[Pagure] Enable OIDC in staging

Signed-off-by: Michal Konečný <mkonecny@redhat.com>

roles/pagure/tasks/main.yml

@@ -348,6 +348,17 @@
   notify:
   - restart apache
 
+- name: Install client_secrets for ipsilon
+  template: src=client_secrets.json
+            dest=/etc/pagure
+            owner=root group=root mode=0600
+  tags:
+  - config
+  - web
+  - pagure
+  when: env == 'pagure-staging'
+
+
 - name: create the database scheme
   command: /usr/bin/python3 /usr/share/pagure/pagure_createdb.py
   changed_when: "1 != 1"

roles/pagure/templates/client_secrets.json

@@ -0,0 +1,17 @@
+{
+    "web": {
+        "auth_uri": "https://id{{env_suffix}}.fedoraproject.org/openidc/Authorization",
+        "client_id": "{{ pagure_oidc_client_id }}",
+{% if env == 'staging' %}
+        "client_secret": "{{ pagure_oidc_client_secret_stg }}",
+{% else %}
+        "client_secret": "{{ pagure_oidc_client_secret }}",
+{% endif %}
+        "issuer": "https://id{{env_suffix}}.fedoraproject.org/openidc/",
+        "redirect_uris": [
+            "https://{{env_suffix}}.pagure.io/login"
+        ],
+        "token_uri": "https://id{{env_suffix}}.fedoraproject.org/openidc/Token",
+        "userinfo_uri": "https://id{{env_suffix}}.fedoraproject.org/openidc/UserInfo"
+    }
+}

roles/pagure/templates/pagure.cfg

@@ -196,7 +196,12 @@ DISABLED_PLUGINS = ['IRC']
 # Specify which authentication method to use, defaults to `fas` can be or
 # `local`
 # Default: ``fas``.
+{% if env == 'staging' %}
+PAGURE_AUTH = 'oidc'
+OIDC_CLIENT_SECRETS = "/etc/pagure/client_secrets.json"
+{% else %}
 PAGURE_AUTH = 'openid'
+{% endif %}
 
 # When this is set to True, the session cookie will only be returned to the
 # server via ssl (https). If you connect to the server via plain http, the