action #89023
openMigrate from OpenID to OpenID Connect for authentication
0%
Description
Motivation¶
Since our standard authentication mechanism, OpenID, is now deprecated in favour of the OAuth 2.0 based OpenID Connect, we should migrate openQA sooner or later too. Fortunately most of the hard work has already been done in Mojolicious::Plugin::OAuth2, which natively supports OpenID Connect (and which we already use for OAuth 2.0). There is some custom code required for retrieving identity information for logged in users though, but that has already been implemented in LegalDB, which used to use the same OpenID authentication code as openQA. So it should be possible to copy most of it.
Acceptance criteria¶
- AC1: OpenID Connect authentication support has been added to openQA.
- AC2: OpenID Connect authentication has been deployed for O3.
- AC3: OpenID Connect authentication has been deployed for OSD.
Suggestions¶
- Register openQA with https://id.opensuse.org for app keys and secrets, O3 and OSD need separate accounts because of hardcoded redirect URIs (contact Bernhard)
- Copy authentication code from LegalDB (https://github.com/openSUSE/cavil/commit/24b08a5e1eeda5be3cc91ea97e974f1d70cd29b0)
- Make sure all identity information required by openQA is available, or request additions from the maintainers
Updated by kraih over 3 years ago
Migration guide from OpenID 2.0 to OpenID Connect. https://openid.net/specs/openid-connect-migration-1_0.html
Updated by kraih over 3 years ago
The Ipsilon documentation is really bad, but the OpenID Connect test might be enough to figure out the URLs. https://pagure.io/ipsilon/blob/master/f/tests/openidc.py
Updated by okurz over 3 years ago
- Category set to Feature requests
- Target version set to future
I assume the "Observation" section in the ticket description is rather "Motivation", right?
Updated by mkittler over 3 years ago
Apparently OpenID Connect is already activated in ipsilon and smelt uses it: https://gitlab.suse.de/tools/smelt/-/commit/9428004d6a279c26bddd87fff0e99f7dc47f10b2#12ec8689d9458e264dba06e5ba0ab093ed87043f_595_605
@kraih said:
@bmwiedemann still has to configure something to allow O3 and OSD access (no idea what), but he'll do that later today.
Updated by kraih over 3 years ago
Apparently OpenID Connect does not yet "just work" with Mojolicious::Plugin::OAuth2 and requires some manual additions to the workflow. https://github.com/convos-chat/convos/commit/80308a7b6fb240dd4f93c743c8a132e2b532114c
There is a fair chance that it will get added as a native feature soon though. If this ever becomes a higher priority i could probably finish the Mojolicious::Plugin::OAuth2 patch too.
Updated by livdywan over 3 years ago
- Description updated (diff)
okurz wrote:
I assume the "Observation" section in the ticket description is rather "Motivation", right?
Yes, thanks for catching that.
Updated by okurz about 2 years ago
- Related to action #116971: Migrate from OpenID to OpenID Connect for authentication added
Updated by kraih about 2 years ago
- Subject changed from Use new openID Connect support for ipsilon to Migrate from OpenID to OpenID Connect for authentication
- Description updated (diff)