Project

General

Profile

action #67573

"OpenID Connect" support in openQA

Added by okurz about 1 year ago. Updated about 1 year ago.

Status:
Resolved
Priority:
Normal
Assignee:
Category:
Feature requests
Target version:
Start date:
2020-06-02
Due date:
% Done:

0%

Estimated time:
Difficulty:

Description

Motivation

We only support "OpenID" and "Fake" authentication so far. In #66703 we can see the problem with the high reliance on OpenID. A more recent standard is "OpenID Connect". We should research how feasible it is to support that.


Related issues

Related to openQA Project - action #66703: Switch to new SUSE/openSUSE authentication systemResolved2020-05-122020-06-30

History

#1 Updated by okurz about 1 year ago

  • Related to action #66703: Switch to new SUSE/openSUSE authentication system added

#2 Updated by kraih about 1 year ago

If i understand OpenID Connect correctly it's really just OAuth 2.0, which might be rather easy to support with existing Mojolicious plugins.

#3 Updated by mkittler about 1 year ago

That's what cdywan is experimenting with: https://github.com/os-autoinst/openQA/pull/3150

#4 Updated by okurz about 1 year ago

  • Status changed from Workable to Blocked
  • Assignee set to cdywan

Right. So after all as expected it could be the stories align well.

#5 Updated by cdywan about 1 year ago

The difference between OAuth 2.0 and OpenID Connect is that the former provides authorization (am I allowed?), the latter covers authentication (who am I?). So #67576 naturally overlaps with this.

  • Google adheres to the OpenID Connect spec, recognizes/requires openid email scope and provides id_token to avoid calling into Google API to authenticate.
  • Okta also supports id_token.
  • GitHub implements OAuth 2.0 only which is why the authentication requires an extra call into GitHub API and non-standard scopes.

#6 Updated by cdywan about 1 year ago

  • Subject changed from [spike:20h] "OpenID Connect" support in openQA to "OpenID Connect" support in openQA
  • Status changed from Blocked to Workable
  • Assignee deleted (cdywan)

With #67576 implemented, this ticket boils down to adding OpenID Connect-implementing providers.

#7 Updated by okurz about 1 year ago

  • Status changed from Workable to Resolved
  • Assignee set to cdywan

cdywan wrote:

With #67576 implemented, this ticket boils down to adding OpenID Connect-implementing providers.

and that can be done whenever a specific need arises. I would say with the done work we can actually resolve.

Also available in: Atom PDF