#9966 Update iddev.fedorainfracloud.org
Closed: Fixed 2 years ago by kevin. Opened 2 years ago by bcotton.

Describe what you would like us to do:


Update iddev to use the new account system instead of the old FAS2. This will allow the oidc-register command to work properly for things like elections app local testing.

When do you need this to be done by? (YYYY/MM/DD)


No rush, as I'm not planning any immediate Elections work. So like... sometime in Q3 2021?


Metadata Update from @abompard:
- Issue tagged with: authentication

2 years ago

This issue is, I think, that iddev.fedorainfracloud.org is not in our infra and thus does not have access to IPA. And Ipsilon needs to be enrolled in IPA to use the sssd plugin and authenticate users. Sysadmins, any idea how we could resolve this?

To be clear, if there's another place I could point oidc-register to instead, that's a valid solution for my needs (although I'm not sure what else might use iddev)

Metadata Update from @mohanboddu:
- Issue priority set to: Waiting on Assignee (was: Needs Review)
- Issue tagged with: low-gain, low-trouble, ops

2 years ago

Yeah, we would have to put it on the vpn and enroll it. ;( Which we could do, but meh...

@puiterwijk any other ideas here?

@bcotton I'd also thought I would mention the tinystage:

https://github.com/fedora-infra/tiny-stage

It is a collection of vagrant machines that we set up when developing Fedora Accounts -- it might be useful when working on elections (IIRC, there is an elections machine already made in there). As the base, it makes a freeipa/freeipa-fas instance & ipsilon so you can test auth stuff locally.

The documentation is lacking on it, but I hope to expand it a little, but it might be useful to you.

@kevin @abompard What is the purpose of iddev? The tinystage now pretty easily allows someone to set up ipa / ipsilon / freeipa-fas -- and lets a developer hook into that for testing purposes...

Is iddev used for more than that?

iddev was/is for testing development version applications. To have an auth stack to test against that's like staging.

If tinystage can take this over that's great!

Perhaps a demo of tinystage would be good to get more folks knowing about it?

So, I guess here we need @bcotton to try tiny stage and see if it will work for his needs?

and perhaps we should retire iddev entirely and ask folks to just use tinystage?

It's not clear which machine in tiny-stage is supposed to be the target of oidc-register when setting up my local elections dev environment. I've tried several options, but they all complain about the self-signed SSL cert.

@bcotton yeah, for getting tiny-stage to work with oidc register, we had to use the certs.

The elections box in tiny-stage is set up and successfully connects; here are the tasks we run to set it up:

https://github.com/fedora-infra/tiny-stage/blob/main/ansible/roles/elections/tasks/main.yml

We also have a bare-bones oidc box that implements a super-simple oidc client for testing and to demo how to set it up:

https://github.com/fedora-infra/tiny-stage/blob/main/ansible/roles/oidctest/tasks/main.yml

Patrick and I talked about this today and we decided that we would just prefer to retire iddev and have application developers use tiny stage for testing (or staging).

So, we need to decommission that instance, and then update any docs that mention it.

I have retired this instance.

Metadata Update from @kevin:
- Issue close_status updated to: Fixed
- Issue status updated to: Closed (was: Open)

2 years ago
