We are preparing for DevConf, where we will announce easy onboarding via SSO.
We would like to ask for staging credentials for OIDC (Fedora SSO) for the service to test out the integration.
Here is my GPG key: https://keys.openpgp.org/search?q=3F847E6D957B4C14B13EBB3E5BAAB866857301E2
email: mvadkert@redhat.com
Here's the template for questions we ask about OIDC setup:
To help us register your application in our OIDC service, we need some information from you:
Note: all the default values provided here are based on the default choice/ implementation of flask-oidc. If you do not use this library you may have to refer to the documentation of your library.
Some generic information first:
- What is the application main URL?
- Who will be the main contact for the application, or will this be core infrastructure?
- What privacy policy will be applicable to the application, or will this be the standard Fedora privacy policy?
Some more OIDC specific information then:
- Which redirect URI(s) will the application use?
  - flask-oidc defaults to: <APPLICATION_URL>/oidc_callback but it's configurable (so double-check)
- Does the application need the user names, or will an application-specific pseudonym suffice?
  - i.e. using flask-oidc, do you ever rely on OIDC.user_getfield('sub') to get the user's username? If not, this question likely does not matter for your application
- Which authorization flow does the application use?
  - flask-oidc: authorization_code
- Which token authentication method does the application use?
  - flask-oidc: client_secret_post
- Which response type does the application rely on?
  - flask-oidc: Code
Metadata Update from @zlopez: - Issue priority set to: Waiting on Reporter (was: Needs Review) - Issue tagged with: low-trouble, medium-gain, ops
Here's the template for questions we ask about OIDC setup: To help us register your application in our OIDC service, we need some information from you: Note: all the default values provided here are based on the default choice/ implementation of flask-oidc. If you do not use this library you may have to refer to the documentation of your library.
Ack, we will use FastAPI, but that should not be an issue.
Some generic information first:
- What is the application main URL?
The apps are not yet deployed.
For staging it will be:
https://api.staging.testing-farm.io
For production:
https://api.testing-farm.io
Who will be the main contact for the application, or will this be core infrastructure?
The Testing Farm Team, tft@redhat.com. Fallback contact points mvadkert@redhat.com, jhavlin@redhat.com
What privacy policy will be applicable to the application, or will this be the standard Fedora privacy policy?
I believe so, but this is the first time we are creating such an application, so more information would be nice. Currently we will collect this information from the user: Fedora username, Fedora group membership (including CLA status).
Can you share more info on this part please?
Some more OIDC specific information then:
- Which redirect URI(s) will the application use?
  - flask-oidc defaults to: <APPLICATION_URL>/oidc_callback but it's configurable (so double-check)
https://api.staging.testing-farm.io/login/fedora/callback
For production
https://api.testing-farm.io/login/fedora/callback
Does the application need the user names, or will an application-specific pseudonym suffice? i.e. using flask-oidc, do you ever rely on OIDC.user_getfield('sub') to get the user's username? If not, this question likely does not matter for your application
We would like to have access to user names and also the group membership. For the start we will limit the login to our testing-farm group.
Which authorization flow does the application use? flask-oidc: authorization_code
Yes, this is correct. - flask-oidc: authorization_code
Which token authentication method does the application use? flask-oidc: client_secret_post
Yes, this is correct. - flask-oidc: client_secret_post
Which response type does the application rely on? flask-oidc: Code
Yes, this is correct. - flask-oidc: Code
Thank you!
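The settings confirmed above (authorization code flow, client_secret_post, response type code, callback at /login/fedora/callback, login limited to the testing-farm group) as one offline walk-through. This is an added example, not Testing Farm's or Fedora infra's code; the Ipsilon endpoint URLs, client_id, the groups scope and the `groups` claim name are assumptions, and the secret is a placeholder.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Placeholders (assumed): the real client_id comes from the registration and the
# secret from the Ansible variable testing_farm_oidc_secret_stg, never from source.
CLIENT_ID = "testing-farm-staging"
CLIENT_SECRET = "<testing_farm_oidc_secret_stg>"
AUTHORIZE_ENDPOINT = "https://id.stg.fedoraproject.org/openidc/Authorization"  # assumed
TOKEN_ENDPOINT = "https://id.stg.fedoraproject.org/openidc/Token"  # assumed
REDIRECT_URI = "https://api.staging.testing-farm.io/login/fedora/callback"
REQUIRED_GROUP = "testing-farm"

def new_state() -> str:
    """Unguessable per-login value; store it in the session before redirecting."""
    return secrets.token_urlsafe(32)

def build_authorization_url(state: str, nonce: str) -> str:
    """Step 1: response_type=code selects the authorization code flow."""
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,  # must match a registered redirect URI exactly
        "scope": "openid profile https://id.fedoraproject.org/scope/groups",  # group scope assumed
        "state": state,
        "nonce": nonce,  # comes back inside the id_token; verify it there
    }
    return f"{AUTHORIZE_ENDPOINT}?{urlencode(params)}"

def extract_code(callback_url: str, expected_state: str) -> str:
    """Step 2: accept the callback only if it carries the state this session issued."""
    qs = parse_qs(urlsplit(callback_url).query)
    if not hmac.compare_digest(qs.get("state", [""])[0], expected_state):
        raise ValueError("state mismatch: possible CSRF or stale login")
    if "code" not in qs:
        raise ValueError(qs.get("error", ["callback without code"])[0])
    return qs["code"][0]

def token_request_body(code: str) -> dict:
    """Step 3: client_secret_post puts client_id and client_secret in the POST body to TOKEN_ENDPOINT."""
    return {"grant_type": "authorization_code", "code": code, "redirect_uri": REDIRECT_URI,
            "client_id": CLIENT_ID, "client_secret": CLIENT_SECRET}

def login_allowed(claims: dict) -> bool:
    """Step 4: gate login on the testing-farm group (claim name 'groups' assumed)."""
    return REQUIRED_GROUP in claims.get("groups", [])
```

The actual POST of `token_request_body(...)` to the token endpoint and the id_token signature/nonce check are left to the HTTP and JWT libraries the service already uses.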
Metadata Update from @zlopez: - Issue assigned to zlopez - Issue priority set to: Waiting on Assignee (was: Waiting on Reporter)
The question is whether you are saving the information locally; in that case you need to comply with GDPR. If you are just using fasjson to retrieve the information then you are OK.
Here is the standard Fedora privacy policy.
@zlopez We need to store the user ID and user name, so we can identify the user and connect it to a request. So I assume we are, and we will need to implement an interface to comply?
@mvadkert Is this data stored permanently in some DB, or is it just a cache that will be deleted when the request is processed? In the first case we need to have a way to delete the personal information if that request is raised by the user; in the second case it doesn't matter.
@zlopez it needs to be in the DB to provide a good experience.
@zlopez is it enough if we expose an endpoint to our API for you to clean personal information as a solution?
Would look something like:
http DELETE https://api.testing-farm.io/v0.1/users?method=fedora&user=$FEDORA_USERNAME
Is it alright if we anonymize the data e.g. by replacing the username and id with deleted-user-<random_id> in the DB? We would like to keep track of the requests which were created by the users (without preserving the data about the fedora account).
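The anonymization proposed above (overwriting the stored username and id with deleted-user-<random_id> while keeping the user's requests attributable to the pseudonym) as an added, self-contained example. It is not Testing Farm's implementation; the two-table schema and the sample rows are constructed for the example.

```python
import secrets
import sqlite3
from typing import List, Optional

# Constructed schema: one row per external account, requests keyed by the internal id.
SCHEMA = """
CREATE TABLE users (
    id INTEGER PRIMARY KEY, method TEXT NOT NULL,
    external_id TEXT NOT NULL, username TEXT NOT NULL,
    UNIQUE (method, external_id));
CREATE TABLE requests (id INTEGER PRIMARY KEY, user_id INTEGER NOT NULL REFERENCES users(id));
"""

def open_db() -> sqlite3.Connection:
    """In-memory database seeded with constructed sample accounts and requests."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO users VALUES (?, ?, ?, ?)",
                     [(1, "fedora", "fedora-uid-1", "alice"), (2, "fedora", "fedora-uid-2", "bob")])
    conn.executemany("INSERT INTO requests VALUES (?, ?)", [(10, 1), (11, 1), (12, 2)])
    conn.commit()
    return conn

def anonymize_user(conn: sqlite3.Connection, method: str, username: str) -> Optional[str]:
    """Overwrite the account's username and external id with deleted-user-<random_id>.
    The internal id is untouched, so requests stay linked. Returns the pseudonym,
    or None when no such account exists (a repeated DELETE is a harmless no-op)."""
    pseudonym = f"deleted-user-{secrets.token_hex(8)}"
    with conn:  # single transaction: both columns change or neither does
        cur = conn.execute(
            "UPDATE users SET username = ?, external_id = ? WHERE method = ? AND username = ?",
            (pseudonym, pseudonym, method, username))
    return pseudonym if cur.rowcount == 1 else None

def request_ids(conn: sqlite3.Connection, username: str) -> List[int]:
    """Requests attributed to a (possibly pseudonymous) username, oldest first."""
    rows = conn.execute("SELECT r.id FROM requests r JOIN users u ON u.id = r.user_id "
                        "WHERE u.username = ? ORDER BY r.id", (username,))
    return [row[0] for row in rows]
```

The DELETE endpoint sketched above would call `anonymize_user(conn, method, user)`; database backups taken before the call still hold the original values, which is the separate backup question raised below.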
It's not hard to be compliant with GDPR in Fedora infra, we have a guide for that https://docs.fedoraproject.org/en-US/infra/sysadmin_guide/gdpr_sar/#_integrating_an_application_with_our_sar_playbook
That brings another question. Do you need a DB space in our postgres database?
@zlopez no, we have our own database.
@zlopez can you provide feedback to @jhavlin if anonymization is enough to comply?
Seems so: https://www.privacydynamics.io/post/anonymization-for-gdpr-compliance-can-it-be-done/
Also interesting read about database backups:
https://www.itgovernance.eu/blog/en/the-gdpr-how-the-right-to-be-forgotten-affects-backups-2
:)
@mvadkert Anonymization of the data should be enough.
@zlopez we will track the anonymization internally in https://issues.redhat.com/browse/TFT-2532
Can we now get our staging OIDC credentials please, to move forward with the implementation?
Metadata Update from @zlopez: - Assignee reset
@kevin howdy, is there anything else you need from us?
@mvadkert You provided everything we need to create OIDC credentials for you. Somebody just needs to find time to do it.
thanks for confirmation!
@mvadkert Done, sorry for the delay. The client_secret is available in Ansible as the testing_farm_oidc_secret variable for production and testing_farm_oidc_secret_stg for staging. Please let us know if you need anything else or if it does not work.
Metadata Update from @abompard: - Issue assigned to abompard
Metadata Update from @abompard: - Issue close_status updated to: Fixed - Issue status updated to: Closed (was: Open)