Hello packagers,
Fedora Copr now supports Fedora OpenID Connect [1]. You can try this new login method on the Fedora Copr page [2] using the "OIDC login" button.
If you encounter any unexpected issues, please let us know by creating an issue at https://github.com/fedora-copr/copr/issues
Thank you
[1] - https://fedoraproject.org/wiki/Infrastructure/Authentication#OpenID_Connect_... [2] - https://copr.fedorainfracloud.org/
Jiri Kyjovsky
Associate Software Engineer, CPT
Red Hat https://www.redhat.com
Brno, Czech Republic
Copr was AFAIK the last Fedora service to switch to OIDC and now that it is done, the Fedora Infra team will aim to sunset the previous login method. Therefore, I recommend everybody to try the new OIDC login to make sure it works for you while we still have the old method as a fallback.
https://pagure.io/fedora-infrastructure/issue/10241
Jakub
On Mon, Feb 24, 2025 at 2:40 PM Jiri Kyjovsky jkyjovsk@redhat.com wrote:
Hello packagers,
Fedora Copr now supports Fedora OpenID Connect [1]. You can try this new login method on the Fedora Copr page [2] using the "OIDC login" button.
If you encounter any unexpected issues, please let us know by creating an issue at https://github.com/fedora-copr/copr/issues
Thank you
[1] - https://fedoraproject.org/wiki/Infrastructure/Authentication#OpenID_Connect_... [2] - https://copr.fedorainfracloud.org/
Jiri Kyjovsky
Associate Software Engineer, CPT
Red Hat https://www.redhat.com
Brno, Czech Republic
On Tue, Feb 25, 2025 at 09:47:50AM +0100, Jakub Kadlcik via copr-devel wrote:
Copr was AFAIK the last Fedora service to switch to OIDC and now that it is done, the Fedora Infra team will aim to sunset the previous login method. Therefore, I recommend everybody to try the new OIDC login to make sure it works for you while we still have the old method as a fallback.
Yeah.
I wonder if it would be possible after you are sure OIDC is working well to drop the other login buttons? It's a bit confusing to see several login buttons (how do you decide what to use?) and it's a bit bad for support too (I can't login! How did you try, which button did you press?).
kevin --
Jakub
On Mon, Feb 24, 2025 at 2:40 PM Jiri Kyjovsky jkyjovsk@redhat.com wrote:
Hello packagers,
Fedora Copr now supports Fedora OpenID Connect [1]. You can try this new login method on the Fedora Copr page [2] using the "OIDC login" button.
If you encounter any unexpected issues, please let us know by creating an issue at https://github.com/fedora-copr/copr/issues
Thank you
[1] - https://fedoraproject.org/wiki/Infrastructure/Authentication#OpenID_Connect_... [2] - https://copr.fedorainfracloud.org/
Jiri Kyjovsky
Associate Software Engineer, CPT
Red Hat https://www.redhat.com
Brno, Czech Republic
-- _______________________________________________ copr-devel mailing list -- copr-devel@lists.fedorahosted.org To unsubscribe send an email to copr-devel-leave@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/copr-devel@lists.fedorahosted.o... Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
Am Di., 25. Feb. 2025 um 20:56 Uhr schrieb Kevin Fenzi via copr-devel copr-devel@lists.fedorahosted.org:
On Tue, Feb 25, 2025 at 09:47:50AM +0100, Jakub Kadlcik via copr-devel wrote:
Copr was AFAIK the last Fedora service to switch to OIDC and now that it is done, the Fedora Infra team will aim to sunset the previous login method. Therefore, I recommend everybody to try the new OIDC login to make sure it works for you while we still have the old method as a fallback.
Yeah.
I wonder if it would be possible after you are sure OIDC is working well to drop the other login buttons? It's a bit confusing to see several login buttons (how do you decide what to use?) and it's a bit bad for support too (I can't login! How did you try, which button did you press?).
Without trying, I would have merely guessed that "OIDC" is what I know otherwise as open ID. Especially because of the C, which seems to denote an implementation detail.
Naming matters ...
... and login via Fedora open ID works, fwiw.
Michael
I wonder if it would be possible after you are sure OIDC is working well to drop the other login buttons?
Sure, it doesn't make any sense to keep the old login button. Especially since you want to sunset that auth method completely.
But now that I think about, we maybe made a mistake when introducing the login. We should have changed the default "log in" button to OIDC and introduce a new "legacy log in" or something like that, as a fallback until we are sure everything works.
Now we are stuck with "OIDC login" button or we get people confused when renaming it to "log in".
