I'm trying to push to my fork of a package on dist-git. I ran
fedpkg clone --anonymous https://src.fedoraproject.org/forks/kjtsanaktsidis/rpms/glibc.git
git checkout -b my_new_branch
fedpkg push
Unfortunately the push fails with
Please visit https://id.fedoraproject.org/openidc/Authorization?scope=openid+https%3A%2F%2Fid.fedoraproject.org%2Fscope%2Fgroups+https%3A%2F%2Fmbs.fedoraproject.org%2Foidc%2Fsubmit-build+https%3A%2F%2Fsrc.fedoraproject.org%2Fpush&response_type=code&client_id=fedpkg&redirect_uri=http%3A%2F%2Flocalhost%3A12345%2F&response_mode=query to grant authorization
127.0.0.1 - - [14/Jun/2024 21:23:41] "GET /?error=invalid_scope&error_description=unknown+scope+https%3A%2F%2Fmbs.fedoraproject.org%2Foidc%2Fsubmit-build+requested HTTP/1.1" 200 47
No token received.
fatal: credential helper '/usr/bin/fedpkg gitcred' told us to quit
Could not execute push: Failed to execute command.
It seems that id.fedoraproject.org is not accepting the "+https%3A%2F%2Fmbs.fedoraproject.org%2Foidc%2Fsubmit-build" scope that fedpkg is asking for, and says it doesn't exist. That scope is listed in https://fedoraproject.org/wiki/Infrastructure/Authentication, so I'm guessing something might have changed on the infrastructure side? If I visit the authorization URL but remove that scope from the URL, I do get redirected to http://localhost:12345/?code=...
Is this something to be fixed in infra? Or should fedpkg be modified to not ask for this scope? If the latter, I can open a PR on pagure for fedpkg, I suppose.
I'm not in a rush, but I guess this is affecting anybody trying to use fedpkg push over HTTPS?
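The diagnosis in the report above, as an added example that is not part of the original ticket or of fedpkg: it reads the requested scopes from the authorization URL, finds the scope named in the `invalid_scope` callback log line, and rebuilds the URL without it. The function names are hypothetical, the sample strings are copied from the output quoted above, and matching on the words of `error_description` assumes the error text shown there.

```python
import re
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

# Sample input copied from the output quoted in the ticket.
AUTH_URL = (
    "https://id.fedoraproject.org/openidc/Authorization?scope=openid"
    "+https%3A%2F%2Fid.fedoraproject.org%2Fscope%2Fgroups"
    "+https%3A%2F%2Fmbs.fedoraproject.org%2Foidc%2Fsubmit-build"
    "+https%3A%2F%2Fsrc.fedoraproject.org%2Fpush&response_type=code"
    "&client_id=fedpkg&redirect_uri=http%3A%2F%2Flocalhost%3A12345%2F"
    "&response_mode=query")
LOG_LINE = (
    '127.0.0.1 - - [14/Jun/2024 21:23:41] "GET /?error=invalid_scope'
    "&error_description=unknown+scope+https%3A%2F%2Fmbs.fedoraproject.org"
    '%2Foidc%2Fsubmit-build+requested HTTP/1.1" 200 47')

def requested_scopes(auth_url):
    """Scopes are one space-delimited 'scope' parameter ('+' decodes to space)."""
    query = parse_qs(urlsplit(auth_url).query)
    return query.get("scope", [""])[0].split()

def callback_target(log_line):
    """Pull the request target out of the local redirect listener's log line."""
    match = re.search(r'"GET (\S+) HTTP/', log_line)
    return match.group(1) if match else ""

def rejected_scopes(log_line, requested):
    """Requested scopes that the invalid_scope error description names."""
    query = parse_qs(urlsplit(callback_target(log_line)).query)
    if query.get("error", [""])[0] != "invalid_scope":
        return []
    # Assumption: the description lists the scope as a separate word.
    words = query.get("error_description", [""])[0].split()
    return [scope for scope in requested if scope in words]

def without_scopes(auth_url, drop):
    """Rebuild the authorization URL with the given scopes removed."""
    parts = urlsplit(auth_url)
    query = parse_qs(parts.query)
    kept = [s for s in requested_scopes(auth_url) if s not in drop]
    query["scope"] = [" ".join(kept)]
    return urlunsplit(parts._replace(query=urlencode(query, doseq=True)))

if __name__ == "__main__":
    bad = rejected_scopes(LOG_LINE, requested_scopes(AUTH_URL))
    print("rejected by the identity provider:", bad)
    print("retry with:", without_scopes(AUTH_URL, bad))
```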
Metadata Update from @zlopez: - Issue priority set to: Waiting on Assignee (was: Needs Review) - Issue tagged with: Needs investigation
I don't see any change in OIDC configuration for MBS happening for some time. I'm not sure if the scopes are handled in OIDC configuration or directly somewhere in ipsilon.
I may have removed some related config when we retired the mbs service.
Why are you using mbs credentials? You should be able to just use yours...
I don't actually have any requirement for it, but it's a default scope requested by fedpkg's git credential helper: https://pagure.io/fedpkg/blob/master/f/conf/etc/rpkg/fedpkg.conf#_35
Sounds like I should go open a PR on fedpkg to make it not request this scope - however, it would probably be good if requesting this scope continued to work for a while to give people time to update fedpkg?
https://pagure.io/fedpkg/pull-request/548 - I opened this.
Yeah, I guess this may have been in there to allow users to submit mbs builds via this...
In any case, if you remove it (i.e., apply your PR), your fedpkg push works as expected then?
Yes, after applying that patch I can push with fedpkg to src.fedoraproject.org
Great. Thanks for the debugging and PR!
Metadata Update from @kevin: - Issue close_status updated to: Upstream - Issue status updated to: Closed (was: Open)