#10241 Port apps to OIDC
Opened 2 years ago by zlopez. Modified 5 months ago

Describe what you would like us to do:


We still have apps that are not yet using OIDC for authentication. It would be nice to add support to them, so we are no longer blocked by this tech debt.

Here is the list of the apps that still need to be ported:

Apps CPE owns and are critical
* pagure (Already implemented, but needs changes in ipsilon. See https://pagure.io/fedora-infrastructure/issue/7377 for more details)
* mirrormanager
* bodhi
* noggin
* PDC (PDC will be probably retired in future)
* FMN

Apps CPE hosts and are critical
* Mailman3 / HK
* OSBS
* MBS

Apps CPE hosts and aren't critical
* COPR
* nuancier
* testdays

It's possible that some of them are already ported over to OIDC (especially those we don't host), it needs to be checked.

When do you need this to be done by? (YYYY/MM/DD)


Not urgent.


Also, not sure about noggin -- it uses neither openid nor openid connect

the MBS readme states that it uses OIDC:

https://pagure.io/fm-orchestrator#setting-up-kerberos-ldap-authentication

or is there something I am missing here?

Ok, some of these are not actually needed, see inline comments

Describe what you would like us to do:


We still have apps that are not yet using OIDC for authentication. It would be nice to add support to them, so we are no longer blocked by this tech debt.

Here is the list of the apps that still need to be ported:

Apps CPE owns and are critical
* pagure (Already implemented, but needs changes in ipsilon. See https://pagure.io/fedora-infrastructure/issue/7377 for more details)
* mirrormanager
* bodhi
* noggin

Noggin doesn't use openid or oidc

* PDC (PDC will be probably retired in future)
* FMN

Apps CPE hosts and are critical
* Mailman3 / HK
* OSBS

OSBS doesn't use openid it seems

* MBS

MBS uses oidc already apparently

Apps CPE hosts and aren't critical
* COPR
* nuancier
* testdays

doesn't use openid or oidc

It's possible that some of them are already ported over to OIDC (especially those we don't host), it needs to be checked.

When do you need this to be done by? (YYYY/MM/DD)


Not urgent.

Okay, here is the curated list:


[backlog refinement]
Here is the up to date list:

[Backlog refinement]
There is a CPE initiative team working on the rewrite of FMN, which should address this issue as well.

I guess that'd be https://pagure.io/fedora-qa/testdays-web ?

And maybe bba should be added to the list?

blockerbugs (I am planning to port it).

Also, is there a plan to drop basic oauth2? I am maintaining FAS integration on forum.mojefedora.cz, and it's using oauth plugin instead of oidc (I had a really hard time getting oidc to work there, so I fell back to oauth).

@frantisekz I don't know about any deadline for dropping basic oauth2, at least not for now.

Here is the up to date list:


Pagure is still sadly blocked. ;(

There's OIDC support in pagure, but ipsilon doesn't support variable scopes that we need to enable it.
As far as I know.

Wasn't that for the API though? We may be able to migrate the web UI part and
leave the API to using the current API token system. Not ideal, but could work

Yeah, that was the api.

Metadata Update from @kevin:
- Issue tagged with: blocked

9 months ago

[backlog refinement]
Nuancier is being deprecated now - https://pagure.io/fedora-infrastructure/issue/11371
PDC is being deprecated as initiative
Pagure is being ported to RHEL 9 (this should solve the OIDC issue)
COPR implemented https://github.com/fedora-copr/copr/issues/2422
Mailman 3/HK are being updated which should solve the OIDC support as well

Nuancier is now decommissioned.

FYI, kerneltest is still using openid also. ;)

Metadata
Boards 2
dev Status: Backlog
mini-initative Status: Backlog