#9872 FAS OIDC keys for forum.mojefedora.cz
Opened a month ago by frantisekz. Modified 11 days ago

Describe what you would like us to do:


I'd like to enable login with fas on forum.mojefedora.cz . It's a Discourse instance for Czech Fedora Community. I'd need:
- openid client secret
- openid client id (if that's up to me, let's use forum.mojefedora.cz)
- openid scopes: openid email
- path to .well-known/openid-configuration

Thanks!

When do you need this to be done by? (YYYY/MM/DD)


No need to hurry :)


Metadata Update from @mohanboddu:
- Issue priority set to: Waiting on Assignee (was: Needs Review)
- Issue tagged with: low-gain, low-trouble, ops

a month ago

I'll send you the client secret over gpg-encrypted email.

The scopes are asked by the client upon login, so that's on your side :)

Is there a way you could test this against staging? That would allow to test this without touching production which is still frozen.

Also, do you have a GPG key? Could you link it to your FAS account?

Also, do you have a GPG key? Could you link it to your FAS account?

Added, hopefully managed to do that right :)

Is there a way you could test this against staging? That would allow to test this without touching production which is still frozen.

Sure, we can start with stg.

The secrets have been created and deployed in staging and sent to @frantisekz.

Waiting on his feedback

Metadata Update from @pingou:
- Issue assigned to pingou
- Issue priority set to: Waiting on Reporter (was: Waiting on Assignee)

17 days ago

The secrets have been created and deployed in staging and sent to @frantisekz.

Waiting on his feedback

Thanks, it seems it should work once there is a correct redirect_uri, which should be (I guess without &response_type=code&scope=openid&state= at the end):

https://forum.mojefedora.cz/auth/oidc/callback

Now, it's ending with bad request, invalid redirect_uri. Can you change this ipsilon side?

Thanks!

Can you change this ipsilon side?

It has been done :)

Can you change this ipsilon side?

It has been done :)

Thanks, damned openid though :/

I've set up following in the discourse instance:

It is somehow failing with "(oidc) Authentication failure! invalid_credentials: OAuth2::Error, invalid_client: client authentication error {"error": "invalid_client", "error_description": "client authentication error"}" (after the redirect from ipsilon, so I guess there would be nothing to see in ipsilon logs).

@pingou , do you see there anything badly set up? Can somebody take a look, how is https://discussion.fedoraproject.org/ configured?

Thanks!

Did you try with an empty client id?

Did you try with an empty client id?

Unfortunately, that ends with:

(oidc) Authentication failure! invalid_request: OmniAuth::Strategies::OAuth2::CallbackError, invalid_request | missing required argument client_id

openid connect client id: forum-mojefedora-cz

I set that up on our ipsilon/stg instance.

Can you try again see if that makes a difference?

openid connect client id: forum-mojefedora-cz

I set that up on our ipsilon/stg instance.

Can you try again see if that makes a difference?

Tried right now, failed the same way :(

@mattdm can you please take a look (if you can) how is oauth set up on ask.fpo.org, so I can make sure I've set everything right?

I know it's a lot of text, screenshot would work for me just fine (just make sure to hide secret key :) ).

It should be on this url: https://ask.fedoraproject.org//admin/site_settings/category/all_results?filter=plugin%3Adiscourse-oauth2-basic

I'd need these:

  • oauth2 authorize url
  • oauth2 authorize signup url
  • oauth2 token url
  • oauth2 token url method
  • oauth2 callback user id path
  • oauth2 callback user info paths

if oauth2 fetch user details:

  • oauth2 user json url
  • oauth2 user json url method
  • oauth2 json user id path
  • oauth2 json username path
  • oauth2 json name path
  • oauth2 json email path
  • oauth2 json email verified path
  • oauth2 json avatar path

true/false checkboxes:

  • oauth2 send auth header
  • oauth2 send auth body
  • oauth2 authorize options
  • oauth2 scope

Thanks a lot upfront!

Login to comment on this ticket.

Metadata
Boards 1
ops Status: In Progress