From b9612f2d30dbf2ba377ed61e9e529398709ea6c2 Mon Sep 17 00:00:00 2001
From: jasquat <jasquat@users.noreply.github.com>
Date: Wed, 11 Jan 2023 14:52:12 -0500
Subject: [PATCH 01/12] debugging cookies w/ burnettk

---
 spiffworkflow-backend/bin/start_keycloak      |   3 +-
 spiffworkflow-backend/poetry.lock             | 128 +++---------------
 spiffworkflow-backend/pyproject.toml          |   2 +-
 .../spiffworkflow_backend/config/__init__.py  |  10 --
 .../spiffworkflow_backend/config/default.py   |  12 +-
 .../openid_blueprint/openid_blueprint.py      |   2 +
 .../routes/process_groups_controller.py       |   6 +-
 .../src/spiffworkflow_backend/routes/user.py  |   9 +-
 .../services/authentication_service.py        |   6 +
 spiffworkflow-frontend/src/config.tsx         |   6 +-
 .../src/routes/TaskShow.tsx                   |   8 ++
 .../src/services/UserService.ts               |   2 +
 12 files changed, 69 insertions(+), 125 deletions(-)

diff --git a/spiffworkflow-backend/bin/start_keycloak b/spiffworkflow-backend/bin/start_keycloak
index f76347da..a44c0f51 100755
--- a/spiffworkflow-backend/bin/start_keycloak
+++ b/spiffworkflow-backend/bin/start_keycloak
@@ -39,7 +39,8 @@ docker run \
   -e KEYCLOAK_LOGLEVEL=ALL \
   -e ROOT_LOGLEVEL=ALL \
   -e KEYCLOAK_ADMIN=admin \
-  -e KEYCLOAK_ADMIN_PASSWORD=admin quay.io/keycloak/keycloak:20.0.1 start-dev \
+  -e KEYCLOAK_ADMIN_PASSWORD=admin \
+  quay.io/keycloak/keycloak:20.0.1 start-dev \
   -Dkeycloak.profile.feature.token_exchange=enabled \
   -Dkeycloak.profile.feature.admin_fine_grained_authz=enabled
 
diff --git a/spiffworkflow-backend/poetry.lock b/spiffworkflow-backend/poetry.lock
index b726c91a..2e001a93 100644
--- a/spiffworkflow-backend/poetry.lock
+++ b/spiffworkflow-backend/poetry.lock
@@ -462,21 +462,6 @@ toml = "*"
 conda = ["pyyaml"]
 pipenv = ["pipenv"]
 
-[[package]]
-name = "ecdsa"
-version = "0.18.0"
-description = "ECDSA cryptographic signature library (pure python)"
-category = "main"
-optional = false
-python-versions = ">=2.6, !=3.0.*, !=3.1.*, !=3.2.*"
-
-[package.dependencies]
-six = ">=1.9.0"
-
-[package.extras]
-gmpy = ["gmpy"]
-gmpy2 = ["gmpy2"]
-
 [[package]]
 name = "exceptiongroup"
 version = "1.0.4"
@@ -668,6 +653,22 @@ python-versions = "*"
 Flask = ">=0.9"
 Six = "*"
 
+[[package]]
+name = "flask-jwt-extended"
+version = "4.4.4"
+description = "Extended JWT integration with Flask"
+category = "main"
+optional = false
+python-versions = ">=3.7,<4"
+
+[package.dependencies]
+Flask = ">=2.0,<3.0"
+PyJWT = ">=2.0,<3.0"
+Werkzeug = ">=0.14"
+
+[package.extras]
+asymmetric-crypto = ["cryptography (>=3.3.1)"]
+
 [[package]]
 name = "Flask-Mail"
 version = "0.9.1"
@@ -1223,14 +1224,6 @@ category = "main"
 optional = false
 python-versions = ">=3.6"
 
-[[package]]
-name = "pyasn1"
-version = "0.4.8"
-description = "ASN.1 types and codecs"
-category = "main"
-optional = false
-python-versions = "*"
-
 [[package]]
 name = "pycodestyle"
 version = "2.8.0"
@@ -1384,41 +1377,6 @@ python-versions = "!=3.0.*,!=3.1.*,!=3.2.*,>=2.7"
 [package.dependencies]
 six = ">=1.5"
 
-[[package]]
-name = "python-jose"
-version = "3.3.0"
-description = "JOSE implementation in Python"
-category = "main"
-optional = false
-python-versions = "*"
-
-[package.dependencies]
-ecdsa = "!=0.15"
-pyasn1 = "*"
-rsa = "*"
-
-[package.extras]
-cryptography = ["cryptography (>=3.4.0)"]
-pycrypto = ["pyasn1", "pycrypto (>=2.6.0,<2.7.0)"]
-pycryptodome = ["pyasn1", "pycryptodome (>=3.3.1,<4.0.0)"]
-
-[[package]]
-name = "python-keycloak"
-version = "2.6.0"
-description = "python-keycloak is a Python package providing access to the Keycloak API."
-category = "main"
-optional = false
-python-versions = ">=3.7,<4.0"
-
-[package.dependencies]
-python-jose = ">=3.3.0,<4.0.0"
-requests = ">=2.20.0,<3.0.0"
-requests-toolbelt = ">=0.9.1,<0.10.0"
-urllib3 = ">=1.26.0,<2.0.0"
-
-[package.extras]
-docs = ["Sphinx (>=5.0.2,<6.0.0)", "alabaster (>=0.7.12,<0.8.0)", "commonmark (>=0.9.1,<0.10.0)", "m2r2 (>=0.3.2,<0.4.0)", "mock (>=4.0.3,<5.0.0)", "readthedocs-sphinx-ext (>=2.1.8,<3.0.0)", "recommonmark (>=0.7.1,<0.8.0)", "sphinx-autoapi (>=1.8.4,<2.0.0)", "sphinx-rtd-theme (>=1.0.0,<2.0.0)"]
-
 [[package]]
 name = "pytz"
 version = "2022.6"
@@ -1494,17 +1452,6 @@ urllib3 = ">=1.21.1,<1.27"
 socks = ["PySocks (>=1.5.6,!=1.5.7)"]
 use-chardet-on-py3 = ["chardet (>=3.0.2,<6)"]
 
-[[package]]
-name = "requests-toolbelt"
-version = "0.9.1"
-description = "A utility belt for advanced users of python-requests"
-category = "main"
-optional = false
-python-versions = "*"
-
-[package.dependencies]
-requests = ">=2.0.1,<3.0.0"
-
 [[package]]
 name = "restrictedpython"
 version = "6.0"
@@ -1528,17 +1475,6 @@ python-versions = "*"
 [package.dependencies]
 docutils = ">=0.11,<1.0"
 
-[[package]]
-name = "rsa"
-version = "4.9"
-description = "Pure-Python RSA implementation"
-category = "main"
-optional = false
-python-versions = ">=3.6,<4"
-
-[package.dependencies]
-pyasn1 = ">=0.1.3"
-
 [[package]]
 name = "ruamel.yaml"
 version = "0.17.21"
@@ -1851,7 +1787,7 @@ lxml = "*"
 type = "git"
 url = "https://github.com/sartography/SpiffWorkflow"
 reference = "main"
-resolved_reference = "5eed83ab12f67c01c7836424a22fc425a33fc55d"
+resolved_reference = "be26100bcbef8026e26312c665dae42faf476485"
 
 [[package]]
 name = "SQLAlchemy"
@@ -2222,7 +2158,7 @@ testing = ["flake8 (<5)", "func-timeout", "jaraco.functools", "jaraco.itertools"
 [metadata]
 lock-version = "1.1"
 python-versions = ">=3.9,<3.12"
-content-hash = "832c1b6cd8d9aebc8529fdce11167bddcb3634fd0767dd2e490b74ababcf2714"
+content-hash = "8592e94ba80b7d0338a9c003ca4d0e189b5f470d97391438ddc1fc9050febedb"
 
 [metadata.files]
 alabaster = [
@@ -2443,10 +2379,6 @@ dparse = [
     {file = "dparse-0.6.2-py3-none-any.whl", hash = "sha256:8097076f1dd26c377f30d4745e6ec18fef42f3bf493933b842ac5bafad8c345f"},
     {file = "dparse-0.6.2.tar.gz", hash = "sha256:d45255bda21f998bc7ddf2afd5e62505ba6134756ba2d42a84c56b0826614dfe"},
 ]
-ecdsa = [
-    {file = "ecdsa-0.18.0-py2.py3-none-any.whl", hash = "sha256:80600258e7ed2f16b9aa1d7c295bd70194109ad5a30fdee0eaeefef1d4c559dd"},
-    {file = "ecdsa-0.18.0.tar.gz", hash = "sha256:190348041559e21b22a1d65cee485282ca11a6f81d503fddb84d5017e9ed1e49"},
-]
 exceptiongroup = [
     {file = "exceptiongroup-1.0.4-py3-none-any.whl", hash = "sha256:542adf9dea4055530d6e1279602fa5cb11dab2395fa650b8674eaec35fc4a828"},
     {file = "exceptiongroup-1.0.4.tar.gz", hash = "sha256:bd14967b79cd9bdb54d97323216f8fdf533e278df937aa2a90089e7d6e06e5ec"},
@@ -2494,6 +2426,10 @@ Flask-Cors = [
     {file = "Flask-Cors-3.0.10.tar.gz", hash = "sha256:b60839393f3b84a0f3746f6cdca56c1ad7426aa738b70d6c61375857823181de"},
     {file = "Flask_Cors-3.0.10-py2.py3-none-any.whl", hash = "sha256:74efc975af1194fc7891ff5cd85b0f7478be4f7f59fe158102e91abb72bb4438"},
 ]
+flask-jwt-extended = [
+    {file = "Flask-JWT-Extended-4.4.4.tar.gz", hash = "sha256:62b521d75494c290a646ae8acc77123721e4364790f1e64af0038d823961fbf0"},
+    {file = "Flask_JWT_Extended-4.4.4-py2.py3-none-any.whl", hash = "sha256:a85eebfa17c339a7260c4643475af444784ba6de5588adda67406f0a75599553"},
+]
 Flask-Mail = [
     {file = "Flask-Mail-0.9.1.tar.gz", hash = "sha256:22e5eb9a940bf407bcf30410ecc3708f3c56cc44b29c34e1726fe85006935f41"},
 ]
@@ -2988,10 +2924,6 @@ psycopg2 = [
     {file = "psycopg2-2.9.4-cp39-cp39-win_amd64.whl", hash = "sha256:849bd868ae3369932127f0771c08d1109b254f08d48dc42493c3d1b87cb2d308"},
     {file = "psycopg2-2.9.4.tar.gz", hash = "sha256:d529926254e093a1b669f692a3aa50069bc71faf5b0ecd91686a78f62767d52f"},
 ]
-pyasn1 = [
-    {file = "pyasn1-0.4.8-py2.py3-none-any.whl", hash = "sha256:39c7e2ec30515947ff4e87fb6f456dfc6e84857d34be479c9d4a4ba4bf46aa5d"},
-    {file = "pyasn1-0.4.8.tar.gz", hash = "sha256:aef77c9fb94a3ac588e87841208bdec464471d9871bd5050a287cc9a475cd0ba"},
-]
 pycodestyle = [
     {file = "pycodestyle-2.8.0-py2.py3-none-any.whl", hash = "sha256:720f8b39dde8b293825e7ff02c475f3077124006db4f440dcbc9a20b76548a20"},
     {file = "pycodestyle-2.8.0.tar.gz", hash = "sha256:eddd5847ef438ea1c7870ca7eb78a9d47ce0cdb4851a5523949f2601d0cbbe7f"},
@@ -3059,14 +2991,6 @@ python-dateutil = [
     {file = "python-dateutil-2.8.2.tar.gz", hash = "sha256:0123cacc1627ae19ddf3c27a5de5bd67ee4586fbdd6440d9748f8abb483d3e86"},
     {file = "python_dateutil-2.8.2-py2.py3-none-any.whl", hash = "sha256:961d03dc3453ebbc59dbdea9e4e11c5651520a876d0f4db161e8674aae935da9"},
 ]
-python-jose = [
-    {file = "python-jose-3.3.0.tar.gz", hash = "sha256:55779b5e6ad599c6336191246e95eb2293a9ddebd555f796a65f838f07e5d78a"},
-    {file = "python_jose-3.3.0-py2.py3-none-any.whl", hash = "sha256:9b1376b023f8b298536eedd47ae1089bcdb848f1535ab30555cd92002d78923a"},
-]
-python-keycloak = [
-    {file = "python-keycloak-2.6.0.tar.gz", hash = "sha256:08c530ff86f631faccb8033d9d9345cc3148cb2cf132ff7564f025292e4dbd96"},
-    {file = "python_keycloak-2.6.0-py3-none-any.whl", hash = "sha256:a1ce102b978beb56d385319b3ca20992b915c2c12d15a2d0c23f1104882f3fb6"},
-]
 pytz = [
     {file = "pytz-2022.6-py2.py3-none-any.whl", hash = "sha256:222439474e9c98fced559f1709d89e6c9cbf8d79c794ff3eb9f8800064291427"},
     {file = "pytz-2022.6.tar.gz", hash = "sha256:e89512406b793ca39f5971bc999cc538ce125c0e51c27941bef4568b460095e2"},
@@ -3205,10 +3129,6 @@ requests = [
     {file = "requests-2.28.1-py3-none-any.whl", hash = "sha256:8fefa2a1a1365bf5520aac41836fbee479da67864514bdb821f31ce07ce65349"},
     {file = "requests-2.28.1.tar.gz", hash = "sha256:7c5599b102feddaa661c826c56ab4fee28bfd17f5abca1ebbe3e7f19d7c97983"},
 ]
-requests-toolbelt = [
-    {file = "requests-toolbelt-0.9.1.tar.gz", hash = "sha256:968089d4584ad4ad7c171454f0a5c6dac23971e9472521ea3b6d49d610aa6fc0"},
-    {file = "requests_toolbelt-0.9.1-py2.py3-none-any.whl", hash = "sha256:380606e1d10dc85c3bd47bf5a6095f815ec007be7a8b69c878507068df059e6f"},
-]
 restrictedpython = [
     {file = "RestrictedPython-6.0-py3-none-any.whl", hash = "sha256:3479303f7bff48a7dedad76f96e7704993c5e86c5adbd67f607295d5352f0fb8"},
     {file = "RestrictedPython-6.0.tar.gz", hash = "sha256:405cf0bd9eec2f19b1326b5f48228efe56d6590b4e91826b8cc3b2cd400a96ad"},
@@ -3216,10 +3136,6 @@ restrictedpython = [
 restructuredtext-lint = [
     {file = "restructuredtext_lint-1.4.0.tar.gz", hash = "sha256:1b235c0c922341ab6c530390892eb9e92f90b9b75046063e047cacfb0f050c45"},
 ]
-rsa = [
-    {file = "rsa-4.9-py3-none-any.whl", hash = "sha256:90260d9058e514786967344d0ef75fa8727eed8a7d2e43ce9f4bcf1b536174f7"},
-    {file = "rsa-4.9.tar.gz", hash = "sha256:e38464a49c6c85d7f1351b0126661487a7e0a14a50f1675ec50eb34d4f20ef21"},
-]
 "ruamel.yaml" = [
     {file = "ruamel.yaml-0.17.21-py3-none-any.whl", hash = "sha256:742b35d3d665023981bd6d16b3d24248ce5df75fdb4e2924e93a05c1f8b61ca7"},
     {file = "ruamel.yaml-0.17.21.tar.gz", hash = "sha256:8b7ce697a2f212752a35c1ac414471dc16c424c9573be4926b56ff3f5d23b7af"},
diff --git a/spiffworkflow-backend/pyproject.toml b/spiffworkflow-backend/pyproject.toml
index b43d1ec3..83a43482 100644
--- a/spiffworkflow-backend/pyproject.toml
+++ b/spiffworkflow-backend/pyproject.toml
@@ -44,7 +44,6 @@ marshmallow-enum = "^1.5.1"
 marshmallow-sqlalchemy = "^0.28.0"
 PyJWT = "^2.6.0"
 gunicorn = "^20.1.0"
-python-keycloak = "^2.5.0"
 APScheduler = "*"
 Jinja2 = "^3.1.2"
 RestrictedPython = "^6.0"
@@ -72,6 +71,7 @@ simplejson = "^3.17.6"
 pytz = "^2022.6"
 dateparser = "^1.1.2"
 types-dateparser = "^1.1.4.1"
+flask-jwt-extended = "^4.4.4"
 
