From Fedora Project Wiki
(Add src.fp.o push)
(Use wikitable style and added pagure.io scopes)
Line 63: Line 63:
Availability: Development, Staging, Production.
Availability: Development, Staging, Production.


{|
{|class="wikitable"
! Scope ID !! Claims provided
! Scope ID !! Claims provided
|-  
|-  
Line 78: Line 78:
Availability: Development, Staging, Production.
Availability: Development, Staging, Production.


{|
{|class="wikitable"
! Scope ID !! Summary
! Scope ID !! Summary
|-  
|-  
Line 93: Line 93:
Availability: Development
Availability: Development


{|
{|class="wikitable"
! Scope ID !! Summary
! Scope ID !! Summary
|-  
|-  
Line 107: Line 107:
Availability: Staging, Production
Availability: Staging, Production


{|
{|class="wikitable"
! Scope ID !! Summary
! Scope ID !! Summary
|-  
|-  
Line 119: Line 119:
Availability: Development, Staging
Availability: Development, Staging


{|
{|class="wikitable"
! Scope ID !! Summary
! Scope ID !! Summary
|-  
|-  
Line 131: Line 131:
Availability: Staging, Production
Availability: Staging, Production


{|
{|class="wikitable"
! Scope ID !! Summary
! Scope ID !! Summary
|-  
|-  
Line 144: Line 144:
Availability: Development,Staging,Production
Availability: Development,Staging,Production


{|
{|class="wikitable"
! Scope ID !! Summary
! Scope ID !! Summary
|-  
|-  
Line 161: Line 161:
Availability:
Availability:


{|
{|class="wikitable"
! Scope ID !! Summary
! Scope ID !! Summary
|-  
|-  
Line 188: Line 188:
Availability: Staging, Production
Availability: Staging, Production


{|
{|class="wikitable"
! Scope ID !! Summary
! Scope ID !! Summary
|-  
|-  
Line 200: Line 200:
Availability: Staging,Production
Availability: Staging,Production


{|
{|class="wikitable"
! Scope ID !! Summary
! Scope ID !! Summary
|-  
|-  
Line 212: Line 212:
Availability: Staging,Production
Availability: Staging,Production


{|
{|class="wikitable"
! Scope ID !! Summary
! Scope ID !! Summary
|-  
|-  
| push || Perform git pushes
| push || Perform git pushes
|}
=== pagure.io ===
Base namespace: <nowiki>https://pagure.io/oidc/</nowiki>
Availability: Development
{| class="wikitable"
|-
! Scope ID !! Summary
|-
| pull_request_merge || Permission to merge a pull-request
|-
| pull_request_close || Permission to close a pull-request
|-
| pull_request_comment || Permission to comment a pull-request
|-
| pull_request_flag || Permission to flag a pull-request with a CI status
|-
| pull_request_subscribe || Permission to subscribe a user to a pull-request
|-
| pull_request_create || Permission to create a pull-request
|-
| issue_create || Permission to create an issue
|-
| issue_update || Permission to update an issue
|-
| issue_change_status || Permission to change the status of an issue
|-
| issue_update_milestone || Permission to update the milestone of an issue
|-
| issue_comment || Permission to comment on an issue
|-
| issue_assign || Permission to assign an issue to a user
|-
| issue_subscribe || Permission to subscribe a user to an issue
|-
| issue_update_custom_fields || Permission to update an issue custom fields
|-
| create_project || Permission to create a project
|-
| modify_project || Permission to modify a project
|-
| fork_project || Permission to fork a project
|-
| generate_acls_project || Permission to generate the gitolite ACLs of a project
|-
| commit_flag || Permission to flag a commit with a CI results
|}
|}

Revision as of 12:31, 27 February 2018

OpenID Connect Authentication

Fedora Infrastructure is using OpenID Connect authentication, and this page is used to document the implementation details.

For development purposes, there is https://iddev.fedorainfracloud.org/. For staging and production client secrets please file an Infrastructure ticket.

Terminology

Some basic terminology required to read this page:

  • OpenID Provider (OP): the Ipsilon deployment, this is the part that does user authentication and issues tokens
  • Identity Provider (IdP): see OpenID Provider
  • Relying Party (RP): any application that runs the OpenID Connect protocol.
  • Resource Server: any application that accepts tokens issued by the OpenID Provider.
  • UserInfo: HTTP endpoint provided by Ipsilon to provide information about the user that authorized a token.

Endpoint URLs

Suggested implementations

For Flask, the suggested client is Flask-OIDC, for both clients and resource servers. For other clients, no clients have been suggested at this point, please get in touch if you have suggestions.


