Project

General

Profile

Actions

action #89023

open

Migrate from OpenID to OpenID Connect for authentication

Added by livdywan almost 4 years ago. Updated about 2 years ago.

Status:
New
Priority:
Normal
Assignee:
-
Category:
Feature requests
Target version:
Start date:
2021-02-23
Due date:
% Done:

0%

Estimated time:

Description

Motivation

Since our standard authentication mechanism, OpenID, is now deprecated in favour of the OAuth 2.0 based OpenID Connect, we should migrate openQA sooner or later too. Fortunately most of the hard work has already been done in Mojolicious::Plugin::OAuth2, which natively supports OpenID Connect (and which we already use for OAuth 2.0). There is some custom code required for retrieving identity information for logged in users though, but that has already been implemented in LegalDB, which used to use the same OpenID authentication code as openQA. So it should be possible to copy most of it.

Acceptance criteria

  • AC1: OpenID Connect authentication support has been added to openQA.
  • AC2: OpenID Connect authentication has been deployed for O3.
  • AC3: OpenID Connect authentication has been deployed for OSD.

Suggestions


Related issues 1 (0 open1 closed)

Related to openQA Project (public) - action #116971: Migrate from OpenID to OpenID Connect for authenticationRejected2022-09-21

Actions
Actions #1

Updated by kraih almost 4 years ago

Migration guide from OpenID 2.0 to OpenID Connect. https://openid.net/specs/openid-connect-migration-1_0.html

Actions #2

Updated by kraih almost 4 years ago

The Ipsilon documentation is really bad, but the OpenID Connect test might be enough to figure out the URLs. https://pagure.io/ipsilon/blob/master/f/tests/openidc.py

Actions #3

Updated by okurz almost 4 years ago

  • Category set to Feature requests
  • Target version set to future

I assume the "Observation" section in the ticket description is rather "Motivation", right?

Actions #4

Updated by mkittler almost 4 years ago

Apparently OpenID Connect is already activated in ipsilon and smelt uses it: https://gitlab.suse.de/tools/smelt/-/commit/9428004d6a279c26bddd87fff0e99f7dc47f10b2#12ec8689d9458e264dba06e5ba0ab093ed87043f_595_605

@kraih said:

@bmwiedemann still has to configure something to allow O3 and OSD access (no idea what), but he'll do that later today.

Actions #5

Updated by kraih almost 4 years ago

Apparently OpenID Connect does not yet "just work" with Mojolicious::Plugin::OAuth2 and requires some manual additions to the workflow. https://github.com/convos-chat/convos/commit/80308a7b6fb240dd4f93c743c8a132e2b532114c

There is a fair chance that it will get added as a native feature soon though. If this ever becomes a higher priority i could probably finish the Mojolicious::Plugin::OAuth2 patch too.

Actions #6

Updated by livdywan almost 4 years ago

  • Description updated (diff)

okurz wrote:

I assume the "Observation" section in the ticket description is rather "Motivation", right?

Yes, thanks for catching that.

Actions #7

Updated by okurz about 2 years ago

  • Related to action #116971: Migrate from OpenID to OpenID Connect for authentication added
Actions #8

Updated by kraih about 2 years ago

  • Subject changed from Use new openID Connect support for ipsilon to Migrate from OpenID to OpenID Connect for authentication
  • Description updated (diff)
Actions #9

Updated by kraih about 2 years ago

Updated with new information from LegalDB.

Actions

Also available in: Atom PDF