We want to add OIDC authentication to the blockerbugs app, and thus we need the app to be registered with the OIDC server, and to set ansible variables holding the OIDC tokens/data. We expect the client_secrets.json file template to look like this (intact with our other apps using OIDC):
client_secrets.json

```json
{
  "web": {
    "auth_uri": "https://id{{env_suffix}}.fedoraproject.org/openidc/Authorization",
    "client_id": "{{ (env == 'production')|ternary(blockerbugs_oidc_client_id, blockerbugs_oidc_client_id_stg) }}",
    "client_secret": "{{ (env == 'production')|ternary(blockerbugs_oidc_secret, blockerbugs_oidc_secret_stg) }}",
    "issuer": "https://id{{env_suffix}}.fedoraproject.org/openidc/",
    "redirect_uris": [
      "https://qa{{env_suffix}}.fedoraproject.org/blockerbugs/authorize"
    ],
    "token_uri": "https://id{{env_suffix}}.fedoraproject.org/openidc/Token",
    "userinfo_uri": "https://id{{env_suffix}}.fedoraproject.org/openidc/UserInfo"
  }
}
```
Expected redirects:

- https://qa.fedoraproject.org/blockerbugs/authorize for Production
- https://qa.stg.fedoraproject.org/blockerbugs/authorize for Staging
Expected ansible variables:

- blockerbugs_oidc_client_id
- blockerbugs_oidc_client_id_stg
- blockerbugs_oidc_secret
- blockerbugs_oidc_secret_stg
Before the next Fedora release cycle. Hopefully sooner :)
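As an added example (not part of the ticket or the ansible repository), a small stdlib-only check that a rendered client_secrets.json matches the expectations above for a given environment: rendered secrets (no leftover Jinja markers), issuer and endpoints on the matching id host over https, and redirect URIs on the matching qa host. The `render_sample` helper builds constructed sample files in the template's shape; the client ids and secrets it takes are placeholders.

```python
import json
from urllib.parse import urlparse

# env_suffix as used in the ticket's template: "" for production, ".stg" for staging.
ENV_SUFFIX = {"production": "", "staging": ".stg"}
REDIRECT_PATH = "/blockerbugs/authorize"

def validate_client_secrets(raw: str, env: str) -> list:
    """Return the problems found in a rendered client_secrets.json (empty list = OK)."""
    web = json.loads(raw)["web"]
    suffix = ENV_SUFFIX[env]
    id_host = f"id{suffix}.fedoraproject.org"
    qa_host = f"qa{suffix}.fedoraproject.org"
    problems = []

    # Leftover Jinja markers mean the Ansible variable for this env was not defined.
    for key in ("client_id", "client_secret"):
        value = web.get(key, "")
        if not value or "{{" in value:
            problems.append(f"{key} is empty or still contains a template marker")

    # Issuer and every endpoint must be https on the same provider host,
    # and the endpoints must live under the issuer URL.
    issuer = web.get("issuer", "")
    if urlparse(issuer).netloc != id_host or not issuer.endswith("/openidc/"):
        problems.append(f"issuer {issuer!r} is not https://{id_host}/openidc/")
    for key in ("auth_uri", "token_uri", "userinfo_uri"):
        uri = web.get(key, "")
        if urlparse(uri).scheme != "https" or not uri.startswith(issuer):
            problems.append(f"{key} {uri!r} is not an https URL under the issuer")

    # The provider sends authorization codes to redirect_uris, so a staging
    # URI in the production entry (or vice versa) is a real misconfiguration.
    redirects = web.get("redirect_uris") or []
    if not redirects:
        problems.append("no redirect_uris configured")
    for uri in redirects:
        p = urlparse(uri)
        if p.scheme != "https" or p.netloc != qa_host or p.path != REDIRECT_PATH:
            problems.append(f"redirect_uri {uri!r} is not https://{qa_host}{REDIRECT_PATH}")
    return problems

def render_sample(env: str, client_id: str, secret: str, redirect_host: str = "") -> str:
    """Constructed client_secrets.json shaped like the ticket's template output."""
    suffix = ENV_SUFFIX[env]
    base = f"https://id{suffix}.fedoraproject.org/openidc/"
    host = redirect_host or f"qa{suffix}.fedoraproject.org"
    return json.dumps({"web": {
        "auth_uri": base + "Authorization", "client_id": client_id, "client_secret": secret,
        "issuer": base, "redirect_uris": [f"https://{host}{REDIRECT_PATH}"],
        "token_uri": base + "Token", "userinfo_uri": base + "UserInfo"}})
```

Running the check after the playbook has rendered the file catches a production entry that still points at the staging redirect, or a secret variable that was never defined.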
Metadata Update from @zlopez:

- Issue assigned to zlopez
- Issue priority set to: Waiting on Assignee (was: Needs Review)
- Issue tagged with: high-gain, low-trouble, ops
The staging OIDC entry could be reviewed here https://pagure.io/fedora-infra/ansible/pull-request/2610
I used qa-tools-sig@lists.fedoraproject.org as a contact e-mail as the same is used for TestDays OIDC entry.
The OIDC entries together with the requested vars are now deployed. @lbrabec Could you check if everything is working as it should?
Yep, I updated the template in ansible, ran the playbook and I can see a properly generated client_secrets.json. I'll try the functionality later, but feel free to close this issue.
Metadata Update from @zlopez:

- Issue close_status updated to: Fixed
- Issue status updated to: Closed (was: Open)
Feel free to re-open if something doesn't work properly.