Hubs: OIDC authentication

roles/hubs/tasks/main.yml

@@ -37,15 +37,31 @@
   notify: "hubs configuration change"
 
 
-- name: Configure application to authenticate with iddev.fedorainfracloud.org
+- name: Configure application to authenticate with the OIDC provider (dev)
-  command:
+  block:
-    oidc-register
+  - dnf: name=python3-flask-oidc state=present
-    --output-file {{ hubs_conf_dir }}/client_secrets.json
+  - command:
-    https://{{ hubs_oidc_url }}/ {{ hubs_url }}
+      oidc-register
-  args:
+      --output-file {{ hubs_conf_dir }}/client_secrets.json
-    creates: "{{ hubs_conf_dir }}/client_secrets.json"
+      https://{{ hubs_oidc_url }}/ {{ hubs_url }}
+    args:
+      creates: "{{ hubs_conf_dir }}/client_secrets.json"
+  notify: "hubs configuration change"
+  when: inventory_hostname == 'hubs-dev.fedorainfracloud.org'
 
-- name: Set permissions on the oidc credentials file
+
+- name: Configure application to authenticate with the OIDC provider
+  template:
+    src: oidc_client_secrets.json
+    dest: "{{ hubs_conf_dir }}/client_secrets.json"
+    owner: root
+    group: "{{ main_user }}"
+    mode: 0640
+  notify: "hubs configuration change"
+  when: inventory_hostname != 'hubs-dev.fedorainfracloud.org'
+
+
+- name: Fix the permissions on the OIDC secrets file
   file:
     path: "{{ hubs_conf_dir }}/client_secrets.json"
     owner: root

roles/hubs/templates/oidc_client_secrets.json

@@ -0,0 +1,13 @@
+{
+    "web": {
+        "client_id": "hubs",
+        "auth_uri": "https://id.stg.fedoraproject.org/openidc/Authorization",
+        "issuer": "https://id.stg.fedoraproject.org/openidc/",
+        "client_secret": "{{ hubs_stg_oidc_secret }}",
+        "token_uri": "https://id.stg.fedoraproject.org/openidc/Token",
+        "userinfo_uri": "https://id.stg.fedoraproject.org/openidc/UserInfo",
+        "redirect_uris": [
+            "https://hubs.stg.fedoraproject.org/oidc_callback"
+        ]
+    }
+}