Fedora instance: please switch authentication from OpenID to OIDC

[abompard]

Hey folks! The Fedora instance of Copr is currently using OpenID (and GSSAPI) for authentication.
We are looking to remove OpenID from the authentication options, because we'd like to switch the authentication provider from Ipsilon to Keycloak, which only supports OIDC.
If I understand correctly, Copr is already capable of OIDC authentication. Would it be possible to switch Copr's authentication to OIDC? (still with Ipsilon for now)

You'll need the following info:

• provider metadata: https://id.fedoraproject.org/openidc/.well-known/openid-configuration
• client_id: copr
• client_secret: just use the copr_oidc_prod_client_secret and copr_oidc_stg_client_secret ansible variables.

And I'll need the redirect_uri that you're going to use in the OIDC process.

I'm happy to help with the switch, ping me on Matrix (I'm in #buildsys and #infrastructure and #apps)

[praiskup]

Thank you for the report.

Does the removal of OpenID mean removal of GSSAPI?

[abompard]

That seems like a different thing, no? Is there a link between OpenID authentication and GSSAPI authentication in Copr ?
Does your GSSAPI auth go trough Ipsilon?

[praiskup]

Probably it is a different thing? And I hope. :) you will know better than me, that's why I am asking 😅
"plain" GSSAPI is supported both in Copr cli and web-ui separately, plus gssapi is also accepted through Ipsilon (OID).