#21 Implementation of FAS login model
Opened 6 years ago by a2batic. Modified 2 years ago

The application should be able to provide the user the option to log in with FAS credentials (only?). Based on whether a user is logged in or out, a few other options like the subscribe button, notifications etc. will be visible.


I think this is a great idea. Logging into fedora-app should give you access to all four apps. It will considerably improve UX.
I would like to design the screens for this. How do I proceed?

@a2batic

I'd like to contribute to the UI/UX of the login model. This is a rough mockup I came up with (didn't style it much since the overall style of the application is yet to be decided/revamped).
LoginScreenMockup.png

What do you think about Information Architecture? Should we rearrange some of the things?

FAS uses Ipsilon for authentication. Ipsilon supports OpenID Connect and OAuth.

RFC 8252 has a set of best practices for OpenID/OAuth for client apps.

A possible flow would be to redirect the user to https://id.fedoraproject.org/openidc/Authorization with the proper parameters using the system browser, then instructing OpenID to redirect to the app URI (something like fedora://login?code=<openid_response>)

Infrastructure/Authentication on Fedora Wiki

On receiving the start intent, we can exchange the OpenID response token to get an access token which can then be stored in SecureStorage and used for calling various Fedora APIs that need authentication.
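The flow proposed in the comment above, sketched as an added example (not code from Fedora-app or from the original comment): it builds the system-browser URL and validates the `fedora://login` redirect before the code is exchanged. It adds the `state` and PKCE parameters that RFC 8252 calls for; `CLIENT_ID`, the `openid` scope and PKCE support on the Fedora IdP are assumptions.

```javascript
// Added example, not code from Fedora-app. CLIENT_ID and the scope are
// placeholders; PKCE support at the IdP is assumed, not confirmed by the thread.
const { createHash, randomBytes } = require('node:crypto');

const AUTHORIZATION_ENDPOINT = 'https://id.fedoraproject.org/openidc/Authorization'; // from the thread
const REDIRECT_URI = 'fedora://login'; // custom scheme suggested in the thread
const CLIENT_ID = 'EXAMPLE_CLIENT_ID'; // placeholder

const b64url = (buf) => buf.toString('base64url');

// Step 1: build the URL to open in the system browser, plus the secrets the
// app keeps in memory until the redirect comes back.
function beginLogin() {
  const state = b64url(randomBytes(16));        // binds the callback to this request
  const codeVerifier = b64url(randomBytes(32)); // PKCE secret, never sent to the browser
  const codeChallenge = b64url(createHash('sha256').update(codeVerifier).digest());
  const url = new URL(AUTHORIZATION_ENDPOINT);
  url.search = new URLSearchParams({
    response_type: 'code',
    client_id: CLIENT_ID,
    redirect_uri: REDIRECT_URI,
    scope: 'openid',
    state,
    code_challenge: codeChallenge,
    code_challenge_method: 'S256',
  }).toString();
  return { url: url.toString(), pending: { state, codeVerifier } };
}

// Step 2: validate the fedora://login?... callback and return the form fields
// for the token request. Another app can register the same custom scheme, so
// the state check and the code_verifier are what tie the code to this app.
function handleRedirect(callbackUri, pending) {
  const cb = new URL(callbackUri);
  if (cb.protocol !== 'fedora:' || cb.host !== 'login') throw new Error('unexpected redirect target');
  const p = cb.searchParams;
  if (!pending || p.get('state') !== pending.state) throw new Error('state mismatch');
  if (p.has('error')) throw new Error(`authorization failed: ${p.get('error')}`);
  const code = p.get('code');
  if (!code) throw new Error('missing authorization code');
  return {
    grant_type: 'authorization_code',
    code,
    redirect_uri: REDIRECT_URI,
    client_id: CLIENT_ID,
    code_verifier: pending.codeVerifier,
  };
}
```

The returned object is the form body for the IdP's token endpoint, whose URL is not given in this thread.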

@thelittlewonder,
Your mockup looks nice, but unfortunately, in this scenario, we may have no use of that.

@amitosh do you mean that people should log in through OpenID instead of FAS?
If not please tell me more about how you would want people to login.

> A possible flow would be to redirect the user to https://id.fedoraproject.org/openidc/Authorization with the proper parameters using the system browser, then instructing OpenID to redirect to the app URI (something like fedora://login?code=<openid_response>)

Is it possible to send over the credentials from a native app screen rather than opening a login panel in a system browser pop up?

> Your mockup looks nice, but unfortunately, in this scenario, we may have no use of that.

No problem. :laughing:

Just checked with the Fedora infra people, logging in by directly entering a username/password combo in app is not possible.

[21:17] <amitosh> Hello all, we are building an app to show fmn notifications in Android, and from the looks of it, it seems we need openid auth from id.fp.o
[21:17] <pingou> that or oidc
[21:18] <pingou> well fmn is likely still openid though
[21:19] <amitosh> do you know what grant flows do the oidc endpoint support?
[21:20] <pingou> the infrastructure I guess
[21:21] <amitosh> It is possible to do a "password" grant flow?
[21:21] <pingou> ?
[21:23] <amitosh> pingou: https://medium.com/@robert.broeckelmann/when-to-use-which-oauth2-grants-and-oidc-flows-ec6a5c00d864
[21:23] <amitosh> Resource Owner Password Credential Grant
[21:24] <pingou> puiterwijk: ^
[21:24] <puiterwijk> We do not support resource owner password credential grant
[21:24] <puiterwijk> So, no.
[21:24] <puiterwijk> You will need to use token flows
[21:25] <pingou> (and have fmn ported to oidc)
[21:26] <puiterwijk> The password flow basically beats the purpose of OIDC, where the user only enters their password at the IdP login screen, so I'm also not open to implementing it
[21:27] <puiterwijk> amitosh: do note that I have a WIP android app I intend to finish at some point to allow people to add a Fedora account at the system level, after which apps can easily use it
[21:27] <amitosh> hmm, understood. But what about client apps?
[21:27] <fm-apps> github.issue.comment -- centos-ci commented on issue #2209 on fedora-infra/bodhi https://github.com/fedora-infra/bodhi/pull/2209#issuecomment-373073860
[21:28] <puiterwijk> amitosh: what about them?
[21:29] <amitosh> puiterwijk: Nevermind, you already answered it

Maybe only from FAS credentials is a good idea since users can do nothing with their Google, FB or other accounts on fedoraproject.org

PR42:
https://pagure.io/Fedora-app/pull-request/42

I have implemented a login based on OpenID.
Can anyone check with actual FAS Credentials and let me know if it works or not?

@amitosh, that's very useful, thanks. We can ask @pingou for help if we get stuck somewhere.