 
 [tool.poetry.dev-dependencies]
diff --git a/spiffworkflow-backend/src/spiffworkflow_backend/config/__init__.py b/spiffworkflow-backend/src/spiffworkflow_backend/config/__init__.py
index fb5901f0..7d915946 100644
--- a/spiffworkflow-backend/src/spiffworkflow_backend/config/__init__.py
+++ b/spiffworkflow-backend/src/spiffworkflow_backend/config/__init__.py
@@ -63,7 +63,6 @@ def setup_config(app: Flask) -> None:
     )
     app.config["SQLALCHEMY_TRACK_MODIFICATIONS"] = False
     app.config.from_object("spiffworkflow_backend.config.default")
-    print("loaded config: default")
 
     env_config_prefix = "spiffworkflow_backend.config."
     if (
@@ -71,7 +70,6 @@ def setup_config(app: Flask) -> None:
         and os.environ.get("SPIFFWORKFLOW_BACKEND_ENV") is not None
     ):
         load_config_file(app, f"{env_config_prefix}terraform_deployed_environment")
-        print("loaded config: terraform_deployed_environment")
 
     env_config_module = env_config_prefix + app.config["ENV_IDENTIFIER"]
     load_config_file(app, env_config_module)
@@ -90,14 +88,6 @@ def setup_config(app: Flask) -> None:
             "permissions",
             app.config["SPIFFWORKFLOW_BACKEND_PERMISSIONS_FILE_NAME"],
         )
-        print(
-            "set permissions file name config:"
-            f" {app.config['SPIFFWORKFLOW_BACKEND_PERMISSIONS_FILE_NAME']}"
-        )
-        print(
-            "set permissions file name full path:"
-            f" {app.config['PERMISSIONS_FILE_FULLPATH']}"
-        )
 
     # unversioned (see .gitignore) config that can override everything and include secrets.
     # src/spiffworkflow_backend/config/secrets.py
diff --git a/spiffworkflow-backend/src/spiffworkflow_backend/config/default.py b/spiffworkflow-backend/src/spiffworkflow_backend/config/default.py
index d0d6a401..fe4cd8a9 100644
--- a/spiffworkflow-backend/src/spiffworkflow_backend/config/default.py
+++ b/spiffworkflow-backend/src/spiffworkflow_backend/config/default.py
@@ -17,10 +17,12 @@ RUN_BACKGROUND_SCHEDULER = (
     environ.get("RUN_BACKGROUND_SCHEDULER", default="false") == "true"
 )
 SPIFFWORKFLOW_FRONTEND_URL = environ.get(
-    "SPIFFWORKFLOW_FRONTEND_URL", default="http://localhost:7001"
+    # "SPIFFWORKFLOW_FRONTEND_URL", default="http://localhost:7001"
+    "SPIFFWORKFLOW_FRONTEND_URL", default="http://spiff.localdev"
 )
 SPIFFWORKFLOW_BACKEND_URL = environ.get(
-    "SPIFFWORKFLOW_BACKEND_URL", default="http://localhost:7000"
+    # "SPIFFWORKFLOW_BACKEND_URL", default="http://localhost:7000"
+    "SPIFFWORKFLOW_BACKEND_URL", default="http://api.spiff.localdev"
 )
 # service task connector proxy
 CONNECTOR_PROXY_URL = environ.get(
@@ -29,12 +31,16 @@ CONNECTOR_PROXY_URL = environ.get(
 
 # Open ID server
 OPEN_ID_SERVER_URL = environ.get(
-    "OPEN_ID_SERVER_URL", default="http://localhost:7002/realms/spiffworkflow"
+    # "OPEN_ID_SERVER_URL", default="http://localhost:7002/realms/spiffworkflow"
+    # "OPEN_ID_SERVER_URL", default="http://keycloak.spiff.localdev/realms/spiffworkflow"
+    "OPEN_ID_SERVER_URL", default="http://api.spiff.localdev/openid"
 )
+
 # Replace above line with this to use the built-in Open ID Server.
 # OPEN_ID_SERVER_URL = environ.get("OPEN_ID_SERVER_URL", default="http://localhost:7000/openid")
 OPEN_ID_CLIENT_ID = environ.get("OPEN_ID_CLIENT_ID", default="spiffworkflow-backend")
 OPEN_ID_CLIENT_SECRET_KEY = environ.get(
+    # "OPEN_ID_CLIENT_SECRET_KEY", default="JXeQExm0JhQPLumgHtIIqf52bDalHz0q"
     "OPEN_ID_CLIENT_SECRET_KEY", default="JXeQExm0JhQPLumgHtIIqf52bDalHz0q"
 )  # noqa: S105
 
diff --git a/spiffworkflow-backend/src/spiffworkflow_backend/routes/openid_blueprint/openid_blueprint.py b/spiffworkflow-backend/src/spiffworkflow_backend/routes/openid_blueprint/openid_blueprint.py
index f25100ee..fa913528 100644
--- a/spiffworkflow-backend/src/spiffworkflow_backend/routes/openid_blueprint/openid_blueprint.py
+++ b/spiffworkflow-backend/src/spiffworkflow_backend/routes/openid_blueprint/openid_blueprint.py
@@ -34,6 +34,8 @@ def well_known() -> dict:
     These urls can be very different from one openid impl to the next, this is just a small subset.
     """
     host_url = request.host_url.strip("/")
+    print(f"host_url: {host_url}")
+    print(f"request.path: {request.url}")
     return {
         "issuer": f"{host_url}/openid",
         "authorization_endpoint": f"{host_url}{url_for('openid.auth')}",
diff --git a/spiffworkflow-backend/src/spiffworkflow_backend/routes/process_groups_controller.py b/spiffworkflow-backend/src/spiffworkflow_backend/routes/process_groups_controller.py
index 228be181..f4476449 100644
--- a/spiffworkflow-backend/src/spiffworkflow_backend/routes/process_groups_controller.py
+++ b/spiffworkflow-backend/src/spiffworkflow_backend/routes/process_groups_controller.py
@@ -1,5 +1,6 @@
 """APIs for dealing with process groups, process models, and process instances."""
 import json
+from flask import current_app
 from typing import Any
 from typing import Optional
 
@@ -88,7 +89,10 @@ def process_group_list(
             "pages": pages,
         },
     }
-    return Response(json.dumps(response_json), status=200, mimetype="application/json")
+    response = make_response(jsonify(response_json), 200)
+    current_app.logger.info("SETTING COOKIE")
+    # response.set_cookie('TEST_COOKIE', 'HEY', domain=".spiff.dev", secure=False, httponly=True)
+    return response
 
 
 def process_group_show(
diff --git a/spiffworkflow-backend/src/spiffworkflow_backend/routes/user.py b/spiffworkflow-backend/src/spiffworkflow_backend/routes/user.py
index 1ac6207c..ffe523da 100644
--- a/spiffworkflow-backend/src/spiffworkflow_backend/routes/user.py
+++ b/spiffworkflow-backend/src/spiffworkflow_backend/routes/user.py
@@ -23,6 +23,8 @@ from spiffworkflow_backend.services.authentication_service import (
 from spiffworkflow_backend.services.authorization_service import AuthorizationService
 from spiffworkflow_backend.services.user_service import UserService
 
+# from flask_jwt_extended import set_access_cookies
+
 """
 .. module:: crc.api.user
    :synopsis: Single Sign On (SSO) user login and session handlers
@@ -77,6 +79,7 @@ def verify_token(
                 except (
                     ApiError
                 ) as ae:  # API Error is only thrown in the token is outdated.
+                    print("HEY WE IN ERROR")
                     # Try to refresh the token
                     user = UserService.get_user_by_service_and_service_id(
                         decoded_token["iss"], decoded_token["sub"]
@@ -89,10 +92,12 @@ def verify_token(
                                     refresh_token
                                 )
                             )
+                            # set_access_cookies()
+                            print(f"auth_token: {auth_token}")
                             if auth_token and "error" not in auth_token:
                                 # We have the user, but this code is a bit convoluted, and will later demand
                                 # a user_info object so it can look up the user.  Sorry to leave this crap here.
-                                user_info = {"sub": user.service_id}
+                                user_info = {"sub": user.service_id, "iss": user.service}
                             else:
                                 raise ae
                         else:
@@ -106,7 +111,7 @@ def verify_token(
                         message="Cannot get user info from token",
                         status_code=401,
                     ) from e
-
+                print(f"USER_INFO: {user_info}")
                 if (
                     user_info is not None
                     and "error" not in user_info
diff --git a/spiffworkflow-backend/src/spiffworkflow_backend/services/authentication_service.py b/spiffworkflow-backend/src/spiffworkflow_backend/services/authentication_service.py
index f697904e..cf1ed8fc 100644
--- a/spiffworkflow-backend/src/spiffworkflow_backend/services/authentication_service.py
+++ b/spiffworkflow-backend/src/spiffworkflow_backend/services/authentication_service.py
@@ -53,8 +53,11 @@ class AuthenticationService:
     def open_id_endpoint_for_name(cls, name: str) -> str:
         """All openid systems provide a mapping of static names to the full path of that endpoint."""
         openid_config_url = f"{cls.server_url()}/.well-known/openid-configuration"
+        print(f"openid_config_url: {openid_config_url}")
         if name not in AuthenticationService.ENDPOINT_CACHE:
+            print("BEFORE")
             response = requests.get(openid_config_url)
+            print("AFTER")
             AuthenticationService.ENDPOINT_CACHE = response.json()
         if name not in AuthenticationService.ENDPOINT_CACHE:
             raise Exception(
@@ -137,6 +140,9 @@ class AuthenticationService:
                 message="Cannot decode id_token",
                 status_code=401,
             ) from e
+        print(f"decoded_token: {decoded_token}")
+        print(f"cls.service_url(): {cls.server_url()}")
+        # import pdb; pdb.set_trace()
         if decoded_token["iss"] != cls.server_url():
             valid = False
         elif (
diff --git a/spiffworkflow-frontend/src/config.tsx b/spiffworkflow-frontend/src/config.tsx
index abaadd5e..79056dd6 100644
--- a/spiffworkflow-frontend/src/config.tsx
+++ b/spiffworkflow-frontend/src/config.tsx
@@ -1,4 +1,6 @@
 const { port, hostname } = window.location;
+console.log('START');
+console.log('window.location', window.location);
 let hostAndPort = `api.${hostname}`;
 let protocol = 'https';
 
@@ -10,12 +12,14 @@ if (/^\d+\./.test(hostname) || hostname === 'localhost') {
   hostAndPort = `${hostname}:${serverPort}`;
   protocol = 'http';
 }
+protocol = 'http';
 
 let url = `${protocol}://${hostAndPort}/v1.0`;
-// Allow overriding the backend base url with an environment variable at build time.
+console.log('OUR URL', url);
 if (process.env.REACT_APP_BACKEND_BASE_URL) {
   url = process.env.REACT_APP_BACKEND_BASE_URL;
 }
+console.log('NO THIS ONE', url);
 
 export const BACKEND_BASE_URL = url;
 
diff --git a/spiffworkflow-frontend/src/routes/TaskShow.tsx b/spiffworkflow-frontend/src/routes/TaskShow.tsx
index 0841da1b..51bf42e7 100644
--- a/spiffworkflow-frontend/src/routes/TaskShow.tsx
+++ b/spiffworkflow-frontend/src/routes/TaskShow.tsx
@@ -184,6 +184,13 @@ export default function TaskShow() {
       );
     }
 
+    function customValidate(formData: any, errors: any) {
+      if (formData.pass1 !== formData.pass2) {
+        errors.pass2.addError("Passwords don't match");
+      }
+      return errors;
+    }
+
     return (
       <Grid fullWidth condensed>
         <Column md={5} lg={8} sm={4}>
@@ -193,6 +200,7 @@ export default function TaskShow() {
             schema={jsonSchema}
             uiSchema={formUiSchema}
             validator={validator}
+            customValidate={customValidate}
           >
             {reactFragmentToHideSubmitButton}
           </Form>
diff --git a/spiffworkflow-frontend/src/services/UserService.ts b/spiffworkflow-frontend/src/services/UserService.ts
index f893b926..f3917f85 100644
--- a/spiffworkflow-frontend/src/services/UserService.ts
+++ b/spiffworkflow-frontend/src/services/UserService.ts
@@ -21,6 +21,7 @@ const getCurrentLocation = () => {
 
 const doLogin = () => {
   const url = `${BACKEND_BASE_URL}/login?redirect_url=${getCurrentLocation()}`;
+  console.log('URL', url);
   window.location.href = url;
 };
 const getIdToken = () => {
@@ -77,6 +78,7 @@ const getAuthTokenFromParams = () => {
       localStorage.setItem('jwtIdToken', idToken);
     }
     // window.location.href = `${getCurrentLocation(queryParams.toString())}`;
+    console.log('THE PALCE: ', `${getCurrentLocation()}`);
     window.location.href = `${getCurrentLocation()}`;
   } else if (!isLoggedIn()) {
     doLogin();

From 0974cda18589a84c085da76d3302cb00b1059c60 Mon Sep 17 00:00:00 2001
From: jasquat <jasquat@users.noreply.github.com>
Date: Wed, 11 Jan 2023 15:57:01 -0500
Subject: [PATCH 02/12] this somewhat works and sets cookies w/ burnettk

