Revision as of 13:48, 1 December 2016

OpenID Connect Authentication

Fedora Infrastructure uses OpenID Connect for authentication, and this page documents the implementation details.

For development purposes, there is https://iddev.fedorainfracloud.org/. For staging and production client secrets, please file an Infrastructure ticket.

Terminology

Some basic terminology required to read this page:

  • OpenID Provider (OP): the Ipsilon deployment; this is the part that authenticates users and issues tokens
  • Identity Provider (IdP): see OpenID Provider
  • Relying Party (RP): any application that runs the OpenID Connect protocol to authenticate its users against the OP
  • Resource Server: any application that accepts tokens issued by the OpenID Provider
  • UserInfo: TBD
  • ID Token: TBD


Endpoint URLs

  • Configuration URL for dynamic configuration: https://id.fedoraproject.org/openidc/.well-known/openid-configuration
  • Authorization Endpoint: https://id.fedoraproject.org/openidc/Authorization
  • UserInfo Endpoint: https://id.fedoraproject.org/openidc/UserInfo
  • Token Introspection URL: https://id.fedoraproject.org/openidc/TokenInfo

The remaining endpoints are published in the dynamic configuration document; clients that support discovery should read them from there rather than hard-coding URLs.

Suggested implementations

For Flask, the suggested library is Flask-OIDC, which covers both clients (relying parties) and resource servers. No libraries have been suggested for other frameworks at this point; please get in touch if you have suggestions.


Custom UserInfo fields

Field   Summary                                  Scope required
groups  List of groups the user is a member of   groups
cla     List of CLA URIs the user has signed     cla


Scopes

In the Fedora Infrastructure, the applications that accept tokens define the token scopes they understand. These scopes are recorded here.

Every service first lists its base namespace, followed by its scope IDs and a short summary of each scope. To get the full scope to request, append the scope ID to the base namespace. For example, the full scope for group information is https://id.fedoraproject.org/scope/groups

Ipsilon

Base namespace: https://id.fedoraproject.org/scope/

Scope ID  Summary
groups    Provides the "groups" attribute in the UserInfo.
cla       Provides the "cla" attribute in the UserInfo.
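The following is an added example, not code from this page, from Ipsilon or from Fedora Infrastructure. It ties the scope namespace above to the custom UserInfo fields: a relying party builds its authorization request with the full scope URIs, and a resource server checks an introspection response before it trusts a bearer token and only releases the "groups" and "cla" fields whose scope was actually granted. Assumptions not taken from the page: the introspection response is in the RFC 7662 layout ("active", "scope", "exp"); the client ID, redirect URI, state and nonce values are hypothetical; and the sample introspection and UserInfo documents are constructed for the example.

```python
"""Added example: scope handling for a Fedora OpenID Connect RP/resource server.

Not Ipsilon's or Fedora Infrastructure's code. Assumes an RFC 7662 style
introspection response; all sample data below is constructed.
"""
import time
from urllib.parse import urlencode

BASE_NAMESPACE = "https://id.fedoraproject.org/scope/"
AUTHORIZATION_ENDPOINT = "https://id.fedoraproject.org/openidc/Authorization"

# Custom UserInfo field -> scope ID that must be granted to receive it.
FIELD_SCOPE_IDS = {"groups": "groups", "cla": "cla"}


def full_scope(scope_id: str) -> str:
    """Append the scope ID to the base namespace (the page's rule)."""
    return BASE_NAMESPACE + scope_id


def authorization_url(client_id, redirect_uri, state, nonce, scope_ids):
    """Build the authorization request URL for a relying party.

    'openid' is always requested; custom scopes are expanded to full URIs.
    state (CSRF protection) and nonce (ID token replay protection) must be
    unpredictable values generated per request; the caller supplies them.
    """
    scopes = ["openid"] + [full_scope(s) for s in scope_ids]
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),
        "state": state,
        "nonce": nonce,
    }
    return AUTHORIZATION_ENDPOINT + "?" + urlencode(params)


def check_introspection(resp: dict, required_scope_ids, now=None):
    """Validate an introspection response (assumed RFC 7662 layout).

    Returns the set of granted scope IDs inside the Fedora namespace, or
    raises ValueError. An inactive token may carry no other fields at all,
    so "active" is checked before anything else is read.
    """
    now = time.time() if now is None else now
    if resp.get("active") is not True:
        raise ValueError("token is not active")
    exp = resp.get("exp")
    if exp is not None and exp <= now:
        raise ValueError("token has expired")
    granted = set()
    for scope in resp.get("scope", "").split():
        if scope.startswith(BASE_NAMESPACE):
            granted.add(scope[len(BASE_NAMESPACE):])
    missing = set(required_scope_ids) - granted
    if missing:
        raise ValueError("token lacks required scope(s): " + ", ".join(sorted(missing)))
    return granted


def custom_fields(userinfo: dict, granted_scope_ids) -> dict:
    """Return only the custom UserInfo fields covered by a granted scope.

    A field present in the document but not covered by a granted scope is
    dropped rather than passed on, so a misconfigured provider or a stale
    cached document cannot hand group membership to a caller that never
    asked for (and was never authorized for) it.
    """
    return {
        field: userinfo[field]
        for field, scope_id in FIELD_SCOPE_IDS.items()
        if scope_id in granted_scope_ids and field in userinfo
    }


# Constructed sample data (not real tokens or real users).
SAMPLE_NOW = 1_480_600_000  # fixed clock so the run is deterministic
SAMPLE_INTROSPECTION = {
    "active": True,
    "scope": "openid " + full_scope("groups"),  # groups granted, cla not
    "exp": SAMPLE_NOW + 3600,
    "sub": "exampleuser",
}
SAMPLE_USERINFO = {
    "sub": "exampleuser",
    "groups": ["packager", "sysadmin-noc"],
    "cla": ["https://example.org/cla/v1"],  # constructed CLA URI
}

if __name__ == "__main__":
    granted = check_introspection(SAMPLE_INTROSPECTION, ["groups"], now=SAMPLE_NOW)
    print(custom_fields(SAMPLE_USERINFO, granted))  # cla is withheld
```

The resource-server path deliberately checks "active", then expiry, then scope, and filters the UserInfo document against the granted scopes rather than trusting whatever the document contains; the relying-party path shows the exact scope string that ends up in the authorization request.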