search

fedora-copr / copr

RPM build system - upstream for https://copr.fedorainfracloud.org/
113 stars 61 forks source link

Fedora instance: please switch authentication from OpenID to OIDC #3483

Open abompard opened 1 month ago

abompard commented 1 month ago

Hey folks! The Fedora instance of Copr is currently using OpenID (and GSSAPI) for authentication. We are looking to remove OpenID from the authentication options, because we'd like to switch the authentication provider from Ipsilon to Keycloak, which only supports OIDC. If I understand correctly, Copr is already capable of OIDC authentication. Would it be possible to switch Copr's authentication to OIDC? (still with Ipsilon for now)

You'll need the following info:

And I'll need the redirect_uri that you're going to use in the OIDC process.

I'm happy to help with the switch, ping me on Matrix (I'm in #buildsys and #infrastructure and #apps)

praiskup commented 1 month ago

Thank you for the report.

Does the removal of OpenID mean removal of GSSAPI?

abompard commented 1 month ago

That seems like a different thing, no? Is there a link between OpenID authentication and GSSAPI authentication in Copr ? Does your GSSAPI auth go trough Ipsilon?

praiskup commented 1 month ago

Probably it is a different thing? And I hope. :) you will know better than me, that's why I am asking :sweat_smile: "plain" GSSAPI is supported both in Copr cli and web-ui separately, plus gssapi is also accepted through Ipsilon (OID).

praiskup commented 4 weeks ago

What is the ETA for killing OpenID in Fedora? Do you have some tracker?

abompard commented 4 weeks ago

Probably it is a different thing? And I hope. :) you will know better than me, that's why I am asking 😅 "plain" GSSAPI is supported both in Copr cli and web-ui separately, plus gssapi is also accepted through Ipsilon (OID).

Yeah so it's independant from Ipsilon/OpenID :-)

What is the ETA for killing OpenID in Fedora? Do you have some tracker?

We haven't decided on that yet, but we would prefer migrating all apps to OIDC as soon as reasonably possible, if they are already capable of it.