---
 .../src/spiffworkflow_backend/__init__.py                 | 2 +-
 .../src/spiffworkflow_backend/routes/health_controller.py | 5 ++++-
 .../routes/process_groups_controller.py                   | 5 +++--
 spiffworkflow-frontend/src/routes/ProcessGroupList.tsx    | 8 ++++++++
 spiffworkflow-frontend/src/services/HttpService.ts        | 1 +
 5 files changed, 17 insertions(+), 4 deletions(-)

diff --git a/spiffworkflow-backend/src/spiffworkflow_backend/__init__.py b/spiffworkflow-backend/src/spiffworkflow_backend/__init__.py
index f1de793d..bda2f03c 100644
--- a/spiffworkflow-backend/src/spiffworkflow_backend/__init__.py
+++ b/spiffworkflow-backend/src/spiffworkflow_backend/__init__.py
@@ -115,7 +115,7 @@ def create_app() -> flask.app.Flask:
         r"^https?:\/\/%s(.*)" % o.replace(".", r"\.")
         for o in app.config["CORS_ALLOW_ORIGINS"]
     ]
-    CORS(app, origins=origins_re, max_age=3600)
+    CORS(app, origins=origins_re, max_age=3600, supports_credentials=True)
 
     connexion_app.add_api("api.yml", base_path=V1_API_PATH_PREFIX)
 
diff --git a/spiffworkflow-backend/src/spiffworkflow_backend/routes/health_controller.py b/spiffworkflow-backend/src/spiffworkflow_backend/routes/health_controller.py
index e9831110..5d8856a4 100644
--- a/spiffworkflow-backend/src/spiffworkflow_backend/routes/health_controller.py
+++ b/spiffworkflow-backend/src/spiffworkflow_backend/routes/health_controller.py
@@ -10,4 +10,7 @@ from spiffworkflow_backend.models.process_instance import ProcessInstanceModel
 def status() -> flask.wrappers.Response:
     """Status."""
     ProcessInstanceModel.query.filter().first()
-    return Response(json.dumps({"ok": True}), status=200, mimetype="application/json")
+    response = Response(json.dumps({"ok": True}), status=200, mimetype="application/json")
+    response.set_cookie('TEST_COOKIE', 'HEY')
+    response.set_cookie('TEST_COOKIE', 'HEY', domain='spiff.localdev')
+    return response
diff --git a/spiffworkflow-backend/src/spiffworkflow_backend/routes/process_groups_controller.py b/spiffworkflow-backend/src/spiffworkflow_backend/routes/process_groups_controller.py
index f4476449..d972d18c 100644
--- a/spiffworkflow-backend/src/spiffworkflow_backend/routes/process_groups_controller.py
+++ b/spiffworkflow-backend/src/spiffworkflow_backend/routes/process_groups_controller.py
@@ -89,9 +89,10 @@ def process_group_list(
             "pages": pages,
         },
     }
-    response = make_response(jsonify(response_json), 200)
+    # response = make_response(jsonify(response_json), 200)
+    response = Response(json.dumps(response_json), status=200, mimetype="application/json")
     current_app.logger.info("SETTING COOKIE")
-    # response.set_cookie('TEST_COOKIE', 'HEY', domain=".spiff.dev", secure=False, httponly=True)
+    response.set_cookie('TEST_COOKIE', 'HEY1', domain='spiff.localdev')
     return response
 
 
diff --git a/spiffworkflow-frontend/src/routes/ProcessGroupList.tsx b/spiffworkflow-frontend/src/routes/ProcessGroupList.tsx
index 7dee4f20..4c0f5d9a 100644
--- a/spiffworkflow-frontend/src/routes/ProcessGroupList.tsx
+++ b/spiffworkflow-frontend/src/routes/ProcessGroupList.tsx
@@ -42,6 +42,12 @@ export default function ProcessGroupList() {
       path: `/process-models?per_page=1000&recursive=true&include_parent_groups=true`,
       successCallback: processResultForProcessModels,
     });
+    HttpService.makeCallToBackend({
+      path: `/status`,
+      successCallback: (result: any) => {
+        console.log(result);
+      },
+    });
   }, [searchParams]);
 
   const processModelSearchArea = () => {
@@ -63,8 +69,10 @@ export default function ProcessGroupList() {
   };
 
   if (processModelAvailableItems) {
+    console.log('document.cookie', document.cookie);
     return (
       <>
+        {document.cookie}
         <ProcessBreadcrumb hotCrumbs={[['Process Groups']]} />
         <Can I="POST" a={targetUris.processGroupListPath} ability={ability}>
           <Button kind="secondary" href="/admin/process-groups/new">
diff --git a/spiffworkflow-frontend/src/services/HttpService.ts b/spiffworkflow-frontend/src/services/HttpService.ts
index 78a29d07..4d31f1b4 100644
--- a/spiffworkflow-frontend/src/services/HttpService.ts
+++ b/spiffworkflow-frontend/src/services/HttpService.ts
@@ -64,6 +64,7 @@ backendCallProps) => {
   Object.assign(httpArgs, {
     headers: new Headers(headers as any),
     method: httpMethod,
+    credentials: 'include',
   });
 
   const updatedPath = path.replace(/^\/v1\.0/, '');

From 8ab5ad70748544d7880760845314d629a35f5cdd Mon Sep 17 00:00:00 2001
From: jasquat <jasquat@users.noreply.github.com>
Date: Wed, 11 Jan 2023 16:11:21 -0500
Subject: [PATCH 03/12] this can run on localhost with cookies w/ burnettk

---
 .../src/spiffworkflow_backend/config/default.py          | 9 +++------
 .../spiffworkflow_backend/routes/health_controller.py    | 5 +++--
 .../routes/process_groups_controller.py                  | 2 +-
 3 files changed, 7 insertions(+), 9 deletions(-)

diff --git a/spiffworkflow-backend/src/spiffworkflow_backend/config/default.py b/spiffworkflow-backend/src/spiffworkflow_backend/config/default.py
index fe4cd8a9..6e20357e 100644
--- a/spiffworkflow-backend/src/spiffworkflow_backend/config/default.py
+++ b/spiffworkflow-backend/src/spiffworkflow_backend/config/default.py
@@ -17,12 +17,10 @@ RUN_BACKGROUND_SCHEDULER = (
     environ.get("RUN_BACKGROUND_SCHEDULER", default="false") == "true"
 )
 SPIFFWORKFLOW_FRONTEND_URL = environ.get(
-    # "SPIFFWORKFLOW_FRONTEND_URL", default="http://localhost:7001"
-    "SPIFFWORKFLOW_FRONTEND_URL", default="http://spiff.localdev"
+    "SPIFFWORKFLOW_FRONTEND_URL", default="http://localhost:7001"
 )
 SPIFFWORKFLOW_BACKEND_URL = environ.get(
-    # "SPIFFWORKFLOW_BACKEND_URL", default="http://localhost:7000"
-    "SPIFFWORKFLOW_BACKEND_URL", default="http://api.spiff.localdev"
+    "SPIFFWORKFLOW_BACKEND_URL", default="http://localhost:7000"
 )
 # service task connector proxy
 CONNECTOR_PROXY_URL = environ.get(
@@ -32,8 +30,7 @@ CONNECTOR_PROXY_URL = environ.get(
 # Open ID server
 OPEN_ID_SERVER_URL = environ.get(
     # "OPEN_ID_SERVER_URL", default="http://localhost:7002/realms/spiffworkflow"
-    # "OPEN_ID_SERVER_URL", default="http://keycloak.spiff.localdev/realms/spiffworkflow"
-    "OPEN_ID_SERVER_URL", default="http://api.spiff.localdev/openid"
+    "OPEN_ID_SERVER_URL", default="http://localhost:7000/openid"
 )
 
 # Replace above line with this to use the built-in Open ID Server.
diff --git a/spiffworkflow-backend/src/spiffworkflow_backend/routes/health_controller.py b/spiffworkflow-backend/src/spiffworkflow_backend/routes/health_controller.py
index 5d8856a4..30757e2a 100644
--- a/spiffworkflow-backend/src/spiffworkflow_backend/routes/health_controller.py
+++ b/spiffworkflow-backend/src/spiffworkflow_backend/routes/health_controller.py
@@ -1,5 +1,6 @@
 """APIs for dealing with process groups, process models, and process instances."""
 import json
+from flask import current_app
 
 import flask.wrappers
 from flask.wrappers import Response
@@ -11,6 +12,6 @@ def status() -> flask.wrappers.Response:
     """Status."""
     ProcessInstanceModel.query.filter().first()
     response = Response(json.dumps({"ok": True}), status=200, mimetype="application/json")
-    response.set_cookie('TEST_COOKIE', 'HEY')
-    response.set_cookie('TEST_COOKIE', 'HEY', domain='spiff.localdev')
+    # print(f"current_app.config.get('SPIFFWORKFLOW_FRONTEND_URL').replace('http://', ''): {current_app.config.get('SPIFFWORKFLOW_FRONTEND_URL').replace('http://', '')}")
+    response.set_cookie('TEST_COOKIE1', 'HEY', domain=None)
     return response
diff --git a/spiffworkflow-backend/src/spiffworkflow_backend/routes/process_groups_controller.py b/spiffworkflow-backend/src/spiffworkflow_backend/routes/process_groups_controller.py
index d972d18c..5a593cd5 100644
--- a/spiffworkflow-backend/src/spiffworkflow_backend/routes/process_groups_controller.py
+++ b/spiffworkflow-backend/src/spiffworkflow_backend/routes/process_groups_controller.py
@@ -92,7 +92,7 @@ def process_group_list(
     # response = make_response(jsonify(response_json), 200)
     response = Response(json.dumps(response_json), status=200, mimetype="application/json")
     current_app.logger.info("SETTING COOKIE")
-    response.set_cookie('TEST_COOKIE', 'HEY1', domain='spiff.localdev')
+    response.set_cookie('TEST_COOKIE', 'HEY1')
     return response
 
 

From 2630dbfb459ed0478b0f51fcc3c6fd690b7f0acc Mon Sep 17 00:00:00 2001
From: jasquat <jasquat@users.noreply.github.com>
Date: Wed, 11 Jan 2023 17:27:12 -0500
Subject: [PATCH 04/12] use the cookie from the frontend w/ burnettk

---
 .../src/spiffworkflow_backend/__init__.py     |  3 +-
 .../spiffworkflow_backend/config/default.py   |  4 +-
 .../openid_blueprint/openid_blueprint.py      |  2 -
 .../src/spiffworkflow_backend/routes/user.py  | 52 ++++++++++++-------
 .../services/authentication_service.py        | 30 +++++------
 spiffworkflow-frontend/package-lock.json      | 14 +++++
 spiffworkflow-frontend/package.json           |  2 +
 spiffworkflow-frontend/src/index.tsx          |  2 +-
 .../src/routes/AuthenticationList.tsx         |  2 +-
 .../src/routes/ProcessGroupList.tsx           |  1 -
 .../src/services/HttpService.ts               |  2 +-
 .../src/services/UserService.ts               | 47 +++++++----------
 12 files changed, 91 insertions(+), 70 deletions(-)

diff --git a/spiffworkflow-backend/src/spiffworkflow_backend/__init__.py b/spiffworkflow-backend/src/spiffworkflow_backend/__init__.py
index bda2f03c..4ffc2f59 100644
--- a/spiffworkflow-backend/src/spiffworkflow_backend/__init__.py
+++ b/spiffworkflow-backend/src/spiffworkflow_backend/__init__.py
@@ -23,7 +23,7 @@ from spiffworkflow_backend.routes.admin_blueprint.admin_blueprint import admin_b
 from spiffworkflow_backend.routes.openid_blueprint.openid_blueprint import (
     openid_blueprint,
 )
-from spiffworkflow_backend.routes.user import verify_token
+from spiffworkflow_backend.routes.user import set_new_access_token_in_cookie, verify_token
 from spiffworkflow_backend.routes.user_blueprint import user_blueprint
 from spiffworkflow_backend.services.authorization_service import AuthorizationService
 from spiffworkflow_backend.services.background_processing_service import (
@@ -131,6 +131,7 @@ def create_app() -> flask.app.Flask:
 
     app.before_request(verify_token)
     app.before_request(AuthorizationService.check_for_permission)
+    app.after_request(set_new_access_token_in_cookie)
 
     return app  # type: ignore
 
diff --git a/spiffworkflow-backend/src/spiffworkflow_backend/config/default.py b/spiffworkflow-backend/src/spiffworkflow_backend/config/default.py
index 6e20357e..0032a8a8 100644
--- a/spiffworkflow-backend/src/spiffworkflow_backend/config/default.py
+++ b/spiffworkflow-backend/src/spiffworkflow_backend/config/default.py
@@ -29,8 +29,8 @@ CONNECTOR_PROXY_URL = environ.get(
 
 # Open ID server
 OPEN_ID_SERVER_URL = environ.get(
-    # "OPEN_ID_SERVER_URL", default="http://localhost:7002/realms/spiffworkflow"
-    "OPEN_ID_SERVER_URL", default="http://localhost:7000/openid"
+    "OPEN_ID_SERVER_URL", default="http://localhost:7002/realms/spiffworkflow"
+    # "OPEN_ID_SERVER_URL", default="http://localhost:7000/openid"
 )
 
 # Replace above line with this to use the built-in Open ID Server.
diff --git a/spiffworkflow-backend/src/spiffworkflow_backend/routes/openid_blueprint/openid_blueprint.py b/spiffworkflow-backend/src/spiffworkflow_backend/routes/openid_blueprint/openid_blueprint.py
index fa913528..f25100ee 100644
--- a/spiffworkflow-backend/src/spiffworkflow_backend/routes/openid_blueprint/openid_blueprint.py
+++ b/spiffworkflow-backend/src/spiffworkflow_backend/routes/openid_blueprint/openid_blueprint.py
@@ -34,8 +34,6 @@ def well_known() -> dict:
     These urls can be very different from one openid impl to the next, this is just a small subset.
     """
     host_url = request.host_url.strip("/")
-    print(f"host_url: {host_url}")
-    print(f"request.path: {request.url}")
     return {
         "issuer": f"{host_url}/openid",
         "authorization_endpoint": f"{host_url}{url_for('openid.auth')}",
diff --git a/spiffworkflow-backend/src/spiffworkflow_backend/routes/user.py b/spiffworkflow-backend/src/spiffworkflow_backend/routes/user.py
index ffe523da..c1966c3a 100644
--- a/spiffworkflow-backend/src/spiffworkflow_backend/routes/user.py
+++ b/spiffworkflow-backend/src/spiffworkflow_backend/routes/user.py
@@ -14,9 +14,11 @@ from flask import redirect
 from flask import request
 from flask_bpmn.api.api_error import ApiError
 from werkzeug.wrappers import Response
+# from flask.wrappers import Response
+import flask
 
 from spiffworkflow_backend.models.user import UserModel
-from spiffworkflow_backend.services.authentication_service import AuthenticationService
+from spiffworkflow_backend.services.authentication_service import TokenExpiredError, AuthenticationService
 from spiffworkflow_backend.services.authentication_service import (
     MissingAccessTokenError,
 )
@@ -57,6 +59,11 @@ def verify_token(
     if not token and "Authorization" in request.headers:
         token = request.headers["Authorization"].removeprefix("Bearer ")
 
