpT0glKW
zZE9laVr)codHL(5vdjgarXN4?742}821<KwysVYl@?|58DVQ{p_U!&$AIr#v{)V+^
zS5JQK%G`I=^+yfkz&CB?TgCaP@DA$eEb8*$1{l(GQ?&>F|I&F0e!^{6@4DVz=xwt{
z5ZhMamyCGk1Ndf3gmzXNaofb2MbgD2@tAyzqd{$^@<o14<s%h&dk^*px_pANJ?nbB
z<-na-b!C+Bxgc{8PD&%2+e4Z2Zjj>RP*0-1j0_znPxN<i@tgl-n)o<Xe*R43Yh=YO
zPz`zJk8gQ^b+1S3`Lds^?x^o*B1te;*xzBjATZweSs40#y9#o19u1ye006M4|Lp}x
z`X=+ME$(}8$JGsv7edpEm;L<g_2rDbM)QudY{%v<S65Yi1M}xz`5;A^_u;|PM{H_C
zcx^bt3_2wr`==e(j2K>2OZU<ix+!tR1hI~usWSf5$O^GOK$ugz`Mq()d@+bxpW-|S
z-II0ooUU-}O;rIif0i-DC=#{7ITCDN1WCGisGRpU2fC%p*X+IQ+}PZ@b4-)m_4k^;
zsfc;`bStGFn}583&|}GRk52P95ks5E*1Z#u(fv(J4!Cv++JkO8ziOb}^2<F8X(*qh
z>5f*9E>DCva5qw7(rn%81?+X`r;IFe9SaVi8(ny?U!h@Cn25aWtyjK;hdgF11WcPi
z^|jk#{N-n)FEYi>pBX%5J391OISIx2M3+*_jTd@ZPA4;^RAj;}XnA{&F|7gZBDpu;
ziYf?2ifsw{!#)Yl!n<P42JeAa%wK6irTudw-O)(FJQ63jEbr#4SF>w(?h`Y+Z3fvE
z=U~Dpy>J>uWP65V|02gRd4&;hezH9DQ?$2H+wGDCO){JUzwT_+r!Ypj&@d6Z!^^Gl
zCqcT!Y0@c(#hP)L8S}~<1K2bS!jd)9NvOZV7u}P;aFRO~6PI1V>oki<8E{eyKUEGI
zgqGdABSfCP5~rV&QCs9Zrff5t+DRN@<1pedtWcmst=X)?8T@ixU7t$!Dfd*h_hW<y
zPQu@B{}!I#1=v<C7!dICNi*qA_GnXDO6fyqtJDe$Ywm$`khs!H>lkHWJijem=c!Kc
z0wpG*o4$$Asd!cm;K_rRUmV<e?waSFsf)j|SW`B0*<>?b@K8VQY9qqr8C*Z@l{Y0t
zVSk)H?6_axxtm}+@Xd$Qe#<w7tMj^^5n?v(VM-+tEZm18mn1VqzMjn_zNdIsb3@>G
zld+hu`HlRF=j%sEz1k?!>aRcMqvRq~CQ3&f30EA;zMQ?heZzaz&?TFTDt>=(Mfny4
zVj3nT#9kLn<SlWV6$X|jZt@>XWH5ORCy*{3FzVdUjV-%JnllCl2i0DkhbKx7{48Na
z$<k7%Fic`y5{Z=7yIgpoO`SVdm+^1ret3gDYcM}BSFlZ9%aiaV6fJ-RE;t>${Z9f<
zE!-l<(a3DXOx*cjIT7*ml5oI&fOKrr)XTf6;2vYqHz!efKH5_OC6XqA@gXU0p%E-V
zt$np5w|}zHyW}u}p$FRG0^Lc<rWXxXH19*2(r&(eym&lmH&a_vfm%TCepZP-RnO3*
zx>#JF$<q1h*VbpT?U;s35%pGVXLo8E@<x(|SAo94<aj-KkX+BI<|sh$Tnp_Cqv@B{
