#9449 Please add OpenID clients to Ipsilon IdP (osci-vault)
Closed: Fixed 3 years ago by pingou. Opened 3 years ago by astepano.

Hello.

We are running app: https://vault.ci.fedoraproject.org/

There are different ways to do authentication, for example with a GitHub organization. We have the Fedora-CI organization in GitHub.
The GitHub approach is a bit tedious, because the user must create a token.

I want to try to integrate Fedora OIDC for this purpose and see what works better.

Please add an entry for this app:

osci-vault client_name="osci-vault"
osci-vault client_secret="XXX <long random string>"
osci-vault redirect_uris=["https://vault.ci.fedoraproject.org/ui/vault/auth/oidc/oidc/callback"]
osci-vault client_uri="https://vault.ci.fedoraproject.org/"
osci-vault ipsilon_internal={"type":"static","client_id":"fedocal","trusted":true}
osci-vault contacts=["ci@lists.fedoraproject.org", "admin@fedoraproject.org"]
osci-vault client_id=null
osci-vault policy_uri="https://fedoraproject.org/wiki/Legal:PrivacyPolicy"
osci-vault grant_types="authorization_code"
osci-vault response_types="code"
osci-vault application_type="web"
osci-vault subject_type="pairwise"
osci-vault logo_uri=null
osci-vault tos_uri=null
osci-vault jwks_uri=null
osci-vault jwks=null
osci-vault sector_identifier_uri=null
osci-vault request_uris=[]
osci-vault require_auth_time=null
osci-vault token_endpoint_auth_method="client_secret_post"
osci-vault id_token_signed_response_alg="RS256"
osci-vault request_object_signing_alg="none"
osci-vault initiate_login_uri=null
osci-vault default_max_age=null
osci-vault default_acr_values=null
osci-vault client_secret_expires_at=0

Please email me client_secret encrypted with:

http://keys.gnupg.net/pks/lookup?op=vindex&fingerprint=on&search=0xFFDFB4A69A82842F

The reference document is: https://fedora-infra-docs.readthedocs.io/en/latest/sysadmin-guide/sops/ipsilon.html#create-openid-connect-secrets-for-apps

Thank you!


If this is only for testing, are you ok if we set it up in staging?

@pingou hi.
Yes, for testing purposes staging is OK, as long as it provides necessary functionality and knows about Fedora-users.

Please add this client to the staging IdP:

https://id.stg.fedoraproject.org/.well-known/openid-configuration

Thank you!

Metadata Update from @smooge:
- Issue priority set to: Waiting on Assignee (was: Needs Review)
- Issue tagged with: authentication, medium-gain, medium-trouble, ops

3 years ago

My side config is ready.
But since the IdP doesn't know about the client with the above ID, it fails with:

Vault login failed. No code or id_token received.

Please add the above client to prod or stage Ipsilon config.

I think we can add it to prod and start using this service. Thank you.

FYI, staging doesn't currently know too many users because we are working on deploying noggin there, and the sync from fas->noggin isn't yet working, so there's only a handful of accounts.

Hi, please register this app in prod Ipsilon instance. Thank you.

I've added the config to ipsilon in staging, I'm running the ipsilon playbook and I'll send you shortly the client_secret.

You can create new accounts in https://admin.stg.fedoraproject.org/accounts/ and use them to test. If that works and you like the Fedora approach, then we can move to prod ipsilon.

Let us know! :)

Email sent and playbook finished running.

I'm going to close this as fixed. Let us know if you need anything else.

Metadata Update from @pingou:
- Issue close_status updated to: Fixed
- Issue status updated to: Closed (was: Open)

3 years ago

Hi, we have successfully integrated vault instance http://vault.ci.fedoraproject.org/ with staging-ipsilon.

Please add the same config to prod-instance.
If possible use the same application-key.

Metadata Update from @astepano:
- Issue status updated to: Open (was: Closed)

3 years ago

@pingou would you please have time to look at this? Thank you.

Oh, sorry, I missed your last comment.

Metadata Update from @pingou:
- Issue assigned to pingou

3 years ago

@astepano the ansible playbook has finished running and should have deployed the new configuration.

Could you check on your end?

@pingou I am so sorry,
I forgot to replace:

From:

osci-vault redirect_uris=["https://vault.ci.fedoraproject.org/ui/vault/auth/oidc/oidc/callback"]

to:

osci-vault redirect_uris=["https://vault.ci.fedoraproject.org/ui/vault/auth/oidc/oidc/callback", "http://localhost:8250/oidc/callback"]

The web auth works just fine. But, command-line interface does not.

Please update that redirect_uris. Thank you!

Hi,

Unfortunately, one client ID with both an https:// and a http://localhost redirect URI is not allowed per the OpenID Connect specifications, so that will have to be two distinct client IDs.
This is because the CLI client (application_type native) is assumed to be unable to keep any secrets.

So, @pingou, please create a second client ID for the CLI.

Also, I'm not sure if you used the blurb from the original comment, but that one has an error:
osci-vault ipsilon_internal={"type":"static","client_id":"fedocal","trusted":true}.
The client_id should be osci-vault, and trusted should be false (because it's not run by Fedora Infra themselves, so users should be prompted for permission whether to send their information).
If you did fix those before pushing, ignore this comment :).
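An added check (not part of this ticket, nor Ipsilon's or Vault's own code) that parses a registration blurb in the `name key=value` format used above and flags the three problems raised in this thread: a mismatched `ipsilon_internal.client_id`, `trusted` set on an app not run by infra, and a loopback `http://localhost` redirect URI registered on a web client instead of a separate native one. The sample entry is constructed and the `infra_operated` flag is an assumption.

```python
import json
from urllib.parse import urlparse

# Constructed sample in the "name key=value" registration format; values are JSON.
SAMPLE = """\
osci-vault client_name="osci-vault"
osci-vault redirect_uris=["https://vault.ci.fedoraproject.org/ui/vault/auth/oidc/oidc/callback", "http://localhost:8250/oidc/callback"]
osci-vault ipsilon_internal={"type":"static","client_id":"fedocal","trusted":true}
osci-vault application_type="web"
osci-vault token_endpoint_auth_method="client_secret_post"
"""

LOOPBACK_HOSTS = ("localhost", "127.0.0.1", "::1")


def parse_clients(text):
    """Parse 'name key=value' lines into {name: {key: value}}; each value is JSON."""
    clients = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        name, rest = line.split(None, 1)
        key, raw = rest.split("=", 1)  # keys never contain '=', values may
        clients.setdefault(name, {})[key] = json.loads(raw)
    return clients


def check_client(name, cfg, infra_operated=False):
    """Return a list of findings; an empty list means the entry follows the thread's rules."""
    findings = []
    internal = cfg.get("ipsilon_internal") or {}
    if internal.get("client_id") != name:
        findings.append(f"ipsilon_internal.client_id {internal.get('client_id')!r} != {name!r}")
    if internal.get("trusted") and not infra_operated:
        # trusted=true skips the consent prompt; only infra-run apps should get that.
        findings.append("trusted=true on an app not run by infra; users should be prompted for consent")
    app_type = cfg.get("application_type")
    for uri in cfg.get("redirect_uris", []):
        u = urlparse(uri)
        is_loopback = u.scheme == "http" and u.hostname in LOOPBACK_HOSTS
        if u.scheme == "https" or (is_loopback and app_type == "native"):
            continue  # https is fine anywhere; loopback http is fine on a native client
        if is_loopback:
            findings.append(f"{uri}: loopback redirect needs its own native client, not a web client")
        else:
            findings.append(f"{uri}: non-https redirect URI")
    return findings
```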

> So, @pingou, please create a second client ID for the CLI.

Will do, then the client_secret will be "nosecret" like the other CLI I guess :)

> Also, I'm not sure if you used the blurb from the original comment, but that one has an error:
> osci-vault ipsilon_internal={"type":"static","client_id":"fedocal","trusted":true}.
> The client_id should be osci-vault, and trusted should be false (because it's not run by Fedora Infra themselves, so users should be prompted for permission whether to send their information).
> If you did fix those before pushing, ignore this comment :).

I had fixed the client_id but missed the trusted one.

I'll process/fix this tomorrow.

Thanks for your help @puiterwijk !

@astepano alright, the osci-vault-cli client has been enrolled and openshift finished deploying the new config.

Can you test on your side?

Thanks

client_id=osci_vault_cli or client_id=osci-vault-cli
"oidc_client_secret": "nosecret"

returns: error_description=Unknown+client+ID

from the configuration file:

osci-vault-cli client_name="osci-vault-cli"
osci-vault-cli ipsilon_internal={"type":"static","client_id":"osci_vault_cli","trusted":false}

so the client id should be osci_vault_cli.

Oh, the client secret is notsecret instead.

Does this help?

Magic, after a lot of tries it works with:

  "oidc_client_id": "osci-vault-cli",
  "oidc_client_secret": "notsecret",

Thank you :-) Ticket can be closed. :-D

Thanks for the follow up! :)

Metadata Update from @pingou:
- Issue close_status updated to: Fixed
- Issue status updated to: Closed (was: Open)

3 years ago
