#10428 Development credentials for interacting with FAS OIDC service?
Closed: Fixed 3 months ago by kevin. Opened 5 months ago by larsks.

Describe what you would like us to do:

I would like to connect an application to the Fedora Account System (see https://github.com/operate-first/community/issues/109 for the original request). The documentation suggests that I can register with the development OIDC server at https://iddev.fedorainfracloud.org/openidc/ by using oidc-register, but that host doesn't appear to be responding.

Is there another way to acquire development credentials?

When do you need this to be done by? (YYYY/MM/DD)

This isn't particularly time critical; it's a "nice to have".


Metadata Update from @abompard:
- Issue assigned to abompard

5 months ago

Metadata Update from @abompard:
- Issue tagged with: authentication

5 months ago

Unfortunately the iddev server is gone since the switch to IPA (it was hosted outside of our infra for security reasons and connecting it to IPA as a kerberos domain member is hard from outside the infra).

I'm not sure what our policy is as to connecting external applications to the OIDC provider, I think we allow it (and I think we should) but I'm not sure there is a precedent yet, so I'd rather check with @kevin or @mobrien first.

Then we can send you a client id and a secret to authenticate to our staging instance first, and the prod ones when you're ready. There's currently no self-service way to do that.

From my point of view I think this should be encouraged.

I am not sure how the access levels will be provided. Is it a case that everyone with a fedora/centos account will just get the same level of access on login? there will likely be a need for role mappings which may need some extra integration. @abompard would be the likeliest candidate to help there.

@larsks Hey! To add your application to our authentication system, I need the following information items:

  • Main URL (example: https://app.example.com)
  • Redirect URL (example: https://app.example.com/oidc_callback)
  • Contact email address
  • Policy URL (example: https://fedoraproject.org/wiki/Legal:PrivacyPolicy)
  • A preferred way to contact you securely to give you the client id and secret, can I use the GPG key you have set on your Fedora profile?

You can post them here if it's public data or send them to my email: abompard at fedoraproject dot org.

Thanks!

@abompard thanks! The gpg key on my profile is fine.

Main url: https://console-openshift-console.apps.ocp-staging.massopen.cloud/
Redirect URL: https://sso.massopen.cloud/auth/realms/moc-testing/broker/oidc/endpoint
Contact email address: lars@redhat.com

Policy URL: That's a tough one, because there are three organizations involved, and the cluster I'm using for testing is nominally part of the Mass Open Cloud, while the ultimately target for this configuration, once we have things tested out, is the Operate First cluster (with Red Hat involved in both places). I'm not sure either group has a formal privacy policy published, and it will probably have to wait for January for an authoritative answer.

Metadata Update from @mohanboddu:
- Issue tagged with: low-gain, low-trouble, ops

4 months ago

Metadata Update from @mohanboddu:
- Issue priority set to: Waiting on Assignee (was: Needs Review)

4 months ago

So, what is happening here? Did things get sent? Is this done and can be closed?

I guess I will do so, and if it's still not done, please re-open?

Metadata Update from @kevin:
- Issue close_status updated to: Fixed
- Issue status updated to: Closed (was: Open)

3 months ago

Login to comment on this ticket.

Metadata
Boards 1
ops Status: Backlog