OpenID Connect Authentication
Fedora Infrastructure is using OpenID Connect authentication, and this page is used to document the implementation details.
For development purposes, there is https://iddev.fedorainfracloud.org/. For staging and production client secrets please file an Infrastructure ticket.
Terminology
Some basic terminology required to read this page:
- OpenID Provider (OP)/ the Ipsilon deployment, this is the part that does user authentication and issues tokens
- Identity Provider (IdP): see OpenID Provider
- Relying Party (RP): any application that runs the OpenID Connect protocol.
- Resource Server: any application that accepts tokens issued by the OpenID Provider.
- UserInfo: TBD
- ID Token: TBD
Endpoint URLs
- Configuration URL for dynamic configuration: https://id.fedoraproject.org/openidc/.well-known/openid-configuration
- Authorization Endpoint: https://id.fedoraproject.org/openidc/Authorization
- Token Endpoint: https://id.fedoraproject.org/openidc/Token
- UserInfo Endpoint: https://id.fedoraproject.org/openidc/UserInfo
- Token Introspection URL: https://id.fedoraproject.org/openidc/TokenInfo
Suggested implementations
For Flask, the suggested client is Flask-OIDC, for both clients and resource servers. For other clients, no clients have been suggested at this point, please get in touch if you have suggestions.
Custom UserInfo fields
Field | Summary | Scope required |
---|---|---|
groups | List of groups the user is a member of | groups |
cla | List of CLA URIs the user hs signed | cla |
Scopes
In the Fedora Infrastructure, various applications are defined that specify various possible token scopes. These scopes are recorded here.
Every service will first list it's base namespace, and then the scope ID and a short summary of the scopes. To get the full scope to request, append the scope ID to the base namespace. So for example, to get the group information, this becomes: https://id.fedoraproject.org/scope/groups
The "Availability" line indicates whether this scope is live on the development, staging and production identity provider. A scope might not have progressed further because the application implementing it is only in a certain stage of development. This should only be edited by the infrastructure member that progresses the scope out further.
Registering new scopes
To register a new set of scopes, please feel free to just create a new section and then file a ticket on https://pagure.io/fedora-infrastructure/ to get them added to the development instance.
Also, once the scopes are finalized, please open a second ticket on https://pagure.io/fedora-infrastructure/ to request the scopes be added to the staging/production systems.
To add new scopes to an existing project, add a second table with the new scopes to the relevant section, follow the above process, and then merge the two tables back into one after the scopes are fully deployed.
Standard
These scopes are standardized, and not namespaced.
Availability: Development, Staging, Production.
Scope ID | Claims provided |
---|---|
openid | - This one is *required* for OpenID Connect requests |
profile | name, nickname, preferred_nickname, profile, zoneinfo, locale, updated_at |
Ipsilon
Base namespace: https://id.fedoraproject.org/scope/
Availability: Development, Staging, Production.
Scope ID | Summary |
---|---|
groups | Provides the "groups" attribute in the User Info. |
cla | Providees the "cla" attribute in the User Info. |
release-monitoring.org
Base namespace: https://release-monitoring.org/oidc/
Note: release-monitoring.org is used here in the sense of "the upstream project that maintains the Anitya software", and hence these scope names are used regardless of where any given Anitya instance is deployed
Availability: Development
Scope ID | Summary |
---|---|
upstream | Permission to register new upstream projects for monitoring |
downstream | Permission to register new distros and new upstream/downstream mappings |