z0vf`U3^|?{+8wpE5t2mg-glr`bZKkXTx9*Mv0Op(t0Z2Wd(xcf(s&n{fu};<4^D4F
z%%vme1pjEED9|6#VzbvI@c0p<TbT#->6gZ<LSJLcySibB|Cj12@#eWW3Q$SiN;vU)
zB!J+2dw6z=Y`)IWlS5aB%Yp8Zo18!yMJ2|#Gv3xSp16`YZ2}uLE=HIU7`KfKqVZaq
z_v2h@ntOZDfba<nK7fQo0)l7k^vhu7DCffx{xvm?sdfr=FTT_Wbjw)74hCe`cu!TN
z{8VF5hKyIvbg4b98N?sx**(g=A**(O*7~yhnD5srcgIncv;#wt2G<{eO<EBME<v5L
zR;ayqy!qdz$04Ep^Z(=%?KtNk&9HALJz3{PdgwPL6~h!M(kSf5WINmc<;HwHiX~mF
zIx<b&VtJ=T6&}k&T_$aI|EBnvuT4j^zM&g0hU|Rlou3EXTO{3KGU2HU1~gpc=2HWS
zGZo52LsO-aha}gyi^~%u+V95u$~5h4DOA@0Bp#JiEnh?CyGoDAK;LR&GRtf~D>sz5
z&Zxb8IUKj_=lnO6AvTv?5(bmOmf*O`BsHjS;AWq9l(_j4=SVTD1LnT*%{DRD8CuWK
z>4u%bD4x>Hr4`OpC?!LkP1zg4iVV+Ww{z4d4O*Y%p}lL3Iv1hBFqB_s>YPrG@k}cA
zKy!3~FL!2zpy{;BnMnK(xhpdT`x?p@5VO6m0ln6L%J2&y=4dUar)K0qMVSl*+8*(r
z_2?xa2{AFT5Rm}jU^t;erU$-Jvm9+NhnP6KBe&uCC*4Zg4b~^;s7p~Qea?7f==wIl
z87arQ_$(y9t0xb<yn+Act)D;}_JUuVUQNMUr#|4<yqsX|KYjNg9-1&)(c!mg+LYE?
zRUk;tsdh<uN)CK@4+|(1{aPCr6B9H4DH{8cG0Vxt%$C@f05pOR27GbGBHPwB`o3-G
zMXR@*?_y!(o35t*uLUH-V#oeIzFS$1*}*G~7rt5QNq1;}r=e?@C`z197tiPZ|6#8*
zA&c1wJX@9X*iQAA@Bc~C^>&KRs_FlKse~s2E+GiFbSEY9d0!nsML|;@_SOpeKeuZ5
AE&u=k

literal 0
HcmV?d00001

diff --git a/src/spiffworkflow_backend/routes/openid_blueprint/static/logo_small.png b/src/spiffworkflow_backend/routes/openid_blueprint/static/logo_small.png
new file mode 100644
index 0000000000000000000000000000000000000000..d0ad4499a9f187c829438db52f20575863e526c1
GIT binary patch
literal 5000
zcmV;36L;*1P)<h;3K|Lk000e1NJLTq00651001Ni1^@s6_72Jv00009a7bBm000Br
z000Br0g<}oCjbBd8FWQhbW?9;ba!ELWdL_~cP?peYja~^aAhuUa%Y?FJQ@H16BS8B
zK~#90?VNjjRMoY|ziZEg1mux969kbe_Ti)2Du@MzYJIeoPh0QR7PP4MT6>E{GC{1Z
z){<~C!B<tlOhAjb>a7n%t9|$>)M^n$@zG+n+SV4|$~&0}ghw7Td)+_InVB;o2>}x9
