#7679 OIDC client_id and client_secret for elections
Closed: Fixed a month ago by puiterwijk. Opened 2 months ago by pingou.

  • Describe what you need us to do:
    Elections has been ported to openid-connect, as such it needs in its client_secret.json a client_id and a client_secret.
    Could you please look at generating them?
    (Having a SOP for this would be great as it would have allowed me to do them without bothering anyone else :))

  • When do you need this? (YYYY/MM/DD)
    When possible

  • When is this no longer needed or useful? (YYYY/MM/DD)
    When elections is deprecated or we move to another authentication protocol

  • If we cannot complete your request, what is the impact?
    We cannot move forward with porting elections to openshift :)


NB: while only staging will be useful for now, I figure we might just as well create both stg and prod instances :)

To issue a client ID for web applications, we need answers to the following questions:

  • Which redirect URI(s) will the application use?
  • What is the application main URL?
  • Who will be the main contact for the application, or will this be core infrastructure?
  • What privacy policy will be applicable to the application, or will this be the standard Fedora privacy policy?
  • Does the application need the user names, or will an application-specific pseudonym suffice?
  • Which authorization flow does the application use? [1]
  • Which token authentication method does the application use? [1]

For the items marked with [1], please consult your library's documentation and usage.

Which redirect URI(s) will the application use?

This is already set in the client_secrets.json

What is the application main URL?

elections.stg.fedoraproject.org in stg

Who will be the main contact for the application, or will this be core infrastructure?

It's the elections app, nothing new

What privacy policy will be applicable to the application, or will this be the standard Fedora privacy policy?

It's the elections app, nothing new

Does the application need the user names, or will an application-specific pseudonym suffice?

Here are the scopes asked: OIDC_SCOPES = ['openid', 'email', 'profile', 'fedora']

Which authorization flow does the application use? [1]

It uses flask-oidc

Which token authentication method does the application use? [1]

It uses flask-oidc

Which redirect URI(s) will the application use?

This is already set in the client_secrets.json

To be complete here is its value https://elections{{env_suffix}}.fedoraproject.org/oidc_callback

The client ID and secret are in elections_oidc_client_id and elections_oidc_client_secret respectively.
For the record, the flask-oidc doc provides the technical answers: https://flask-oidc.readthedocs.io/en/latest/#manual-client-registration

Metadata Update from @puiterwijk:
- Issue close_status updated to: Fixed
- Issue status updated to: Closed (was: Open)

a month ago

The client ID and secret are in elections_oidc_client_id and elections_oidc_client_secret respectively.

They do not mention stg in their name, do we want to use the same variable names for stg and for prod?

Nah, no real need to. Since the staging setup should be using the staging IdP etc.
The secret itself should probably be different, but the client ID doesn't have to be.
(but if you feel strongly, feel free to do so)

The secret itself should probably be different, but the client ID doesn't have to be.

Thanks, I'll rename the client secret only then :)
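The points settled in this ticket (redirect URI template with {{env_suffix}}, the requested scopes, a client ID that may be shared between stg and prod, a secret and IdP that must differ) can be checked mechanically. The script below is an added example, not code from the ticket, from elections, or from flask-oidc. It assumes the Google-style "web" block layout that flask-oidc reads in manual client registration mode, hypothetical IdP endpoint paths under a caller-supplied issuer URL, and the env suffix values "" for prod and ".stg" for staging.

```python
"""Render a flask-oidc client_secrets.json per environment and verify the
registration facts agreed in the ticket. Added example, not project code.

Assumptions (not from the ticket): the "web" key layout flask-oidc expects
in manual registration mode, the endpoint paths appended to the issuer,
and the env suffix mapping below."""
import json
import secrets
from urllib.parse import urlsplit

# From the ticket: the redirect URI template and the scopes elections asks for.
REDIRECT_TEMPLATE = "https://elections{env_suffix}.fedoraproject.org/oidc_callback"
OIDC_SCOPES = ["openid", "email", "profile", "fedora"]

# Assumed values of {{env_suffix}} per environment.
ENV_SUFFIX = {"prod": "", "stg": ".stg"}


def new_client_secret(nbytes=32):
    """256 bits from the OS CSPRNG. Generate one per environment; never
    derive the prod secret from the stg one or reuse it."""
    return secrets.token_urlsafe(nbytes)


def render_client_secrets(env, client_id, client_secret, issuer):
    """Build the dict written to client_secrets.json for one environment.
    The issuer is the environment's own IdP (stg talks to the staging IdP).
    Endpoint paths are placeholders; take the real ones from the IdP's
    discovery document."""
    redirect_uri = REDIRECT_TEMPLATE.format(env_suffix=ENV_SUFFIX[env])
    return {
        "web": {
            "client_id": client_id,
            "client_secret": client_secret,
            "issuer": issuer,
            "auth_uri": issuer + "/Authorization",   # assumed path
            "token_uri": issuer + "/Token",          # assumed path
            "userinfo_uri": issuer + "/UserInfo",    # assumed path
            "redirect_uris": [redirect_uri],
        }
    }


def check_redirect_uri(uri, env):
    """Apply the exact-match rules an IdP enforces on redirect URIs:
    https only, the expected host for this environment, the fixed callback
    path, and no query or fragment (a looser match invites code theft via
    an attacker-controlled redirect)."""
    parts = urlsplit(uri)
    host = "elections" + ENV_SUFFIX[env] + ".fedoraproject.org"
    return (parts.scheme == "https" and parts.netloc == host
            and parts.path == "/oidc_callback"
            and not parts.query and not parts.fragment)


def check_scopes(scopes):
    """'openid' is mandatory for an OIDC request; the rest are optional and
    'fedora' is the Fedora-specific scope the app asks for."""
    return "openid" in scopes and len(set(scopes)) == len(scopes)


def check_environments(prod, stg):
    """Sharing the client_id across stg and prod is acceptable; the secret,
    the IdP and the redirect URI must not be shared."""
    p, s = prod["web"], stg["web"]
    return (p["client_secret"] != s["client_secret"]
            and p["issuer"] != s["issuer"]
            and p["redirect_uris"] != s["redirect_uris"]
            and all(check_redirect_uri(u, "prod") for u in p["redirect_uris"])
            and all(check_redirect_uri(u, "stg") for u in s["redirect_uris"]))


def to_json(cfg):
    """Serialise exactly as it would be written to client_secrets.json."""
    return json.dumps(cfg, indent=2, sort_keys=True)


if __name__ == "__main__":
    cid = "elections"  # same ID in both environments is fine
    prod = render_client_secrets("prod", cid, new_client_secret(),
                                 "https://id.example.invalid/openidc")
    stg = render_client_secrets("stg", cid, new_client_secret(),
                                "https://id.stg.example.invalid/openidc")
    print(to_json(stg))
    print("environments ok:", check_environments(prod, stg))
```

In deployment the two secrets would live in separate variables (the ticket settles on renaming only the secret for staging) and the file would be templated from them; the checks above are what a SOP for issuing a web-application client ID could run before the registration is accepted.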
