#6318 OIDC secrets for www.freeipa.org
Closed: Fixed 3 years ago Opened 3 years ago by mkosek.

I would like to migrate www.freeipa.org authentication from Fedora OpenID authentication to Fedora OpenID Connect authentication (I use mediawiki - OpenIDConnect extension).

I am supposed to fill:

  • URL of the issuer
  • clientID
  • clientsecret

Would it be possible to obtain the registration to Fedora OIDC and these values? I wanted to test/self-service with https://iddev.fedorainfracloud.org/, but it was not working for me.


That is a good idea, please let us know how it goes for you as we're looking at doing the same for our wiki.

For the information you need, please send me a PM on IRC so I can get the info I need to create the clientid for you.

Metadata Update from @puiterwijk:
- Issue assigned to puiterwijk

3 years ago

Reminder for myself - ''return_uri'' for OIDC authentication will be "https://www.freeipa.org/page/Special:PluggableAuthLogin"

Hi Patrick, I had no luck reaching you on IRC or email last week - so let me bump this request here.

@mkosek what's the status here? Did this get taken care of?

This has been taken care of.

Metadata Update from @puiterwijk:
- Issue close_status updated to: Fixed
- Issue status updated to: Closed (was: Open)

3 years ago

JFTR, the OpenIDConnect credentials you sent to me seemed to be working properly. However, I could not make the MediaWiki OpenIDConnect work reliably:

https://lists.fedoraproject.org/archives/list/freeipa-devel@lists.fedorahosted.org/thread/E5SK6GMPKDNLF5GDVSNHUZPRNSHM44Y5/

so I may need to revert to using plain passwords, at least until we figure out how to make OpenIDConnect work with the wiki.

Patrick and I worked on the OIDC plugin in FreeIPA and how it could be improved, especially the link between the existing user database and the new OIDC authentication.

Doing it by mail or user name may not be very reliable, so there was an idea that we could transform the current OpenID mapping:

+----------------------------------------------+----------+-----------------------+
| uoi_openid | uoi_user | uoi_user_registration |
+----------------------------------------------+----------+-----------------------+
| http://<fedora_user>.id.fedoraproject.org/ | <userid> | <date> |
...

and add it to the user table for the OIDC plugin with the following settings:

Proposed updates to wiki db by Patrick:

UPDATE freeipawiki_user SET issuer='https://id.fedoraproject.org/';
UPDATE freeipawiki_user SET subject=(SELECT uoi_openid FROM freeipawiki_user_openid where freeipawiki_user.id=freeipawiki_user_openid.uoi_user);
UPDATE freeipawiki_user SET subject=REPLACE(subject, "http://", "");
UPDATE freeipawiki_user SET subject=REPLACE(subject, "id.fedoraproject.org/", "");

With the migration procedure done on the FreeIPA user table, I indeed progressed and was able to properly authenticate to my user account!

I just had to fix a couple of typos in the migration script (including a slightly different issuer):

UPDATE freeipawiki_user SET issuer='https://id.fedoraproject.org/openidc/';
UPDATE freeipawiki_user SET subject=(SELECT uoi_openid FROM freeipawiki_user_openid where freeipawiki_user.user_id=freeipawiki_user_openid.uoi_user);
UPDATE freeipawiki_user SET subject=REPLACE(subject, "http://", "");
UPDATE freeipawiki_user SET subject=REPLACE(subject, "", "");

It seems that the only thing I am missing is using a proper user name in case no user with the issuer&subject pair is found. What the OIDC plugin did is the following entry:

+---------+-----------+----------------+---------------+------------------+-------------------+----------------+----------------------------------+--------------------------+------------------+--------------------------+-------------------+-------------------+----------------+-----------------------+---------+---------------------------------------+
| user_id | user_name | user_real_name | user_password | user_newpassword | user_email | user_touched | user_token | user_email_authenticated | user_email_token | user_email_token_expires | user_registration | user_newpass_time | user_editcount | user_password_expires | subject | issuer |
+---------+-----------+----------------+---------------+------------------+-------------------+----------------+----------------------------------+--------------------------+------------------+--------------------------+-------------------+-------------------+----------------+-----------------------+---------+---------------------------------------+
| 290 | User1 | Martin Kosek | | | mkosek@redhat.com | 20171110193530 | 160516ee51a82595e4ae6aa6364594ba | 20171110193524 | | NULL | 20171110193523 | NULL | 0 | NULL | mkosek | https://id.fedoraproject.org/openidc/ |
+---------+-----------+----------------+---------------+------------------+-------------------+----------------+----------------------------------+--------------------------+------------------+--------------------------+-------------------+-------------------+----------------+-----------------------+---------+---------------------------------------+
1 row in set (0.01 sec)

I am specifically talking about the "User1" part. https://www.mediawiki.org/wiki/Extension:OpenID_Connect is talking about "preferred username was provided by the issuer", so I wonder if there is some Ipsilon/OIDC setting that could let the plugin use Fedora user name as the "preferred username".

Fixed migration script once again:

UPDATE freeipawiki_user SET issuer='https://id.fedoraproject.org/openidc/';
UPDATE freeipawiki_user SET subject=(SELECT uoi_openid FROM freeipawiki_user_openid where freeipawiki_user.user_id=freeipawiki_user_openid.uoi_user);
UPDATE freeipawiki_user SET subject=REPLACE(subject, ".id.fedoraproject.org/", "");
UPDATE freeipawiki_user SET subject=REPLACE(subject, "http://", "");
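As an added example (not code from the ticket, MediaWiki or Ipsilon) covering both the mapping proposed above and its corrected script, here is the same migration as one validated step in Python against an in-memory SQLite copy of the two tables; the table and column names come from the ticket, while the allowed username pattern and the sample rows are assumptions.

```python
"""Map legacy Fedora OpenID identifiers to OIDC (issuer, subject) pairs.
Added example, not the ticket's or MediaWiki's code: it does the ticket's UPDATE
statements as one validated step, mapping a row only when its OpenID URL has
exactly the form http://<user>.id.fedoraproject.org/. Sample rows are constructed."""
import re
import sqlite3

ISSUER = "https://id.fedoraproject.org/openidc/"
# Allowed username charset is an assumption (lowercase FAS-style names).
FEDORA_OPENID = re.compile(r"^https?://([a-z][a-z0-9_-]*)\.id\.fedoraproject\.org/$")


def openid_to_subject(openid):
    """OIDC subject for a Fedora OpenID URL, or None when it is not one."""
    m = FEDORA_OPENID.match(openid.strip())
    return m.group(1) if m else None


def build_sample_db():
    """In-memory copy of the two wiki tables (names from the ticket), constructed data."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE freeipawiki_user (user_id INTEGER PRIMARY KEY, user_name TEXT,
                                       issuer TEXT, subject TEXT);
        CREATE TABLE freeipawiki_user_openid (uoi_openid TEXT, uoi_user INTEGER);
        INSERT INTO freeipawiki_user (user_id, user_name) VALUES
            (1, 'Alice'), (2, 'Bob'), (3, 'Carol');
        INSERT INTO freeipawiki_user_openid VALUES
            ('http://alice.id.fedoraproject.org/', 1),
            ('https://bob.id.fedoraproject.org/', 2),
            ('http://carol.example.org/', 3);      -- foreign provider: must not map
    """)
    return conn


def migrate(conn):
    """Fill issuer/subject for Fedora OpenID users; return rows left for manual review."""
    rows = conn.execute(
        "SELECT u.user_id, u.user_name, o.uoi_openid FROM freeipawiki_user u "
        "JOIN freeipawiki_user_openid o ON o.uoi_user = u.user_id").fetchall()
    skipped = []
    for user_id, user_name, openid in rows:
        subject = openid_to_subject(openid)
        if subject is None:
            skipped.append((user_id, user_name, openid))
            continue
        conn.execute("UPDATE freeipawiki_user SET issuer=?, subject=? WHERE user_id=?",
                     (ISSUER, subject, user_id))
    conn.commit()
    return skipped
```

Rows whose identifier is not a Fedora OpenID are returned for manual review instead of receiving the Fedora issuer with a foreign URL as subject, and the parse cannot produce a trailing-dot subject the way the first REPLACE ordering did.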