+    # This should never be set here but just in case
+    tld = current_app.config['THREAD_LOCAL_DATA']
+    if hasattr(tld, "new_access_token"):
+        tld.new_access_token = None
+
     if token:
         user_model = None
         decoded_token = get_decoded_token(token)
@@ -73,13 +80,11 @@ def verify_token(
                             f" internal token. {e}"
                         )
             elif "iss" in decoded_token.keys():
+                user_info = None
                 try:
-                    if AuthenticationService.validate_id_token(token):
+                    if AuthenticationService.validate_id_or_access_token(token):
                         user_info = decoded_token
-                except (
-                    ApiError
-                ) as ae:  # API Error is only thrown in the token is outdated.
-                    print("HEY WE IN ERROR")
+                except (TokenExpiredError) as token_expired_error:
                     # Try to refresh the token
                     user = UserService.get_user_by_service_and_service_id(
                         decoded_token["iss"], decoded_token["sub"]
@@ -92,26 +97,28 @@ def verify_token(
                                     refresh_token
                                 )
                             )
-                            # set_access_cookies()
-                            print(f"auth_token: {auth_token}")
                             if auth_token and "error" not in auth_token:
+                                print("SETTING NEW TOKEN")
+                                print(f"auth_token: {auth_token}")
+                                tld.new_access_token = auth_token['access_token']
                                 # We have the user, but this code is a bit convoluted, and will later demand
                                 # a user_info object so it can look up the user.  Sorry to leave this crap here.
                                 user_info = {"sub": user.service_id, "iss": user.service}
-                            else:
-                                raise ae
-                        else:
-                            raise ae
-                    else:
-                        raise ae
+
+                    if user_info is None:
+                        raise ApiError(
+                            error_code="invalid_token",
+                            message="Your token is expired. Please Login",
+                            status_code=401,
+                        ) from token_expired_error
+
                 except Exception as e:
-                    current_app.logger.error(f"Exception raised in get_token: {e}")
                     raise ApiError(
                         error_code="fail_get_user_info",
                         message="Cannot get user info from token",
                         status_code=401,
                     ) from e
-                print(f"USER_INFO: {user_info}")
+
                 if (
                     user_info is not None
                     and "error" not in user_info
@@ -165,6 +172,14 @@ def verify_token(
     )
 
 
+def set_new_access_token_in_cookie(response: flask.wrappers.Response) -> flask.wrappers.Response:
+    print(f"response: {response.__class__}")
+    tld = current_app.config['THREAD_LOCAL_DATA']
+    if hasattr(tld, "new_access_token") and tld.new_access_token:
+        response.set_cookie('access_token', tld.new_access_token)
+    return response
+
+
 def validate_scope(token: Any) -> bool:
     """Validate_scope."""
     print("validate_scope")
@@ -220,7 +235,6 @@ def parse_id_token(token: str) -> Any:
     decoded = base64.b64decode(padded)
     return json.loads(decoded)
 
-
 def login_return(code: str, state: str, session_state: str) -> Optional[Response]:
     """Login_return."""
     state_dict = ast.literal_eval(base64.b64decode(state).decode("utf-8"))
@@ -231,7 +245,7 @@ def login_return(code: str, state: str, session_state: str) -> Optional[Response
 
         user_info = parse_id_token(id_token)
 
-        if AuthenticationService.validate_id_token(id_token):
+        if AuthenticationService.validate_id_or_access_token(id_token):
             if user_info and "error" not in user_info:
                 user_model = AuthorizationService.create_user_from_sign_in(user_info)
                 g.user = user_model.id
@@ -244,6 +258,8 @@ def login_return(code: str, state: str, session_state: str) -> Optional[Response
                     + f"access_token={auth_token_object['access_token']}&"
                     + f"id_token={id_token}"
                 )
+                tld = current_app.config['THREAD_LOCAL_DATA']
+                tld.new_access_token = auth_token_object['access_token']
                 return redirect(redirect_url)
 
         raise ApiError(
diff --git a/spiffworkflow-backend/src/spiffworkflow_backend/services/authentication_service.py b/spiffworkflow-backend/src/spiffworkflow_backend/services/authentication_service.py
index cf1ed8fc..309dca1e 100644
--- a/spiffworkflow-backend/src/spiffworkflow_backend/services/authentication_service.py
+++ b/spiffworkflow-backend/src/spiffworkflow_backend/services/authentication_service.py
@@ -20,6 +20,15 @@ class MissingAccessTokenError(Exception):
     """MissingAccessTokenError."""
 
 
+# These could be either 'id' OR 'access' tokens and we can't always know which
+class TokenExpiredError(Exception):
+    pass
+
+
+class TokenInvalidError(Exception):
+    pass
+
+
 class AuthenticationProviderTypes(enum.Enum):
     """AuthenticationServiceProviders."""
 
@@ -128,21 +137,15 @@ class AuthenticationService:
         return auth_token_object
 
     @classmethod
-    def validate_id_token(cls, id_token: str) -> bool:
+    def validate_id_or_access_token(cls, token: str) -> bool:
         """Https://openid.net/specs/openid-connect-core-1_0.html#IDTokenValidation."""
         valid = True
         now = time.time()
         try:
-            decoded_token = jwt.decode(id_token, options={"verify_signature": False})
+            decoded_token = jwt.decode(token, options={"verify_signature": False})
         except Exception as e:
-            raise ApiError(
-                error_code="bad_id_token",
-                message="Cannot decode id_token",
-                status_code=401,
-            ) from e
-        print(f"decoded_token: {decoded_token}")
-        print(f"cls.service_url(): {cls.server_url()}")
-        # import pdb; pdb.set_trace()
+            raise TokenInvalidError('Cannot decode token') from e
+
         if decoded_token["iss"] != cls.server_url():
             valid = False
         elif (
@@ -159,15 +162,10 @@ class AuthenticationService:
             valid = False
 
         if not valid:
-            current_app.logger.error(f"Invalid token in validate_id_token: {id_token}")
             return False
 
         if now > decoded_token["exp"]:
-            raise ApiError(
-                error_code="invalid_token",
-                message="Your token is expired. Please Login",
-                status_code=401,
-            )
+            raise TokenExpiredError("Your token is expired. Please Login")
 
         return True
 
diff --git a/spiffworkflow-frontend/package-lock.json b/spiffworkflow-frontend/package-lock.json
index 0d174daf..8466f7a8 100644
--- a/spiffworkflow-frontend/package-lock.json
+++ b/spiffworkflow-frontend/package-lock.json
@@ -39,6 +39,7 @@
         "bpmn-js": "^9.3.2",
         "bpmn-js-properties-panel": "^1.10.0",
         "bpmn-js-spiffworkflow": "sartography/bpmn-js-spiffworkflow#main",
+        "cookie": "^0.5.0",
         "craco": "^0.0.3",
         "date-fns": "^2.28.0",
         "diagram-js": "^8.5.0",
@@ -66,6 +67,7 @@
       },
       "devDependencies": {
         "@cypress/grep": "^3.1.0",
+        "@types/cookie": "^0.5.1",
         "@typescript-eslint/eslint-plugin": "^5.30.5",
         "@typescript-eslint/parser": "^5.30.6",
         "cypress": "^12",
@@ -5654,6 +5656,12 @@
         "@types/node": "*"
       }
     },
+    "node_modules/@types/cookie": {
+      "version": "0.5.1",
+      "resolved": "https://registry.npmjs.org/@types/cookie/-/cookie-0.5.1.tgz",
+      "integrity": "sha512-COUnqfB2+ckwXXSFInsFdOAWQzCCx+a5hq2ruyj+Vjund94RJQd4LG2u9hnvJrTgunKAaax7ancBYlDrNYxA0g==",
+      "dev": true
+    },
     "node_modules/@types/debug": {
       "version": "4.1.7",
       "resolved": "https://registry.npmjs.org/@types/debug/-/debug-4.1.7.tgz",
@@ -35330,6 +35338,12 @@
         "@types/node": "*"
       }
     },
+    "@types/cookie": {
+      "version": "0.5.1",
+      "resolved": "https://registry.npmjs.org/@types/cookie/-/cookie-0.5.1.tgz",
+      "integrity": "sha512-COUnqfB2+ckwXXSFInsFdOAWQzCCx+a5hq2ruyj+Vjund94RJQd4LG2u9hnvJrTgunKAaax7ancBYlDrNYxA0g==",
+      "dev": true
+    },
     "@types/debug": {
       "version": "4.1.7",
       "resolved": "https://registry.npmjs.org/@types/debug/-/debug-4.1.7.tgz",
diff --git a/spiffworkflow-frontend/package.json b/spiffworkflow-frontend/package.json
index 8b65b945..515d191a 100644
--- a/spiffworkflow-frontend/package.json
+++ b/spiffworkflow-frontend/package.json
@@ -34,6 +34,7 @@
     "bpmn-js": "^9.3.2",
     "bpmn-js-properties-panel": "^1.10.0",
     "bpmn-js-spiffworkflow": "sartography/bpmn-js-spiffworkflow#main",
+    "cookie": "^0.5.0",
     "craco": "^0.0.3",
     "date-fns": "^2.28.0",
     "diagram-js": "^8.5.0",
@@ -102,6 +103,7 @@
   },
   "devDependencies": {
     "@cypress/grep": "^3.1.0",
+    "@types/cookie": "^0.5.1",
     "@typescript-eslint/eslint-plugin": "^5.30.5",
     "@typescript-eslint/parser": "^5.30.6",
     "cypress": "^12",
diff --git a/spiffworkflow-frontend/src/index.tsx b/spiffworkflow-frontend/src/index.tsx
index 7a602be6..42eddc02 100644
--- a/spiffworkflow-frontend/src/index.tsx
+++ b/spiffworkflow-frontend/src/index.tsx
@@ -20,7 +20,7 @@ const doRender = () => {
   );
 };
 
-UserService.getAuthTokenFromParams();
+UserService.loginIfNeeded();
 doRender();
 
 // If you want to start measuring performance in your app, pass a function
diff --git a/spiffworkflow-frontend/src/routes/AuthenticationList.tsx b/spiffworkflow-frontend/src/routes/AuthenticationList.tsx
index a0d15101..3fdb748b 100644
--- a/spiffworkflow-frontend/src/routes/AuthenticationList.tsx
+++ b/spiffworkflow-frontend/src/routes/AuthenticationList.tsx
@@ -42,7 +42,7 @@ export default function AuthenticationList() {
                   row.id
                 }?redirect_url=${redirectUrl}/${
                   row.id
-                }?token=${UserService.getAuthToken()}`}
+                }?token=${UserService.getAccessToken()}`}
               >
                 {row.id}
               </a>
diff --git a/spiffworkflow-frontend/src/routes/ProcessGroupList.tsx b/spiffworkflow-frontend/src/routes/ProcessGroupList.tsx
index 4c0f5d9a..5ba8563a 100644
--- a/spiffworkflow-frontend/src/routes/ProcessGroupList.tsx
+++ b/spiffworkflow-frontend/src/routes/ProcessGroupList.tsx
@@ -72,7 +72,6 @@ export default function ProcessGroupList() {
     console.log('document.cookie', document.cookie);
     return (
       <>
-        {document.cookie}
         <ProcessBreadcrumb hotCrumbs={[['Process Groups']]} />
         <Can I="POST" a={targetUris.processGroupListPath} ability={ability}>
           <Button kind="secondary" href="/admin/process-groups/new">
diff --git a/spiffworkflow-frontend/src/services/HttpService.ts b/spiffworkflow-frontend/src/services/HttpService.ts
index 4d31f1b4..b6080248 100644
--- a/spiffworkflow-frontend/src/services/HttpService.ts
+++ b/spiffworkflow-frontend/src/services/HttpService.ts
@@ -11,7 +11,7 @@ const HttpMethods = {
 const getBasicHeaders = (): object => {
   if (UserService.isLoggedIn()) {
     return {
-      Authorization: `Bearer ${UserService.getAuthToken()}`,
+      Authorization: `Bearer ${UserService.getAccessToken()}`,
     };
   }
   return {};
diff --git a/spiffworkflow-frontend/src/services/UserService.ts b/spiffworkflow-frontend/src/services/UserService.ts
index f3917f85..c90c2900 100644
--- a/spiffworkflow-frontend/src/services/UserService.ts
+++ b/spiffworkflow-frontend/src/services/UserService.ts
@@ -1,4 +1,5 @@
 import jwt from 'jwt-decode';
+import cookie from 'cookie';
 import { BACKEND_BASE_URL } from '../config';
 
 // NOTE: this currently stores the jwt token in local storage
@@ -10,6 +11,14 @@ import { BACKEND_BASE_URL } from '../config';
 // Some explanation:
 // https://dev.to/nilanth/how-to-secure-jwt-in-a-single-page-application-cko
 
+const getCookie = (key: string) => {
+  const parsedCookies = cookie.parse(document.cookie);
+  if (key in parsedCookies) {
+    return parsedCookies[key];
+  }
+  return null;
+};
+
 // const getCurrentLocation = (queryParams: string = window.location.search) => {
 const getCurrentLocation = () => {
   const queryParamString = '';
@@ -24,24 +33,25 @@ const doLogin = () => {
   console.log('URL', url);
   window.location.href = url;
 };
+
+// Use access_token for now since it seems to work but if we need the
+// id token then set that in a cookie in backend as well
 const getIdToken = () => {
-  return localStorage.getItem('jwtIdToken');
+  return getCookie('access_token');
 };
 
 const doLogout = () => {
   const idToken = getIdToken();
-  localStorage.removeItem('jwtAccessToken');
-  localStorage.removeItem('jwtIdToken');
   const redirectUrl = `${window.location.origin}`;
   const url = `${BACKEND_BASE_URL}/logout?redirect_url=${redirectUrl}&id_token=${idToken}`;
   window.location.href = url;
 };
 
-const getAuthToken = () => {
-  return localStorage.getItem('jwtAccessToken');
+const getAccessToken = () => {
+  return getCookie('access_token');
 };
 const isLoggedIn = () => {
-  return !!getAuthToken();
+  return !!getAccessToken();
 };
 
 const getUserEmail = () => {
@@ -62,25 +72,8 @@ const getPreferredUsername = () => {
   return null;
 };
 
-// FIXME: we could probably change this search to a hook
-// and then could use useSearchParams here instead
-const getAuthTokenFromParams = () => {
-  const queryParams = new URLSearchParams(window.location.search);
-  const accessToken = queryParams.get('access_token');
-  const idToken = queryParams.get('id_token');
-
-  queryParams.delete('access_token');
-  queryParams.delete('id_token');
-
-  if (accessToken) {
-    localStorage.setItem('jwtAccessToken', accessToken);
-    if (idToken) {
-      localStorage.setItem('jwtIdToken', idToken);
-    }
-    // window.location.href = `${getCurrentLocation(queryParams.toString())}`;
-    console.log('THE PALCE: ', `${getCurrentLocation()}`);
-    window.location.href = `${getCurrentLocation()}`;
-  } else if (!isLoggedIn()) {
+const loginIfNeeded = () => {
+  if (!isLoggedIn()) {
     doLogin();
   }
 };
@@ -93,8 +86,8 @@ const UserService = {
   doLogin,
   doLogout,
   isLoggedIn,
-  getAuthToken,
-  getAuthTokenFromParams,
+  getAccessToken,
+  loginIfNeeded,
   getPreferredUsername,
   getUserEmail,
   hasRole,

