# Authentication service for CentOS Infrastructure

!!! info
    CentOS and Fedora merged their previous authentication backends into a new solution based on [(Free)IPA](http://www.freeipa.org), but it is only usable by applications that *are* able to use this new authentication system (see below for explanations).

    Worth knowing: the majority of the infra services described below are managed/hosted by Fedora Infra, while CentOS Infra is *consuming* those services.


## Authentication platform components
### IPA servers

There are 3 IPA servers running on RHEL 8 that serve as the backend authentication solution.
They are not publicly reachable and are managed/hosted by the Fedora Infra team.

### Community Portal (noggin)

The https://accounts.centos.org community portal, where people can register, is based on [Noggin](https://github.com/fedora-infra/noggin) and is an OpenShift deployment done by Fedora Infra on the Fedora infra OpenShift cluster.
The CentOS Infra team, though, is in charge of the [haproxy](https://github/centos/ansible-role-haproxy) node in front of OpenShift, which routes requests to the correct OpenShift compute nodes from Fedora infra.
All the variables needed for haproxy are stored in the CentOS ansible inventory, as group_vars and/or host_vars variables.

The same goes for the TLS certificates used on the haproxy reverse proxy: they are automatically applied by the ansible role *after* they are renewed through the BAU process (see the [dedicated TLS](/security/tls/#how-to-renew-existing-certs) documentation).

### Identity Provider (IdP)

We deploy our own IdP instance, based on [Ipsilon](https://ipsilon-project.org/) that is publicly available on [https://id.centos.org](https://id.centos.org).

It is fully deployed by the [ipsilon](https://github/centos/ansible-role-ipsilon) Ansible role, but it needs to be reached through the Fedora network as it is not directly available from outside.

It supports the standard protocols listed below and uses the IPA servers as backend for user authentication and group memberships; the node itself is enrolled in IPA (a requirement).

#### Openid

Applications using OpenID can point directly to https://id.centos.org, and some applications (like https://blog.centos.org) still rely on OpenID as their auth protocol.

#### OpenID Connect/Oauth2

OpenIDC is preferred over OpenID but needs some configuration on both the IdP and the application side:

 * on [https://id.centos.org](https://id.centos.org): log in with an account that has admin rights in Ipsilon (managed through the Ansible inventory) and create a new OpenIDC app, i.e. client ID / secret / OAuth callback (basically the application's original callback URL endpoint)
 * on the client application side: reflect the same client ID / secret / OAuth callback
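The client-side half of that registration, shown as an added example (not code from the CentOS Infra roles): a relying party builds the redirect to the IdP and, when the browser comes back to the registered callback, checks the callback URL and `state` before exchanging the code. The `/openidc/Authorization` and `/openidc/Token` paths on id.centos.org are an assumption about where Ipsilon serves its OpenID Connect provider.

```python
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Assumption: Ipsilon exposes its OpenID Connect provider under /openidc/ on id.centos.org.
ISSUER = "https://id.centos.org/openidc/"
AUTHORIZE_ENDPOINT = ISSUER + "Authorization"
TOKEN_ENDPOINT = ISSUER + "Token"


def build_authorization_request(client_id, redirect_uri, scopes=("openid", "email")):
    """Build the redirect to the IdP. Returns (url, pending); 'pending' must be
    kept server-side (session) so the callback can be checked against it."""
    pending = {
        "state": secrets.token_urlsafe(32),   # binds the callback to this browser session (anti-CSRF)
        "nonce": secrets.token_urlsafe(32),   # must reappear inside the ID token
        "redirect_uri": redirect_uri,         # must equal the callback registered in Ipsilon
    }
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),
        "state": pending["state"],
        "nonce": pending["nonce"],
    }
    return AUTHORIZE_ENDPOINT + "?" + urlencode(params), pending


def token_request_from_callback(callback_url, pending, client_id, client_secret):
    """Validate the browser's return to our callback and build the form body to
    POST to TOKEN_ENDPOINT (client_secret_post). Raises ValueError on any mismatch."""
    parsed = urlparse(callback_url)
    received = f"{parsed.scheme}://{parsed.netloc}{parsed.path}"
    if received != pending["redirect_uri"]:
        raise ValueError(f"callback on unregistered redirect_uri: {received}")
    query = {k: v[0] for k, v in parse_qs(parsed.query).items()}
    if "error" in query:
        raise ValueError(f"IdP returned error: {query['error']}")
    if not secrets.compare_digest(query.get("state", ""), pending["state"]):
        raise ValueError("state mismatch: callback not bound to this session")
    if "code" not in query:
        raise ValueError("callback carries no authorization code")
    return {
        "grant_type": "authorization_code",
        "code": query["code"],
        "redirect_uri": pending["redirect_uri"],  # must match the value sent in the first leg
        "client_id": client_id,
        "client_secret": client_secret,
    }
```

After POSTing the returned body to `TOKEN_ENDPOINT`, the client still has to verify that the `nonce` claim in the ID token equals `pending["nonce"]` before trusting the login.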

#### SAML

`unused` so far in CentOS Infra, but still available if needed, as Ipsilon supports it.

### FASJSON

The [fasjson](https://github.com/fedora-infra/fasjson) API endpoint (available at https://fasjson.fedoraproject.org) lets authenticated users (through Kerberos authentication/ticket) query users/groups information.
The same remark as for noggin applies: it is deployed/maintained by Fedora infra but is *crucial* for the following CentOS services:

  * email aliases (computed automatically through fasjson API calls)
  * CBS koji access based on group memberships
  * letting users retrieve their TLS certificate to auth against some CentOS Infra services

#### TLS/x509 authentication

See the public [Authentication](https://wiki.centos.org/Authentication) wiki page that covers Kerberos/TLS (no need to duplicate the content here).