= SOP Configure oauth Authentication via IPA/Noggin

== Resources

- [1] https://pagure.io/fedora-infra/ansible/blob/main/f/files/communishift/objects[Example Config from Communishift]

== OIDC Setup

The first step is to request that a secret be created for this environment. To do so, open a ticket with Fedora Infra.

Once the secret has been made available, we can add it to an OpenShift Secret in the cluster like so:

----
oc create secret generic fedoraidp-clientsecret --from-literal=clientSecret= -n openshift-config
----

Next, we can update the oauth configuration on the cluster and add the config for ipa/noggin/ipsilon. See the following snippet for inspiration:

----
apiVersion: config.openshift.io/v1
kind: OAuth
metadata:
  name: cluster
spec:
  identityProviders:
  ...
  - name: fedoraidp
    login: true
    challenge: false
    mappingMethod: claim
    type: OpenID
    openID:
      clientID: ocp
      clientSecret:
        name: fedoraidp-clientsecret
      extraScopes:
      - email
      - profile
      claims:
        preferredUsername:
        - nickname
        name:
        - name
        email:
        - email
      issuer: https://id.fedoraproject.org
----

This config already exists in the cluster, so you need to edit or patch it; you can't just `oc apply -f template.yaml`.
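
One way to do that patch, as an added example that is not part of the Fedora Infra SOP: a JSON Patch appends the `fedoraidp` entry to the existing `OAuth/cluster` object and skips the change if a provider of that name is already listed. The function names are hypothetical, and it assumes `spec.identityProviders` already exists and that `oc` is logged in with rights to edit cluster config.

```shell
#!/bin/sh
# Added example (not from the SOP). Function names are hypothetical.
# Assumes spec.identityProviders already exists on OAuth/cluster.
IDP_NAME=fedoraidp

# Emit a JSON Patch (RFC 6902) that appends the provider shown in this SOP.
# The "/-" path suffix appends to the array, so existing providers are kept.
build_idp_patch() {
  cat <<EOF
[{"op": "add", "path": "/spec/identityProviders/-", "value": {
  "name": "${IDP_NAME}",
  "login": true,
  "challenge": false,
  "mappingMethod": "claim",
  "type": "OpenID",
  "openID": {
    "clientID": "ocp",
    "clientSecret": {"name": "fedoraidp-clientsecret"},
    "extraScopes": ["email", "profile"],
    "claims": {
      "preferredUsername": ["nickname"],
      "name": ["name"],
      "email": ["email"]
    },
    "issuer": "https://id.fedoraproject.org"
  }
}}]
EOF
}

# Return 0 if provider name $1 is in the space-separated list $2.
idp_present() {
  for n in $2; do
    if [ "$n" = "$1" ]; then return 0; fi
  done
  return 1
}

# Patch only when the provider is absent, so a re-run cannot add a duplicate.
apply_idp_patch() {
  existing=$(oc get oauth cluster \
    -o jsonpath='{.spec.identityProviders[*].name}') || return 1
  if idp_present "$IDP_NAME" "$existing"; then
    echo "$IDP_NAME already configured; change it with 'oc edit oauth cluster'" >&2
    return 0
  fi
  oc patch oauth cluster --type=json -p "$(build_idp_patch)"
}
```

Call `apply_idp_patch` once the `fedoraidp-clientsecret` secret exists in `openshift-config`.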