Blocked by #11315.
We are exploring a new CFP system for Flock this year, similar to what DevConf uses. This is hosted in-house by Red Hat and comes at no financial or infrastructure cost to Fedora. However, the system only supports Google and GitHub authentication via OAuth2. There are Fedora community members who use neither platform and they would not be able to submit to our CFP without making a new account.
The purpose of this request is to facilitate collaboration between Fedora Infra and the CFP lead developer to integrate FAS login into the CFP app. Adding FAS as a login option instantly allows any Fedora community member to submit to our CFP (as well as DevConfs and CentOS events) without a Google or GitHub account.
As I understand it, some configuration is needed server-side to allow the app to make an OAuth2 request. Ideally, this request comes from cfp.fedoraproject.org when #11315 is resolved.
I foresee this as medium trouble, medium gain. If we don't get it in time for this year, we'll be fine. It is foreseeable that we will use this system again though, possibly for release parties. So it is worthwhile to integrate even if we miss Flock.
The forecast CFP dates are 23 May (opening) and 20 June (closing). It would be convenient for the login to be in place when we announce the open CFP at the release party on 2-3 June.
Metadata Update from @zlopez: - Issue priority set to: Waiting on Assignee (was: Needs Review) - Issue tagged with: high-gain, medium-trouble, ops
Metadata Update from @zlopez: - Issue tagged with: blocked
Issue #11315 is now resolved. May we move forward here? Is there anything you need from CfP service POV?
Yes. We have a template for oidc auth requests. :) Here's the questions from it:
To help us register your application in our OIDC service, we need a few pieces of information from you:
Note: all the default values provided here are based on the default choice/implementation of flask-oidc. If you do not use this library you may have to refer to the documentation of your library.
Some generic information first:
- What is the application main URL?
- Who will be the main contact for the application, or will this be core infrastructure?
- What privacy policy will be applicable to the application, or will this be the standard Fedora privacy policy?
Some more OIDC specific information then:
- Which redirect URI(s) will the application use?
  - flask-oidc defaults to: <APPLICATION_URL>/oidc_callback but it's configurable (so double-check)
- Does the application need the user names, or will an application-specific pseudonym suffice?
  - ie: using flask-oidc, do you ever rely on OIDC.user_getfield('sub') to get the user's username. If not, this question likely does not matter for your application
- Which authorization flow does the application use?
  - flask-oidc: authorization_code
- Which token authentication method does the application use?
  - flask-oidc: client_secret_post
- Which response type does the application rely on?
  - flask-oidc: Code
and @ryanlerch or @abompard should be able to hopefully answer any questions you have...
What is the application main URL?
There would be two:
- cfp.devconf.info
Who will be the main contact for the application, or will this be core infrastructure?
Hi @jridky, could you answer @kevin's questions above about configuring the FAS login integration for the CFP system? Thank you!
As written above, we need it for two domains:
For application itself @jridky
What privacy policy will be applicable to the application, or will this be the standard Fedora privacy policy?
We'll use Fedora's default.
Some more OIDC specific information then:
- Which redirect URI(s) will the application use?
  - flask-oidc defaults to: <APPLICATION_URL>/oidc_callback but it's configurable (so double-check)
Does the application need the user names, or will an application-specific pseudonym suffice? ie: using flask-oidc, do you ever rely on OIDC.user_getfield('sub') to get the user's username. If not, this question likely does not matter for your application
We don't need FAS user names (in the sense of artificial shortcuts). The app needs the user's full name and email address.
- Which authorization flow does the application use?
  - flask-oidc: authorization_code
- Which token authentication method does the application use?
  - flask-oidc: client_secret_post
- Which response type does the application rely on?
  - flask-oidc: Code
Not sure what to answer to the questions above -> the app would rely on the https://github.com/steverhoades/oauth2-openid-connect-client implementation of OpenID Connect; the README there should provide more info about the flow.
A status update: @abompard sent @jridky the OAuth2 client secret. There was a parameter that Aurélien was not sure about (token_endpoint_auth_method that can be client_secret_basic or client_secret_post). It is how the app will request additional data about the logged in user from Ipsilon. @jridky planned to take a look early next week.
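The registration template earlier in the thread (redirect URI, authorization_code flow, client_secret_post vs client_secret_basic, response type code) and the token_endpoint_auth_method question in the status update above describe what the client sends at each step of the login. The following is an added illustration and is not code from the CFP app, from Ipsilon, from flask-oidc, or from the oauth2-openid-connect-client library: it builds the authorization redirect and the token-endpoint request both ways so the two auth methods can be compared on the wire. The issuer URL, endpoint path, client_id, client_secret, redirect URI, state and code values are all made-up placeholders.

```python
"""Added example: authorization_code flow messages and the two
token_endpoint_auth_method values. Illustrative only; every URL and
credential below is a constructed placeholder, not a real registration."""
import base64
import hashlib
from urllib.parse import parse_qs, urlencode, urlparse

# Hypothetical registration values (assumed, not from the thread).
ISSUER = "https://id.example.org/openidc"
CLIENT_ID = "cfp"
CLIENT_SECRET = "s3cret"
REDIRECT_URI = "https://cfp.example.org/oidc_callback"  # flask-oidc-style default path


def build_authorization_request(state, code_verifier):
    """Step 1: the URL the browser is redirected to at the OpenID Provider.

    response_type=code is the 'Code' response type from the template; state
    binds the callback to this session; the PKCE challenge is optional for a
    confidential client but cheap insurance against code injection.
    """
    challenge = base64.urlsafe_b64encode(
        hashlib.sha256(code_verifier.encode()).digest()
    ).rstrip(b"=").decode()
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": "openid profile email",  # name + email, as the CFP app asked for
        "state": state,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    # "/Authorization" is an assumed endpoint path for the demo.
    return f"{ISSUER}/Authorization?{urlencode(params)}"


def callback_is_valid(callback_url, expected_state):
    """Check the redirect back to the callback URI before using the code."""
    qs = parse_qs(urlparse(callback_url).query)
    if "error" in qs:
        return False
    return qs.get("state") == [expected_state] and "code" in qs


def build_token_request(code, code_verifier, method):
    """Step 2: exchange the code at the token endpoint.

    Returns (headers, form_body). The only thing token_endpoint_auth_method
    changes is where the client credentials travel: in an HTTP Basic
    Authorization header (client_secret_basic) or as form fields in the body
    (client_secret_post). The provider must be registered with the same
    value, or the exchange is rejected.
    """
    body = {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": REDIRECT_URI,
        "code_verifier": code_verifier,
    }
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    if method == "client_secret_basic":
        # RFC 6749 section 2.3.1: "client_id:client_secret", base64-encoded.
        creds = f"{CLIENT_ID}:{CLIENT_SECRET}".encode()
        headers["Authorization"] = "Basic " + base64.b64encode(creds).decode()
    elif method == "client_secret_post":
        body["client_id"] = CLIENT_ID
        body["client_secret"] = CLIENT_SECRET
    else:
        raise ValueError(f"unsupported token_endpoint_auth_method: {method}")
    return headers, body
```

Both shapes carry the same secret, so the choice is about matching what the provider expects rather than about strength; what matters for the CFP app is that the value registered server-side and the value the client library sends agree.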
I think this is now all done. ;)
If there's anything left, please re-open or file a new issue.
Metadata Update from @kevin: - Issue close_status updated to: Fixed - Issue status updated to: Closed (was: Open)
Yes, I think we are all set. You all are wonderful! Thanks for making this work. :100: