#12459 OIDC clients for openqa and openqa lab/stg
Closed: Fixed a month ago by adamwill. Opened a month ago by adamwill.

To help us register your application in our OIDC service, we need some
information from you:

Note: all the default values provided here are based on the default choice/
implementation of flask-oidc. If you do not use this library you may have to
refer to the documentation of your library.

Some generic information first:
- main URLs: https://openqa.fedoraproject.org and https://openqa.stg.fedoraproject.org
- contacts: @adamwill / qa-tools-sig
- privacy: standard Fedora privacy policy

Some more OIDC specific information then:
- redirect URI: https://open.qa/docs/#_oauth2 says "Use …/login as callback URL" - I guess that's https://openqa.fedoraproject.org/login or https://openqa.stg.fedoraproject.org/login
- Does the application need the user names, or will an application-specific pseudonym suffice?
  - I'm not totally sure. The code is https://github.com/os-autoinst/openQA/blob/master/lib/OpenQA/WebAPI/Auth/OAuth2.pm . It looks like the oauth2 properties it uses to get the 'id' and 'nickname' are configurable. In the existing user data as shown in the web UI, usernames (which I guess are the same as the 'id' we're getting here) are e.g. http://adamwill.id.fedoraproject.org/ and nicknames are the FAS username, e.g. adamwill. So... we need the oauth2 data to contain a field which is http://(fasname).id.fedoraproject.org and a field which is just (fasname), I guess. Failing that, we'll have to gin up an openQA db query to change all the existing usernames, or I can patch openQA to have an ipsilon path which constructs the correct username/id from the FAS name, or something.
- Which authorization flow does the application use?
  - Not sure. The module we're using is https://metacpan.org/pod/Mojolicious::Plugin::OAuth2 ; from https://github.com/marcusramberg/Mojolicious-Plugin-OAuth2/blob/0312b87eb49d69fe3587ed58aff61378864684e5/lib/Mojolicious/Plugin/OAuth2.pm#L164 it looks like it's authorization_code.
- Which token authentication method does the application use?
  - Not sure. A mock config presumably used in the tests at https://github.com/marcusramberg/Mojolicious-Plugin-OAuth2/blob/0312b87eb49d69fe3587ed58aff61378864684e5/lib/Mojolicious/Plugin/OAuth2/Mock.pm#L227 says `"token_endpoint_auth_methods_supported":["client_secret_post","private_key_jwt","client_secret_basic"]`
- Which response type does the application rely on?
  - I think it'll be code.

Sorry for the lack of certainty on some points. I think we may actually need to patch openQA a bit to make it possible to use Mojolicious-Plugin-OAuth2's OpenIDC 'mode', but I can probably handle that.
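The ticket registers two exact callback URLs and describes how openQA's stored user id and nickname relate to the FAS username. The following is an added example (not openQA, Mojolicious::Plugin::OAuth2 or Fedora infrastructure code) of the two checks a relying party would want on its side of that callback: an exact-match redirect URI check against the registered values, and a derivation of the (id, nickname) pair from the provider's claims. The redirect allowlist is built from the URLs in the ticket; the claim name `nickname` holding the FAS username and the username character set are assumptions and would have to be confirmed against what ipsilon actually returns.

```python
"""Relying-party side checks for the openQA OIDC callback described in the ticket.

Added example only. Callback URLs and the id/nickname shape come from the
ticket; the "nickname" claim name and username character set are assumptions.
"""
import re
from urllib.parse import urlsplit

# Registered callback URLs from the ticket (production and staging).
REGISTERED_REDIRECT_URIS = frozenset({
    "https://openqa.fedoraproject.org/login",
    "https://openqa.stg.fedoraproject.org/login",
})

# Assumed shape of a FAS username; it is embedded in a hostname label, so
# keep it to lowercase letters, digits and hyphens.
_FASNAME_RE = re.compile(r"[a-z0-9][a-z0-9-]*")


def redirect_uri_allowed(candidate: str) -> bool:
    """Exact-match check of a redirect_uri against the registered callbacks.

    OIDC expects byte-for-byte comparison, not prefix or wildcard matching:
    a looser comparison would let the authorization code be delivered to a
    different host or path than the one that was registered. Anything that
    is not https, carries a fragment, or differs at all is rejected.
    """
    parts = urlsplit(candidate)
    if parts.scheme != "https" or parts.fragment:
        return False
    return candidate in REGISTERED_REDIRECT_URIS


def openqa_identity(claims: dict) -> tuple[str, str]:
    """Derive the (id, nickname) pair openQA stores from the provider's claims.

    Per the ticket, existing openQA users have an id of the form
    http://<fasname>.id.fedoraproject.org/ and a nickname equal to the FAS
    username. The claim carrying the FAS username is assumed to be "nickname".
    """
    fasname = claims.get("nickname")
    if not isinstance(fasname, str) or not fasname:
        raise ValueError("missing FAS username claim")
    if not _FASNAME_RE.fullmatch(fasname):
        raise ValueError(f"unexpected username format: {fasname!r}")
    return f"http://{fasname}.id.fedoraproject.org/", fasname


def claims_usable(claims: dict) -> bool:
    """True if the claims yield a usable openQA identity, False otherwise."""
    try:
        openqa_identity(claims)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    # Constructed sample claims, shaped like a userinfo response.
    sample = {"sub": "constructed-subject", "nickname": "adamwill"}
    print(redirect_uri_allowed("https://openqa.fedoraproject.org/login"))
    print(openqa_identity(sample))
```

The point of the exact-match check is the negative cases: a different scheme, an appended path segment, a fragment, or a lookalike host such as `openqa.fedoraproject.org.example` all fail, which is what prevents a registered callback from being widened after the fact.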


Metadata Update from @phsmoura:
- Issue priority set to: Waiting on Assignee (was: Needs Review)
- Issue tagged with: medium-gain, medium-trouble, ops

a month ago

Metadata Update from @zlopez:
- Issue assigned to zlopez

a month ago

Created the entry for staging instance in ipsilon and sent the credentials through internal Red Hat channels.

Thanks. I have that working now, more or less; could we get a prod one? No need to send me the creds, I can see them.

The entry for production is now added and the change deployed on ipsilon.

Metadata Update from @adamwill:
- Issue close_status updated to: Fixed
- Issue status updated to: Closed (was: Open)

a month ago
