#11974 Create staging OIDC credentials for Testing Farm UI
Closed: Fixed 7 months ago by abompard. Opened 7 months ago by mvadkert.

We are preparing for devconf announcing easy onboarding via SSO.

We would like to ask for staging credentials for OIDC (Fedora SSO) for the service to test out the integration.

Here is my GPG key: https://keys.openpgp.org/search?q=3F847E6D957B4C14B13EBB3E5BAAB866857301E2

email: mvadkert@redhat.com


Here's the template for questions we ask about OIDC setup:

To help us register your application in our OIDC service, we need some information from you:

Note: all the default values provided here are based on the default choice/
implementation of flask-oidc. If you do not use this library you may have to
refer to the documentation of your library.

Some generic information first:
- What is the application main URL?
- Who will be the main contact for the application, or will this be core
  infrastructure?
- What privacy policy will be applicable to the application, or will this be
  the standard Fedora privacy policy?

Some more OIDC specific information then:
- Which redirect URI(s) will the application use?
  - flask-oidc defaults to: <APPLICATION_URL>/oidc_callback
    but it's configurable (so double-check)
- Does the application need the user names, or will an application-specific
  pseudonym suffice?
  - ie: using flask-oidc, do you ever rely on OIDC.user_getfield('sub') to
    get the user's username. If not, this question likely does not matter for
    your application
- Which authorization flow does the application use?
  - flask-oidc: authorization_code
- Which token authentication method does the application use?
  - flask-oidc: client_secret_post
- Which response type does the application rely on?
  - flask-oidc: Code

Metadata Update from @zlopez:
- Issue priority set to: Waiting on Reporter (was: Needs Review)
- Issue tagged with: low-trouble, medium-gain, ops

7 months ago

Here's the template for questions we ask about OIDC setup:

To help us register your application in our OIDC service, we need some information from you:

Note: all the default values provided here are based on the default choice/
implementation of flask-oidc. If you do not use this library you may have to
refer to the documentation of your library.

Ack, we will use FastAPI, but that should not be an issue.

Some generic information first:
- What is the application main URL?

The apps are not yet deployed.

For staging it will be:

https://api.staging.testing-farm.io

For production:

https://api.testing-farm.io

- Who will be the main contact for the application, or will this be core
  infrastructure?

The Testing Farm Team, tft@redhat.com.
Fallback contact points mvadkert@redhat.com, jhavlin@redhat.com

- What privacy policy will be applicable to the application, or will this be
  the standard Fedora privacy policy?

I believe so, but this is the first time we are creating such an application, so more information would be nice.
Currently we will collect this information from the user: Fedora username, Fedora group membership (including CLA status).

Can you share more info on this part pls?

Some more OIDC specific information then:
- Which redirect URI(s) will the application use?
  - flask-oidc defaults to: <APPLICATION_URL>/oidc_callback
    but it's configurable (so double-check)

https://api.staging.testing-farm.io/login/fedora/callback

For production

https://api.testing-farm.io/login/fedora/callback

- Does the application need the user names, or will an application-specific
  pseudonym suffice?
  - ie: using flask-oidc, do you ever rely on OIDC.user_getfield('sub') to
    get the user's username. If not, this question likely does not matter for
    your application

We would like to have access to user names and also the group membership.
For the start we will limit the login to our testing-farm group.

- Which authorization flow does the application use?
  - flask-oidc: authorization_code

Yes, this is correct.
- flask-oidc: authorization_code

- Which token authentication method does the application use?
  - flask-oidc: client_secret_post

Yes, this is correct.
- flask-oidc: client_secret_post

- Which response type does the application rely on?
  - flask-oidc: Code

Yes, this is correct.
- flask-oidc: Code

Thank you!
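The settings answered above (response_type "code", the authorization_code flow, client_secret_post for the token endpoint, the callback https://api.staging.testing-farm.io/login/fedora/callback, and a login limited to the testing-farm group) map onto a small set of checks the relying party has to make. The following is an added example written for this page, not Testing Farm or Fedora Infrastructure code: the issuer, endpoint paths, client id and the name of the group claim ("groups") are placeholders and assumptions, and ID token signature verification is assumed to be done by the OIDC library before the claims reach the last function.

```python
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

# Placeholders (assumptions): the real Fedora SSO issuer, endpoints and client
# id come from the OIDC discovery document and the registration, not from here.
ISSUER = "https://idp.example.invalid/openidc"
AUTHORIZE_ENDPOINT = ISSUER + "/Authorization"
TOKEN_ENDPOINT = ISSUER + "/Token"
CLIENT_ID = "testing-farm-staging"
REDIRECT_URI = "https://api.staging.testing-farm.io/login/fedora/callback"
REQUIRED_GROUP = "testing-farm"


def build_authorization_request(scopes=("openid", "profile", "email")):
    """First leg of the code flow: return (url, state, nonce).

    state ties the callback to this browser session (login CSRF protection);
    nonce is echoed back inside the ID token so a replayed token is rejected.
    Both must be stored server-side in the session until the callback arrives.
    """
    state = secrets.token_urlsafe(32)
    nonce = secrets.token_urlsafe(32)
    params = {
        "response_type": "code",          # the "Code" response type from the ticket
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,     # must match the registered URI exactly
        "scope": " ".join(scopes),
        "state": state,
        "nonce": nonce,
    }
    return AUTHORIZE_ENDPOINT + "?" + urlencode(params), state, nonce


def check_callback(callback_url, expected_state):
    """Validate the redirect to /login/fedora/callback and return the code.

    Rejects a callback on any other URI, an IdP error response, and a state
    value that does not match the one issued for this session.
    """
    parsed = urlparse(callback_url)
    if parsed.scheme + "://" + parsed.netloc + parsed.path != REDIRECT_URI:
        raise ValueError("callback arrived on an unregistered redirect URI")
    query = parse_qs(parsed.query)
    if "error" in query:
        raise ValueError("IdP returned error: " + query["error"][0])
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: possible login CSRF")
    return query["code"][0]


def token_request_body(code, client_secret):
    """Second leg: form body for TOKEN_ENDPOINT using client_secret_post.

    With this method the secret travels in the POST body rather than in an
    HTTP Basic Authorization header; redirect_uri must repeat the value from
    the authorization request or the IdP rejects the exchange.
    """
    return urlencode({
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": REDIRECT_URI,
        "client_id": CLIENT_ID,
        "client_secret": client_secret,
    })


def authorize_user(id_token_claims, expected_nonce, now=None):
    """Gate login on the (already signature-verified) ID token claims.

    Checks issuer, audience, expiry and nonce, then requires membership in
    REQUIRED_GROUP. The "groups" claim name and the use of "sub" as the
    username are assumptions about the IdP.
    """
    now = time.time() if now is None else now
    if id_token_claims.get("iss") != ISSUER:
        raise PermissionError("wrong issuer")
    aud = id_token_claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if CLIENT_ID not in aud:
        raise PermissionError("token not issued for this client")
    if id_token_claims.get("exp", 0) <= now:
        raise PermissionError("token expired")
    if id_token_claims.get("nonce") != expected_nonce:
        raise PermissionError("nonce mismatch: replayed token")
    groups = list(id_token_claims.get("groups", []))
    if REQUIRED_GROUP not in groups:
        raise PermissionError("user is not in the %s group" % REQUIRED_GROUP)
    return {"username": id_token_claims["sub"], "groups": groups}
```

The group check is done on the ID token claims rather than on a separate directory lookup so that the decision and the authentication are bound to the same token; if the IdP does not put groups into the ID token, the same check applies to the userinfo response fetched with the access token.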

Metadata Update from @zlopez:
- Issue assigned to zlopez
- Issue priority set to: Waiting on Assignee (was: Waiting on Reporter)

7 months ago

I believe so, but we are first time creating such application, so more information would be nice.
Currently we will collect this information from the user: Fedora username, Fedora group membership (including CLA status).

The question is whether you are saving the information locally; in that case you need to comply with GDPR. If you are just using fasjson to retrieve the information then you are OK.

Here is the standard Fedora privacy policy.

@zlopez We need to store the user ID and user name, so we can identify the user and connect it to a request. So I assume we are, and we will need to implement an interface to comply?

@mvadkert Is this data stored permanently in some DB or is it just a cache that will be deleted when the request is processed? In the first case we need to have a way to delete the personal information if such a request is raised by the user; in the second case it doesn't matter.

@zlopez it needs to be in the DB to provide a good experience.

@zlopez is it enough if we expose an endpoint to our API for you to clean personal information as a solution?

Would look something like:

http DELETE https://api.testing-farm.io/v0.1/users?method=fedora&user=$FEDORA_USERNAME

Is it alright if we anonymize the data e.g. by replacing the username and id with deleted-user-<random_id> in the DB? We would like to keep track of the requests which were created by the users (without preserving the data about the fedora account).

That brings another question. Do you need DB space in our postgres database?

@zlopez no, we have our own database.

@zlopez can you provide feedback to @jhavlin if anonymization is enough to comply?

@mvadkert Anonymization of the data should be enough.

@zlopez we will track the anonymization internally in https://issues.redhat.com/browse/TFT-2532

Can we now get our staging OIDC credentials pls to move forward with implementation?
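The deletion endpoint and the anonymization agreed above (replace the Fedora username and id with deleted-user-<random_id>, keep the requests) can be implemented so that the personal identifiers are scrubbed in one transaction while every request stays attached to the same internal record. The following is an added example written for this page, not Testing Farm's code: the schema, the sqlite in-memory store and the sample rows are constructed for illustration, and the internal integer key that survives anonymization is a design assumption.

```python
import secrets
import sqlite3

# Constructed schema (assumption): the internal integer key is never exposed
# and never rewritten; only the IdP-derived columns hold personal data.
SCHEMA = """
CREATE TABLE users (
    id          INTEGER PRIMARY KEY,
    method      TEXT NOT NULL,          -- login method, e.g. "fedora"
    external_id TEXT NOT NULL,          -- IdP subject (sub) or the pseudonym
    username    TEXT NOT NULL,          -- IdP username or the pseudonym
    anonymized  INTEGER NOT NULL DEFAULT 0,
    UNIQUE (method, external_id),
    UNIQUE (method, username)
);
CREATE TABLE requests (
    id      INTEGER PRIMARY KEY,
    user_id INTEGER NOT NULL REFERENCES users(id),
    summary TEXT NOT NULL
);
"""


def open_store():
    """In-memory store seeded with constructed sample accounts and requests."""
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")
    conn.executescript(SCHEMA)
    # Rows get ids 1 and 2 in insertion order (INTEGER PRIMARY KEY = rowid).
    conn.executemany(
        "INSERT INTO users (method, external_id, username) VALUES (?, ?, ?)",
        [("fedora", "alice", "alice"), ("fedora", "bob", "bob")],
    )
    conn.executemany(
        "INSERT INTO requests (user_id, summary) VALUES (?, ?)",
        [(1, "fedora-rawhide x86_64 test"),
         (1, "centos-stream-9 test"),
         (2, "fedora-39 test")],
    )
    conn.commit()
    return conn


def anonymize_user(conn, method, username):
    """Backend for DELETE /v0.1/users?method=...&user=...

    Overwrites the IdP subject and username with one fresh
    deleted-user-<random_id> pseudonym. The requests rows are untouched:
    they point at users.id, which does not change, so history is kept
    without any link back to the Fedora account. Returns the pseudonym,
    or None if no live (not yet anonymized) account matched, so a repeat
    call is a harmless no-op rather than a second rewrite.
    """
    pseudonym = "deleted-user-" + secrets.token_hex(8)
    with conn:  # one transaction: both columns change together or not at all
        cur = conn.execute(
            "UPDATE users SET external_id = ?, username = ?, anonymized = 1 "
            "WHERE method = ? AND username = ? AND anonymized = 0",
            (pseudonym, pseudonym, method, username),
        )
        return pseudonym if cur.rowcount == 1 else None


def requests_for(conn, method, username):
    """Request summaries attributed to a username, live or pseudonymous."""
    rows = conn.execute(
        "SELECT r.summary FROM requests r JOIN users u ON u.id = r.user_id "
        "WHERE u.method = ? AND u.username = ? ORDER BY r.id",
        (method, username),
    ).fetchall()
    return [r[0] for r in rows]


def holds_personal_data(conn, method, username):
    """True while any users row still carries this IdP identity."""
    row = conn.execute(
        "SELECT COUNT(*) FROM users "
        "WHERE method = ? AND (username = ? OR external_id = ?)",
        (method, username, username),
    ).fetchone()
    return row[0] > 0
```

The check worth keeping from this is the last function: after a deletion request it should return False for the original username, and the request history should still be reachable under the pseudonym. Any other table that copies the username (audit logs, job metadata) needs the same rewrite inside the same transaction, or the anonymization is incomplete.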

Metadata Update from @zlopez:
- Assignee reset

7 months ago

@kevin howdy, is there anything else you need from us?

@mvadkert You provided everything we need to create OIDC credentials for you. Somebody just needs to find time to do it.

thanks for confirmation!

@mvadkert
Done, sorry for the delay. The client_secret is available in Ansible as the testing_farm_oidc_secret variable for production and testing_farm_oidc_secret_stg for staging.
Please let us know if you need anything else or if it does not work.

Metadata Update from @abompard:
- Issue assigned to abompard

7 months ago

Metadata Update from @abompard:
- Issue close_status updated to: Fixed
- Issue status updated to: Closed (was: Open)

7 months ago
