SOP Configure oauth Authentication via IPA/Noggin

Resources

[1] Example Config from Communishift

OIDC Setup

The first step is to request that a secret be created for this environment, please open a ticket with Fedora Infra. Once the secret has been made available we can add it to an Openshift Secret in the cluster like so:

oc create secret generic fedoraidp-clientsecret --from-literal=clientSecret=<client-secret> -n openshift-config

Next we can update the oauth configuration on the cluster and add the config for ipa/noggin/ipsilon. See the following snippet for inspiration:

apiVersion: config.openshift.io/v1
kind: OAuth
metadata:
  name: cluster
spec:
  identityProviders:
...
  - name: fedoraidp
    login: true
    challenge: false
    mappingMethod: claim
    type: OpenID
    openID:
      clientID: ocp
      clientSecret:
        name: fedoraidp-clientsecret
      extraScopes:
      - email
      - profile
      claims:
        preferredUsername:
        - nickname
        name:
        - name
        email:
        - email
      issuer: https://id.fedoraproject.org

This config already exists in the cluster so you need to edit or patch it, you can’t just oc apply -f template.yaml.

Want to help? Learn how to contribute to Fedora Docs ›