OpenID Connect Authentication
Fedora Infrastructure is moving to OpenID Connect authentication, and this page will be used to document the implementation details.
Currently, production and staging do not yet have Ipsilon releases that contain OpenID Connect services, but application developers can start against the instance at https://iddev.fedorainfracloud.org/, which contains the current Ipsilon master branch.
Terminology
Some basic terminology required to read this page:
- OpenID Provider (OP): the Ipsilon deployment; this is the part that authenticates users and issues tokens
- Identity Provider (IdP): see OpenID Provider
- Relying Party (RP): any application that runs the OpenID Connect protocol.
- Resource Server: any application that accepts tokens issued by the OpenID Provider.
- UserInfo: TBD
- ID Token: TBD
Suggested implementations
For Flask, the suggested library is Flask-OIDC, for both clients and resource servers. For other frameworks, no client has been suggested at this point; please get in touch if you have suggestions.
Custom UserInfo fields
Field | Summary | Scope required |
---|---|---|
groups | List of groups the user is a member of | groups |
cla | List of CLA URIs the user has signed | cla |
Scopes
In the Fedora Infrastructure, several applications define the token scopes that can be requested. These scopes are recorded here.
Every service first lists its base namespace, followed by each scope ID and a short summary of the scope. To get the full scope to request, append the scope ID to the base namespace. For example, to get the group information, this becomes: https://id.fedoraproject.org/scope/groups
Ipsilon
Base namespace: https://id.fedoraproject.org/scope/
Scope ID | Summary |
---|---|
groups | Provides the "groups" attribute in the UserInfo. |
cla | Provides the "cla" attribute in the UserInfo. |
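The following is an added example, not code from this page, Ipsilon or Flask-OIDC. It builds the full scope URIs described in the Scopes section from the Ipsilon base namespace and scope IDs, and shows how a resource server would release the custom UserInfo fields from the table above only when the token's granted scopes cover them. The sample UserInfo data and the CLA URI are constructed placeholders.

```python
from __future__ import annotations

# Base namespace documented for Ipsilon in Fedora Infrastructure.
IPSILON_SCOPE_BASE = "https://id.fedoraproject.org/scope/"

# Custom UserInfo field -> scope ID required to receive it (from the tables above).
FIELD_SCOPE_IDS = {"groups": "groups", "cla": "cla"}


def full_scope(scope_id: str, base: str = IPSILON_SCOPE_BASE) -> str:
    """Append the scope ID to the base namespace to get the scope to request."""
    if not base.endswith("/"):
        base += "/"
    return base + scope_id


def parse_scope_claim(scope_claim: str) -> set[str]:
    """OAuth 2.0 'scope' values are space-separated; return them as a set."""
    return set(scope_claim.split())


def allowed_userinfo_fields(granted_scopes: set[str]) -> set[str]:
    """Custom fields a resource server may release for these granted scopes."""
    return {f for f, sid in FIELD_SCOPE_IDS.items() if full_scope(sid) in granted_scopes}


def filter_userinfo(userinfo: dict, scope_claim: str) -> dict:
    """Drop custom fields whose scope the token was not granted.

    Standard claims (sub, name, ...) pass through; only FIELD_SCOPE_IDS are gated,
    so a token holding only the groups scope never receives the cla list.
    """
    allowed = allowed_userinfo_fields(parse_scope_claim(scope_claim))
    return {k: v for k, v in userinfo.items() if k not in FIELD_SCOPE_IDS or k in allowed}


# Constructed sample UserInfo; the CLA URI is a placeholder, not a real Fedora one.
SAMPLE_USERINFO = {
    "sub": "exampleuser",
    "groups": ["packager", "fedora-contributor"],
    "cla": ["https://example.invalid/cla/placeholder"],
}

if __name__ == "__main__":
    # Scopes a Relying Party would request to receive both custom fields.
    print("openid " + full_scope("groups") + " " + full_scope("cla"))
    # A token granted only the groups scope must not receive the cla list.
    print(filter_userinfo(SAMPLE_USERINFO, "openid " + full_scope("groups")))
```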