We still have apps that are not yet using OIDC for authentication. It would be nice to add support to them, so we are no longer blocked by this tech debt.
Here is the list of the apps that still need to be ported:

Apps CPE owns and are critical
* pagure (Already implemented, but needs changes in ipsilon. See https://pagure.io/fedora-infrastructure/issue/7377 for more details)
* mirrormanager
* bodhi
* noggin
* PDC (PDC will probably be retired in future)
* FMN

Apps CPE hosts and are critical
* Mailman3 / HK
* OSBS
* MBS

Apps CPE hosts and aren't critical
* COPR
* nuancier
* testdays
It's possible that some of them are already ported over to OIDC (especially those we don't host); this needs to be checked.
Not urgent.
FWIW, the upstream bodhi ticket is at:
https://github.com/fedora-infra/bodhi/issues/1180
also, not sure about noggin -- it uses neither openid nor openid connect
the MBS readme states that it uses OIDC:
https://pagure.io/fm-orchestrator#setting-up-kerberos-ldap-authentication
or is there something i am missing here?
Ok, some of these are not actually needed, see inline comments
> Describe what you would like us to do: We still have apps that are not yet using OIDC for authentication. It would be nice to add support to them, so we are no longer blocked by this tech debt.
> Here is the list of the apps that still need to be ported:
> Apps CPE owns and are critical
> * pagure (Already implemented, but needs changes in ipsilon. See https://pagure.io/fedora-infrastructure/issue/7377 for more details)
> * mirrormanager
> * bodhi
> * noggin

Noggin doesn't use openid or oidc

> * PDC (PDC will probably be retired in future)
> * FMN
> Apps CPE hosts and are critical
> * Mailman3 / HK
> * OSBS

OSBS doesn't use openid it seems

> * MBS

MBS uses oidc already apparently

> Apps CPE hosts and aren't critical
> * COPR
> * nuancier
> * testdays

testdays doesn't use openid or oidc

> It's possible that some of them are already ported over to OIDC (especially those we don't host), it needs to be checked.
> When do you need this to be done by? (YYYY/MM/DD) Not urgent.
Okay, here is the curated list:
OK -- opened a PR for mirrormanager to add OIDC support:
https://github.com/fedora-infra/mirrormanager2/pull/301
PR opened for nuancier here:
https://github.com/fedora-infra/nuancier/pull/136
[backlog refinement] Here is the up-to-date list:
Bodhi was migrated to OIDC https://github.com/fedora-infra/bodhi/issues/1180
[Backlog refinement] There is a CPE initiative team working on the rewrite of FMN, which should address this issue as well.
> testdays
I guess that'd be https://pagure.io/fedora-qa/testdays-web ?
And maybe bba should be added to the list?
blockerbugs (I am planning to port it).
Also, is there a plan to drop basic oauth2? I am maintaining FAS integration on forum.mojefedora.cz, and it's using the oauth plugin instead of oidc (I had a really hard time getting oidc to work there, so I fell back to oauth).
@frantisekz I don't know about any deadline for dropping basic oauth2, at least not for now.
Here is the up-to-date list:
Pagure is still sadly blocked. ;(
There's OIDC support in pagure, but ipsilon doesn't support variable scopes that we need to enable it. As far as I know.
> Pagure is still sadly blocked. ;( There's OIDC support in pagure, but ipsilon doesn't support variable scopes that we need to enable it. As far as I know.
Wasn't that for the API though? We may be able to migrate the web UI part and leave the API to using the current API token system. Not ideal, but could work
Yeah, that was the api.
[backlog refinement] I'm currently working on https://pagure.io/fedora-infrastructure/issue/10372
Metadata Update from @kevin: - Issue tagged with: blocked
[backlog refinement]
* Nuancier is being deprecated now - https://pagure.io/fedora-infrastructure/issue/11371
* PDC is being deprecated as initiative
* Pagure is being ported to RHEL 9 (this should solve the OIDC issue)
* COPR implemented https://github.com/fedora-copr/copr/issues/2422
* Mailman 3/HK are being updated which should solve the OIDC support as well
Nuancier is now decommissioned.
FYI, kerneltest is still using openid also. ;)
[Update] Mailman 3/HK is now authenticating using OIDC. PDC is decommissioned.
[Update]
* Currently working on OIDC support for release-monitoring.org.
* Pagure is almost ported, only an outage is needed.
* COPR is still missing the support; the change is already merged, but not deployed. @frostyx @praiskup Could you look into that?
There's a tracker for this in Copr https://github.com/fedora-copr/copr/issues/3483
release-monitoring.org is now using OIDC.
If there are still a number of things not ported over I recommend we drop those non-critical items and open specific tickets for those that will be worked on. I fear this could stay open for another 3 years in its current state.
I think all we are waiting on now is copr deployment... then setting a sunset date and perhaps trying to notify anyone we can identify that's still using it.
Found another one today: blockerbugs, the deployment is still accessing https://id.fedoraproject.org/openid/
@kparal ^^^
I've opened a ticket there to track it: https://pagure.io/fedora-qa/blockerbugs/issue/288
What is our expected deadline? 2 weeks? 1 month?
It looks like the COPR one is done ... is that accurate?
@smilner Yes, @abompard help COPR team to move this forward.
Metadata Update from @zlopez: - Issue untagged with: blocked
Here is the plan for moving this forward:
So here are the domains using OpenID for authentication I found in the logs:
We should now decide the sunset date for OpenID and let them know that they should migrate.
Thanks for finding these @zlopez. Is this something that will come up in the next infra meeting to discuss date and communication?
Yeah, we could discuss then. How about a time right around when Fedora 40 goes EOL (but not the exact same day)?
That's roughly 3 months from now. That seems like a reasonable sunset time frame to me!
+1 from me for the F40 EOL time.
Found out that https://lists.pagure.io/ is already using OIDC, somebody was just trying to use the openid endpoint with it, but it wouldn't work anymore. So we can ignore that one.
The EOL date for OpenID was decided to be 2025-05-20 on Fedora weekly meeting.
I'm preparing an announcement on Fedora community blog and here is the draft for review https://communityblog.fedoraproject.org/?p=14508&preview=1&_ppp=6a0c6ffb3f
I've written a small parser script for the Ipsilon apache logs and ran it on ipsilon01 to identify which apps still use OpenID, and I'm getting the following results:

abrt.fedoraproject.org 2
copr.fedorainfracloud.org 5269
faf.lab.eng.brq2.redhat.com 1
listat.jyps.fi 33
lists.ncf.ca 471
lists.openldap.org 1148
lists.ovirt.org 8
lists.podman.io 148
openqa.fedoraproject.org 7
openqa.stg.fedoraproject.org 6
retrace.fedoraproject.org 28
retrace03.rdu-cc.fedoraproject.org 2

The second column is the number of times the hostname is using openid. This is on logfiles that date back to March 8th, so about a week ago.
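An added example of the kind of log parsing described in the comment above; it is not the commenter's script, which is not on the page. It assumes Apache "combined" log format on the Ipsilon host and that the relying party can be read from the `openid.return_to` / `openid.realm` query parameters or, failing that, the Referer header; the sample log lines are constructed.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Apache "combined" log format (assumed; adjust to the real Ipsilon vhost LogFormat).
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample lines, not real ipsilon01 traffic. The last line hits the OIDC
# endpoint (/openidc/) and must not be counted as a legacy OpenID login.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2025:10:01:02 +0000] "GET /openid/?openid.mode=checkid_setup&openid.return_to=https%3A%2F%2Fcopr.fedorainfracloud.org%2Flogin_callback HTTP/1.1" 200 512 "https://copr.fedorainfracloud.org/" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2025:10:01:03 +0000] "POST /openid/ HTTP/1.1" 302 0 "https://copr.fedorainfracloud.org/" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2025:10:05:00 +0000] "GET /openid/?openid.mode=checkid_setup&openid.realm=https%3A%2F%2Flists.ovirt.org%2F HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2025:10:06:00 +0000] "GET /openidc/Authorization?client_id=demo HTTP/1.1" 302 0 "https://lists.pagure.io/" "Mozilla/5.0"
"""

def relying_party(path, referer):
    """Hostname of the OpenID relying party behind one request, or None when the
    request is not for the legacy /openid/ endpoint or no host can be determined."""
    parts = urlsplit(path)
    if not parts.path.startswith("/openid/"):
        return None
    qs = parse_qs(parts.query)  # percent-decodes the values for us
    for key in ("openid.return_to", "openid.realm"):  # preferred over Referer
        host = urlsplit(qs[key][0]).hostname if key in qs else None
        if host:
            return host
    if referer and referer != "-":  # "-" is Apache's empty Referer
        return urlsplit(referer).hostname
    return None

def count_openid_hosts(lines):
    """Count OpenID requests per relying-party host; unparsable lines are skipped."""
    counts = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            host = relying_party(m["path"], m["referer"])
            if host:
                counts[host] += 1
    return counts

if __name__ == "__main__":
    for host, n in count_openid_hosts(SAMPLE_LOG.splitlines()).most_common():
        print(host, n)
```

Run it against the rotated access logs on the Ipsilon host to get a per-host count like the one above; hosts that only appear via the Referer fallback are worth a second look, since a Referer is less reliable than the return_to parameter.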
Thanks for the list, that really helps. I found only the mailing lists in the recent ones. I noticed COPR, they still have both options and OpenID is really the default. But we can ignore that as they already moved.
I checked quickly abrt.fedoraproject.org and it fails with net::ERR_CERT_COMMON_NAME_INVALID error and the cert itself points to retrace03.rdu-cc.fedoraproject.org, so I assume those two are connected.
I will publish the announcement next week and after that start contacting the projects.
the retrace.fedoraproject.org and abrt.fedoraproject.org should be the same machine... that retrace03.rdu-cc.fedoraproject.org box. We host it, but don't normally manage it. We should make sure it's moved if we can...
CC: @msuchy
I defer my cc to @msrb
The blog post announcement is scheduled for Thursday. After that I will also send it to Fedora Infra and Devel Announce, so people are aware.
And start contacting the projects.
I saw the Community Blog article. Does this have any impact on Libravatar? I use the Open ID option there to authenticate and log in. I'm wondering if I will lose the ability to log into my Libravatar account because of this?
Yes, it could affect them. ;(
@oliver thoughts?
abrt.fedoraproject.org seems like an alias for retrace.fedoraproject.org, and I didn't even know about it. In any case, abrt.fedoraproject.org doesn't seem to be used, otherwise we would have discovered the problem much earlier (I assume).
Yeah, but retrace is still using openid I guess? at least I don't see any OIDC config for it...
I sent the announcement mails to devel-announce and infra mailing lists as well, so it reaches more people.