#11990 id.fedoraproject.org OIDC server not accepting https://mbs.fedoraproject.org/oidc/ scope
Closed: Upstream 7 months ago by kevin. Opened 7 months ago by kjtsanaktsidis.

Describe what you would like us to do:


I'm trying to push to my fork of a package on dist-git. I ran

fedpkg clone --anonymous https://src.fedoraproject.org/forks/kjtsanaktsidis/rpms/glibc.git
git checkout -b my_new_branch
fedpkg push

Unfortunately the push fails with

Please visit https://id.fedoraproject.org/openidc/Authorization?scope=openid+https%3A%2F%2Fid.fedoraproject.org%2Fscope%2Fgroups+https%3A%2F%2Fmbs.fedoraproject.org%2Foidc%2Fsubmit-build+https%3A%2F%2Fsrc.fedoraproject.org%2Fpush&response_type=code&client_id=fedpkg&redirect_uri=http%3A%2F%2Flocalhost%3A12345%2F&response_mode=query to grant authorization
127.0.0.1 - - [14/Jun/2024 21:23:41] "GET /?error=invalid_scope&error_description=unknown+scope+https%3A%2F%2Fmbs.fedoraproject.org%2Foidc%2Fsubmit-build+requested HTTP/1.1" 200 47
No token received.
fatal: credential helper '/usr/bin/fedpkg gitcred' told us to quit
Could not execute push: Failed to execute command.

It seems that id.fedoraproject.org is not accepting the "+https%3A%2F%2Fmbs.fedoraproject.org%2Foidc%2Fsubmit-build" scope that fedpkg is asking for, and says it doesn't exist. That scope is listed in https://fedoraproject.org/wiki/Infrastructure/Authentication, so I'm guessing something might have changed on the infrastructure side? If I visit the authorization URL but remove that scope from the URL, I do get redirected to http://localhost:12345/?code=...

Is this something to be fixed in infra? Or should fedpkg be modified to not ask for this scope? If the latter I can open a PR on pagure for fedpkg I suppose.

When do you need this to be done by? (YYYY/MM/DD)


I'm not in a rush, but I guess this is affecting anybody trying to use fedpkg push over HTTPS?


Metadata Update from @zlopez:
- Issue priority set to: Waiting on Assignee (was: Needs Review)
- Issue tagged with: Needs investigation

7 months ago

I don't see any change in OIDC configuration for MBS happening for some time. I'm not sure if the scopes are handled in OIDC configuration or directly somewhere in ipsilon.

I may have removed some related config when we retired the mbs service.

Why are you using mbs credentials? You should be able to just use yours...

I don't actually have any requirement for it, but it's a default scope requested by fedpkg's git credential helper: https://pagure.io/fedpkg/blob/master/f/conf/etc/rpkg/fedpkg.conf#_35

Sounds like I should go open a PR on fedpkg to make it not request this scope - however, it would probably be good if requesting this scope continued to work for a while to give people time to update fedpkg?

Yeah, I guess this may have been in there to allow users to submit mbs builds via this...

In any case, if you remove it (i.e., apply your PR), your fedpkg push works as expected then?

Yes, after applying that patch I can push with fedpkg to src.fedoraproject.org

Great. Thanks for the debugging and PR!

Metadata Update from @kevin:
- Issue close_status updated to: Upstream
- Issue status updated to: Closed (was: Open)

7 months ago
