chore: precommit
install and run pre-commit
jlangy committed Nov 22, 2023
1 parent 9121667 commit 2aeda6b
Showing 24 changed files with 75 additions and 96 deletions.
2 changes: 1 addition & 1 deletion README.md
Expand Up @@ -17,4 +17,4 @@ Devhub docs are generated using [mkdocs](https://www.mkdocs.org/getting-started/

_If you get a dependency issue, e.g 'No module named '\_ctypes', you may have been missing dependencies when python was installed. Install the dependencies, in this case `sudo apt-get install libffi-dev`, update python. If using asdf, you can reinstall the python version in the .tool-version file._

Then run `mkdocs serve` to see the site locally.
Then run `mkdocs serve` to see the site locally.
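Review bot: the before and after lines of this hunk are identical in the rendered view, so the change is trailing-whitespace removal only, and the same pattern repeats through the files in this commit; the commit message "install and run pre-commit" would help reviewers if it named the hooks that produced the rewrite (trailing-whitespace and end-of-file fixes, judging by the hunks) so whitespace-only diffs can be reviewed with whitespace ignored.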
2 changes: 1 addition & 1 deletion catalog-info.yaml
Expand Up @@ -9,4 +9,4 @@ metadata:
spec:
type: documentation
lifecycle: production
owner: "citz"
owner: "citz"
4 changes: 2 additions & 2 deletions mkdocs.yml
@@ -1,5 +1,5 @@
site_name: BC Gov Common Hosted Single Sign-on
docs_dir: wiki

plugins:
- techdocs-core
plugins:
- techdocs-core
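Review bot: the `plugins:` / `- techdocs-core` pair is shown as both removed and re-added with no visible textual difference, so the 2 additions and 2 deletions are whitespace or indentation only; indentation of the list item under `plugins:` changes how the YAML block parses, so confirm that `mkdocs serve` (the README's local build step) still loads `techdocs-core` after the hook rewrote this file.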
1 change: 0 additions & 1 deletion wiki/Additional-Help.md
Expand Up @@ -12,4 +12,3 @@ Within RocketChat if you see someone asking questions or have issues for which y
<p align="Center">
<img width="800" height="350" src="https://user-images.githubusercontent.com/87393930/134070649-b9ee5e9b-d838-42da-848a-29e89e45d319.png">
</p>

28 changes: 13 additions & 15 deletions wiki/Alerts-and-Us.md
Expand Up @@ -7,14 +7,14 @@ Our service, the Pathfinder SSO ensures that our Keycloak server acts as an Open

Specifically, we make use of the Red Hat SSO v 7.6.1.GA

**Other systems we rely on**
**Other systems we rely on**

The Pathfinder SSO service is hosted on the Private Cloud Openshift platform in the government data centers in Kamloops and Calgary (DR). There are planned and unplanned outages that impact the infrastructure that our service is hosted in and thus impact the availability of the service.

**Private Cloud Platform as a Service (Platform Services)**

We are a subset of a larger ecosystem of services within BC Government. Our Keycloak server sits on the [BCGov Private Cloud Platform as a Service aka Openshift](https://cloud.gov.bc.ca/private-cloud).
Planned outages on the Openshift platform have minimal impact on our end user uptime due to the Switchover/GoldDR process (15-30 minutes at most).
Planned outages on the Openshift platform have minimal impact on our end user uptime due to the Switchover/GoldDR process (15-30 minutes at most).

The current availability commitments for the Gold/Gold DR Openshift service is 99.95%.

Expand All @@ -23,7 +23,7 @@ Reference: [Private Cloud Memorandum of Understanding](https://cloud.gov.bc.ca/p
**BC Government Kamloops and Calgary Data Centers**

It should be noted together with the Private Cloud/Platform Services Team we are reliant on the service levels agreed upon by the
Province an the Kamloops/Calgary Data Centers. The unplanned outage to the Data Centers are out of our control and impact our Service Level Target.
Province an the Kamloops/Calgary Data Centers. The unplanned outage to the Data Centers are out of our control and impact our Service Level Target.

The current availability commitments for the Data Centers are 99.5%.

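Review bot: the re-added line keeps the typo "Province an the Kamloops/Calgary Data Centers" and the number mismatch in "The unplanned outage to the Data Centers are out of our control"; since the hook is touching this line anyway, fix it to "Province and the Kamloops/Calgary Data Centers. Unplanned outages to the Data Centers are out of our control and impact our Service Level Target."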
Expand Down Expand Up @@ -53,7 +53,7 @@ This is SLA is is based on the highest SLA for the services we rely on.
#### Service Level Defined
As of writing (April 2023) we define our service levels as:

• Our service is available 24/7, except during planned outages within the Kamloops and Calgary data centres. Planned outages are communicated through [RocketChat](https://chat.developer.gov.bc.ca/channel/sso)
• Our service is available 24/7, except during planned outages within the Kamloops and Calgary data centres. Planned outages are communicated through [RocketChat](https://chat.developer.gov.bc.ca/channel/sso)

• Our regular business hours are weekdays from 9:00 am to 5:00 pm Pacific Time, excluding statutory holidays. Client provisioning questions and requests will be reviewed and handled during normal business hours. After hours support is provided by the Pathfinder SSO team, and is only available for service outages and other incidents that impact the service

Expand All @@ -67,11 +67,11 @@ The Pathfinder SSO Team responds to 3 levels or incidents: P1 - Critical, P3 - M
The team responds to all service incidents through our 24/7 process where our team is alerted of the incident. Our target response times are:

> P1 - Critical - respond within 20mins
>
>
> P3 - Moderate - respond within 30 mins
>
>
> P4 - Low - respond within 45 mins
>
>
As a very responsive team, you will see our metrics over the years and that we respond very quickly [2022 and 2023 Recap of Alerts/Incidents](https://github.com/bcgov/sso-keycloak/wiki/Alerts-and-Us#metrics)

Expand All @@ -80,11 +80,11 @@ It should be noted that our current version of Redhat SSO does not enable us to

**Change Communications**

When a change occurs on our service, we will provide notification in advance in these ways:
When a change occurs on our service, we will provide notification in advance in these ways:

**Minor changes** are announced 24 hours in advance in the [Rocket.Chat #sso channel.](https://chat.developer.gov.bc.ca/channel/sso) An example of a minor change is tied to small bug fixes or other low-impact changes.

**Emergency change**s are announced as soon as possible in advance in the [Rocket.Chat #sso channel.](https://chat.developer.gov.bc.ca/channel/sso) channel. An emergency change is performed to recover a failed service, prevent a failure or address a security vulnerability.
**Emergency change**s are announced as soon as possible in advance in the [Rocket.Chat #sso channel.](https://chat.developer.gov.bc.ca/channel/sso) channel. An emergency change is performed to recover a failed service, prevent a failure or address a security vulnerability.

**Medium/Major changes** are announced five (5) business days in advance in the [Rocket.Chat #sso channel.](https://chat.developer.gov.bc.ca/channel/sso) channel. An example of a medium change is an upgrade to the keycloak version number, with limited impacts.

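Review bot: the rewritten line closes the bold markers before the plural s (`**Emergency change**s`) and repeats "channel" after the link ("#sso channel.](...) channel."); move the closing `**` after "changes" and drop the second "channel". The "Medium/Major changes" context line below has the same doubled "channel".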
Expand Down Expand Up @@ -120,7 +120,7 @@ Uptime will calculate the total downtime for the alert
![image](https://github.com/bcgov/sso-keycloak/assets/9705602/7892e68c-8534-4f56-87d9-1a42aac60003)


### Gold Keycloak SSO Prod End User Access Uptime
### Gold Keycloak SSO Prod End User Access Uptime
| Month | Downtime |
| -------- | ------- |
| January 2023 | 41m 6s |
Expand All @@ -134,7 +134,7 @@ Uptime will calculate the total downtime for the alert
| September 2023 | 0 |
| October 2023 | 0h27m2s |

### Gold KeyCloak SSO Prod and IDIR siteminder Uptime
### Gold KeyCloak SSO Prod and IDIR siteminder Uptime
| Month | Downtime |
| -------- | ------- |
| January 2023 | 1h0m18s |
Expand All @@ -152,7 +152,7 @@ Uptime will calculate the total downtime for the alert
### Incidents
#### Priority 1 aka Critical Impact to Service -- no end users can log into their apps connected to keycloak
Pathfinder Team commits to acknowledging issue within 15 -20 mins and resolving as quickly as possible
##### P1 Stats
##### P1 Stats
| Month | Number of Alerts | Acknowledge Time | Resolve Time | Notes |
| :--- | :----: | :----: | ---: |---: |
| January | 6 | 2min 11s | 45m 26s | Jan 25 & Jan 24 - OCP Upgrade |
Expand Down Expand Up @@ -182,7 +182,7 @@ Pathfinder Team commits to acknowledging issue within 15 -30 mins and resolving
| September | 1 | 21s | 21s| Not a real alert, call came in|
| October| 2 | 45m32s | 46m03s| Not real alerts, came in from the call system |

#### Priority 4 aka Low Impact to Service --
#### Priority 4 aka Low Impact to Service --
Pathfinder Team commits to acknowledging issue within 15 -30 mins and resolving as quickly as possible
##### P4
| Month | Number of Alerts | Acknowledge Time | Resolve Time | Notes |
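Review bot: the touched heading `#### Priority 4 aka Low Impact to Service --` ends in a dangling `--` with no description, whereas the P1 heading in the earlier hunk reads `-- no end users can log into their apps connected to keycloak`; either add the P4 impact description or drop the trailing dashes. Also worth reconciling: this section commits to acknowledging P4 "within 15 -30 mins" while the Response Time list earlier on the page says "P4 - Low - respond within 45 mins", and the P1 section says "15 -20 mins" against "respond within 20mins" above.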
Expand Down Expand Up @@ -238,5 +238,3 @@ TBD
| Oct | 4 | 1m 18s | 1m 18s |
| Nov | 5 | 22m 35s | 36m 9s |
| Dec | 14 | 2m 29s | 2m 49s |


9 changes: 1 addition & 8 deletions wiki/Are-you-part-of-the-GitHub-BC-Gov-Org?.md
@@ -1,14 +1,7 @@
You have been redirected to this page because your github account is not affiliated with the organization `bcgov`.
You have been redirected to this page because your github account is not affiliated with the organization `bcgov`.
To find out if you are affiliated, go to your github profile and look at the organizations you are associated with. You will not see `bcgov`.

<img height="200" src="https://user-images.githubusercontent.com/56739669/202020559-4ec40037-82a4-4cd3-89e6-127c41a849fc.png" >


### [If you need to be included in this org, please read and follow the instructions here](https://docs.developer.gov.bc.ca/bc-government-organizations-in-github/#organizations-in-github).







2 changes: 1 addition & 1 deletion wiki/CSS-API-Account.md
Expand Up @@ -35,4 +35,4 @@ A: No, your CSS API Account is used only to manage your team's gold integrations
A: When the team is deleted, the associated CSS API Account gets deleted automatically

### Q: Do I need to create an integration before requesting CSS API Account?
A: You can request CSS API Account even if there are no integrations associated with your team
A: You can request CSS API Account even if there are no integrations associated with your team
13 changes: 6 additions & 7 deletions wiki/CSS-App-My-Teams.md
@@ -1,13 +1,13 @@
# Overview of My Teams
We've heard from our clients on the value of our product, the Common Hosted Single Sign On (CSS) App and a request for a feature to allow others to have access to the integrations you create with our CSS App, so let's talk about the concept of Teams!

Within the CSS App, you can create a team which allows you to add others to your team, manage the integration and manage the CSS API account you've requested.
Within the CSS App, you can create a team which allows you to add others to your team, manage the integration and manage the CSS API account you've requested.

## How do I create a team?

There are two ways to create teams within the CSS app.
There are two ways to create teams within the CSS app.

Method 1: Go to my “My Teams” tab, and select the “+Create a New Team” button.
Method 1: Go to my “My Teams” tab, and select the “+Create a New Team” button.

Method 2: Go to the “My Projects” tab, select “+Request SSO Integration”, and select “Yes” for creating a project team.

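Review bot: the re-added line "Method 1: Go to my “My Teams” tab" reads "my “My Teams”"; it should be "Go to the “My Teams” tab", matching "Go to the “My Projects” tab" in Method 2 on the next line.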
Expand Down Expand Up @@ -37,11 +37,11 @@ When creating a team, you can assign this team to one integration, or several in


#### Managing a team as an Admin
Users with the **Admin** role can manage teams.
Users with the **Admin** role can manage teams.

##### Adding New Team Members:
##### Adding New Team Members:

**Admins** can add new users to a Team, and assign users as either Admins or Members.
**Admins** can add new users to a Team, and assign users as either Admins or Members.

To add a new Team member, **Admins** must use a government email address, to ensure the user can login to the app. Once an invitation is sent, the new team member have 2 business days to login to the CSS App to be added to the team. If the team member is unable to login within this time period, their invitation link will expire. In this case, Admins can resend the invitation link from the Dashboard, under the “My Teams” tab.

Expand Down Expand Up @@ -92,4 +92,3 @@ Only an **Admin** can create roles and once the roles are created, Admins and Me
| Create API Account| **Admin** | N/A |
| View/Download API Account | **Admin** | N/A |
| Delete API Account | **Admin** | N/A |

2 changes: 1 addition & 1 deletion wiki/CSS-App-Valid-Redirect-URI-Format.md
Expand Up @@ -6,4 +6,4 @@ In CSS app, the allowed URI syntax consists of two parts with `://` in the middl
- `path`: a minimum of one character is required except for `white spaces` and `#`.
- For the `dev` and `test` redirect URIs please refer to the regular expression `/^[a-zA-Z][a-zA-Z-\.]*:\/\/\S+/`
- For `prod` URIs there are additional restrictions on wildcards (*) please refer to the regular expression `/^[a-zA-Z][a-zA-Z-\.]*:\/\/([^*\s]+\/\S*|[^*\s]*[^*\s]$)/`. This prevents domain level wildcards like `https://www.example.com*` while accepting non-domain level wildcards `https://www.example.com/*`.
* We made an exception to allow wildcard (*) in the dev, and test environments to satisfy the various development processes.
* We made an exception to allow wildcard (*) in the dev, and test environments to satisfy the various development processes.
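Review bot: the re-added line uses a `*` bullet while the rest of the list in this hunk uses `-`; since the hook touched the line, switch it to `-` so the list renders as one, and drop the comma in "in the dev, and test environments". Keep the wording that scopes the wildcard exception to dev and test: the prod regular expression in the context lines is what rejects domain-level wildcards such as `https://www.example.com*`, and that restriction is the security-relevant part of this page.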
8 changes: 4 additions & 4 deletions wiki/Creating-a-Role.md
Expand Up @@ -10,7 +10,7 @@ Roles identify a type or category of user. Admin, user, manager, and employee ar

The CSS App provides the ability to add roles to an integration. This concept is also known as Role-based access control (RBAC), a mechanism that restricts system access.

### Why use roles?
### Why use roles?

You can use roles to enable access to specific pages or data to only those users who connect, with efficiency, data security and simplicity under consideration.

Expand All @@ -26,7 +26,7 @@ You can use roles to enable access to specific pages or data to only those users
[View a quick video of how to create Roles](https://github.com/bcgov/sso-keycloak/assets/56739669/435f502a-aed8-49de-9ff7-f64dd4a38ff0), or continue reading the instructions below.


<!-- video from May 2023
<!-- video from May 2023
[View a quick video of how to create Roles](https://user-images.githubusercontent.com/56739669/231529538-0e1efa5a-51df-401a-99c2-dbc964e8cac6.mp4), or continue reading the instructions below. -->


Expand All @@ -49,7 +49,7 @@ You can use roles to enable access to specific pages or data to only those users
1. You have the ability to create different roles for each of the different environment(s) in your integration
1. When you select a role, the right hand side will show users assigned to that role
1. By deleting a role, you are also removing the role from the users assigned to the role....it’s on our backlog to allow to delete one user at a time
1. Any Team Member within your integration can create OR delete roles *
1. Any Team Member within your integration can create OR delete roles *
1. Any Team Member within your integration can see all users assigned to role

( * ) we've got it in our backlog to configure team admins to handle role management( create/delete roles) and team members to handle user assignment (add/remove users to roles)
Expand All @@ -62,7 +62,7 @@ Some client teams require roles to be created for their service accounts. Exampl
We've heard from clients the need to create roles on service accounts and as a community member in our SHARED/STANDARD service, please keep in mind, that other teams may use the same role names as you. For this reason and for good security posture, your API end point checks should look at the `aud`. **Audience check is required if you have an API for your application and you have a standard integration.**


From the wisest of our team member "One final note which is paramount; securing your API endpoints. If you're using the standard realm then you'll have to use a combination of roles (created in CSS), issuer & audience (as well as the public key) to confirm the token is indeed valid for your API. Otherwise, other teams in the same realm would have the ability to make the same call"
From the wisest of our team member "One final note which is paramount; securing your API endpoints. If you're using the standard realm then you'll have to use a combination of roles (created in CSS), issuer & audience (as well as the public key) to confirm the token is indeed valid for your API. Otherwise, other teams in the same realm would have the ability to make the same call"

***

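Review bot: the re-added line reads "From the wisest of our team member" (should be "members" or "one of our team members") and the quotation has no closing period; the advice it carries, checking roles together with issuer and audience and verifying the token signature with the public key, is the central security point of this section, so consider folding it into the bold "Audience check is required" paragraph above rather than leaving it as an aside.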
4 changes: 2 additions & 2 deletions wiki/Gold-Custom-Realm-Community-Ways-of-Working.md
@@ -1,2 +1,2 @@
Please visit our updated material here
https://bcgov.github.io/sso-docs/best-practices/gold-way-work
Please visit our updated material here
https://bcgov.github.io/sso-docs/best-practices/gold-way-work
2 changes: 1 addition & 1 deletion wiki/Identity-Provider-Attribute-Mapping.md
Expand Up @@ -9,4 +9,4 @@
[Another way to view this from a developer perspective](https://bcgov.github.io/sso-docs/advanced/Custom%20Realms/identity-mappers)

## Playground
[Try our playground to see what comes in the payload with your client integration](https://bcgov.github.io/keycloak-example-apps/)
[Try our playground to see what comes in the payload with your client integration](https://bcgov.github.io/keycloak-example-apps/)
10 changes: 5 additions & 5 deletions wiki/Our-Partners-and-Useful-Information.md
Expand Up @@ -23,13 +23,13 @@
- **Digital Credential** These are the digital equivalents of physical credentials and used with a secured digital wallet for managing and storing.[reference](https://digital.gov.bc.ca/digital-trust/about/what-are-digital-credentials/)


- **GitHub associated with BC Gov Org** Allows login of GitHub BC Gov Org member. At the time of writing, production approval for this requires you to obtain an exemption to the IM/IT standards. [IM/IT Standards Frequently Asked Questions](https://www2.gov.bc.ca/gov/content/governments/services-for-government/policies-procedures/im-it-standards/im-it-standards-faqs)
- **GitHub associated with BC Gov Org** Allows login of GitHub BC Gov Org member. At the time of writing, production approval for this requires you to obtain an exemption to the IM/IT standards. [IM/IT Standards Frequently Asked Questions](https://www2.gov.bc.ca/gov/content/governments/services-for-government/policies-procedures/im-it-standards/im-it-standards-faqs)


## Azure IDIR and IDIR?
Using Azure IDIR adds the benefit of MFA (multi-factor authentication). This is a step up security-wise from regular IDIR.
Using Azure IDIR adds the benefit of MFA (multi-factor authentication). This is a step up security-wise from regular IDIR.

You may have to educate your end users on MFA and please take note if your IDIR is not tied to a gov.bc.ca email address, please use idir_username@gov.bc.ca when prompted for your email.
You may have to educate your end users on MFA and please take note if your IDIR is not tied to a gov.bc.ca email address, please use idir_username@gov.bc.ca when prompted for your email.

You can **learn** [here from our IDIR Partner](https://intranet.gov.bc.ca/thehub/ocio/ocio-enterprise-services/information-security-branch/information-security-mfa/mfa-registration)

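Review bot: the re-added line "You may have to educate your end users on MFA and please take note if your IDIR is not tied to a gov.bc.ca email address, please use idir_username@gov.bc.ca when prompted for your email." is a run-on; split it after "MFA" and reword the rest as "If your IDIR is not tied to a gov.bc.ca email address, use idir_username@gov.bc.ca when prompted for your email." The re-added GitHub line in the same hunk still says "Allows login of GitHub BC Gov Org member" (should be "members").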
Expand All @@ -40,7 +40,7 @@ Also note if you get an error message similar to the one below, please ensure th

### IDIR and BCeID in the same browser

As we partner with the BC Gov Identity Partners of IDIR and BCeID please note in the same browser, you cannot have one tab logged in with IDIR and another with BCeID.
As we partner with the BC Gov Identity Partners of IDIR and BCeID please note in the same browser, you cannot have one tab logged in with IDIR and another with BCeID.

Please use a private browser by either using incognito or clearing your cache.

Expand All @@ -50,7 +50,7 @@ Please ensure you have tested with an incognito browser as mentioned above. If i

## Digital Credential Configuration

This defines which credential (or combinations of credentials) will be requested at user authentication.
This defines which credential (or combinations of credentials) will be requested at user authentication.

Please work with the DITP team ditp.support@gov.bc.ca to define whether an existing configuration can be used, or a new one should be created for the specific use-case. Additionally, some best practices that need to be implemented at the application level can be found [here](https://github.com/bcgov/vc-authn-oidc/blob/main/docs/BestPractices.md)