From b5584d73f33823bb24fa44489b0858bda6410fc8 Mon Sep 17 00:00:00 2001
From: jasquat <jasquat@users.noreply.github.com>
Date: Wed, 11 Jan 2023 17:29:08 -0500
Subject: [PATCH 05/12] remove unneeded protocol variable w/ burnettk

---
 spiffworkflow-frontend/src/config.tsx | 1 -
 1 file changed, 1 deletion(-)

diff --git a/spiffworkflow-frontend/src/config.tsx b/spiffworkflow-frontend/src/config.tsx
index 79056dd6..d8d30564 100644
--- a/spiffworkflow-frontend/src/config.tsx
+++ b/spiffworkflow-frontend/src/config.tsx
@@ -12,7 +12,6 @@ if (/^\d+\./.test(hostname) || hostname === 'localhost') {
   hostAndPort = `${hostname}:${serverPort}`;
   protocol = 'http';
 }
-protocol = 'http';
 
 let url = `${protocol}://${hostAndPort}/v1.0`;
 console.log('OUR URL', url);

From f3e0e1956ad3358dcee0b6497134ea71dae0995e Mon Sep 17 00:00:00 2001
From: jasquat <jasquat@users.noreply.github.com>
Date: Thu, 12 Jan 2023 08:12:16 -0500
Subject: [PATCH 06/12] pyl

---
 .../src/spiffworkflow_backend/__init__.py     |  3 +-
 .../spiffworkflow_backend/config/default.py   |  6 ++-
 .../routes/health_controller.py               | 10 ++--
 .../routes/process_groups_controller.py       |  8 +--
 .../src/spiffworkflow_backend/routes/user.py  | 49 +++++++++----------
 .../services/authentication_service.py        |  6 +--
 6 files changed, 40 insertions(+), 42 deletions(-)

diff --git a/spiffworkflow-backend/src/spiffworkflow_backend/__init__.py b/spiffworkflow-backend/src/spiffworkflow_backend/__init__.py
index 4ffc2f59..f67dccc0 100644
--- a/spiffworkflow-backend/src/spiffworkflow_backend/__init__.py
+++ b/spiffworkflow-backend/src/spiffworkflow_backend/__init__.py
@@ -23,7 +23,8 @@ from spiffworkflow_backend.routes.admin_blueprint.admin_blueprint import admin_b
 from spiffworkflow_backend.routes.openid_blueprint.openid_blueprint import (
     openid_blueprint,
 )
-from spiffworkflow_backend.routes.user import set_new_access_token_in_cookie, verify_token
+from spiffworkflow_backend.routes.user import set_new_access_token_in_cookie
+from spiffworkflow_backend.routes.user import verify_token
 from spiffworkflow_backend.routes.user_blueprint import user_blueprint
 from spiffworkflow_backend.services.authorization_service import AuthorizationService
 from spiffworkflow_backend.services.background_processing_service import (
diff --git a/spiffworkflow-backend/src/spiffworkflow_backend/config/default.py b/spiffworkflow-backend/src/spiffworkflow_backend/config/default.py
index 0032a8a8..763474e0 100644
--- a/spiffworkflow-backend/src/spiffworkflow_backend/config/default.py
+++ b/spiffworkflow-backend/src/spiffworkflow_backend/config/default.py
@@ -29,7 +29,8 @@ CONNECTOR_PROXY_URL = environ.get(
 
 # Open ID server
 OPEN_ID_SERVER_URL = environ.get(
-    "OPEN_ID_SERVER_URL", default="http://localhost:7002/realms/spiffworkflow"
+    "OPEN_ID_SERVER_URL",
+    default="http://localhost:7002/realms/spiffworkflow"
     # "OPEN_ID_SERVER_URL", default="http://localhost:7000/openid"
 )
 
@@ -38,7 +39,8 @@ OPEN_ID_SERVER_URL = environ.get(
 OPEN_ID_CLIENT_ID = environ.get("OPEN_ID_CLIENT_ID", default="spiffworkflow-backend")
 OPEN_ID_CLIENT_SECRET_KEY = environ.get(
     # "OPEN_ID_CLIENT_SECRET_KEY", default="JXeQExm0JhQPLumgHtIIqf52bDalHz0q"
-    "OPEN_ID_CLIENT_SECRET_KEY", default="JXeQExm0JhQPLumgHtIIqf52bDalHz0q"
+    "OPEN_ID_CLIENT_SECRET_KEY",
+    default="JXeQExm0JhQPLumgHtIIqf52bDalHz0q",
 )  # noqa: S105
 
 SPIFFWORKFLOW_BACKEND_LOG_TO_FILE = (
diff --git a/spiffworkflow-backend/src/spiffworkflow_backend/routes/health_controller.py b/spiffworkflow-backend/src/spiffworkflow_backend/routes/health_controller.py
index 30757e2a..31154e15 100644
--- a/spiffworkflow-backend/src/spiffworkflow_backend/routes/health_controller.py
+++ b/spiffworkflow-backend/src/spiffworkflow_backend/routes/health_controller.py
@@ -1,17 +1,15 @@
 """APIs for dealing with process groups, process models, and process instances."""
 import json
-from flask import current_app
 
-import flask.wrappers
 from flask.wrappers import Response
 
 from spiffworkflow_backend.models.process_instance import ProcessInstanceModel
 
 
-def status() -> flask.wrappers.Response:
+def status() -> Response:
     """Status."""
     ProcessInstanceModel.query.filter().first()
-    response = Response(json.dumps({"ok": True}), status=200, mimetype="application/json")
-    # print(f"current_app.config.get('SPIFFWORKFLOW_FRONTEND_URL').replace('http://', ''): {current_app.config.get('SPIFFWORKFLOW_FRONTEND_URL').replace('http://', '')}")
-    response.set_cookie('TEST_COOKIE1', 'HEY', domain=None)
+    response = Response(
+        json.dumps({"ok": True}), status=200, mimetype="application/json"
+    )
     return response
diff --git a/spiffworkflow-backend/src/spiffworkflow_backend/routes/process_groups_controller.py b/spiffworkflow-backend/src/spiffworkflow_backend/routes/process_groups_controller.py
index 5a593cd5..a548099f 100644
--- a/spiffworkflow-backend/src/spiffworkflow_backend/routes/process_groups_controller.py
+++ b/spiffworkflow-backend/src/spiffworkflow_backend/routes/process_groups_controller.py
@@ -1,10 +1,10 @@
 """APIs for dealing with process groups, process models, and process instances."""
 import json
-from flask import current_app
 from typing import Any
 from typing import Optional
 
 import flask.wrappers
+from flask import current_app
 from flask import g
 from flask import jsonify
 from flask import make_response
@@ -90,9 +90,11 @@ def process_group_list(
         },
     }
     # response = make_response(jsonify(response_json), 200)
-    response = Response(json.dumps(response_json), status=200, mimetype="application/json")
+    response = Response(
+        json.dumps(response_json), status=200, mimetype="application/json"
+    )
     current_app.logger.info("SETTING COOKIE")
-    response.set_cookie('TEST_COOKIE', 'HEY1')
+    response.set_cookie("TEST_COOKIE", "HEY1")
     return response
 
 
diff --git a/spiffworkflow-backend/src/spiffworkflow_backend/routes/user.py b/spiffworkflow-backend/src/spiffworkflow_backend/routes/user.py
index c1966c3a..499a0eda 100644
--- a/spiffworkflow-backend/src/spiffworkflow_backend/routes/user.py
+++ b/spiffworkflow-backend/src/spiffworkflow_backend/routes/user.py
@@ -7,6 +7,7 @@ from typing import Dict
 from typing import Optional
 from typing import Union
 
+import flask
 import jwt
 from flask import current_app
 from flask import g
@@ -14,17 +15,18 @@ from flask import redirect
 from flask import request
 from flask_bpmn.api.api_error import ApiError
 from werkzeug.wrappers import Response
-# from flask.wrappers import Response
-import flask
 
 from spiffworkflow_backend.models.user import UserModel
-from spiffworkflow_backend.services.authentication_service import TokenExpiredError, AuthenticationService
+from spiffworkflow_backend.services.authentication_service import AuthenticationService
 from spiffworkflow_backend.services.authentication_service import (
     MissingAccessTokenError,
 )
+from spiffworkflow_backend.services.authentication_service import TokenExpiredError
 from spiffworkflow_backend.services.authorization_service import AuthorizationService
 from spiffworkflow_backend.services.user_service import UserService
 
+# from flask.wrappers import Response
+
 # from flask_jwt_extended import set_access_cookies
 
 """
@@ -60,7 +62,7 @@ def verify_token(
         token = request.headers["Authorization"].removeprefix("Bearer ")
 
     # This should never be set here but just in case
-    tld = current_app.config['THREAD_LOCAL_DATA']
+    tld = current_app.config["THREAD_LOCAL_DATA"]
     if hasattr(tld, "new_access_token"):
         tld.new_access_token = None
 
@@ -84,7 +86,7 @@ def verify_token(
                 try:
                     if AuthenticationService.validate_id_or_access_token(token):
                         user_info = decoded_token
-                except (TokenExpiredError) as token_expired_error:
+                except TokenExpiredError as token_expired_error:
                     # Try to refresh the token
                     user = UserService.get_user_by_service_and_service_id(
                         decoded_token["iss"], decoded_token["sub"]
@@ -100,10 +102,13 @@ def verify_token(
                             if auth_token and "error" not in auth_token:
                                 print("SETTING NEW TOKEN")
                                 print(f"auth_token: {auth_token}")
-                                tld.new_access_token = auth_token['access_token']
+                                tld.new_access_token = auth_token["access_token"]
                                 # We have the user, but this code is a bit convoluted, and will later demand
                                 # a user_info object so it can look up the user.  Sorry to leave this crap here.
-                                user_info = {"sub": user.service_id, "iss": user.service}
+                                user_info = {
+                                    "sub": user.service_id,
+                                    "iss": user.service,
+                                }
 
                     if user_info is None:
                         raise ApiError(
@@ -162,8 +167,6 @@ def verify_token(
             g.token = token
             get_scope(token)
             return None
-            # return {"uid": g.user.id, "sub": g.user.id, "scope": scope}
-            # return validate_scope(token, user_info, user_model)
         else:
             raise ApiError(error_code="no_user_id", message="Cannot get a user id")
 
@@ -172,26 +175,17 @@ def verify_token(
     )
 
 
-def set_new_access_token_in_cookie(response: flask.wrappers.Response) -> flask.wrappers.Response:
-    print(f"response: {response.__class__}")
-    tld = current_app.config['THREAD_LOCAL_DATA']
+def set_new_access_token_in_cookie(
+    response: flask.wrappers.Response,
+) -> flask.wrappers.Response:
+    """Set_new_access_token_in_cookie."""
+    tld = current_app.config["THREAD_LOCAL_DATA"]
     if hasattr(tld, "new_access_token") and tld.new_access_token:
-        response.set_cookie('access_token', tld.new_access_token)
+        response.set_cookie("access_token", tld.new_access_token)
+        tld.new_access_token = None
     return response
 
 
-def validate_scope(token: Any) -> bool:
-    """Validate_scope."""
-    print("validate_scope")
-    # token = AuthenticationService.refresh_token(token)
-    # user_info = AuthenticationService.get_user_info_from_public_access_token(token)
-    # bearer_token = AuthenticationService.get_bearer_token(token)
-    # permission = AuthenticationService.get_permission_by_basic_token(token)
-    # permissions = AuthenticationService.get_permissions_by_token_for_resource_and_scope(token)
-    # introspection = AuthenticationService.introspect_token(basic_token)
-    return True
-
-
 def encode_auth_token(sub: str, token_type: Optional[str] = None) -> str:
     """Generates the Auth Token.
 
@@ -235,6 +229,7 @@ def parse_id_token(token: str) -> Any:
     decoded = base64.b64decode(padded)
     return json.loads(decoded)
 
+
 def login_return(code: str, state: str, session_state: str) -> Optional[Response]:
     """Login_return."""
     state_dict = ast.literal_eval(base64.b64decode(state).decode("utf-8"))
@@ -258,8 +253,8 @@ def login_return(code: str, state: str, session_state: str) -> Optional[Response
                     + f"access_token={auth_token_object['access_token']}&"
                     + f"id_token={id_token}"
                 )
-                tld = current_app.config['THREAD_LOCAL_DATA']
-                tld.new_access_token = auth_token_object['access_token']
+                tld = current_app.config["THREAD_LOCAL_DATA"]
+                tld.new_access_token = auth_token_object["access_token"]
                 return redirect(redirect_url)
 
         raise ApiError(
diff --git a/spiffworkflow-backend/src/spiffworkflow_backend/services/authentication_service.py b/spiffworkflow-backend/src/spiffworkflow_backend/services/authentication_service.py
index 309dca1e..92480f7b 100644
--- a/spiffworkflow-backend/src/spiffworkflow_backend/services/authentication_service.py
+++ b/spiffworkflow-backend/src/spiffworkflow_backend/services/authentication_service.py
@@ -22,11 +22,11 @@ class MissingAccessTokenError(Exception):
 
 # These could be either 'id' OR 'access' tokens and we can't always know which
 class TokenExpiredError(Exception):
-    pass
+    """TokenExpiredError."""
 
 
 class TokenInvalidError(Exception):
-    pass
+    """TokenInvalidError."""
 
 
 class AuthenticationProviderTypes(enum.Enum):
@@ -144,7 +144,7 @@ class AuthenticationService:
         try:
             decoded_token = jwt.decode(token, options={"verify_signature": False})
         except Exception as e:
-            raise TokenInvalidError('Cannot decode token') from e
+            raise TokenInvalidError("Cannot decode token") from e
 
         if decoded_token["iss"] != cls.server_url():
             valid = False

From d866ec5981cca3c5a7e326f1dea95553af8d964f Mon Sep 17 00:00:00 2001
From: jasquat <jasquat@users.noreply.github.com>
Date: Thu, 12 Jan 2023 10:29:37 -0500
Subject: [PATCH 07/12] logout works now and queryparams are getting passed
 correctly on login now

