From 01f1baf0b5cdeadc13fdf1705e1ff83b1b54e99d Mon Sep 17 00:00:00 2001 From: Patrick Uiterwijk Date: Feb 07 2017 13:29:19 +0000 Subject: Document adding new OpenIDC scopes Signed-off-by: Patrick Uiterwijk --- diff --git a/ipsilon.rst b/ipsilon.rst index 6ff8c58..a1c4d70 100644 --- a/ipsilon.rst +++ b/ipsilon.rst @@ -17,6 +17,8 @@ Contents 3. Known Issues 4. ReStarting 5. Configuration +6. Common actions + 6.1. Registering OpenID Connect Scopes Contact Information =================== 
@@ -52,3 +54,27 @@ Configuration ================ Configuration is handled by the ipsilon.yaml playbook in Ansible. This can also be used to reconfigure application, if that becomes nessecary. + +Common actions +============== +This section describes some common configuration actions. + +OpenID Connect Scope Registration +--------------------------------- +As documented on https://fedoraproject.org/wiki/Infrastructure/Authentication, application developers can request their own scopes. +When a request for this comes in, look in ansible/roles/ipsilon/files/oidc_scopes/ and copy an example module. +Copy this to a new file, so we have a file per scope set. +Fill in the information: + - name is an Ipsilon-internal name. This should not include any spaces + - display_name is the name that is displayed to the category of scopes to the user + - scopes is a dictionary with the full scope identifier (with namespace) as keys. + The values are dicts with the following keys: + display_name: The complete display name for this scope. This is what the user gets shown to accept/reject + claims: A list of additional "claims" (pieces of user information) an application will get when the user + consents to this scope. For most scopes, this will be the empty list. +In ansible/roles/ipsilon/tasks/main.yml, add the name of the new file (without .py) to the with_items of + "Copy OpenID Connect scope registrations"). +To enable, open ansible/roles/ipsilon/templates/configuration.conf, and look for the lines starting with + "openidc enabled extensions". +Add the name of the plugin (in the "name" field of the file) to the environment this scopeset has been requested for. +Run the ansible ipsilon.yml playbook.
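Review bot: the new Contents entry `6.1. Registering OpenID Connect Scopes` in the first hunk does not match the heading the second hunk actually adds (`OpenID Connect Scope Registration`); use the same wording in both so a reader scanning the Contents list can find the section. Since this Contents block is maintained by hand, consider replacing it with a `.. contents::` directive so future sections cannot drift out of sync with their headings.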
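Review bot: the bullet list under `Fill in the information:` in the second hunk will not render as intended in reStructuredText: the items are indented by one space, the continuation line `The values are dicts with the following keys:` is indented only to the bullet marker rather than to the item text, and the nested `display_name:` / `claims:` lines and the following paragraph `In ansible/roles/ipsilon/tasks/main.yml, ...` run straight on without a blank line, which docutils reports as an unexpected unindent. Indent continuation text to align with the item text, use a nested list (or a definition list) for the two dict keys, and leave a blank line after the list. Two smaller points: `"Copy OpenID Connect scope registrations").` closes a parenthesis that was never opened, and the final step says `ipsilon.yml` while the Configuration section just above refers to `ipsilon.yaml`; pick one filename. Because every entry in `claims` widens the user information an application receives once the user consents, it would also help to state that a requested claims list should be reviewed for the scope's stated purpose rather than copied from the example module.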