Authentication
Fedora applications that require authentication should support Fedora Account System backed by FreeIPA as an identity provider.
Fedora Account System supports fasjson as a read-only API, OpenID Connect, OAuth 2.0, and more.
Authentication
All new applications should use OpenID Connect for user authentication.
We used to provide OpenID 2.0 support but it is now deprecated and will be dropped.
OpenID Connect is a discovery layer built on top of OAuth 2.0, so to understand OpenID Connect you should first be familiar with OAuth 2.0 and its various flows; on the authentication side, OpenID Connect is no different.
When requesting an access token in OAuth 2.0, clients are allowed to specify the scope of the access token. This scope indicates what the token is allowed to be used for. In most cases, your application should require a scope or scopes of its own so users can issue access tokens that can only be used with a particular application. To do so, consult the Authentication Wiki page.
OpenID Connect requires that the "openid" scope is requested. Failing to do so will result in undefined behavior.
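As an added example (not code from the Fedora documentation or from any of the libraries below), the following Python sketch shows the client side of the points made above: the "openid" scope is always requested alongside the application's own scope, each login carries a state, a nonce and a PKCE challenge, and the ID token's claims are checked against the session after the library has verified the signature. The issuer URL, authorization endpoint and client id are placeholders; a real deployment takes them from the provider's discovery document and the registered client.

```python
import base64
import hashlib
import secrets
import time
from urllib.parse import urlencode

# Constructed placeholders; real endpoints come from the provider's discovery document.
ISSUER = "https://id.example.org/openidc"
AUTHORIZE_URL = ISSUER + "/Authorization"
CLIENT_ID = "my-fedora-app"

def build_scope(app_scopes):
    """Scope string for the request; 'openid' is mandatory and goes first."""
    extra = [s for s in app_scopes if s != "openid"]
    return " ".join(["openid"] + extra)

def build_authorization_request(redirect_uri, app_scopes):
    """Authorization-code request with state, nonce and a PKCE S256 challenge."""
    # The returned dict must be kept in the server-side session for the callback.
    state = secrets.token_urlsafe(32)
    nonce = secrets.token_urlsafe(32)
    verifier = secrets.token_urlsafe(64)
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": redirect_uri,
        "scope": build_scope(app_scopes),
        "state": state,
        "nonce": nonce,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    session = {"state": state, "nonce": nonce, "code_verifier": verifier}
    return AUTHORIZE_URL + "?" + urlencode(params), session

def id_token_claims_valid(claims, session, now=None):
    """Claim checks the relying party performs after verifying the token signature."""
    now = time.time() if now is None else now
    aud = claims.get("aud")
    aud = [aud] if isinstance(aud, str) else list(aud or [])
    if claims.get("iss") != ISSUER or CLIENT_ID not in aud:
        return False
    if len(aud) > 1 and claims.get("azp") != CLIENT_ID:  # multiple audiences need azp
        return False
    if claims.get("exp", 0) <= now:
        return False
    return secrets.compare_digest(str(claims.get("nonce", "")), session["nonce"])
```

Flask-OIDC and Authlib perform these steps for you; the sketch only makes visible what a correct client must do so that a misconfigured integration (missing "openid" scope, unchecked nonce or audience) can be recognised.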
Libraries
Authlib
Authlib is a Python library to build OAuth and OpenID Connect servers and clients. It has integration layers for Flask and Django as protocol servers and clients, as well as client integration layers for Requests, HTTPX, Starlette and FastAPI. As a client app authenticating with OpenID Connect, it is most useful if several authentication providers are to be supported (such as social networks).
Flask-OIDC
Flask-OIDC is a Flask extension that makes using Authlib easier when using Flask with only one authentication provider (such as Fedora’s identity provider).
OAuthLib
OAuthLib is a low-level implementation of OAuth 2.0 with OpenID Connect support. It does not tie itself to an HTTP request framework. Typically, you will only use this library indirectly. If you are investigating this library, note that it is a library for both OAuth clients and OAuth providers. You will be most interested in the OAuth client sub-package.
Requests-OAuthlib
Requests-OAuthlib uses the Requests library with OAuthLib to provide an easy-to-use interface for OAuth 2.0 clients. If you need to add support to an application that doesn’t have an extension for OAuthLib, you should use this library.
Flask-OAuthlib
Flask-OAuthlib is a Flask extension that builds on top of Requests-OAuthlib. It comes with plenty of examples in the examples directory of the repository. Flask applications within Fedora Infrastructure should use this extension unless there is a good reason not to (and that reason is documented here).
Pyramid-OAuthLib
Pyramid-OAuthLib is a Pyramid extension that uses OAuthLib. It does not appear to be actively maintained, but it is a reasonable starting point for our few Pyramid applications.
Mozilla-Django-OIDC
Mozilla-Django-OIDC is a Django extension for OpenID Connect.
Flow
This is a schema of a classic OpenID Connect authentication flow.
FASJSON
The account data is stored in FreeIPA, but it is made available to users and applications through FASJSON as a REST API with JSON responses.
Authentication to FASJSON is done using Kerberos keytabs for applications and Kerberos tickets for users.
Here is the flow of a request to FASJSON, explaining how it proxies the queries to IPA.