
Create OpenID Connect client
Closed, Resolved, Public

Description

I'm working on a project (Catalyst ephemeral testing environment prototype) where we'd like to authenticate with idp.wikimedia.org using OpenID Connect. I see from https://idp.wikimedia.org/oidc/.well-known/openid-configuration that it is enabled.

Please configure a client that we can use for this effort. The redirect URL can initially be set to "https://catalyst-auth.wmcloud.org", however this will change (probably relatively soon).

Thank you!

Event Timeline

Change 973287 had a related patch set uploaded (by Slyngshede; author: Slyngshede):

[operations/puppet@production] P:idp:services add Cicalese OIDC service

https://gerrit.wikimedia.org/r/973287

I'm creating a new client ID for the service, naming it "catalyst". I'll email the secret when the new service has been reviewed.

SLyngshede-WMF changed the task status from Open to In Progress. Nov 10 2023, 7:57 AM
SLyngshede-WMF claimed this task.

@CCicalese_WMF We also have idp.wmcloud.org, it depends a little on the target audience for the service.

Could you provide a little more info on who will be using the service, so we can better determine where it should go?

idp.wmcloud.org would be fine as well. I was not aware of its existence. The Catalyst prototype is being developed on WMCS, so perhaps that is more appropriate. As long as we can authenticate with a Wikimedia developer account using OpenID Connect and query the groups that the user is a member of, we should be good. That appears to be the case for both IdPs. There appear to be more attributes available from idp.wmcloud.org, but both seem to provide the group information we need initially.

Do you need us to limit which groups can authenticate to the service, or is it open to everyone with a developer account?

It can be open to everyone with a developer account at this point.

Thank you!

I was thinking about the redirect URL. If you could please set it to https://catalyst-auth.wmcloud.org, that's probably a better guess about what we will eventually want it to be. I've updated the task description to reflect that.

catalyst:
  id: 5
  service_class: 'OidcRegisteredService'
  # Regular expression matched against the client's redirect URI; the escaped
  # dots and the optional "(/.*)?" suffix allow only this host, with any path.
  service_id: 'https://catalyst-auth\.wmcloud\.org(/.*)?'
  profile_format: 'FLAT'

The Cloud-Services project tag is not intended to have any tasks. Please check the list on https://phabricator.wikimedia.org/project/profile/832/ and replace it with a more specific project tag to this task. Thanks!

I've configured the client to idp.wmcloud.org. The client ID is catalyst and the client secret is in P53310.
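The two technical points in this thread are the redirect-URI pattern registered as service_id above and the client's need to log a developer account in via OpenID Connect and read its group membership. The following Python sketch is an added example, not code from this task, from the Catalyst project or from the Wikimedia IdP configuration: it reuses the service_id regex exactly as posted, shows why the IdP-side match must be anchored, builds the authorization request with state and nonce, and checks the ID token claims a relying party must verify before trusting the groups claim. The discovery document, client ID, token claims and group names are constructed stand-ins, and the claim name "groups" is an assumption (the task does not name it).

```python
"""Relying-party sketch for the OIDC Authorization Code flow discussed in the
task.  Added example: all data below is constructed; nothing is fetched from
the network, and the claim name "groups" is assumed, not taken from the IdP."""
import re
import secrets
import time
from urllib.parse import urlencode

# service_id regex copied verbatim from the YAML posted in the task.
SERVICE_ID = r'https://catalyst-auth\.wmcloud\.org(/.*)?'

# Constructed stand-in for the provider's .well-known/openid-configuration
# (only the fields this example uses; real values differ).
DISCOVERY = {
    "issuer": "https://idp.example.org/oidc",
    "authorization_endpoint": "https://idp.example.org/oidc/authorize",
    "scopes_supported": ["openid", "profile", "email", "groups"],
}


def redirect_uri_allowed(uri: str, service_id: str = SERVICE_ID) -> bool:
    """Mirror the IdP-side registration check: the redirect URI must match the
    registered pattern in full.  A prefix match (re.match) would also accept
    look-alike hosts such as https://catalyst-auth.wmcloud.org.example.net."""
    return re.fullmatch(service_id, uri) is not None


def build_authorization_url(client_id: str, redirect_uri: str, scopes: list):
    """Return (url, state, nonce).  state binds the callback to this browser
    session (CSRF protection); nonce is echoed in the ID token and proves the
    token was issued for this request."""
    if not redirect_uri_allowed(redirect_uri):
        raise ValueError("redirect_uri is not registered for this client")
    unknown = set(scopes) - set(DISCOVERY["scopes_supported"])
    if unknown:
        raise ValueError(f"scopes not offered by the IdP: {sorted(unknown)}")
    state = secrets.token_urlsafe(32)
    nonce = secrets.token_urlsafe(32)
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),
        "state": state,
        "nonce": nonce,
    }
    return DISCOVERY["authorization_endpoint"] + "?" + urlencode(params), state, nonce


def validate_id_token_claims(claims: dict, client_id: str, expected_nonce: str,
                             now: float = None) -> dict:
    """Claim checks that follow JWT signature verification against the IdP's
    JWKS (signature verification itself is out of scope for this sketch).
    Raises ValueError on any mismatch; returns the claims when they pass."""
    now = time.time() if now is None else now
    if claims.get("iss") != DISCOVERY["issuer"]:
        raise ValueError("issuer mismatch")
    aud = claims.get("aud")
    if not (aud == client_id or (isinstance(aud, list) and client_id in aud)):
        raise ValueError("token not issued for this client")
    if float(claims.get("exp", 0)) <= now:
        raise ValueError("token expired")
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch (possible token replay)")
    return claims


def user_groups(claims: dict) -> set:
    """Assumed claim name: the IdP's group list is read from "groups"."""
    return set(claims.get("groups", []))


def demo_login(now: float = 1_700_000_000.0) -> set:
    """Walk the flow with constructed data and return the validated groups."""
    url, state, nonce = build_authorization_url(
        "catalyst", "https://catalyst-auth.wmcloud.org/callback",
        ["openid", "profile", "groups"])
    # Constructed ID token claims, as they would arrive after the code
    # exchange; a real client gets these by verifying the JWT from the IdP.
    claims = {
        "iss": DISCOVERY["issuer"],
        "aud": "catalyst",
        "sub": "example-developer",
        "exp": now + 300,
        "nonce": nonce,
        "groups": ["project-catalyst-test", "developers-test"],
    }
    return user_groups(validate_id_token_claims(claims, "catalyst", nonce, now))


if __name__ == "__main__":
    print(sorted(demo_login()))
```

The fullmatch versus match distinction is the part worth keeping in mind when the redirect URL changes later, as the task anticipates: the registered pattern is the only thing standing between the IdP and an authorization code being sent to a host outside catalyst-auth.wmcloud.org, so the new pattern should stay anchored and host-specific rather than broadened.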

Change 973287 abandoned by Slyngshede:

[operations/puppet@production] P:idp:services add Catalyst OIDC service

Reason:

This is handled by Cloud

https://gerrit.wikimedia.org/r/973287