FedoraQA - Blockerbugs - OIDC setup #12516

Open
opened 2025-04-24 15:00:17 +00:00 by lbrabec · 1 comment
lbrabec commented 2025-04-24 15:00:17 +00:00 (Migrated from pagure.io)

Describe what you would like us to do:


We want to add OIDC authentication to the blockerbugs app, and thus we need the app to be registered with the OIDC server, and to set ansible variables holding the OIDC tokens/data.
We expect the client_secrets.json file template to look like this (in tact with our other apps using OIDC):

{
    "web": {
        "auth_uri": "https://id{{env_suffix}}.fedoraproject.org/openidc/Authorization",
        "client_id": "{{ (env == 'production')|ternary(blockerbugs_oidc_client_id, blockerbugs_oidc_client_id_stg) }}",
        "client_secret": "{{ (env == 'production')|ternary(blockerbugs_oidc_secret, blockerbugs_oidc_secret_stg) }}",
        "issuer": "https://id{{env_suffix}}.fedoraproject.org/openidc/",
        "redirect_uris": [
            "https://qa{{env_suffix}}.fedoraproject.org/blockerbugs/authorize"
        ],
        "token_uri": "https://id{{env_suffix}}.fedoraproject.org/openidc/Token",
        "userinfo_uri": "https://id{{env_suffix}}.fedoraproject.org/openidc/UserInfo"
    }
}

Expected redirects:

  • https://qa.fedoraproject.org/blockerbugs/authorize for Production
  • https://qa.stg.fedoraproject.org/blockerbugs/authorize for Staging

Expected ansible variables:

  • blockerbugs_oidc_client_id
  • blockerbugs_oidc_client_id_stg
  • blockerbugs_oidc_secret
  • blockerbugs_oidc_secret_stg

When do you need this to be done by? (YYYY/MM/DD)


Before the next Fedora release cycle. Hopefully sooner :)

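An added example, not part of the ticket or of the blockerbugs code: a check that could be run on the rendered `client_secrets.json` before deployment, confirming that every endpoint and the single redirect URI match the requested values for the environment and that no secret was left as an unrendered template expression. The `env_suffix` values (`""` and `.stg`) are an assumption inferred from the two redirect URLs above; the function names and the placeholder id and secret are constructed for illustration.

```python
import json

# Assumption: env_suffix renders to "" in production and ".stg" in staging,
# inferred from the two redirect URLs listed in the ticket.
SUFFIX = {"production": "", "staging": ".stg"}
ENDPOINTS = {"auth_uri": "/openidc/Authorization", "issuer": "/openidc/",
             "token_uri": "/openidc/Token", "userinfo_uri": "/openidc/UserInfo"}


def check_client_secrets(text, env):
    """Return a list of problems found in a rendered client_secrets.json."""
    try:
        web = json.loads(text)["web"]
    except (ValueError, KeyError, TypeError) as exc:
        return [f"not a client_secrets document: {exc!r}"]
    if not isinstance(web, dict):
        return ["'web' is not an object"]
    problems = []
    idp = f"https://id{SUFFIX[env]}.fedoraproject.org"
    for key, path in ENDPOINTS.items():
        if web.get(key) != idp + path:
            problems.append(f"{key}: expected {idp + path}, got {web.get(key)!r}")
    redirect = f"https://qa{SUFFIX[env]}.fedoraproject.org/blockerbugs/authorize"
    if web.get("redirect_uris") != [redirect]:
        problems.append(f"redirect_uris: expected only {redirect}")
    for key in ("client_id", "client_secret"):
        value = web.get(key)
        if not isinstance(value, str) or not value.strip():
            problems.append(f"{key}: missing or empty")
        elif "{{" in value or "}}" in value:
            problems.append(f"{key}: unrendered template expression")
    return problems


def constructed_sample(env, client_id, secret):
    """Build a constructed rendered file; the id and secret are placeholders."""
    web = {k: f"https://id{SUFFIX[env]}.fedoraproject.org{p}" for k, p in ENDPOINTS.items()}
    web["redirect_uris"] = [f"https://qa{SUFFIX[env]}.fedoraproject.org/blockerbugs/authorize"]
    web.update(client_id=client_id, client_secret=secret)
    return json.dumps({"web": web})


if __name__ == "__main__":
    good = constructed_sample("staging", "PLACEHOLDER-ID", "PLACEHOLDER-SECRET")
    print(check_client_secrets(good, "staging"))      # a clean staging render
    print(check_client_secrets(good, "production"))   # staging file on a production host
```
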
zlopez commented 2025-04-24 15:10:44 +00:00 (Migrated from pagure.io)

Metadata Update from @zlopez:

  • Issue assigned to zlopez
  • Issue priority set to: Waiting on Assignee (was: Needs Review)
  • Issue tagged with: high-gain, low-trouble, ops
Reference: rootroot/fedora-infrastructure#12516