zz0L3Q$tP#;z4qE`?^$O*)>``ry#%K`ezOSgHBfpdiHerqYNrqXItcX^<Kl6r*9+X=
zpXTzCac6|eCVcJXZ7)2Y?ydIv@c$puo6Mb9{8Hej04VFk$W4Q`W$t|U9=EwS+wBah
zIsh0gBG2_8&%=Qd5&3&h@$5s#Fuln<*)r^2;C%puLshkQ+aU8^Bvy0v$XWCHcUDhT
z*Q)B{s``woUa-G%sOrW3V-&c0fBCh;slYis%(D+2AUCs)nC1>>?iacYvFCw&9OzV;
z_7VpH{W{2BFCsT~G}Ef;>mqWTstyGH2uuWK`toiB)&ds-MZjgiO(HT~RqKEUfiQ5e
zh&-gK#{$0xeg(`2?)U4r0p9@*2WA5;z%?RL@5^w4pWg~x1pEm2EU;2U7OLt+z+@l;
zJP+If%ma#n1tRkDevVro+Q9$}z1;m|bFp~^(Rm;ffe}EYhyFTJRDcowO#4<e7Qdt;
z0uk8`yb630m;kI2kvd={umC6lP6iHB)uVt>z<I#ef%kkKe*rd%$YsC|zs^)Zfib|1
zz^{S7<0*a?^MF}+FU5G^7!jEaoZ~P3bAj`LH9q}xycg*KAl^xz`>-D{Loas+rbA{q
z@TrfW{cXTqZDITCjtW&Z3>*u*?PvYL|NlGSB%m2@cKsbN2UvnPQ+@_-M(zl2i--lb
z;H@4JyxIR<;5PxfQecyaC{RXrI|G}5;eZv9W;_MO=Mw@3;mzQE=wXD@#*~XUb7iqn
zktalT*PbeiA&qKNS2T*8$L=q}HlQ{gw)3~mcat4d>!+%B0Y?F~BC=Uk3!280dAOf`
z9Jm3f06quo6p>7T{w-Bq1l*1{qXuz1-c0*9JO$3;KHyPRT?c#*xJp$Q0*Bzurq8SD
zoxTju;LWJF`TXDNVo3V1j}RwT{Rfb-etLadKYM)Bt!{l!Fn40^U@#xz%{H)SB?UlL
zhv02d8vU6KRUHIu7ZFv}e!x&*Gk}P+scNZ+G^%PbU_@kBfL{@wl6?pa5RvVw+8<~W
zk+iBF1VlvS!*+5+Job|GXZc~k1`)BUYJ8rXfslwa`!t6FAGUj0`p^RigB+1h%5Qo~
zQ2|6kF<;5LrKI_KvbBS}roeM6u&!NsqyK+52ZV^UkzdBQ`+2(p<vZ~9v+e7p0?+AS
zoBmcJn{Erxytk+R^<m!-CU^i6yS=9vI~6r&tLiL7YtkWI&>bc1Lm#?AxYsyatLY*=
zvQJ6-&{OC&Wlh%2dAzrH_u*d?VZde+s#5e3%Cbi|74a#eItJnShT1v5YF{3W&HWr=
z&sEDPF{IV95s?>@8;|-04^PPy(5M_PqL~~`H1kVb_y1JvLL^pmwZTRJ5T0nLo%8#>
zsXw%$=2IEfZwhjxf<f$NQF%rB7e7Kv>j-Q0@;tSzOeWlIJ=%f2L>Slr3;__8iA;Vd
zl>K4<nGl&dcOup<RRk1DuW&~<E^uGTmPadUeyD1%LlFd2@%?kUmWQYO93WC2zecgw
z<1@+9DEj7*hR~nFvFh(+`6+sR`yXf6RW~1$ZrNFxO^Y#i*WXsTTTDPS7M~3|5Wph8
zNhPXQ_4IfE2>M+`M)?Bo#Pig33(<<|b2F+-fg;UX^Hfl1wvGA=DYA!Qq#{diLPa;?
