Migrate Flask OIDC from oauth2client to something else that is not deprecated.
The Flask OIDC is using the oauth2client library for authentication. This library was deprecated in 2018. We want to move your apps to OpenID Connect using flask-oidc in most cases, and we already have some that are using it. It is a security risk for your apps to use a deprecated authentication library, so this will be a security benefit for all apps using the Flask framework.
The Flask OIDC is migrated to a maintained authentication library.
This affects the authentication process on every Fedora app using the Flask framework.
It would be nice to have a security expert on this initiative. An authentication expert would be nice as well.
As soon as possible; we don't want to use a deprecated authentication library in our infra.
Metadata Update from @amoloney: - Issue tagged with: In Review
I did quite a bit of work with the authlib library on Bodhi to port it to OIDC, and it already has some support for Flask. I may be able to help with this initiative or with prototyping/scoping.
Issue tagged with: Accepted
A fork of the upstream project has been created with a proof of concept that could be developed further to meet this original request, see:
https://src.fedoraproject.org/rpms/python-flask-oidc/pull-request/2
https://github.com/puiterwijk/flask-oidc/pull/144
However, this would mean the CPE team accept maintenance and ownership of this version and be responsible for its upkeep. The team are currently discussing this as an option and weighing it against another option: to remove flask-oidc from applications and consume Authlib as a dependency directly.
As the CPE team are the ones who will ultimately be responsible for this work, whether it is to develop the current branch or do some work to remove flask-oidc, it is appropriate that this is a team discussion first.
The discussion will then be brought to the fedora-infra list for community feedback when we have decided on what we believe is the best course of action in case we are wrong :)
This issue is now moved to the backlog until a decision has been reached and signed off on and requirements are gathered to deliver the project to its end state.
It might be worth considering https://github.com/CZ-NIC/pyoidc .
I've learned about its existence only recently (didn't try it out yet, didn't inspect its architecture), but it's developed and maintained by the employees of the .cz domain registry, with a pretty good track record (more about it & some other projects is listed at https://en.wikipedia.org/wiki/CZ.NIC ).
This request has been dropped by CPE, as there has been extensive work done by folks on our infra & releng team to rewrite most of the applications CPE maintains to consume Authlib directly, which removes the need to migrate Flask OIDC.
Metadata Update from @amoloney: - Issue untagged with: Accepted - Issue status updated to: Closed (was: Open) - Issue tagged with: Dropped