I'd like to enable login with FAS on forum.mojefedora.cz. It's a Discourse instance for the Czech Fedora Community. I'd need:
- openid client secret
- openid client id (if that's up to me, let's use forum.mojefedora.cz)
- openid scopes: openid email
- path to .well-known/openid-configuration
Thanks!
No need to hurry :)
Metadata Update from @mohanboddu: - Issue priority set to: Waiting on Assignee (was: Needs Review) - Issue tagged with: low-gain, low-trouble, ops
I'll send you the client secret over gpg-encrypted email.
The scopes are asked by the client upon login, so that's on your side :)
Is there a way you could test this against staging? That would allow us to test this without touching production, which is still frozen.
Also, do you have a GPG key? Could you link it to your FAS account?
Added, hopefully managed to do that right :)
Sure, we can start with stg.
The secrets have been created and deployed in staging and sent to @frantisekz.
Waiting on his feedback
Metadata Update from @pingou: - Issue assigned to pingou - Issue priority set to: Waiting on Reporter (was: Waiting on Assignee)
Thanks, it seems it should work once there is a correct redirect_uri, which should be (I guess without &response_type=code&scope=openid&state= at the end):
https://forum.mojefedora.cz/auth/oidc/callback
Now, it's ending with bad request, invalid redirect_uri. Can you change this ipsilon side?
It has been done :)
Thanks, damned openid though :/
I've set up the following in the discourse instance:
openid connect discovery document: https://id.stg.fedoraproject.org/openidc/.well-known/openid-configuration
openid connect client id: forum-mojefedora-cz
openid connect client secret: <>
openid connect authorize scope: openid email profile
openid connect token scope: https://id.stg.fedoraproject.org/openidc/Token (tried both with and without)
It is somehow failing with "(oidc) Authentication failure! invalid_credentials: OAuth2::Error, invalid_client: client authentication error {"error": "invalid_client", "error_description": "client authentication error"}" (after the redirect from ipsilon, so I guess there would be nothing to see in ipsilon logs).
@pingou, do you see anything badly set up there? Can somebody take a look at how https://discussion.fedoraproject.org/ is configured?
Did you try with an empty client id?
Unfortunately, that ends with:
(oidc) Authentication failure! invalid_request: OmniAuth::Strategies::OAuth2::CallbackError, invalid_request | missing required argument client_id
I set that up on our ipsilon/stg instance.
Can you try again and see if that makes a difference?
Tried right now, failed the same way :(
I assume the same way as: https://pagure.io/fedora-infrastructure/issue/9872#comment-730271 ?
Yes.
@mattdm can you please take a look (if you can) at how oauth is set up on ask.fpo.org, so I can make sure I've set everything right?
I know it's a lot of text; a screenshot would work just fine for me (just make sure to hide the secret key :) ).
It should be on this url: https://ask.fedoraproject.org//admin/site_settings/category/all_results?filter=plugin%3Adiscourse-oauth2-basic
I'd need these:
if oauth2 fetch user details:
true/false checkboxes:
Thanks a lot upfront!
@frantisekz Sorry, I missed the ping here earlier. I'll get this to you tomorrow. If I forget, feel free to ping me again. :)
Any news here? or perhaps @puiterwijk knows off hand...
So, after letting this rot on my todo list, I've made it work after some time of tinkering with it.
I am not too sure about "oauth2 json user id path" > sub from the returned json from Ipsilon. Was I right with my guess here? It seems to work well...
If so, can @pingou or @kevin create a production token pretty please?
For future reference if anybody else gets stuck on this:
[Screenshots of the Discourse oauth2 plugin settings: Screenshot_from_2021-07-14_19-36-22.png, Screenshot_from_2021-07-14_19-36-02.png, Screenshot_from_2021-07-14_19-35-42.png]
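The two things that tripped this thread up, the redirect_uri having to match the registered value exactly and the "oauth2 json user id path" pointing at the `sub` claim, can be checked on the relying-party side before any login attempt. The script below is an added example, not Discourse or Ipsilon code; the discovery document and settings are constructed samples (only the issuer prefix, Token endpoint, client id, callback URL and scopes are taken from the thread), and the dotted-path syntax for the user id is an assumption.

```python
from urllib.parse import urlencode

# Constructed sample discovery document: the issuer prefix and Token endpoint are
# the ones quoted in the thread, the other fields are illustrative values.
DISCOVERY = {
    "issuer": "https://id.stg.fedoraproject.org/openidc/",
    "authorization_endpoint": "https://id.stg.fedoraproject.org/openidc/Authorization",
    "token_endpoint": "https://id.stg.fedoraproject.org/openidc/Token",
    "scopes_supported": ["openid", "email", "profile"],
}

# Constructed sample of the relying-party (Discourse) settings from the thread.
SETTINGS = {
    "client_id": "forum-mojefedora-cz",
    "redirect_uri": "https://forum.mojefedora.cz/auth/oidc/callback",
    "scopes": "openid email profile",
}

def check_setup(discovery, settings, registered_redirect_uris):
    """Return a list of misconfigurations (empty means consistent)."""
    problems = []
    # Providers compare redirect_uri byte-for-byte: a trailing slash or an
    # extra query string is enough to get "invalid redirect_uri" back.
    if settings["redirect_uri"] not in registered_redirect_uris:
        problems.append("redirect_uri not registered exactly: " + settings["redirect_uri"])
    scopes = settings["scopes"].split()
    if "openid" not in scopes:
        problems.append("scope must include 'openid' for an OIDC login")
    unsupported = sorted(set(scopes) - set(discovery.get("scopes_supported", [])))
    if unsupported:
        problems.append("scopes not advertised by provider: " + ", ".join(unsupported))
    return problems

def build_authorize_url(discovery, settings, state):
    """Authorization request; redirect_uri is sent exactly as registered."""
    query = urlencode({
        "client_id": settings["client_id"],
        "redirect_uri": settings["redirect_uri"],
        "response_type": "code",
        "scope": settings["scopes"],
        "state": state,  # opaque anti-CSRF value the callback must echo back
    })
    return discovery["authorization_endpoint"] + "?" + query

def extract_user_id(claims, path):
    """Resolve a dotted path such as 'sub' in the claims JSON (path syntax assumed)."""
    value = claims
    for key in path.split("."):
        value = value[key]
    return value
```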
Done for prod. See oidc.prod in your homedir on batcave01.
It works! Thanks a lot!
Metadata Update from @frantisekz: - Issue close_status updated to: Fixed - Issue status updated to: Closed (was: Open)