z9h5&ZgjMwk5jh$F(G#5EZ#*Uy)l1c~b6=T?n2aLplPyEnu=ujJo)A>54k$>c%|Y4c
zVc&HRZc}yXI51}kz`)q`Lxps8M>Hb3L_;>EY4d%u@e;~Yc=p>ITAO#CDkAyV0;}8c
zJXtv$JoCC?X`89ZHWO0$ZTEY5fZ)1D8)N~VL!~{Ir50ba)tOO!przU)!m6QLMeL<`
zUL1f)sxoPR;<3CpRdI?pC5hEspNwYa<GOZ_6}vz(nt9Tx54kEj2IcuwUFB-10-&{D
zXsmd)*KGS!Q&C-7x+VOvOi6kNK#{hMMI=w7T$n1e4@OdqOo!RobgP?;#^SFkj0V6k
zfp*F&$Qi-3g)?ZUtm#a8B9a@t=8~d=UfiF4_XZ*<MgoWBGDK^V8;+?yc*NSWbeneO
z9{<P@Zd^F~y|VI}saA9;p5MGD;eg%}Z3vBSKraSq?>*{1T-PQc@VZy!AFVopmrGL{
zk9mm16x$fIc?wRDU8>AJgzMT=-u{ZhQ~1iNDxYsJf(T~@J7D0Hk+bIY|8V}5y8@XL
z0zR_U1!eyvP{9e#MONhz9-flf?75QvX%PmfudDoZX)He8z;(cv=y-Y9XDE816N^8c
zOmHVaX)J!4@gkZK(fb;jhd<zyY>KJMg@PUdY!;Dw8+6Dm*;@u>Gi#2rR_k(1Gv?Cd
zqS+smUg4e~8NL;0PMqOy{FYc8L{iDx$|)X=1Zi*@%yMFJfW~B^YO*iq3PG*}5cnLf
z+Yi@m1sF8r`lymV-mjhlA_~R3(mN&qPX;<WA^$8ZvyY=LaZ8#8hrX?<=L4Sr`h%<k
zyWHB)!p4QOb1zmjR&$o3R|6Q~n)=$RHPMRdb5&&ya0GBqGEp_Nt1&-#=5@o`Y-X{*
z0Ixr~rXf-F!_q6N50^~n%AnWT!0k>fz5_s8`h6p{_?q3EGVKv9uQ@}7X^NgGo;NWG
ztP$iV4T;L!ctm3Hguu}NsyvdatGXjw=FF)6B1V1?V7nxlsJbg(xB4rBT;Y#vea>{%
zn5cRc`09vh?ttcEMj0{t93rS{LaI6e(d)_0)^Zhi%4&pRC};T{80hrdbT-Nbk{`f`
zs?K$2oRD<guj0B^(ZS%=0T7cusBDHi#%9bP*?k{+mM_Sr(pY@7$*`tV8sB9LAm}QP
zG~P=*z-b7NNx};NMbh>K5N|&#@=H`b<rh5@Us*>?a|bjdqjTdBlBWQim^*Tth91KU
zI}DCg1mrkl>~|vN)l*Y-bC!EN?IEam<Aa<Xjm0OaQj@PnYX`%ggA;QHw^_SPyr?o1
z-VB@YMI)wF_ixUae}J~1j84uzv=!SuYy(uBiuin0o#~BP4nu$=6#Ygd7OzVsDl0%#
z&|Tp5MMMYUg;IJje4W5=>a)8mpET!#dUXx=?Ph0Pzu4Ug{IzR=yM>pc74d^rxyDZ)
zIrMUO_?AWP#zHa~k1!ti0M&O88BIQxV3LzGmnPxAJ8B>!rcK~wyrAk)fg&$#Pe=;3
z4K-cTWHXWpcbiilUxP5tE3*^vl~s(Kk&UHM)w=~Q#yg<q_OY!cG7inHN;^`K^h>y|
zp<eDs3KaDnV57ho_2OSkMP%uaSk36IiOPZ?7*)NTe87&E=f~W3gpsr6_21dn^q7c_
z@w3)z$bND2f~rj;rnv)vKcfslI3`f-ufQ&VP+Gb)-$lx6E<+_at2g2W0UeQ*Q=r_5
z)x4EVu)qk*t@3@3RK_|ncW~ayBB%TGE&e#1oL|jUgqoZpTg&p^^I!oAe+s74#tbDN
zQWwO}lN*n|fQP4KqO;~6s%iTIFw$o-jZTy`Raf;IFg6;C|A)f=WSdPUs>Ze>9UHBv
zzF1X$md)sZ1^_WUrRpiGdQ18({&Q9-n^RHyVzj}$<{if5#L_F=(#8dDqqSyYU|aqi
zuG<=|s6JCgPR);r{2-O6ycxVWVjD86)mugfg}hq~)7ptN0#J}8D%=-BH(@gyc9UDA
z4c86tXxRRs<l9TB*e^FOaNmX8L^QT+hC9ZJS(B@5nUY*s^_PyuqX4dJq=Cvn&MMQt
z_$&24zPbt5?dQ~+2NBNo%c_Xg-d^t{pK}_d32y=lD{>m}m=kkH0!MmdqW6GY1`KeL
z;ju|r9VxFl4lhs$Ad}Yc<Gp&V1(iYzK*)AzV^FBg+IAb}&t8X0P&r4By2S12gI}jm
z^_Fe`0~0_cI&1Es`1>w_7jfNI6@A7h3x%wl27u^<JRhC{uqywaXU@9R#-rwClUo+K
zZzBF3HIHC2=<Z`AIyaf9oSLewTvlIOwWhw#UEhJ|+oMU7ko*;!orw8rs@8pdFNdI0
zI9tp(yqCulOSHQF$5(p+My}hc#s*HkL?Wcl!gX5}R^;mV78MaWGn*F@b1RSrP-{>1
z%fA%h^-|NqYa0q?*0LGy7;DVAB8)<{NkvvBHyr&)Z#xOX8N0SH$G#re4TVz!Lx+TS
z3q$Q46cv{|*VeMD73ilhv}{K8r!*tuvhrk=*;uo}inni5I33r0j0VPM`IwNWtVS4>
z3&j;)Z$Fl5_2q!6t8~ze8w#uz0HL%l+LPR>ItiGR%MfNIYiF<ScE`H`H9ATHyVTYq
zeKlB~s-5$fXsjl?q+^gz0En;*<==e4&HzwrPDd1!x3?rJ*G6JBe-?C%2&VxzX7{RI
z!?N7thv%7zR>beO#;gHmt8$Sd(@~Z>!`^tUG!`FC@1ii;%b0?2y>Ph4O=_KD(=FfM
z0s2xloiTEfTA7$ltLO@VbU5=2-u)}EGTzx@j=}c?0^1rQb`5|kkvw-Vj4=pp*VmFz