---
 spiffworkflow-backend/bin/save_all_bpmn.py    |  1 -
 .../routes/process_groups_controller.py       |  9 +---
 .../src/spiffworkflow_backend/routes/user.py  | 53 ++++++++++++-------
 .../services/authentication_service.py        |  4 +-
 .../services/authorization_service.py         | 53 -------------------
 spiffworkflow-frontend/src/helpers.tsx        |  4 +-
 .../src/services/UserService.ts               | 21 ++++----
 7 files changed, 49 insertions(+), 96 deletions(-)

diff --git a/spiffworkflow-backend/bin/save_all_bpmn.py b/spiffworkflow-backend/bin/save_all_bpmn.py
index b7b61628..fd44bb54 100644
--- a/spiffworkflow-backend/bin/save_all_bpmn.py
+++ b/spiffworkflow-backend/bin/save_all_bpmn.py
@@ -9,7 +9,6 @@ def main() -> None:
     """Main."""
     app = create_app()
     with app.app_context():
-        print("HEY")
         failing_process_models = DataSetupService.save_all_process_models()
         for bpmn_errors in failing_process_models:
             print(bpmn_errors)
diff --git a/spiffworkflow-backend/src/spiffworkflow_backend/routes/process_groups_controller.py b/spiffworkflow-backend/src/spiffworkflow_backend/routes/process_groups_controller.py
index a548099f..2a516f9d 100644
--- a/spiffworkflow-backend/src/spiffworkflow_backend/routes/process_groups_controller.py
+++ b/spiffworkflow-backend/src/spiffworkflow_backend/routes/process_groups_controller.py
@@ -4,7 +4,6 @@ from typing import Any
 from typing import Optional
 
 import flask.wrappers
-from flask import current_app
 from flask import g
 from flask import jsonify
 from flask import make_response
@@ -89,13 +88,7 @@ def process_group_list(
             "pages": pages,
         },
     }
-    # response = make_response(jsonify(response_json), 200)
-    response = Response(
-        json.dumps(response_json), status=200, mimetype="application/json"
-    )
-    current_app.logger.info("SETTING COOKIE")
-    response.set_cookie("TEST_COOKIE", "HEY1")
-    return response
+    return make_response(jsonify(response_json), 200)
 
 
 def process_group_show(
diff --git a/spiffworkflow-backend/src/spiffworkflow_backend/routes/user.py b/spiffworkflow-backend/src/spiffworkflow_backend/routes/user.py
index 499a0eda..4b2c696f 100644
--- a/spiffworkflow-backend/src/spiffworkflow_backend/routes/user.py
+++ b/spiffworkflow-backend/src/spiffworkflow_backend/routes/user.py
@@ -62,9 +62,7 @@ def verify_token(
         token = request.headers["Authorization"].removeprefix("Bearer ")
 
     # This should never be set here but just in case
-    tld = current_app.config["THREAD_LOCAL_DATA"]
-    if hasattr(tld, "new_access_token"):
-        tld.new_access_token = None
+    _clear_auth_tokens_from_thread_local_data()
 
     if token:
         user_model = None
@@ -100,9 +98,9 @@ def verify_token(
                                 )
                             )
                             if auth_token and "error" not in auth_token:
-                                print("SETTING NEW TOKEN")
-                                print(f"auth_token: {auth_token}")
+                                tld = current_app.config["THREAD_LOCAL_DATA"]
                                 tld.new_access_token = auth_token["access_token"]
+                                tld.new_id_token = auth_token["id_token"]
                                 # We have the user, but this code is a bit convoluted, and will later demand
                                 # a user_info object so it can look up the user.  Sorry to leave this crap here.
                                 user_info = {
@@ -178,11 +176,24 @@ def verify_token(
 def set_new_access_token_in_cookie(
     response: flask.wrappers.Response,
 ) -> flask.wrappers.Response:
-    """Set_new_access_token_in_cookie."""
+    """Checks if a new token has been set in THREAD_LOCAL_DATA and sets cookies if appropriate.
+
+    It will also delete the cookies if the user has logged out.
+    """
     tld = current_app.config["THREAD_LOCAL_DATA"]
     if hasattr(tld, "new_access_token") and tld.new_access_token:
         response.set_cookie("access_token", tld.new_access_token)
-        tld.new_access_token = None
+
+    # id_token is required for logging out since this gets passed back to the openid server
+    if hasattr(tld, "new_id_token") and tld.new_id_token:
+        response.set_cookie("id_token", tld.new_id_token)
+
+    if hasattr(tld, 'user_has_logged_out') and tld.user_has_logged_out:
+        response.set_cookie("id_token", '', max_age=0)
+        response.set_cookie("access_token", '', max_age=0)
+
+    _clear_auth_tokens_from_thread_local_data()
+
     return response
 
 
@@ -249,12 +260,12 @@ def login_return(code: str, state: str, session_state: str) -> Optional[Response
                     user_model.id, auth_token_object["refresh_token"]
                 )
                 redirect_url = (
-                    f"{state_redirect_url}?"
-                    + f"access_token={auth_token_object['access_token']}&"
-                    + f"id_token={id_token}"
+                    f"{state_redirect_url}"
                 )
                 tld = current_app.config["THREAD_LOCAL_DATA"]
                 tld.new_access_token = auth_token_object["access_token"]
+                tld.new_id_token = auth_token_object["id_token"]
+                print(f"REDIRECT_URL: {redirect_url}")
                 return redirect(redirect_url)
 
         raise ApiError(
@@ -300,6 +311,8 @@ def logout(id_token: str, redirect_url: Optional[str]) -> Response:
     """Logout."""
     if redirect_url is None:
         redirect_url = ""
+    tld = current_app.config["THREAD_LOCAL_DATA"]
+    tld.user_has_logged_out = True
     return AuthenticationService().logout(redirect_url=redirect_url, id_token=id_token)
 
 
@@ -328,15 +341,6 @@ def get_decoded_token(token: str) -> Optional[Dict]:
                 error_code="unknown_token",
                 message="Unknown token type in get_decoded_token",
             )
-    # try:
-    #     # see if we have an open_id token
-    #     decoded_token = AuthorizationService.decode_auth_token(token)
-    # else:
-    #     if 'sub' in decoded_token and 'iss' in decoded_token and 'aud' in decoded_token:
-    #         token_type = 'id_token'
-
-    # if 'token_type' in decoded_token and 'sub' in decoded_token:
-    #     return True
 
 
 def get_scope(token: str) -> str:
@@ -363,3 +367,14 @@ def get_user_from_decoded_internal_token(decoded_token: dict) -> Optional[UserMo
         return user
     user = UserService.create_user(service_id, service, service_id)
     return user
+
+
+def _clear_auth_tokens_from_thread_local_data() -> None:
+    """_clear_auth_tokens_from_thread_local_data."""
+    tld = current_app.config["THREAD_LOCAL_DATA"]
+    if hasattr(tld, "new_access_token"):
+        delattr(tld, "new_access_token")
+    if hasattr(tld, "new_id_token"):
+        delattr(tld, "new_id_token")
+    if hasattr(tld, "user_has_logged_out"):
+        delattr(tld, "user_has_logged_out")
diff --git a/spiffworkflow-backend/src/spiffworkflow_backend/services/authentication_service.py b/spiffworkflow-backend/src/spiffworkflow_backend/services/authentication_service.py
index 92480f7b..275be19d 100644
--- a/spiffworkflow-backend/src/spiffworkflow_backend/services/authentication_service.py
+++ b/spiffworkflow-backend/src/spiffworkflow_backend/services/authentication_service.py
@@ -64,9 +64,7 @@ class AuthenticationService:
         openid_config_url = f"{cls.server_url()}/.well-known/openid-configuration"
         print(f"openid_config_url: {openid_config_url}")
         if name not in AuthenticationService.ENDPOINT_CACHE:
-            print("BEFORE")
             response = requests.get(openid_config_url)
-            print("AFTER")
             AuthenticationService.ENDPOINT_CACHE = response.json()
         if name not in AuthenticationService.ENDPOINT_CACHE:
             raise Exception(
@@ -95,6 +93,7 @@ class AuthenticationService:
     @staticmethod
     def generate_state(redirect_url: str) -> bytes:
         """Generate_state."""
+        print(f"REDIRECT_URL_HEY: {redirect_url}")
         state = base64.b64encode(bytes(str({"redirect_url": redirect_url}), "UTF-8"))
         return state
 
@@ -103,6 +102,7 @@ class AuthenticationService:
     ) -> str:
         """Get_login_redirect_url."""
         return_redirect_url = f"{self.get_backend_url()}{redirect_url}"
+        print(f"RETURN_REDIRECT_URL_ONE: {return_redirect_url}")
         login_redirect_url = (
             self.open_id_endpoint_for_name("authorization_endpoint")
             + f"?state={state}&"
diff --git a/spiffworkflow-backend/src/spiffworkflow_backend/services/authorization_service.py b/spiffworkflow-backend/src/spiffworkflow_backend/services/authorization_service.py
index 9abe2597..ba43439e 100644
--- a/spiffworkflow-backend/src/spiffworkflow_backend/services/authorization_service.py
+++ b/spiffworkflow-backend/src/spiffworkflow_backend/services/authorization_service.py
@@ -412,59 +412,6 @@ class AuthorizationService:
             status_code=403,
         )
 
-    # def refresh_token(self, token: str) -> str:
-    #     """Refresh_token."""
-    #     # if isinstance(token, str):
-    #     #     token = eval(token)
-    #     (
-    #         open_id_server_url,
-    #         open_id_client_id,
-    #         open_id_realm_name,
-    #         open_id_client_secret_key,
-    #     ) = AuthorizationService.get_open_id_args()
-    #     headers = {"Content-Type": "application/x-www-form-urlencoded"}
-    #     request_url = f"{open_id_server_url}/realms/{open_id_realm_name}/protocol/openid-connect/token"
-    #     data = {
-    #         "grant_type": "refresh_token",
-    #         "client_id": "spiffworkflow-frontend",
-    #         "subject_token": token,
-    #         "refresh_token": token,
-    #     }
-    #     refresh_response = requests.post(request_url, headers=headers, data=data)
-    #     refresh_token = json.loads(refresh_response.text)
-    #     return refresh_token
-
-    # def get_bearer_token(self, basic_token: str) -> dict:
-    #     """Get_bearer_token."""
-    #     (
-    #         open_id_server_url,
-    #         open_id_client_id,
-    #         open_id_realm_name,
-    #         open_id_client_secret_key,
-    #     ) = AuthorizationService.get_open_id_args()
-    #
-    #     backend_basic_auth_string = f"{open_id_client_id}:{open_id_client_secret_key}"
-    #     backend_basic_auth_bytes = bytes(backend_basic_auth_string, encoding="ascii")
-    #     backend_basic_auth = base64.b64encode(backend_basic_auth_bytes)
-    #
-    #     headers = {
-    #         "Content-Type": "application/x-www-form-urlencoded",
-    #         "Authorization": f"Basic {backend_basic_auth.decode('utf-8')}",
-    #     }
-    #     data = {
-    #         "grant_type": "urn:ietf:params:oauth:grant-type:token-exchange",
-    #         "client_id": open_id_client_id,
-    #         "subject_token": basic_token,
-    #         "audience": open_id_client_id,
-    #     }
-    #     request_url = f"{open_id_server_url}/realms/{open_id_realm_name}/protocol/openid-connect/token"
-    #
-    #     backend_response = requests.post(request_url, headers=headers, data=data)
-    #     # json_data = json.loads(backend_response.text)
-    #     # bearer_token = json_data['access_token']
-    #     bearer_token: dict = json.loads(backend_response.text)
-    #     return bearer_token
-
     @staticmethod
     def decode_auth_token(auth_token: str) -> dict[str, Union[str, None]]:
         """Decode the auth token.
diff --git a/spiffworkflow-frontend/src/helpers.tsx b/spiffworkflow-frontend/src/helpers.tsx
index 8b91367d..0bfe66d7 100644
--- a/spiffworkflow-frontend/src/helpers.tsx
+++ b/spiffworkflow-frontend/src/helpers.tsx
@@ -208,10 +208,10 @@ export const refreshAtInterval = (
   timeout: number,
   func: Function
 ) => {
-  const intervalRef = setInterval(() => func(), interval * 1000);
+  const intervalRef = setInterval(() => func(), interval * 100000);
   const timeoutRef = setTimeout(
     () => clearInterval(intervalRef),
-    timeout * 1000
+    timeout * 100000
   );
   return () => {
     clearInterval(intervalRef);
diff --git a/spiffworkflow-frontend/src/services/UserService.ts b/spiffworkflow-frontend/src/services/UserService.ts
index c90c2900..23266c3e 100644
--- a/spiffworkflow-frontend/src/services/UserService.ts
+++ b/spiffworkflow-frontend/src/services/UserService.ts
@@ -19,25 +19,24 @@ const getCookie = (key: string) => {
   return null;
 };
 
-// const getCurrentLocation = (queryParams: string = window.location.search) => {
-const getCurrentLocation = () => {
-  const queryParamString = '';
-  // if (queryParams) {
-  //   queryParamString = `?${queryParams}`;
-  // }
-  return `${window.location.origin}${window.location.pathname}${queryParamString}`;
+const getCurrentLocation = (queryParams: string = window.location.search) => {
+  let queryParamString = '';
+  if (queryParams) {
+    queryParamString = `${queryParams}`;
+  }
+  return encodeURIComponent(
+    `${window.location.origin}${window.location.pathname}${queryParamString}`
+  );
 };
 
 const doLogin = () => {
   const url = `${BACKEND_BASE_URL}/login?redirect_url=${getCurrentLocation()}`;
-  console.log('URL', url);
   window.location.href = url;
 };
 
-// Use access_token for now since it seems to work but if we need the
-// id token then set that in a cookie in backend as well
+// required for logging out
 const getIdToken = () => {
-  return getCookie('access_token');
+  return getCookie('id_token');
 };
 
 const doLogout = () => {

From b6481c78b2f2ba90f62f607fac2db3d9899ad10b Mon Sep 17 00:00:00 2001
From: jasquat <jasquat@users.noreply.github.com>
Date: Thu, 12 Jan 2023 10:48:42 -0500
Subject: [PATCH 08/12] remove several debug print statements

---
 .../src/spiffworkflow_backend/routes/user.py          | 11 ++++-------
 .../services/authentication_service.py                |  3 ---
 .../services/error_handling_service.py                |  3 ++-
 .../spiffworkflow_backend/services/message_service.py |  1 -
 .../services/service_task_service.py                  |  5 +----
 spiffworkflow-frontend/src/config.tsx                 |  4 ----
 .../src/routes/JsonSchemaFormBuilder.tsx              |  5 -----
 .../src/routes/ProcessGroupList.tsx                   |  7 -------
 .../carbon/BaseInputTemplate/BaseInputTemplate.tsx    |  1 -
 9 files changed, 7 insertions(+), 33 deletions(-)

diff --git a/spiffworkflow-backend/src/spiffworkflow_backend/routes/user.py b/spiffworkflow-backend/src/spiffworkflow_backend/routes/user.py
index 4b2c696f..efe0c3de 100644
--- a/spiffworkflow-backend/src/spiffworkflow_backend/routes/user.py
+++ b/spiffworkflow-backend/src/spiffworkflow_backend/routes/user.py
@@ -188,9 +188,9 @@ def set_new_access_token_in_cookie(
     if hasattr(tld, "new_id_token") and tld.new_id_token:
         response.set_cookie("id_token", tld.new_id_token)
 
-    if hasattr(tld, 'user_has_logged_out') and tld.user_has_logged_out:
-        response.set_cookie("id_token", '', max_age=0)
-        response.set_cookie("access_token", '', max_age=0)
+    if hasattr(tld, "user_has_logged_out") and tld.user_has_logged_out:
+        response.set_cookie("id_token", "", max_age=0)
+        response.set_cookie("access_token", "", max_age=0)
 
     _clear_auth_tokens_from_thread_local_data()
 
