Implement OpenID Connect

[Fale]

It would be nice if the CLI client for bodhi would use OpenID Connect instead of asking the password, as for #1179

[bowlofeggs]

I'd like to get this done in time for Fedora 26. @puiterwijk, does fedora.client have what I need to get this done already?

[bowlofeggs]

This PR is a proposal to add OpenID Connect to fedora.client:

fedora-infra/python-fedora#188

Once fedora.client has this and is released to EPEL 7 and Fedora 26, we can add support to Bodhi's client.

[mcepl]

ping? having password in ~/.bash_history (my current state) is stupid.

[bowlofeggs]

@mcepl This feature is not needed to solve that problem - simply don't use the Bodhi CLI's --password flag - it will automatically prompt you for a password if needed.

[mcepl]

Well, then either the password is so simple I can understand it, or secure and then I have to dig it up everytime from some secure store. I would prefer Kerberos (when we have it by the way of id.fedoraproject.org).

[bowlofeggs]

On 02/25/2018 02:07 PM, Matěj Cepl wrote: Well, then either the password is so simple I can understand it, or secure and then I have to dig it up everytime from some secure store. I would prefer Kerberos (when we have it by the way of id.fedoraproject.org).

Bodhi will only prompt you for a password about every 30 days, so IMO it's not a big burden to use a secure store and a complex password. There are not plans to integrate Bodhi with kerberos, but there are plans to integrate it with OpenID Connect.

[mcepl]

There are not plans to integrate Bodhi with kerberos, but there are plans to integrate it with OpenID.

Exactly, which was the question I had from beginning: how are these plans doing? Any ETA?

[bowlofeggs]

@mcepl Unfortunately it's not currently very close to the top of my personal priority list so I can't give an ETA on it. It's not low either, it's just that there are some big features that are planned for Fedora 28 and I'm swamped ☺ Patches are certainly welcome if you or anybody else has the time and inclination to get it working, though it's probably not a simple project and might take some significant time.

One tricky question to figure out will be whether we want to try to make it so the server can do OpenID and OpenID Connect at the same time, or if we are going to switch to only do OpenID Connect. If the latter, that will require us to do something to handle EPEL 6/7 and Fedora < 28 bodhi clients, which might require splitting the Bodhi package into a separate client and server (because Bodhi 3 [included in F28+] is not backwards compatible with Bodhi 2). EPEL 6 will be extra tricky because it is Python 2.6 and Bodhi is about to support Python 3.

[DemiMarie]

@bowlofeggs right now this is a blocker for unattended use of Bodhi

[puiterwijk]

@DemiMarie Unfortunately, @bowlofeggs no longer works on Bodhi. This is now the responsibility of @fedora-infra/bodhi

[bowlofeggs]

Indeed, I now work on other things. You could potentially ask about this in #fedora-apps on Freenode if you don't get an answer here.

[cverna]

I am not really sure when this is going to be implemented, but I don't think soon :(.