Migrate Neon services to Invent authentication
Closed, Resolved. Public

Description

Currently there are some Neon services that are using OAuth authentication via Phabricator.

Given that Phabricator will eventually be going away and that Gitlab is taking over authentication for everything, I'd like to migrate any Neon services that need authentication over to Gitlab.

Can we please schedule a time for this?

bcooksley created this task. Nov 9 2022, 5:45 PM
Restricted Application added a subscriber: sysadmin. Nov 9 2022, 5:45 PM

This would be easier if you made me gitlab admin :P

We'll try OIDC for Jenkins, I guess. We'll need a client ID and secret.

callback https://build.neon.kde.org/securityRealm/finishLogin

OpenID Connect would definitely be preferable, and will also give you access to information about groups (teams).

Client ID: 1ca094b956f4c8e30e00d0aaf2b23440b7580252adb78cc9539887cb9d971c92
Secret: 26f865682fd4b4c4dd82c6dc32c20c738000c0351447d9003da6cdfdb29c5265

You can use https://invent.kde.org/.well-known/openid-configuration as the automatic configuration endpoint.

Curiously, the well-known endpoint 403s, but only inside Jenkins; curling from spara works just fine.

com.google.api.client.http.HttpResponseException: 403 Forbidden
GET https://invent.kde.org/.well-known/openid-configuration
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access this resource.</p>
<hr>
<address>Apache/2.4.29 (Ubuntu) Server at invent.kde.org Port 443</address>
</body></html>

Also happens for the actual oauth flow

Caught unhandled exception with ID 44cc8aac-c8fa-457b-8a3b-5fe8926608ac
com.google.api.client.auth.oauth2.TokenResponseException: 403 Forbidden
POST https://invent.kde.org/oauth/token
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access this resource.</p>
<hr>
<address>Apache/2.4.29 (Ubuntu) Server at invent.kde.org Port 443</address>
</body></html>

Sorry, there was a rule in the Apache configuration blocking anything Java from accessing anything on invent.kde.org - as we were being indexed/receiving excessively heavy traffic from a Java client.
I've now tweaked that rule to be a little more specific (that indexer still seems to be hanging around) so it shouldn't hit Neon's Jenkins instance.
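Two checks a practitioner would run while wiring Jenkins to a GitLab OIDC provider as described in this thread, as an added example that is not code from the thread or from KDE sysadmin: first, validating the discovery document fetched from the well-known URL before trusting the endpoints in it (the issuer must match the URL it was fetched from, and every endpoint must be https on that host, so a tampered document cannot steer the token exchange elsewhere); second, reproducing the failure mode above, where an Apache User-Agent rule that matched "anything Java" also matched the HTTP client Jenkins uses. The discovery JSON, the User-Agent strings and both Apache regexes are constructed for illustration, not captured from invent.kde.org or from the actual Apache configuration.

```python
"""Added example: OIDC discovery sanity check plus an emulation of an
Apache User-Agent block. All sample data below is constructed."""
import json
import re
from urllib.parse import urlsplit

WELL_KNOWN_SUFFIX = "/.well-known/openid-configuration"
REQUIRED_FIELDS = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri")
ENDPOINT_FIELDS = ("authorization_endpoint", "token_endpoint", "userinfo_endpoint", "jwks_uri")

# Constructed sample in the shape of a GitLab discovery document.
# Field names follow OIDC Discovery; the values are assumptions.
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://invent.kde.org",
    "authorization_endpoint": "https://invent.kde.org/oauth/authorize",
    "token_endpoint": "https://invent.kde.org/oauth/token",
    "userinfo_endpoint": "https://invent.kde.org/oauth/userinfo",
    "jwks_uri": "https://invent.kde.org/oauth/discovery/keys",
    "scopes_supported": ["openid", "profile", "email", "read_user"],
    "response_types_supported": ["code"],
    "id_token_signing_alg_values_supported": ["RS256"],
})

# Constructed tampered variant: token exchange pointed at another host.
TAMPERED_DISCOVERY = json.dumps({
    **json.loads(SAMPLE_DISCOVERY),
    "token_endpoint": "https://attacker.example/oauth/token",
})


def check_discovery(doc_text, fetched_from):
    """Return a list of problems with a discovery document (empty = OK).

    fetched_from is the full URL the document came from. Per OIDC Discovery
    the 'issuer' claim must equal that URL minus the well-known suffix.
    """
    try:
        doc = json.loads(doc_text)
    except json.JSONDecodeError as exc:
        return [f"not JSON: {exc}"]
    problems = [f"missing required field {f}" for f in REQUIRED_FIELDS if f not in doc]
    if problems:
        return problems
    expected_issuer = None
    if fetched_from.endswith(WELL_KNOWN_SUFFIX):
        expected_issuer = fetched_from[: -len(WELL_KNOWN_SUFFIX)]
    if doc["issuer"] != expected_issuer:
        problems.append(f"issuer {doc['issuer']!r} does not match discovery URL")
    issuer_host = urlsplit(doc["issuer"]).netloc
    for field in ENDPOINT_FIELDS:
        url = doc.get(field)
        if url is None:
            continue
        parts = urlsplit(url)
        if parts.scheme != "https":
            problems.append(f"{field} is not https: {url}")
        if parts.netloc != issuer_host:
            problems.append(f"{field} is off-issuer host: {url}")
    if "code" not in doc.get("response_types_supported", []):
        problems.append("provider does not advertise the authorization code flow")
    return problems


# Constructed User-Agent strings: the default of google-http-java-client
# (the library behind the exception text in the thread), the JDK's built-in
# HttpURLConnection default, and curl.
JENKINS_UA = "Google-HTTP-Java-Client/1.42.3 (gzip)"
JDK_UA = "Java/11.0.16"
CURL_UA = "curl/7.81.0"

# Hypothetical Apache rules of the form
#   SetEnvIfNoCase User-Agent "<regex>" blocked
# BROAD_RULE is the kind of rule that 403'd Jenkins; NARROW_RULE only
# matches the bare JDK client. Both are assumptions, not the real config.
BROAD_RULE = r"Java"
NARROW_RULE = r"^Java/"


def ua_blocked(rule_regex, user_agent):
    """Emulate SetEnvIfNoCase User-Agent: unanchored, case-insensitive search."""
    return re.search(rule_regex, user_agent, re.IGNORECASE) is not None


if __name__ == "__main__":
    url = "https://invent.kde.org" + WELL_KNOWN_SUFFIX
    print("good doc:", check_discovery(SAMPLE_DISCOVERY, url) or "OK")
    print("tampered doc:", check_discovery(TAMPERED_DISCOVERY, url))
    for rule in (BROAD_RULE, NARROW_RULE):
        for ua in (JENKINS_UA, JDK_UA, CURL_UA):
            print(f"rule {rule!r:10} blocks {ua!r}: {ua_blocked(rule, ua)}")
```

The issuer check is the important one: a plugin that accepts whatever `token_endpoint` the discovery document names, without confirming the document belongs to the issuer it was fetched from, will happily post the client secret and authorization code to a third party.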

Seems to be working well now. I've now moved build.neon to use invent for authentication. Did we have any other applications linked to Phabricator?

Based on the above I don't think so.

Do you need any team/etc on Gitlab for use on the Jenkins side?

sitter closed this task as Resolved. Nov 22 2022, 10:22 AM
sitter claimed this task.

Cool. Jenkins is fine as-is 👍