On Wed, Feb 26, 2025 at 12:32 PM Michael J Gruber mjg@fedoraproject.org wrote:
Am Di., 25. Feb. 2025 um 20:56 Uhr schrieb Kevin Fenzi via copr-devel copr-devel@lists.fedorahosted.org:
On Tue, Feb 25, 2025 at 09:47:50AM +0100, Jakub Kadlcik via copr-devel
wrote:
Copr was AFAIK the last Fedora service to switch to OIDC and now that
it is
done, the Fedora Infra team will aim to sunset the previous login
method.
Therefore, I recommend everybody to try the new OIDC login to make
sure it
works for you while we still have the old method as a fallback.
Yeah.
I wonder if it would be possible after you are sure OIDC is working well to drop the other login buttons? It's a bit confusing to see several login buttons (how do you decide what to use?) and it's a bit bad for support too (I can't login! How did you try, which button did you press?).
Without trying, I would have merely guessed that "OIDC" is what I know otherwise as open ID. Especially because of the C, which seems to denote an implementation detail.
Naming matters ...
... and login via Fedora open ID works, fwiw.
Michael
But now that I think about, we maybe made a mistake when introducing the login. We should have changed the default "log in" button to OIDC and introduce a new "legacy log in" or something like that, as a fallback until we are sure everything works. Now we are stuck with "OIDC login" button or we get people confused when renaming it to "log in".
I agree that having the OIDC as default and then having some "legacy fallback login" option sounds better. We need to battle-test this more. Luckily, we aren't stuck with this since renaming and repositioning the login buttons is easily hot-fixable.
On Sun, Mar 02, 2025 at 10:44:40AM +0100, Jakub Kadlcik wrote:
I wonder if it would be possible after you are sure OIDC is working well to drop the other login buttons?
Sure, it doesn't make any sense to keep the old login button. Especially since you want to sunset that auth method completely.
But now that I think about, we maybe made a mistake when introducing the login. We should have changed the default "log in" button to OIDC and introduce a new "legacy log in" or something like that, as a fallback until we are sure everything works.
Now we are stuck with "OIDC login" button or we get people confused when renaming it to "log in".
I don't think anyone would be confused if there's just one button that says 'log in'.
The current situation is even more confusing, because theres:
"log in" -> old openid "OIDC login' -> new openid connect "gssapi login' -> kerberos
but... if you login with 'log in' or 'OIDC login' and have a valid kerberos ticket, you get redirected to id.fedoraproject.org, it sees the ticket and just auths you and redirects you back to be logged in.
Or if you log in to something else and still have the secure auth cookie in your browser, id.fedoraproject.org will auth you without having to do anything.
Anyhow, I think it would be much better to have just 'log in' and have it be the OIDC path. Users shouldn't see or care about what OIDC is, or gssapi is, they just want to login. :)
kevin --
On Wed, Feb 26, 2025 at 12:32 PM Michael J Gruber mjg@fedoraproject.org wrote:
Am Di., 25. Feb. 2025 um 20:56 Uhr schrieb Kevin Fenzi via copr-devel copr-devel@lists.fedorahosted.org:
On Tue, Feb 25, 2025 at 09:47:50AM +0100, Jakub Kadlcik via copr-devel
wrote:
Copr was AFAIK the last Fedora service to switch to OIDC and now that
it is
done, the Fedora Infra team will aim to sunset the previous login
method.
Therefore, I recommend everybody to try the new OIDC login to make
sure it
works for you while we still have the old method as a fallback.
Yeah.
I wonder if it would be possible after you are sure OIDC is working well to drop the other login buttons? It's a bit confusing to see several login buttons (how do you decide what to use?) and it's a bit bad for support too (I can't login! How did you try, which button did you press?).
Without trying, I would have merely guessed that "OIDC" is what I know otherwise as open ID. Especially because of the C, which seems to denote an implementation detail.
Naming matters ...
... and login via Fedora open ID works, fwiw.
Michael
I created a ticket for this https://github.com/fedora-copr/copr/issues/3659
IMHO, we should prioritize it.
On Mon, Mar 3, 2025 at 6:38 PM Kevin Fenzi kevin@scrye.com wrote:
On Sun, Mar 02, 2025 at 10:44:40AM +0100, Jakub Kadlcik wrote:
I wonder if it would be possible after you are sure OIDC is working well to drop the other login buttons?
Sure, it doesn't make any sense to keep the old login button. Especially since you want to sunset that auth method completely.
But now that I think about, we maybe made a mistake when introducing the login. We should have changed the default "log in" button to OIDC and introduce a new "legacy log in" or something like that, as a fallback
until
we are sure everything works.
Now we are stuck with "OIDC login" button or we get people confused when renaming it to "log in".
I don't think anyone would be confused if there's just one button that says 'log in'.
The current situation is even more confusing, because theres:
"log in" -> old openid "OIDC login' -> new openid connect "gssapi login' -> kerberos
but... if you login with 'log in' or 'OIDC login' and have a valid kerberos ticket, you get redirected to id.fedoraproject.org, it sees the ticket and just auths you and redirects you back to be logged in.
