On 7/6/26 13:01, Aurelien Bompard wrote:
FIDO2 tokens support for Noggin was implemented recently; I tried to
find *anyone* from the Fedora AAA team to talk about that work for about
a year, to no result. Even now, when the code is available, I have no
responses.
I have started looking at the PR, but it's very big, and full of sensitive
things that I know nothing about.
I am not working fulltime on Noggin, no one is, and I have had pretty urgent
things to care about recently.
I am considering just blindly merging the PR because I trust the author, but
I'm still a bit reluctant to do that on principle. I know I wouldn't want
another project to blindly merge anything I write, but then I'm not abbra.
Thank you. At this point I'm looking at any comments, even just an
acknowledgement as above is fine. I also do not have a lot of time but
when we know the effort would be supported by infra team, we can plan
something properly.
Note that I also have another PR coming, that implements what Neal was
asking for, account recovery feature based on the existing OTP tokens.
Is there a tooling to automatically provision noggin environments so
that I can create an end to end test to help it getting merged?
I have been working on solving those problems as well. It is a bit
frustrating to see no reaction from Fedora Infrastructure folks, though.
I understand, sorry about that. The people not working on Forgejo right now are
spread pretty thin.
For Ipsilon migration we were originally thinking about moving to
Keycloak but that doesn't solve a problem as Keycloak would need to gain
knowledge about IPA-specific features too. We have done some work on
that (ipa-tuura project) and even merged most of what we have in
Keycloak 26, but it still lacks few critical bits.
Yeah that's also what I found in my experiments.
Then for IPA to IPA trust we need an integrated OAuth2 endpoint in
IPA. This was my focus for past several months and now we have Ahdapa,
https://ahdapa.dev/, which provides all required integration and can be
used by Fedora Infrastructure too. I showed it to nirik at the Flock
this year.
It looks very cool! Do you know if it does SAML2, or if it's planned? We do
need it for some apps (Bugzilla, Gitlab and Zabbix come to mind)
I have no plans for SAML2 yet, we do not need it ourselves. There are
SAML2 SP/RP crates that could be used but my focus for FreeIPA is modern
infra which is most entirely OAuth2.
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
--
_______________________________________________
devel mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedoraproject.org/archives/list/[email protected]
Do not reply to spam, report it:
https://forge.fedoraproject.org/infra/tickets/issues/new