zW;bQsvS?0sOiGgqQc8JOmooParZkvpdjHd@!g5h1?@Urr$NO&sjuAa}=;iJ}(9Z*i
zVKsoD&-w%><GNwslw7MumjM_iKNM<f+4ZO@Q#+JTIL5#e&W!l6d*3-538unr9ec%8
z@=J@CVLuj3hSVJ3$SnyjTVoJT^piVMQTrl5;{vx4?{Ejg@nSeBz+hD%&LE(mTJU27
zo{cyF)0*kPY}9T0^gH+mCEzo=(oMH^vtIY0S|Hn?!~R<E`!ek(MdT01px(=wy3Ktb
z$nJ?lnNa8ygd+f~#k&?SWUt2$aq8tvV6dOwSYKQDGJuH=f8%02+iE~4)<J=JB#L3L
zIzD9j4H47?0wLJ3CFFe25v_)#;6+g6vw`IH&5^c-y=i-YVFLSB-~`B>oS)6wT>%8m
zDs>6oMa67MuD+_ilF#R)_WN&R0(M#0u;~tWGy4R6HXXKORk<pcgG_hIt0(Upzuh5X
zgMFc2OK4&+9qGSi9DztaBf)Kg=4MyLo<q(bZN05Z+B_d<DKM7&Hv6)M75#Q#f4IxS
zq{h0cr-w|xA!5R9j|zOjFZ*&N7GELRrLU__L6OpSJl>_dEFSLcGeW8+KBT<nm92G^
z??h(Koha7k4EPEwaNRUB58Q>(f!i}LY#U^D;aw;^+5eAHpu{L<1-|iK1NK5=GkIkd
zd060Dyg_!F2Fbh;)7-1pFLrlE%Bv@-@}GHrJhJan%M;t?&q;#b9*Na_Id{+!`Dxh<
z_tpA^?mzaOw})h6&flEa+&_bU7C=RB7!s>_ZEK?PE#HbWFF?MbUL(0Zvk1#o`5u5l
z&i0pz##DsY0g{Vmf8dnI*C8BA(Do`U&psNE<H=)5W1{M5fUURxFl9{6M(Wq&be~a|
ze+s8jsHmGHY-V>p40>Eh^lc{=-yznnA|I!q_@<)+iFfaDo7K0k68L_CF}ax(fRdKX
zv*LYkAV}9(zxmU-8O3+D+?`D;GQGLjG&-?(lZY$})T<Avy<z{Q7i}Z_UwF}U0E4VC
z4-l&@?g`%FU7pNZd5#XDZ#uDfO4IfO2yBH^e-xaY8XR4Pe>PFig9pm$f|wEEdH?^%
z{hUlXWOLpyL(mDK6c~ghWA@t$pzx*|`=y5Yv)6S((tzY<l!C}AROa+nc-@{Lg<AoD
ztqtpsF8FZ8`o-=}g_nYP3M<>6_y;%H86rFo$SMK`1}d!+%vU-wN$oYZC$8NBatV2#
z>WPk|Zt4l%4T;JpMf4K#dt>k>rmP;NMdaFK-JH7%D!Oi~c(E5bNPeH{XHXdQqxxL%
zrb!s|b&&Bs@zk=4_~QE7sx`x|y7{2CmR*HwugWWkc0+-+1<VJieIg~1`?#&kuLwFx
z$6gRk$~P7BHPjv=BJT=%SAC)?*SU<?Ek@1aY}(lT!9_9uK&@9M+TmeDHMBNI(;cWj
zO4cy}VEB87COp*y$lvmGvRhEN|HYXLBeD1$pyz`eD`-EE^@=>%zcq93`o&fGQ*<|F
zRn;YeL;+NEO|UGPsQg{DqGqOAJ<iW6DJyqJ)YrM|Ghyl_Lw+p9wma2>37hvb)-KGZ
zZKf?}wP>iFb8lI>`+GH^Z>iN&5G?~q0)GsN{A^2Y<=XcAe0djw<Qy6n9xEiU%TSZM
zwl9W)@Jewi;?q!m63ENoeVyb`@}?LRR;ChFr*|a8-omMfPeEClO(!WW>H92ZANB;3
zbnIPd&Km>XS4BQeKv98h3RfOj(fZJbLKs{(t*yo9Nc$-{kM|HWsWDOYr%uZI(1!zp
zFn}Mwc#a=udY%X$M`f#uu1q@iXSh{ehNShO4+jDTu>ro>>gkV2mOk{MOZ+cn4Di%D
S|CE~m0000<MNUMnLSTaG#Dc2;

literal 0
HcmV?d00001

diff --git a/src/spiffworkflow_backend/routes/openid_blueprint/templates/login.html b/src/spiffworkflow_backend/routes/openid_blueprint/templates/login.html
index 1da64914..6ef26457 100644
--- a/src/spiffworkflow_backend/routes/openid_blueprint/templates/login.html
+++ b/src/spiffworkflow_backend/routes/openid_blueprint/templates/login.html
@@ -2,94 +2,27 @@
 <html>
 <head>
     <title>Login Form</title>
-    <link rel="stylesheet" type="text/css" href="css/style.css">
-    <style>
-        body{
-            margin: 0;
-            padding: 0;
-            background-color:white;
-            font-family: 'Arial';
-        }
-        .error {
-            margin: 20px auto;
-            color: red;
-            font-weight: bold;
-            text-align: center;
-        }
-        .login{
-                width: 382px;
-                overflow: hidden;
