Blame docs/infra/authentication.md

# Authentication service for CentOS Infrastructure

!!! info
    CentOS and Fedora merged their previous authentication backends into a new solution based on [(Free)IPA](http://www.freeipa.org), but it is only usable by applications that *are* able to use this new authentication system (see below for explanations).

    Worth knowing: the majority of the infra services described below are managed/hosted by Fedora Infra, while CentOS Infra is *consuming* those services.

## Authentication platform components
### IPA servers

There are currently 3 IPA servers running on RHEL8 that are used as the backend authentication solution.

These aren't publicly reachable and are managed/hosted by the Fedora Infra team.

### Community Portal (noggin)

The https://accounts.centos.org community portal, where people can register, is based on [Noggin](https://github.com/fedora-infra/noggin) and is an OpenShift deployment done by Fedora Infra on the Fedora Infra OpenShift cluster.

The CentOS Infra team, though, is in charge of the [haproxy](https://github.com/centos/ansible-role-haproxy) node sitting in front of OpenShift and routing requests to the correct OpenShift compute nodes from Fedora Infra.

All the variables needed by haproxy are stored in the CentOS Ansible inventory, either as group_vars and/or host_vars variables.

The same goes for the TLS certificates used on the haproxy reverse proxy: they are automatically applied by the Ansible role *after* they are renewed through the BAU process (see the [dedicated TLS](../security/tls.md#how-to-renew-existing-certs) documentation).

### Identity Provider (IdP)

We deploy our own IdP instance, based on [Ipsilon](https://ipsilon-project.org/), which is publicly available at [https://id.centos.org](https://id.centos.org).

It is fully deployed by the [ipsilon](https://github.com/centos/ansible-role-ipsilon) Ansible role, but administrative access to the node goes through the Fedora network, as the host itself is not directly reachable from outside.

It supports the standard protocols listed below and uses the IPA servers as backend for user authentication and group memberships; for that, the node itself is properly enrolled in IPA (a requirement).

#### Openid

Applications using OpenID can point directly to https://id.centos.org, and some applications (like https://blog.centos.org) still rely on OpenID as their auth protocol.

#### OpenID Connect/Oauth2

OpenID Connect (OIDC) is preferred over OpenID, but it needs some configuration on both the IdP and the application side:

 * on [https://id.centos.org](https://id.centos.org): log in with an account that has admin rights in Ipsilon (managed through the Ansible inventory) and create a new OpenIDC application, which yields a client ID and client secret and records the OAuth callback (the application's original callback endpoint URL)
 * on the client application side: configure the same client ID / secret / OAuth callback (the callback the application uses must match exactly the one registered at the IdP, otherwise the IdP rejects the authorization request)

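The two steps above, seen from the application side, as an added example (this is not CentOS Infra or Ipsilon code). It shows what a relying party does with the client ID / secret / callback registered at the IdP: build the authorization request with a per-login `state` and `nonce`, validate the callback (same callback URL, no error, matching `state`) before accepting the code, and keep the client secret on the back channel only. The endpoint paths under `https://id.centos.org/openidc/` and every client ID, secret and callback value are assumptions; the IdP's discovery document is the authoritative source for the real endpoints.

```python
"""Minimal OpenID Connect relying-party (client) helpers against an Ipsilon IdP.

Added example, not code from CentOS Infra or Ipsilon. Assumed (not on the
page): the endpoint paths under https://id.centos.org/openidc/ and every
client id / secret / callback value used below. The IdP's discovery
document (/openidc/.well-known/openid-configuration) is the authoritative
source for the endpoints.
"""
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

ISSUER = "https://id.centos.org"
AUTHORIZE_ENDPOINT = ISSUER + "/openidc/Authorization"  # assumed path
TOKEN_ENDPOINT = ISSUER + "/openidc/Token"              # assumed path


def start_login(client_id, redirect_uri, scope="openid email"):
    """Build the front-channel authorization URL.

    Returns (url, state, nonce). Both values must be kept in the user's
    server-side session: state binds the callback to this login attempt
    (CSRF protection), nonce must reappear in the ID token.
    """
    state = secrets.token_urlsafe(32)
    nonce = secrets.token_urlsafe(32)
    params = {
        "response_type": "code",
        "client_id": client_id,
        # Must be byte-for-byte the callback registered in Ipsilon, or the
        # IdP will (correctly) refuse the request.
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,
        "nonce": nonce,
    }
    return AUTHORIZE_ENDPOINT + "?" + urlencode(params), state, nonce


def handle_callback(callback_url, expected_state, registered_redirect_uri):
    """Validate the IdP redirect and return the authorization code.

    Rejects callbacks that arrive on a different URL than the registered
    one, that carry an error, or whose state does not match the session.
    """
    got = urlsplit(callback_url)
    want = urlsplit(registered_redirect_uri)
    if (got.scheme, got.netloc, got.path) != (want.scheme, want.netloc, want.path):
        raise ValueError("callback arrived on an unregistered redirect URI")
    query = parse_qs(got.query)
    if "error" in query:
        raise ValueError("IdP returned error: " + query["error"][0])
    state = query.get("state", [""])[0]
    # constant-time comparison; encode so non-ASCII junk cannot raise TypeError
    if not state or not secrets.compare_digest(state.encode(), expected_state.encode()):
        raise ValueError("state mismatch: possible CSRF or replayed callback")
    code = query.get("code", [""])[0]
    if not code:
        raise ValueError("no authorization code in callback")
    return code


def token_request_body(code, client_id, client_secret, redirect_uri):
    """Form body for the back-channel POST to TOKEN_ENDPOINT.

    The client secret travels only here (application server to IdP over
    TLS), never through the browser. redirect_uri is repeated so the IdP
    can check it against the one used in the authorization request.
    """
    return {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
        "client_id": client_id,
        "client_secret": client_secret,
    }


if __name__ == "__main__":
    url, state, nonce = start_login("blog-client-id", "https://blog.example.org/oidc/callback")
    print(url)
```

The `state` check is the part most often skipped in home-grown clients; without it an attacker can complete a login in the victim's browser with a code the attacker obtained for their own account.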
#### SAML

`unused` so far in CentOS Infra, but still available if needed, as Ipsilon supports it.

### FASJSON

The [fasjson](https://github.com/fedora-infra/fasjson) API endpoint (available at https://fasjson.fedoraproject.org) permits authenticated users (through Kerberos authentication/ticket) to query users/groups information.

Same remark as for noggin: deployed/maintained by Fedora Infra, but *crucial* for the following CentOS services:

  * email aliases (computed automatically through fasjson API calls)
  * CBS koji access based on group memberships
  * letting users retrieve their TLS certificate to authenticate against some CentOS Infra services

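The first two bullets above, as an added example of what "computed through fasjson API calls" looks like (this is not CentOS Infra's own tooling). It derives a mail alias map from group membership and answers "does this user get CBS koji access" from the same data. The fasjson response shapes (a top-level `result` key, a `username` per group member, an `emails` list per user) and the group/user names in `SAMPLE` are assumptions and constructed test data; a real run needs a Kerberos ticket and a client that does SPNEGO/Negotiate (for instance `curl --negotiate -u :` or requests-gssapi), which is why the HTTP opener is injectable.

```python
"""Derive CentOS mail aliases and CBS koji access from FASJSON group data.

Added example, not CentOS Infra's own tooling. Assumed (not on the page):
the response shapes of /v1/groups/<name>/members/ and /v1/users/<name>/
(a top-level "result" key, a "username" per member, an "emails" list per
user). Group and user names in SAMPLE are constructed test data.
"""
import json
from urllib.request import Request, urlopen

FASJSON = "https://fasjson.fedoraproject.org/v1"


def fasjson_get(path, opener=urlopen):
    """GET a fasjson path and return its "result" payload.

    A real call needs a valid Kerberos ticket and a client that speaks
    SPNEGO/Negotiate (curl --negotiate -u :, or requests-gssapi); plain
    urlopen gets a 401. `opener` is injectable so the derivation logic can
    be exercised offline against canned responses.
    """
    req = Request(FASJSON + path, headers={"Accept": "application/json"})
    with opener(req) as resp:
        return json.load(resp)["result"]


def group_members(group, opener=urlopen):
    return [m["username"] for m in fasjson_get("/groups/%s/members/" % group, opener)]


def user_emails(username, opener=urlopen):
    return list(fasjson_get("/users/%s/" % username, opener)["emails"])


def build_aliases(groups, opener=urlopen):
    """Map each group to the sorted, de-duplicated emails of its members.

    Groups with no members are dropped so an empty alias is never created.
    """
    aliases = {}
    for group in groups:
        emails = set()
        for member in group_members(group, opener):
            emails.update(user_emails(member, opener))
        if emails:
            aliases[group] = sorted(emails)
    return aliases


def cbs_access(username, granting_groups, opener=urlopen):
    """Return the groups out of `granting_groups` that `username` belongs to.

    An empty list means no CBS koji permissions: access is decided by
    membership, not by merely having an account.
    """
    return [g for g in granting_groups if username in group_members(g, opener)]


# --- constructed sample responses so the example runs offline ----------------
SAMPLE = {
    "/groups/sig-cloud/members/": {"result": [{"username": "alice"}, {"username": "bob"}]},
    "/groups/sig-hyperscale/members/": {"result": [{"username": "bob"}]},
    "/groups/sig-empty/members/": {"result": []},
    "/users/alice/": {"result": {"username": "alice", "emails": ["alice@example.org"]}},
    "/users/bob/": {"result": {"username": "bob",
                               "emails": ["bob@example.org", "bob@example.net"]}},
}


class _CannedResponse:
    """Stand-in for the file-like context manager urlopen returns."""

    def __init__(self, payload):
        self._body = json.dumps(payload).encode()

    def read(self, *args):
        body, self._body = self._body, b""
        return body

    def __enter__(self):
        return self

    def __exit__(self, *exc):
        return False


def sample_opener(req):
    return _CannedResponse(SAMPLE[req.full_url[len(FASJSON):]])


if __name__ == "__main__":
    print(build_aliases(["sig-cloud", "sig-hyperscale", "sig-empty"], sample_opener))
    print(cbs_access("bob", ["sig-cloud", "sig-hyperscale"], sample_opener))
```

Swap `sample_opener` for a Negotiate-capable opener and the same two functions run against the live API; keeping the HTTP layer separate from the derivation is also what makes the alias generation reviewable without a ticket.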
#### TLS/x509 authentication

See the public [Authentication](https://wiki.centos.org/Authentication) wiki page, which covers Kerberos/TLS (no need to duplicate content here).