#316 OIDC: Update scopes
Closed: Fixed 4 years ago Opened 5 years ago by puiterwijk.

Currently, default_config uses the (now deprecated) scope of "fedora" to get group and CLA information on a user.
Please update this to use the scopes as registered on https://fedoraproject.org/wiki/Infrastructure/Authentication.

Timezone information should now be in the standard "profile" scope as documented on that same page.

These new registered scopes are currently live in development, staging and production, and my plan is to fully remove the "fedora" scope when this ticket gets closed.

If I understand correctly, we should replace the fedora scope with both groups and cla in the config file. Is it correct? Is there anything else we need to do?

Correct. As far as I know that should be it.

When I try that, the openid provider returns an error on the callback endpoint: error_description=unknown+scope+groups+requested&error=invalid_scope

For development we are using https://iddev.fedorainfracloud.org/ as the provider.

This is the one that's literally in the documentation as an example:

Every service will first list its base namespace, and then the scope ID and a short summary of the scopes. To get the full scope to request, append the scope ID to the base namespace. So for example, to get the group information, this becomes: https://id.fedoraproject.org/scope/groups

Indeed, it works much better with the prefix :-)
We're also requesting the "openid" scope, is it OK? I don't see it in the wiki page.

Ah, thanks for pointing out I was missing that in the documentation.
That is a required scope yes :).

Given that your pull request is merged, I'm going to remove the scope from all our instances in the coming week.

Metadata Update from @abompard:
- Issue assigned to abompard
- Issue close_status updated to: Fixed
- Issue status updated to: Closed (was: Open)

4 years ago