-                margin: 20px auto;
-                padding: 80px;
-                background: #000;
-                border-radius: 15px ;
-
-        }
-        h2{
-            text-align: center;
-            color: #277582;
-            padding: 20px;
-        }
-        label{
-            color: #fff;
-            font-size: 17px;
-        }
-        #Uname{
-            width: 300px;
-            height: 30px;
-            border: none;
-            border-radius: 3px;
-            padding-left: 8px;
-        }
-        #Pass{
-            width: 300px;
-            height: 30px;
-            border: none;
-            border-radius: 3px;
-            padding-left: 8px;
-
-        }
-        #log{
-            width: 300px;
-            height: 30px;
-            border: none;
-            border-radius: 17px;
-            padding-left: 7px;
-            color: blue;
-
-
-        }
-        span{
-            color: white;
-            font-size: 17px;
-        }
-        a{
-            float: right;
-            background-color: grey;
-        }
-    </style>
+    <link rel="stylesheet" type="text/css" href="{{ url_for('openid.static', filename='login.css') }}">
 </head>
 <body>
-    <h2>Login to SpiffWorkflow</h2><br>
+    <header>
+        <img class="logo_small" src="{{ url_for('openid.static', filename='logo_small.png') }}"/>
+    </header>
+
+    <h2>Login</h2>
     <div class="error">{{error_message}}</div>
     <div class="login">
     <form id="login" method="post" action="{{ url_for('openid.form_submit') }}">
-        <label><b>User Name
-        </b>
-        </label>
-        <input type="text" name="Uname" id="Uname" placeholder="Username">
+        <input type="text" class="cds--text-input" name="Uname" id="Uname" placeholder="Username">
         <br><br>
-        <label><b>Password
-        </b>
-        </label>
-        <input type="Password" name="Pass" id="Pass" placeholder="Password">
+        <input type="Password" class="cds--text-input" name="Pass" id="Pass" placeholder="Password">
         <br><br>
         <input type="hidden" name="state" value="{{state}}"/>
         <input type="hidden" name="response_type" value="{{response_type}}"/>
         <input type="hidden" name="client_id" value="{{client_id}}"/>
         <input type="hidden" name="scope" value="{{scope}}"/>
         <input type="hidden" name="redirect_uri" value="{{redirect_uri}}"/>
-        <input type="submit" name="log" id="log" value="Log In">
+        <input type="submit" name="log" class="cds--btn cds--btn--primary" value="Log In">
         <br><br>
         <!-- should maybe add this stuff in eventually, but this is just for testing.
         <input type="checkbox" id="check">
