fedora-copr/copr

Fedora instance: please switch authentication from OpenID to OIDC

Opened this issue · 8 comments

Hey folks! The Fedora instance of Copr is currently using OpenID (and GSSAPI) for authentication.
We are looking to remove OpenID from the authentication options, because we'd like to switch the authentication provider from Ipsilon to Keycloak, which only supports OIDC.
If I understand correctly, Copr is already capable of OIDC authentication. Would it be possible to switch Copr's authentication to OIDC? (still with Ipsilon for now)

You'll need the following info:

And I'll need the redirect_uri that you're going to use in the OIDC process.

I'm happy to help with the switch; ping me on Matrix (I'm in #buildsys, #infrastructure and #apps).

Thank you for the report.

Does the removal of OpenID mean removal of GSSAPI?

That seems like a different thing, no? Is there a link between OpenID authentication and GSSAPI authentication in Copr?
Does your GSSAPI auth go through Ipsilon?

Probably it is a different thing? And I hope. :) you will know better than me, that's why I am asking 😅
"plain" GSSAPI is supported both in Copr cli and web-ui separately, plus gssapi is also accepted through Ipsilon (OID).

What is the ETA for killing OpenID in Fedora? Do you have some tracker?

Probably it is a different thing? And I hope. :) you will know better than me, that's why I am asking 😅 "plain" GSSAPI is supported both in Copr cli and web-ui separately, plus gssapi is also accepted through Ipsilon (OID).

Yeah, so it's independent from Ipsilon/OpenID :-)

What is the ETA for killing OpenID in Fedora? Do you have some tracker?

We haven't decided on that yet, but we would prefer migrating all apps to OIDC as soon as reasonably possible, if they are already capable of it.

I have been pinged in https://pagure.io/fedora-infrastructure/issue/10241, that seems like a tracker.

The overall Fedora Copr movement is not a high priority task, though. Do you think we should hurry up?

nirik commented

Well, the only things left using openid (that we directly know of) are copr and anitya. There's going to be a new anitya release soon and then copr will be the last one. ;)

We want to move all these so we can retire ipsilon and move to keycloak, so sooner would be better for us.

Seems worth prioritizing, then. We'll triage this on Monday.