@@ -259,13 +259,10 @@ def login_return(code: str, state: str, session_state: str) -> Optional[Response
                 AuthenticationService.store_refresh_token(
                     user_model.id, auth_token_object["refresh_token"]
                 )
-                redirect_url = (
-                    f"{state_redirect_url}"
-                )
+                redirect_url = state_redirect_url
                 tld = current_app.config["THREAD_LOCAL_DATA"]
                 tld.new_access_token = auth_token_object["access_token"]
                 tld.new_id_token = auth_token_object["id_token"]
-                print(f"REDIRECT_URL: {redirect_url}")
                 return redirect(redirect_url)
 
         raise ApiError(
diff --git a/spiffworkflow-backend/src/spiffworkflow_backend/services/authentication_service.py b/spiffworkflow-backend/src/spiffworkflow_backend/services/authentication_service.py
index 275be19d..77082a92 100644
--- a/spiffworkflow-backend/src/spiffworkflow_backend/services/authentication_service.py
+++ b/spiffworkflow-backend/src/spiffworkflow_backend/services/authentication_service.py
@@ -62,7 +62,6 @@ class AuthenticationService:
     def open_id_endpoint_for_name(cls, name: str) -> str:
         """All openid systems provide a mapping of static names to the full path of that endpoint."""
         openid_config_url = f"{cls.server_url()}/.well-known/openid-configuration"
-        print(f"openid_config_url: {openid_config_url}")
         if name not in AuthenticationService.ENDPOINT_CACHE:
             response = requests.get(openid_config_url)
             AuthenticationService.ENDPOINT_CACHE = response.json()
@@ -93,7 +92,6 @@ class AuthenticationService:
     @staticmethod
     def generate_state(redirect_url: str) -> bytes:
         """Generate_state."""
-        print(f"REDIRECT_URL_HEY: {redirect_url}")
         state = base64.b64encode(bytes(str({"redirect_url": redirect_url}), "UTF-8"))
         return state
 
@@ -102,7 +100,6 @@ class AuthenticationService:
     ) -> str:
         """Get_login_redirect_url."""
         return_redirect_url = f"{self.get_backend_url()}{redirect_url}"
-        print(f"RETURN_REDIRECT_URL_ONE: {return_redirect_url}")
         login_redirect_url = (
             self.open_id_endpoint_for_name("authorization_endpoint")
             + f"?state={state}&"
diff --git a/spiffworkflow-backend/src/spiffworkflow_backend/services/error_handling_service.py b/spiffworkflow-backend/src/spiffworkflow_backend/services/error_handling_service.py
index 1e8b38f2..ffdfd26a 100644
--- a/spiffworkflow-backend/src/spiffworkflow_backend/services/error_handling_service.py
+++ b/spiffworkflow-backend/src/spiffworkflow_backend/services/error_handling_service.py
@@ -3,6 +3,7 @@ from typing import Any
 from typing import List
 from typing import Union
 
+from flask import current_app
 from flask_bpmn.api.api_error import ApiError
 from flask_bpmn.models.db import db
 
@@ -57,7 +58,7 @@ class ErrorHandlingService:
                 )
             except Exception as e:
                 # hmm... what to do if a notification method fails. Probably log, at least
-                print(e)
+                current_app.logger.error(e)
 
     @staticmethod
     def hanle_sentry_notification(_error: ApiError, _recipients: List) -> None:
diff --git a/spiffworkflow-backend/src/spiffworkflow_backend/services/message_service.py b/spiffworkflow-backend/src/spiffworkflow_backend/services/message_service.py
index b3d1e831..b659b13e 100644
--- a/spiffworkflow-backend/src/spiffworkflow_backend/services/message_service.py
+++ b/spiffworkflow-backend/src/spiffworkflow_backend/services/message_service.py
@@ -42,7 +42,6 @@ class MessageService:
             message_type="receive", status="ready"
         ).all()
         for message_instance_send in message_instances_send:
-            # print(f"message_instance_send.id: {message_instance_send.id}")
             # check again in case another background process picked up the message
             # while the previous one was running
             if message_instance_send.status != "ready":
diff --git a/spiffworkflow-backend/src/spiffworkflow_backend/services/service_task_service.py b/spiffworkflow-backend/src/spiffworkflow_backend/services/service_task_service.py
index 6fec8b79..674ad54d 100644
--- a/spiffworkflow-backend/src/spiffworkflow_backend/services/service_task_service.py
+++ b/spiffworkflow-backend/src/spiffworkflow_backend/services/service_task_service.py
@@ -55,9 +55,6 @@ class ServiceTaskDelegate:
             f"{connector_proxy_url()}/v1/do/{name}", json=params
         )
 
-        if proxied_response.status_code != 200:
-            print("got error from connector proxy")
-
         parsed_response = json.loads(proxied_response.text)
 
         if "refreshed_token_set" not in parsed_response:
@@ -86,7 +83,7 @@ class ServiceTaskService:
             parsed_response = json.loads(response.text)
             return parsed_response
         except Exception as e:
-            print(e)
+            current_app.logger.error(e)
             return []
 
     @staticmethod
diff --git a/spiffworkflow-frontend/src/config.tsx b/spiffworkflow-frontend/src/config.tsx
index d8d30564..36e0ed4e 100644
--- a/spiffworkflow-frontend/src/config.tsx
+++ b/spiffworkflow-frontend/src/config.tsx
@@ -1,6 +1,4 @@
 const { port, hostname } = window.location;
-console.log('START');
-console.log('window.location', window.location);
 let hostAndPort = `api.${hostname}`;
 let protocol = 'https';
 
@@ -14,11 +12,9 @@ if (/^\d+\./.test(hostname) || hostname === 'localhost') {
 }
 
 let url = `${protocol}://${hostAndPort}/v1.0`;
-console.log('OUR URL', url);
 if (process.env.REACT_APP_BACKEND_BASE_URL) {
   url = process.env.REACT_APP_BACKEND_BASE_URL;
 }
-console.log('NO THIS ONE', url);
 
 export const BACKEND_BASE_URL = url;
 
diff --git a/spiffworkflow-frontend/src/routes/JsonSchemaFormBuilder.tsx b/spiffworkflow-frontend/src/routes/JsonSchemaFormBuilder.tsx
index d4a9c2b4..b180ed2a 100644
--- a/spiffworkflow-frontend/src/routes/JsonSchemaFormBuilder.tsx
+++ b/spiffworkflow-frontend/src/routes/JsonSchemaFormBuilder.tsx
@@ -73,11 +73,6 @@ export default function JsonSchemaFormBuilder() {
   };
 
   const onFormFieldTitleChange = (newFormFieldTitle: string) => {
-    console.log('newFormFieldTitle', newFormFieldTitle);
-    console.log(
-      'setFormFieldIdHasBeenUpdatedByUser',
-      formFieldIdHasBeenUpdatedByUser
-    );
     if (!formFieldIdHasBeenUpdatedByUser) {
       setFormFieldId(underscorizeString(newFormFieldTitle));
     }
diff --git a/spiffworkflow-frontend/src/routes/ProcessGroupList.tsx b/spiffworkflow-frontend/src/routes/ProcessGroupList.tsx
index 5ba8563a..7dee4f20 100644
--- a/spiffworkflow-frontend/src/routes/ProcessGroupList.tsx
+++ b/spiffworkflow-frontend/src/routes/ProcessGroupList.tsx
@@ -42,12 +42,6 @@ export default function ProcessGroupList() {
       path: `/process-models?per_page=1000&recursive=true&include_parent_groups=true`,
       successCallback: processResultForProcessModels,
     });
-    HttpService.makeCallToBackend({
-      path: `/status`,
-      successCallback: (result: any) => {
-        console.log(result);
-      },
-    });
   }, [searchParams]);
 
   const processModelSearchArea = () => {
@@ -69,7 +63,6 @@ export default function ProcessGroupList() {
   };
 
   if (processModelAvailableItems) {
-    console.log('document.cookie', document.cookie);
     return (
       <>
         <ProcessBreadcrumb hotCrumbs={[['Process Groups']]} />
diff --git a/spiffworkflow-frontend/src/themes/carbon/BaseInputTemplate/BaseInputTemplate.tsx b/spiffworkflow-frontend/src/themes/carbon/BaseInputTemplate/BaseInputTemplate.tsx
index 9e71b921..aa1c6451 100644
--- a/spiffworkflow-frontend/src/themes/carbon/BaseInputTemplate/BaseInputTemplate.tsx
+++ b/spiffworkflow-frontend/src/themes/carbon/BaseInputTemplate/BaseInputTemplate.tsx
@@ -45,7 +45,6 @@ export default function BaseInputTemplate<
   // Note: since React 15.2.0 we can't forward unknown element attributes, so we
   // exclude the "options" and "schema" ones here.
   if (!id) {
-    console.log('No id for', props);
     throw new Error(`no id for props ${JSON.stringify(props)}`);
   }
   const inputProps = {

From 6ba547576a435f17e312853590e60d19d25abb8d Mon Sep 17 00:00:00 2001
From: jasquat <jasquat@users.noreply.github.com>
Date: Thu, 12 Jan 2023 11:32:52 -0500
Subject: [PATCH 09/12] a little more cleanup w/ burnettk

---
 .../src/spiffworkflow_backend/config/default.py           | 4 +---
 .../src/spiffworkflow_backend/routes/health_controller.py | 8 ++------
 .../src/spiffworkflow_backend/routes/user.py              | 4 ----
 spiffworkflow-frontend/src/helpers.tsx                    | 4 ++--
 4 files changed, 5 insertions(+), 15 deletions(-)

diff --git a/spiffworkflow-backend/src/spiffworkflow_backend/config/default.py b/spiffworkflow-backend/src/spiffworkflow_backend/config/default.py
index 763474e0..9027347c 100644
--- a/spiffworkflow-backend/src/spiffworkflow_backend/config/default.py
+++ b/spiffworkflow-backend/src/spiffworkflow_backend/config/default.py
@@ -38,9 +38,7 @@ OPEN_ID_SERVER_URL = environ.get(
 # OPEN_ID_SERVER_URL = environ.get("OPEN_ID_SERVER_URL", default="http://localhost:7000/openid")
 OPEN_ID_CLIENT_ID = environ.get("OPEN_ID_CLIENT_ID", default="spiffworkflow-backend")
 OPEN_ID_CLIENT_SECRET_KEY = environ.get(
-    # "OPEN_ID_CLIENT_SECRET_KEY", default="JXeQExm0JhQPLumgHtIIqf52bDalHz0q"
-    "OPEN_ID_CLIENT_SECRET_KEY",
-    default="JXeQExm0JhQPLumgHtIIqf52bDalHz0q",
+    "OPEN_ID_CLIENT_SECRET_KEY", default="JXeQExm0JhQPLumgHtIIqf52bDalHz0q"
 )  # noqa: S105
 
 SPIFFWORKFLOW_BACKEND_LOG_TO_FILE = (
diff --git a/spiffworkflow-backend/src/spiffworkflow_backend/routes/health_controller.py b/spiffworkflow-backend/src/spiffworkflow_backend/routes/health_controller.py
index 31154e15..2cb4092b 100644
--- a/spiffworkflow-backend/src/spiffworkflow_backend/routes/health_controller.py
+++ b/spiffworkflow-backend/src/spiffworkflow_backend/routes/health_controller.py
@@ -1,6 +1,5 @@
 """APIs for dealing with process groups, process models, and process instances."""
-import json
-
+from flask import make_response
 from flask.wrappers import Response
 
 from spiffworkflow_backend.models.process_instance import ProcessInstanceModel
@@ -9,7 +8,4 @@ from spiffworkflow_backend.models.process_instance import ProcessInstanceModel
 def status() -> Response:
     """Status."""
     ProcessInstanceModel.query.filter().first()
-    response = Response(
-        json.dumps({"ok": True}), status=200, mimetype="application/json"
-    )
-    return response
+    return make_response({"ok": True}, 200)
diff --git a/spiffworkflow-backend/src/spiffworkflow_backend/routes/user.py b/spiffworkflow-backend/src/spiffworkflow_backend/routes/user.py
index efe0c3de..cc7c9bd4 100644
--- a/spiffworkflow-backend/src/spiffworkflow_backend/routes/user.py
+++ b/spiffworkflow-backend/src/spiffworkflow_backend/routes/user.py
@@ -25,10 +25,6 @@ from spiffworkflow_backend.services.authentication_service import TokenExpiredEr
 from spiffworkflow_backend.services.authorization_service import AuthorizationService
 from spiffworkflow_backend.services.user_service import UserService
 
-# from flask.wrappers import Response
-
-# from flask_jwt_extended import set_access_cookies
-
 """
 .. module:: crc.api.user
    :synopsis: Single Sign On (SSO) user login and session handlers
diff --git a/spiffworkflow-frontend/src/helpers.tsx b/spiffworkflow-frontend/src/helpers.tsx
index 0bfe66d7..8b91367d 100644
--- a/spiffworkflow-frontend/src/helpers.tsx
+++ b/spiffworkflow-frontend/src/helpers.tsx
@@ -208,10 +208,10 @@ export const refreshAtInterval = (
   timeout: number,
   func: Function
 ) => {
-  const intervalRef = setInterval(() => func(), interval * 100000);
+  const intervalRef = setInterval(() => func(), interval * 1000);
   const timeoutRef = setTimeout(
     () => clearInterval(intervalRef),
-    timeout * 100000
+    timeout * 1000
   );
   return () => {
     clearInterval(intervalRef);

From c526b55fbd04f5008662849465620226b2eb8b51 Mon Sep 17 00:00:00 2001
From: jasquat <jasquat@users.noreply.github.com>
Date: Thu, 12 Jan 2023 11:50:11 -0500
Subject: [PATCH 10/12] set the domain for the token cookies w/ burnettk

---
 .../src/spiffworkflow_backend/routes/user.py        | 13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)

diff --git a/spiffworkflow-backend/src/spiffworkflow_backend/routes/user.py b/spiffworkflow-backend/src/spiffworkflow_backend/routes/user.py
index cc7c9bd4..e461def9 100644
--- a/spiffworkflow-backend/src/spiffworkflow_backend/routes/user.py
+++ b/spiffworkflow-backend/src/spiffworkflow_backend/routes/user.py
@@ -2,6 +2,7 @@
 import ast
 import base64
 import json
+import re
 from typing import Any
 from typing import Dict
 from typing import Optional
@@ -177,16 +178,20 @@ def set_new_access_token_in_cookie(
     It will also delete the cookies if the user has logged out.
     """
     tld = current_app.config["THREAD_LOCAL_DATA"]
+    domain_for_frontend_cookie: Optional[str] = re.sub(r"^https?:\/\/", '', current_app.config['SPIFFWORKFLOW_FRONTEND_URL'])
+    if domain_for_frontend_cookie and domain_for_frontend_cookie.startswith('localhost'):
+        domain_for_frontend_cookie = None
+
     if hasattr(tld, "new_access_token") and tld.new_access_token:
-        response.set_cookie("access_token", tld.new_access_token)
+        response.set_cookie("access_token", tld.new_access_token, domain=domain_for_frontend_cookie)
 