diff --git a/src/spiffworkflow_backend/services/authorization_service.py b/src/spiffworkflow_backend/services/authorization_service.py
index f29c0985..d7bd40a1 100644
--- a/src/spiffworkflow_backend/services/authorization_service.py
+++ b/src/spiffworkflow_backend/services/authorization_service.py
@@ -6,7 +6,7 @@ from typing import Union
 
 import jwt
 import yaml
-from flask import current_app
+from flask import current_app, scaffold
 from flask import g
 from flask import request
 from flask_bpmn.api.api_error import ApiError
@@ -253,6 +253,7 @@ class AuthorizationService:
             or api_view_function.__name__ in authentication_exclusion_list
             or api_view_function.__name__ in swagger_functions
             or module == openid_blueprint
+            or module == scaffold  # don't check permissions for static assets
         ):
             return True
 
diff --git a/tests/spiffworkflow_backend/integration/test_openid_blueprint.py b/tests/spiffworkflow_backend/integration/test_openid_blueprint.py
index b234d914..963b5585 100644
--- a/tests/spiffworkflow_backend/integration/test_openid_blueprint.py
+++ b/tests/spiffworkflow_backend/integration/test_openid_blueprint.py
@@ -21,7 +21,7 @@ class TestFaskOpenId(BaseTest):
                                     app: Flask,
                                     client: FlaskClient,
                                     with_db_and_bpmn_file_cleanup: None,) -> None:
-        response = client.get("/openid/well-known/openid-configuration")
+        response = client.get("/openid/.well-known/openid-configuration")
         discovered_urls = response.json
         assert "http://localhost/openid" == discovered_urls["issuer"]
         assert "http://localhost/openid/auth" == discovered_urls["authorization_endpoint"]
@@ -57,23 +57,3 @@ class TestFaskOpenId(BaseTest):
         response = client.post("/openid/token", data=data, headers=headers)
         assert response
 
-    def test_refresh_token_endpoint(self,
-        app: Flask,
-        client: FlaskClient,
-        with_db_and_bpmn_file_cleanup: None,) -> None:
-        pass
-        # Handle a refresh with the following
-        # data provided
-        #             "grant_type": "refresh_token",
-        #             "refresh_token": refresh_token,
-        #             "client_id": open_id_client_id,
-        #             "client_secret": open_id_client_secret_key,
-        # Return an json response with:
-        #   id  - (this users' id)
-
-    def test_logout(self,
-        app: Flask,
-        client: FlaskClient,
-        with_db_and_bpmn_file_cleanup: None,) -> None:
-        pass
-        # It should be possible to logout and be redirected back.