We want to test a new tool which uses ODCS to test PRs opened against the pungi-fedora, comps or module-defaults repositories. The idea is that there will be a Jenkins job executed for PRs against these repositories. This Jenkins job will apply the PR in its internal repository, submit an ODCS compose to check if the compose still works after applying this PR, and send a message back to the PR.
In order to do that, we need a new openidc token for this CCCC service, so it can be authorized to ODCS and submit a new compose request.
Please create a "cccc-odcs" openidc token and send it somehow to me so I can configure it in Jenkins and use it.
Metadata Update from @mohanboddu: - Issue tagged with: groomed, low-trouble, medium-gain
Metadata Update from @mohanboddu: - Issue priority set to: Waiting on Assignee (was: Needs Review)
There is a template for OIDC token, could you fill it?
Thanks
To help us register your application in our OIDC service, we need a few pieces of information from you:

Note: all the default values provided here are based on the default choice/implementation of flask-oidc. If you do not use this library you may have to refer to the documentation of your library.

Some generic information first:
- What is the application main URL?
- Who will be the main contact for the application, or will this be core infrastructure?
- What privacy policy will be applicable to the application, or will this be the standard Fedora privacy policy?

Some more OIDC specific information then:
- Which redirect URI(s) will the application use?
  - flask-oidc defaults to: ``<APPLICATION_URL>/oidc_callback`` but it's configurable (so double-check)
- Does the application need the user names, or will an application-specific pseudonym suffice?
  - ie: using flask-oidc, do you ever rely on ``OIDC.user_getfield('sub')`` to get the user's username. If not, this question likely does not matter for your application
- Which authorization flow does the application use?
  - flask-oidc: authorization_code
- Which token authentication method does the application use?
  - flask-oidc: client_secret_post
- Which response type does the application rely on?
  - flask-oidc: Code
Metadata Update from @pingou: - Issue priority set to: Waiting on Reporter (was: Waiting on Assignee)
@pingou, I'm not sure this is the correct form. I'm asking for an openidc service token which I can use to log in to ODCS. I'm not developing a new application which would be used by real end-users or which end-users would authenticate against.
I think I basically want the same as what happened here: https://pagure.io/fedora-infrastructure/issue/7532.
The form (especially the second part) looks irrelevant to my use-case. I will try to fill it in anyway:
Some generic information first: - What is the application main URL?
The Jenkins job will be running on https://jenkins-fedora-infra.apps.ci.centos.org/job/cccc/. I will ask for this job in another ticket.
Who will be the main contact for the application, or will this be core infrastructure?
jkaluza
What privacy policy will be applicable to the application, or will this be the standard Fedora privacy policy?
I presume the standard Fedora privacy policy. But it does not store anything. It simply asks ODCS to generate a compose, and the openidc token in question is used to log in to ODCS.
Some more OIDC specific information then: - Which redirect URI(s) will the application use? - flask-oidc defaults to: <APPLICATION_URL>/oidc_callback but it's configurable (so double-check)
It will not use any redirect URL afaik. It will read the token from file and send it in HTTP request to ODCS.
Does the application need the user names, or will an application-specific pseudonym suffice? ie: using flask-oidc, do you ever rely on OIDC.user_getfield('sub') to get the user's username. If not, this question likely does not matter for your application
No.
- Which authorization flow does the application use?
  - flask-oidc: authorization_code
- Which token authentication method does the application use?
  - flask-oidc: client_secret_post
- Which response type does the application rely on?
  - flask-oidc: Code
This would be valid if I were using the openidc auth workflow. But I only need a client token, if I'm right.
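The pattern described in the comment above (a headless job that reads its token from a file and sends it in the HTTP request, with no redirect URI and no authorization_code flow) can look like the sketch below. This is an added example, not part of the ticket and not CCCC or ODCS code; the URL, the JSON payload shape, the bearer-token header and all function names are assumptions made for illustration.

```python
import json
import os
import stat
import tempfile
import urllib.request

# Assumed placeholder endpoint; the ticket does not give the ODCS API URL.
ODCS_COMPOSES_URL = "https://odcs.example.org/api/1/composes/"


def load_service_token(path):
    """Read a token from a file, refusing files that group or others can access."""
    st = os.stat(path)
    if not stat.S_ISREG(st.st_mode):
        raise ValueError(f"{path}: not a regular file")
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise PermissionError(f"{path}: must not be accessible by group or others")
    with open(path, encoding="ascii") as fh:
        token = fh.read().strip()
    if not token or any(c.isspace() for c in token):
        raise ValueError(f"{path}: empty or malformed token")
    return token


def build_compose_request(token, source_type, source):
    """Build (but do not send) a POST that carries the token as a bearer token."""
    body = json.dumps({"source": {"type": source_type, "source": source}}).encode()
    headers = {"Authorization": f"Bearer {token}", "Content-Type": "application/json"}
    return urllib.request.Request(ODCS_COMPOSES_URL, data=body, headers=headers, method="POST")


def redact(req):
    """Return headers that are safe for a CI log: the token value never appears."""
    return {k: ("Bearer <redacted>" if k.lower() == "authorization" else v)
            for k, v in req.header_items()}


def demo():
    """Constructed sample: write a fake token with mode 0600, then build the request."""
    fd, path = tempfile.mkstemp()
    try:
        os.write(fd, b"constructed-sample-token\n")
        os.close(fd)
        os.chmod(path, 0o600)
        req = build_compose_request(load_service_token(path), "tag", "f30")
        return req, redact(req)
    finally:
        os.unlink(path)
```

Because the token is the job's only credential, the permission check and the redacted log view are the parts worth carrying over to a real Jenkins job.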
So it looks like I confused OIDC token and OIDC secret for apps...
I've followed https://docs.pagure.org/infra-docs/sysadmin-guide/sops/ipsilon.html#generate-an-openid-connect-token and generated the token for @jkaluza. Sorry for the mix-up and thus the time it took to process this ticket :(
Let us know if you need anything else!
Metadata Update from @pingou: - Issue close_status updated to: Fixed - Issue status updated to: Closed (was: Open)