Or if you log in to something else and still have the secure auth cookie in your browser, id.fedoraproject.org will auth you without having to do anything.
Anyhow, I think it would be much better to have just 'log in' and have it be the OIDC path. Users shouldn't see or care about what OIDC is, or gssapi is, they just want to login. :)
kevin
On Wed, Feb 26, 2025 at 12:32 PM Michael J Gruber <mjg@fedoraproject.org
wrote:
Am Di., 25. Feb. 2025 um 20:56 Uhr schrieb Kevin Fenzi via copr-devel copr-devel@lists.fedorahosted.org:
On Tue, Feb 25, 2025 at 09:47:50AM +0100, Jakub Kadlcik via
copr-devel
wrote:
Copr was AFAIK the last Fedora service to switch to OIDC and now
that
it is
done, the Fedora Infra team will aim to sunset the previous login
method.
Therefore, I recommend everybody to try the new OIDC login to make
sure it
works for you while we still have the old method as a fallback.
Yeah.
I wonder if it would be possible after you are sure OIDC is working well to drop the other login buttons? It's a bit confusing to see several login buttons (how do you decide what to use?) and it's a bit bad for support too (I can't login! How did you try, which button did you press?).
Without trying, I would have merely guessed that "OIDC" is what I know otherwise as open ID. Especially because of the C, which seems to denote an implementation detail.
Naming matters ...
... and login via Fedora open ID works, fwiw.
Michael
If I should ask this somewhere else let me know where.
When I click on the OIDC login that takes me to a page to use my FAS login details, and I get logged in, from that I assume that my FAS login is an OIDC login is that right?
From the discussion.fedoraproject.org http://discussion.fedoraproject.org/ I followed the link to change my avatar. When I went to libravatar.org http://libravatar.org/ and tried to login using OIDC it cannot find me. Is that expected? I used my barry@barrys-emacs.org mailto:barry@barrys-emacs.org as my username.
Barry
On 24 Feb 2025, at 13:39, Jiri Kyjovsky via copr-devel copr-devel@lists.fedorahosted.org wrote:
Hello packagers,
Fedora Copr now supports Fedora OpenID Connect [1]. You can try this new login method on the Fedora Copr page [2] using the "OIDC login" button.
If you encounter any unexpected issues, please let us know by creating an issue at https://github.com/fedora-copr/copr/issues
Thank you
[1] - https://fedoraproject.org/wiki/Infrastructure/Authentication#OpenID_Connect_... [2] - https://copr.fedorainfracloud.org/
Jiri Kyjovsky Associate Software Engineer, CPT Red Hat https://www.redhat.com/ Brno, Czech Republic
https://www.redhat.com/-- _______________________________________________ copr-devel mailing list -- copr-devel@lists.fedorahosted.org To unsubscribe send an email to copr-devel-leave@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/copr-devel@lists.fedorahosted.o... Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
I was also not sure about this, when integrating the OIDC login with folks from Fedora... but I was assured we (Copr) use OIDC so I hope so :)
On Mon, Mar 3, 2025 at 4:18 AM Barry Scott via copr-devel copr-devel@lists.fedorahosted.org wrote:
If I should ask this somewhere else let me know where.
When I click on the OIDC login that takes me to a page to use my FAS login details, and I get logged in, from that I assume that my FAS login is an OIDC login is that right?
From the discussion.fedoraproject.org I followed the link to change my avatar. When I went to libravatar.org and tried to login using OIDC it cannot find me. Is that expected? I used my barry@barrys-emacs.org as my username.
libravatar login through OpenID works by using <username>.id.fedoraproject.org. For example, I put in https://ngompa.id.fedoraproject.org and it redirects accordingly.
On Mon, Mar 24, 2025 at 11:20:39AM -0400, Neal Gompa via copr-devel wrote:
On Mon, Mar 3, 2025 at 4:18 AM Barry Scott via copr-devel copr-devel@lists.fedorahosted.org wrote:
If I should ask this somewhere else let me know where.
When I click on the OIDC login that takes me to a page to use my FAS login details, and I get logged in, from that I assume that my FAS login is an OIDC login is that right?
From the discussion.fedoraproject.org I followed the link to change my avatar. When I went to libravatar.org and tried to login using OIDC it cannot find me. Is that expected? I used my barry@barrys-emacs.org as my username.
libravatar login through OpenID works by using <username>.id.fedoraproject.org. For example, I put in https://ngompa.id.fedoraproject.org and it redirects accordingly.
yeah, we know about libravatar. Trying to see if it can be moved.
kevin
copr-devel@lists.fedorahosted.org
-
Barry Scott -
Jakub Kadlcik -
Jiri Kyjovsky -
Kevin Fenzi -
Michael J Gruber -
Neal Gompa