action #89023

Updated by kraih over 1 year ago

## Motivation 

 Since our standard authentication mechanism, OpenID, is now deprecated in favour of the OAuth 2.0 based [OpenID Connect](https://openid.net/connect/), we should migrate openQA sooner or later too. Fortunately most of the hard work has already been done in [Mojolicious::Plugin::OAuth2](https://metacpan.org/pod/Mojolicious::Plugin::OAuth2), which natively supports OpenID Connect (and which we already use for OAuth 2.0). There is some custom code required for retrieving identity information for logged in users though, but that has already been implemented in [LegalDB](https://github.com/openSUSE/cavil/commit/24b08a5e1eeda5be3cc91ea97e974f1d70cd29b0), which used to use the same OpenID authentication code as openQA. So it should be possible to copy most of it.

 ## Acceptance criteria
 * **AC1:** OpenID Connect authentication support has been added to openQA. - Use Google-compatible ipsilon profile via OAuth2 
 * **AC2:** OpenID Connect authentication has been deployed for O3. - See https://ipsilon-project.org/doc/example/google-apps.html 
 * **AC3:** OpenID Connect authentication has been deployed for OSD. 

 ## Suggestions 
 * Register openQA with https://id.opensuse.org for app keys and secrets, O3 and OSD need separate accounts because of hardcoded redirect URIs (contact Bernhard) 
 * Copy authentication code from LegalDB (https://github.com/openSUSE/cavil/commit/24b08a5e1eeda5be3cc91ea97e974f1d70cd29b0) 
 * Make sure all identity information required by openQA is available, or request additions from the maintainers - See https://openid.net/developers/specs/