     # id_token is required for logging out since this gets passed back to the openid server
     if hasattr(tld, "new_id_token") and tld.new_id_token:
-        response.set_cookie("id_token", tld.new_id_token)
+        response.set_cookie("id_token", tld.new_id_token, domain=domain_for_frontend_cookie)
 
     if hasattr(tld, "user_has_logged_out") and tld.user_has_logged_out:
-        response.set_cookie("id_token", "", max_age=0)
-        response.set_cookie("access_token", "", max_age=0)
+        response.set_cookie("id_token", "", max_age=0, domain=domain_for_frontend_cookie)
+        response.set_cookie("access_token", "", max_age=0, domain=domain_for_frontend_cookie)
 
     _clear_auth_tokens_from_thread_local_data()
 

From f48793c8729ddfaf7b52f7508b054efe210a8960 Mon Sep 17 00:00:00 2001
From: jasquat <jasquat@users.noreply.github.com>
Date: Thu, 12 Jan 2023 15:27:32 -0500
Subject: [PATCH 11/12] added detailed area to process instance show page w/
 burnettk

---
 .../models/process_instance.py                |  4 +-
 .../src/spiffworkflow_backend/routes/user.py  | 24 ++++--
 .../process_instance_report_service.py        |  6 +-
 .../integration/test_process_api.py           | 20 +++--
 .../components/ProcessInstanceListTable.tsx   |  2 +-
 spiffworkflow-frontend/src/interfaces.ts      |  5 ++
 .../src/routes/ProcessInstanceShow.tsx        | 76 ++++++++++++++++++-
 7 files changed, 122 insertions(+), 15 deletions(-)

diff --git a/spiffworkflow-backend/src/spiffworkflow_backend/models/process_instance.py b/spiffworkflow-backend/src/spiffworkflow_backend/models/process_instance.py
index 31912c30..42a90364 100644
--- a/spiffworkflow-backend/src/spiffworkflow_backend/models/process_instance.py
+++ b/spiffworkflow-backend/src/spiffworkflow_backend/models/process_instance.py
@@ -98,12 +98,14 @@ class ProcessInstanceModel(SpiffworkflowBaseDBModel):
             "status": self.status,
             "start_in_seconds": self.start_in_seconds,
             "end_in_seconds": self.end_in_seconds,
+            "created_at_in_seconds": self.created_at_in_seconds,
+            "updated_at_in_seconds": self.updated_at_in_seconds,
             "process_initiator_id": self.process_initiator_id,
             "bpmn_xml_file_contents": self.bpmn_xml_file_contents,
             "bpmn_version_control_identifier": self.bpmn_version_control_identifier,
             "bpmn_version_control_type": self.bpmn_version_control_type,
             "spiff_step": self.spiff_step,
-            "username": self.process_initiator.username,
+            "process_initiator_username": self.process_initiator.username,
         }
 
     @property
diff --git a/spiffworkflow-backend/src/spiffworkflow_backend/routes/user.py b/spiffworkflow-backend/src/spiffworkflow_backend/routes/user.py
index e461def9..5a3aa53d 100644
--- a/spiffworkflow-backend/src/spiffworkflow_backend/routes/user.py
+++ b/spiffworkflow-backend/src/spiffworkflow_backend/routes/user.py
@@ -178,20 +178,32 @@ def set_new_access_token_in_cookie(
     It will also delete the cookies if the user has logged out.
     """
     tld = current_app.config["THREAD_LOCAL_DATA"]
-    domain_for_frontend_cookie: Optional[str] = re.sub(r"^https?:\/\/", '', current_app.config['SPIFFWORKFLOW_FRONTEND_URL'])
-    if domain_for_frontend_cookie and domain_for_frontend_cookie.startswith('localhost'):
+    domain_for_frontend_cookie: Optional[str] = re.sub(
+        r"^https?:\/\/", "", current_app.config["SPIFFWORKFLOW_FRONTEND_URL"]
+    )
+    if domain_for_frontend_cookie and domain_for_frontend_cookie.startswith(
+        "localhost"
+    ):
         domain_for_frontend_cookie = None
 
     if hasattr(tld, "new_access_token") and tld.new_access_token:
-        response.set_cookie("access_token", tld.new_access_token, domain=domain_for_frontend_cookie)
+        response.set_cookie(
+            "access_token", tld.new_access_token, domain=domain_for_frontend_cookie
+        )
 
     # id_token is required for logging out since this gets passed back to the openid server
     if hasattr(tld, "new_id_token") and tld.new_id_token:
-        response.set_cookie("id_token", tld.new_id_token, domain=domain_for_frontend_cookie)
+        response.set_cookie(
+            "id_token", tld.new_id_token, domain=domain_for_frontend_cookie
+        )
 
     if hasattr(tld, "user_has_logged_out") and tld.user_has_logged_out:
-        response.set_cookie("id_token", "", max_age=0, domain=domain_for_frontend_cookie)
-        response.set_cookie("access_token", "", max_age=0, domain=domain_for_frontend_cookie)
+        response.set_cookie(
+            "id_token", "", max_age=0, domain=domain_for_frontend_cookie
+        )
+        response.set_cookie(
+            "access_token", "", max_age=0, domain=domain_for_frontend_cookie
+        )
 
     _clear_auth_tokens_from_thread_local_data()
 
diff --git a/spiffworkflow-backend/src/spiffworkflow_backend/services/process_instance_report_service.py b/spiffworkflow-backend/src/spiffworkflow_backend/services/process_instance_report_service.py
index a4b6a9b1..0b75ea61 100644
--- a/spiffworkflow-backend/src/spiffworkflow_backend/services/process_instance_report_service.py
+++ b/spiffworkflow-backend/src/spiffworkflow_backend/services/process_instance_report_service.py
@@ -338,7 +338,11 @@ class ProcessInstanceReportService:
             },
             {"Header": "Start", "accessor": "start_in_seconds", "filterable": False},
             {"Header": "End", "accessor": "end_in_seconds", "filterable": False},
-            {"Header": "Username", "accessor": "username", "filterable": False},
+            {
+                "Header": "Started By",
+                "accessor": "process_initiator_username",
+                "filterable": False,
+            },
             {"Header": "Status", "accessor": "status", "filterable": False},
         ]
 
diff --git a/spiffworkflow-backend/tests/spiffworkflow_backend/integration/test_process_api.py b/spiffworkflow-backend/tests/spiffworkflow_backend/integration/test_process_api.py
index 150d033f..be5722f8 100644
--- a/spiffworkflow-backend/tests/spiffworkflow_backend/integration/test_process_api.py
+++ b/spiffworkflow-backend/tests/spiffworkflow_backend/integration/test_process_api.py
@@ -232,7 +232,7 @@ class TestProcessApi(BaseTest):
             "process_model_display_name",
             "start_in_seconds",
             "end_in_seconds",
-            "username",
+            "process_initiator_username",
             "status",
             "summary",
             "description",
@@ -3145,7 +3145,7 @@ class TestProcessApi(BaseTest):
         assert response.json["pagination"]["pages"] == 1
         assert response.json["pagination"]["total"] == 1
 
-    def test_can_get_process_instance_list_with_report_metadata_and_process_initator(
+    def test_can_get_process_instance_list_with_report_metadata_and_process_initiator(
         self,
         app: Flask,
         client: FlaskClient,
@@ -3223,8 +3223,14 @@ class TestProcessApi(BaseTest):
         assert response.json is not None
         assert response.status_code == 200
         assert len(response.json["results"]) == 2
-        assert response.json["results"][0]["username"] == user_one.username
-        assert response.json["results"][1]["username"] == user_one.username
+        assert (
+            response.json["results"][0]["process_initiator_username"]
+            == user_one.username
+        )
+        assert (
+            response.json["results"][1]["process_initiator_username"]
+            == user_one.username
+        )
 
         response = client.get(
             f"/v1.0/process-instances?report_identifier={process_instance_report_dne.identifier}",
@@ -3276,7 +3282,11 @@ class TestProcessApi(BaseTest):
             },
             {"Header": "Start", "accessor": "start_in_seconds", "filterable": False},
             {"Header": "End", "accessor": "end_in_seconds", "filterable": False},
-            {"Header": "Username", "accessor": "username", "filterable": False},
+            {
+                "Header": "Username",
+                "accessor": "process_initiator_username",
+                "filterable": False,
+            },
             {"Header": "Status", "accessor": "status", "filterable": False},
             {"Header": "key1", "accessor": "key1", "filterable": True},
             {"Header": "key2", "accessor": "key2", "filterable": True},
diff --git a/spiffworkflow-frontend/src/components/ProcessInstanceListTable.tsx b/spiffworkflow-frontend/src/components/ProcessInstanceListTable.tsx
index b161d58d..02a6395f 100644
--- a/spiffworkflow-frontend/src/components/ProcessInstanceListTable.tsx
+++ b/spiffworkflow-frontend/src/components/ProcessInstanceListTable.tsx
@@ -1171,7 +1171,7 @@ export default function ProcessInstanceListTable({
       start_in_seconds: 'Start Time',
       end_in_seconds: 'End Time',
       status: 'Status',
-      username: 'Started By',
+      process_initiator_username: 'Started By',
       spiff_step: 'SpiffWorkflow Step',
     };
     const getHeaderLabel = (header: string) => {
diff --git a/spiffworkflow-frontend/src/interfaces.ts b/spiffworkflow-frontend/src/interfaces.ts
index 97ef763c..5025855b 100644
--- a/spiffworkflow-frontend/src/interfaces.ts
+++ b/spiffworkflow-frontend/src/interfaces.ts
@@ -73,8 +73,13 @@ export interface ProcessInstance {
   status: string;
   start_in_seconds: number | null;
   end_in_seconds: number | null;
+  process_initiator_username: string;
   bpmn_xml_file_contents?: string;
   spiff_step?: number;
+  created_at_in_seconds: number;
+  updated_at_in_seconds: number;
+  bpmn_version_control_identifier: string;
+  bpmn_version_control_type: string;
 }
 
 export interface MessageCorrelationProperties {
diff --git a/spiffworkflow-frontend/src/routes/ProcessInstanceShow.tsx b/spiffworkflow-frontend/src/routes/ProcessInstanceShow.tsx
index b32e16fc..a812248a 100644
--- a/spiffworkflow-frontend/src/routes/ProcessInstanceShow.tsx
+++ b/spiffworkflow-frontend/src/routes/ProcessInstanceShow.tsx
@@ -7,12 +7,12 @@ import {
   useSearchParams,
 } from 'react-router-dom';
 import {
+  CaretRight,
   TrashCan,
   StopOutline,
   PauseOutline,
   PlayOutline,
   CaretLeft,
-  CaretRight,
   InProgress,
   Checkmark,
   Warning,
@@ -72,6 +72,7 @@ export default function ProcessInstanceShow({ variant }: OwnProps) {
   const [eventPayload, setEventPayload] = useState<string>('{}');
   const [eventTextEditorEnabled, setEventTextEditorEnabled] =
     useState<boolean>(false);
+  const [displayDetails, setDisplayDetails] = useState<boolean>(false);
 
   const setErrorObject = (useContext as any)(ErrorContext)[1];
 
@@ -280,6 +281,70 @@ export default function ProcessInstanceShow({ variant }: OwnProps) {
     });
   };
 
+  const detailedViewElement = () => {
+    if (!processInstance) {
+      return null;
+    }
+
+    if (displayDetails) {
+      return (
+        <>
+          <Grid condensed fullWidth>
+            <Button
+              kind="ghost"
+              className="button-link"
+              onClick={() => setDisplayDetails(false)}
+              title="Hide Details"
+            >
+              &laquo; Hide Details
+            </Button>
+          </Grid>
+          <Grid condensed fullWidth>
+            <Column sm={1} md={1} lg={2} className="grid-list-title">
+              Updated At:{' '}
+            </Column>
+            <Column sm={3} md={3} lg={3} className="grid-date">
+              {convertSecondsToFormattedDateTime(
+                processInstance.updated_at_in_seconds
+              )}
+            </Column>
+          </Grid>
+          <Grid condensed fullWidth>
+            <Column sm={1} md={1} lg={2} className="grid-list-title">
+              Created At:{' '}
+            </Column>
+            <Column sm={3} md={3} lg={3} className="grid-date">
+              {convertSecondsToFormattedDateTime(
+                processInstance.created_at_in_seconds
+              )}
+            </Column>
+          </Grid>
+          <Grid condensed fullWidth>
+            <Column sm={1} md={1} lg={2} className="grid-list-title">
+              Process model revision:{' '}
+            </Column>
+            <Column sm={3} md={3} lg={3} className="grid-date">
+              {processInstance.bpmn_version_control_identifier} (
+              {processInstance.bpmn_version_control_type})
+            </Column>
+          </Grid>
+        </>
+      );
+    }
+    return (
+      <Grid condensed fullWidth>
+        <Button
+          kind="ghost"
+          className="button-link"
+          onClick={() => setDisplayDetails(true)}
+          title="Show Details"
+        >
+          View Details &raquo;
+        </Button>
+      </Grid>
+    );
+  };
+
   const getInfoTag = () => {
     if (!processInstance) {
       return null;
@@ -316,6 +381,14 @@ export default function ProcessInstanceShow({ variant }: OwnProps) {
 
     return (
       <>
+        <Grid condensed fullWidth>
+          <Column sm={1} md={1} lg={2} className="grid-list-title">
+            Started By:{' '}
+          </Column>
+          <Column sm={3} md={3} lg={3} className="grid-date">
+            {processInstance.process_initiator_username}
+          </Column>
+        </Grid>
         <Grid condensed fullWidth>
           <Column sm={1} md={1} lg={2} className="grid-list-title">
             Started:{' '}
@@ -337,6 +410,7 @@ export default function ProcessInstanceShow({ variant }: OwnProps) {
             </Tag>
           </Column>
         </Grid>
+        {detailedViewElement()}
         <br />
         <Grid condensed fullWidth>
           <Column sm={2} md={2} lg={2}>

From ecfea3f60518e645af7fc0bf5f3b0e21b77444a9 Mon Sep 17 00:00:00 2001
From: jasquat <jasquat@users.noreply.github.com>
Date: Thu, 12 Jan 2023 15:35:05 -0500
Subject: [PATCH 12/12] fixed failing test w/ burnettk

---
 .../tests/spiffworkflow_backend/integration/test_process_api.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/spiffworkflow-backend/tests/spiffworkflow_backend/integration/test_process_api.py b/spiffworkflow-backend/tests/spiffworkflow_backend/integration/test_process_api.py
index be5722f8..83ca22b7 100644
--- a/spiffworkflow-backend/tests/spiffworkflow_backend/integration/test_process_api.py
+++ b/spiffworkflow-backend/tests/spiffworkflow_backend/integration/test_process_api.py
@@ -3283,7 +3283,7 @@ class TestProcessApi(BaseTest):
             {"Header": "Start", "accessor": "start_in_seconds", "filterable": False},
             {"Header": "End", "accessor": "end_in_seconds", "filterable": False},
             {
-                "Header": "Username",
+                "Header": "Started By",
                 "accessor": "process_initiator_username",
                 "filterable": False,
             },