infra-docs-fpo/modules/sysadmin_guide/pages/sop_configure_oauth_ipa.adoc

= SOP Configure oauth Authentication via IPA/Noggin


== Resources

- [1] https://pagure.io/fedora-infra/ansible/blob/main/f/files/communishift/objects[Example Config from Communishift]


== OIDC Setup
The first step is to request that a secret be created for this environment, please open a ticket with Fedora Infra. Once the secret has been made available we can add it to an Openshift Secret in the cluster like so:

----
oc create secret generic fedoraidp-clientsecret --from-literal=clientSecret=<client-secret> -n openshift-config
----

Next we can update the oauth configuration on the cluster and add the config for ipa/noggin/ipsilon. See the following snippet for inspiration:

----
apiVersion: config.openshift.io/v1
kind: OAuth
metadata:
  name: cluster
spec:
  identityProviders:
...
  - name: fedoraidp
    login: true
    challenge: false
    mappingMethod: claim
    type: OpenID
    openID:
      clientID: ocp
      clientSecret:
        name: fedoraidp-clientsecret
      extraScopes:
      - email
      - profile
      claims:
        preferredUsername:
        - nickname
        name:
        - name
        email:
        - email
      issuer: https://id.fedoraproject.org
----

This config already exists in the cluster so you need to edit or patch it, you can't just `oc apply -f template.yaml`.
ocp4: reordering header levels 2022-03-03 11:44:45 +00:00			`= SOP Configure oauth Authentication via IPA/Noggin`
SOP configure oauth Signed-off-by: David Kirwan <dkirwan@redhat.com> 2021-09-16 10:38:50 +09:00

ocp4: reordering header levels 2022-03-03 11:44:45 +00:00			`== Resources`
SOP configure oauth Signed-off-by: David Kirwan <dkirwan@redhat.com> 2021-09-16 10:38:50 +09:00
			`- [1] https://pagure.io/fedora-infra/ansible/blob/main/f/files/communishift/objects[Example Config from Communishift]`


ocp4: reordering header levels 2022-03-03 11:44:45 +00:00			`== OIDC Setup`
SOP configure oauth Signed-off-by: David Kirwan <dkirwan@redhat.com> 2021-09-16 10:38:50 +09:00			`The first step is to request that a secret be created for this environment, please open a ticket with Fedora Infra. Once the secret has been made available we can add it to an Openshift Secret in the cluster like so:`

			`----`
			`oc create secret generic fedoraidp-clientsecret --from-literal=clientSecret=<client-secret> -n openshift-config`
			`----`

			`Next we can update the oauth configuration on the cluster and add the config for ipa/noggin/ipsilon. See the following snippet for inspiration:`

			`----`
			`apiVersion: config.openshift.io/v1`
			`kind: OAuth`
			`metadata:`
			`name: cluster`
			`spec:`
			`identityProviders:`
			`...`
			`- name: fedoraidp`
			`login: true`
			`challenge: false`
			`mappingMethod: claim`
			`type: OpenID`
			`openID:`
			`clientID: ocp`
			`clientSecret:`
			`name: fedoraidp-clientsecret`
			`extraScopes:`
			`- email`
			`- profile`
			`claims:`
			`preferredUsername:`
			`- nickname`
			`name:`
			`- name`
			`email:`
			`- email`
			`issuer: https://id.fedoraproject.org`
			`----`

			This config already exists in the cluster so you need to edit or patch it, you can't just `oc apply -f template.yaml`.