Custom UserInfo fields

Field Summary Scope required (check table below for the namespace of these scopes)
groups List of groups the user is a member of groups
cla List of CLA URIs the user hs signed cla

Scopes

OAuth2/OpenID Connect scopes are specific strings that indicate for what use a particular token was requested. When a token is issued, the user was asked whether or not they consented to the particular set of permissions indicated by the token. For example, only tokens that were requested containing the scope https://release-monitoring.org/oidc/upstream can be used at Anitya for updating upstream project information. A token can contain many possible scopes, all of which have been authorized by the user.

In the Fedora Infrastructure, various applications are defined that specify various possible token scopes. These scopes are recorded here.

Every service will first list it's base namespace, and then the scope ID and a short summary of the scopes. To get the full scope to request, append the scope ID to the base namespace. So for example, to get the group information, this becomes: https://id.fedoraproject.org/scope/groups

The "Availability" line indicates whether this scope is live on the development, staging and production identity provider. A scope might not have progressed further because the application implementing it is only in a certain stage of development. This should only be edited by the infrastructure member that progresses the scope out further.

Registering new scopes

To register a new set of scopes, please feel free to just create a new section and then file a ticket on https://pagure.io/fedora-infrastructure/ to get them added to the development instance.

Also, once the scopes are finalized, please open a second ticket on https://pagure.io/fedora-infrastructure/ to request the scopes be added to the staging/production systems.

To add new scopes to an existing project, add a second table with the new scopes to the relevant section, follow the above process, and then merge the two tables back into one after the scopes are fully deployed.

Standard

These scopes are standardized, and not namespaced.

Availability: Development, Staging, Production.

Scope ID Claims provided
openid - This one is *required* for OpenID Connect requests
profile name, nickname, preferred_nickname, profile, zoneinfo, locale, updated_at
email email

Ipsilon

Base namespace: https://id.fedoraproject.org/scope/

Availability: Development, Staging, Production.

Scope ID Summary
groups Provides the "groups" attribute in the User Info.
cla Providees the "cla" attribute in the User Info.

release-monitoring.org

Base namespace: https://release-monitoring.org/oidc/

Note: release-monitoring.org is used here in the sense of "the upstream project that maintains the Anitya software", and hence these scope names are used regardless of where any given Anitya instance is deployed

Availability: Development

Scope ID Summary
upstream Permission to register new upstream projects for monitoring
downstream Permission to register new distros and new upstream/downstream mappings

mbs.fedoraproject.org

Base namespace: https://mbs.fedoraproject.org/oidc/

Availability: Staging, Production

Scope ID Summary
submit-build Permission to submit new module builds

waiverdb.fedoraproject.org

Base namespace: https://waiverdb.fedoraproject.org/oidc/

Availability: Development, Staging

Scope ID Summary
create-waiver Permission to create new waivers

beaker.qa.fedoraproject.org

Base namespace: https://beaker-project.org/oidc/

Availability: Staging, Production

Scope ID Summary
scope Full access to your beaker account.


pagure.io/odcs

Base namespace: https://pagure.io/odcs/

Availability: Development,Staging,Production

Scope ID Summary
new-compose Permission to create a new compose
renew-compose Permission to renew a compose
delete-compose Permission to delete a compose


github.com/fedora-infra/bodhi

Base namespace: https://github.com/fedora-infra/bodhi/

Availability:

Scope ID Summary
comment Post new comments and votes
create-update Submit new updates
edit-update Edit updates
request-update Request batched or stable
revoke-update Revoke an update
create-override Submit new override
edit-override Edit override
expire-override Expire an override


fedoraproject.org/wiki

Base namespace: https://fedoraproject.org/wiki/

Availability: Staging, Production

Scope ID Summary
api Full API access

pagure.io/freshmaker

Base namespace: https://pagure.io/freshmaker/

Availability: Staging,Production

Scope ID Summary
submit-build Permission to trigger manual rebuilds

src.fedoraproject.org

Base namespace: https://src.fedoraproject.org/

Availability: Staging,Production

Scope ID Summary
push Perform git pushes

pagure.io

Base namespace: https://pagure.io/oidc/

Availability: Development

Scope ID Summary
pull_request_merge Permission to merge a pull-request
pull_request_close Permission to close a pull-request
pull_request_comment Permission to comment a pull-request
pull_request_flag Permission to flag a pull-request with a CI status
pull_request_subscribe Permission to subscribe a user to a pull-request
pull_request_create Permission to create a pull-request
issue_create Permission to create an issue
issue_update Permission to update an issue
issue_change_status Permission to change the status of an issue
issue_update_milestone Permission to update the milestone of an issue
issue_comment Permission to comment on an issue
issue_assign Permission to assign an issue to a user
issue_subscribe Permission to subscribe a user to an issue
issue_update_custom_fields Permission to update an issue custom fields
create_project Permission to create a project
modify_project Permission to modify a project
fork_project Permission to fork a project
generate_acls_project Permission to generate the gitolite ACLs of a project
commit_flag Permission to flag a commit with a CI results