#12490 FedoraQA - Testdays - OIDC setup
Closed: Fixed 5 days ago by zlopez. Opened a month ago by jskladan.

Describe what you would like us to do:

We want to add OIDC authentication to the testdays app, and thus we need the app to be registered with the OIDC server, and to set ansible variables holding the OIDC tokens/data.
We expect the client_secrets.json file template to look like this (in tact with our other apps using OIDC):

{
    "web": {
        "auth_uri": "https://id{{env_suffix}}.fedoraproject.org/openidc/Authorization",
        "client_id": "{{ (env == 'production')|ternary(testdays_oidc_client_id, testdays_oidc_client_id_stg) }}",
        "client_secret": "{{ (env == 'production')|ternary(testdays_oidc_secret, testdays_oidc_secret_stg) }}",
        "issuer": "https://id{{env_suffix}}.fedoraproject.org/openidc/",
        "redirect_uris": [
            "https://testdays{{env_suffix}}.fedoraproject.org/flask_oidc/authorize"
        ],
        "token_uri": "https://id{{env_suffix}}.fedoraproject.org/openidc/Token",
        "userinfo_uri": "https://id{{env_suffix}}.fedoraproject.org/openidc/UserInfo"
    }
}

Expected redirects:
- https://testdays.fedoraproject.org/flask_oidc/authorize for Production
- https://testdays.stg.fedoraproject.org/flask_oidc/authorize for Staging

Expected ansible variables:
- testdays_oidc_client_id
- testdays_oidc_client_id_stg
- testdays_oidc_secret
- testdays_oidc_secret_stg

When do you need this to be done by? (YYYY/MM/DD)

Before the next Fedora release cycle. Hopefully sooner :)
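
A check that could be run against the rendered client_secrets.json for either environment, added here as an example; it is not part of the original ticket or of the Fedora infrastructure repository. The function names, the sample credentials and the `env_suffix` values (empty for production, `.stg` for staging, inferred from the expected redirects above) are assumptions.

```python
import json

# Expected redirect URIs per environment, as listed in the ticket.
EXPECTED_REDIRECTS = {
    "production": "https://testdays.fedoraproject.org/flask_oidc/authorize",
    "staging": "https://testdays.stg.fedoraproject.org/flask_oidc/authorize",
}
# Assumption: env_suffix renders to "" in production and ".stg" in staging.
ENV_SUFFIX = {"production": "", "staging": ".stg"}


def check_client_secrets(rendered_json, env):
    """Return a list of problems found in a rendered client_secrets.json."""
    problems = []
    web = json.loads(rendered_json).get("web", {})
    issuer = f"https://id{ENV_SUFFIX[env]}.fedoraproject.org/openidc/"
    # Empty or unrendered Jinja means the Ansible variable was never filled in.
    for key in ("client_id", "client_secret"):
        value = web.get(key, "")
        if not value or "{{" in value or "}}" in value:
            problems.append(f"{key}: empty or unrendered template")
    if web.get("issuer") != issuer:
        problems.append(f"issuer: expected {issuer}")
    # Every IdP endpoint must sit under this environment's HTTPS issuer.
    for key in ("auth_uri", "token_uri", "userinfo_uri"):
        if not web.get(key, "").startswith(issuer):
            problems.append(f"{key}: not under {issuer}")
    # Exactly the one redirect URI registered for this environment.
    if web.get("redirect_uris") != [EXPECTED_REDIRECTS[env]]:
        problems.append("redirect_uris: does not match the registered redirect")
    return problems


def render_sample(suffix, client_id, secret):
    """Build constructed sample input in the shape of the ticket's template."""
    idp = f"https://id{suffix}.fedoraproject.org/openidc/"
    return json.dumps({"web": {
        "auth_uri": idp + "Authorization",
        "client_id": client_id,
        "client_secret": secret,
        "issuer": idp,
        "redirect_uris": [f"https://testdays{suffix}.fedoraproject.org/flask_oidc/authorize"],
        "token_uri": idp + "Token",
        "userinfo_uri": idp + "UserInfo",
    }})


if __name__ == "__main__":
    # Constructed cases: a correct staging file, then production URLs on staging.
    for suffix in (".stg", ""):
        sample = render_sample(suffix, "constructed-id", "constructed-secret")
        print(check_client_secrets(sample, "staging"))
```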


Metadata Update from @zlopez:
- Issue assigned to zlopez
- Issue priority set to: Waiting on Assignee (was: Needs Review)
- Issue tagged with: high-gain, low-trouble, ops

a month ago

I created https://pagure.io/fedora-infra/ansible/pull-request/2569 for the staging entries and filled out the entry for production and added the variables to ansible private.

As we are currently in freeze, I would wait with deploying the change till the freeze is over.

I'm also not sure about the contact. I used qa-tools-sig@lists.fedoraproject.org as this was already used on other QA entry (OpenQA). Let me know if that needs to be changed.

Thank you, we'll keep this open until we deploy (after the freeze). Not sure about the contact either, but I'm guessing whatever works for OpenQA is fine for the other stuff too.

> I'm also not sure about the contact. I used qa-tools-sig@lists.fedoraproject.org as this was already used on other QA entry (OpenQA). Let me know if that needs to be changed.

That email address is fine, keep it, thanks.

As we are out of freeze now, I will deploy this today.

The changes should be now deployed for both staging and production. Let me know if it's working for you.

@jskladan Could you confirm that this is working for you?

I can log in with FAS on https://testdays.stg.fedoraproject.org , works fine. We don't have a production deployment yet.

@lbrabec Anything to add? Can we close this?

It seems that all is fine.

Closing as fixed, feel free to re-open if you find that something is not working as it should.

Metadata Update from @zlopez:
- Issue close_status updated to: Fixed
- Issue status updated to: Closed (was: Open)

5 days ago
