Bug 2235532

Summary: Remove Fedora IDP from relogin options.
Product: [Community] Bugzilla Reporter: Jeff Fearn 🐞 <jfearn>
Component: User InterfaceAssignee: The Bugzilla Team 🤖 <bugbot>
Status: CLOSED UPSTREAM QA Contact:
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 5.0CC: aurelien, kevin
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2025-06-03 00:34:54 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Jeff Fearn 🐞 2023-08-28 23:40:12 UTC 
Description of problem:
Fedora have made it so you can no longer embed the login so this will no longer function with the relogin process.

Version-Release number of selected component (if applicable):
5.0.4

How reproducible:
Easy

Steps to Reproduce:
1.  Login with Fedora SSO
2. Try to relogin using Fedora SSO

Actual results:
Fedora SSO refuses to connect

Expected results:
Fedora SSO is not available via the relogin process.

Additional info:
The point of the relogin process is to make it so users can reauthenticate without losing any content entered in to the current page. As we can't do that without using an iframe to process the SSO request we can no longer offer this to Fedora SSO users.
Comment 1 Kevin Fenzi 2023-08-31 17:39:49 UTC 
Odd. I am not aware of any changes in this area in the fedora SSO. 

When did it last work as you expect?

Also adding abompard here in case he can think of any change in this area.
Comment 2 Aurelien Bompard 2023-09-01 06:27:48 UTC 
Yeah I don't think we've changed anything about that recently. Looking at ansible and ipsilon code, it looks like this option has been there since 2017 at least. Has it ever worked? I suppose we could set an exception for BZ.
Comment 3 Jeff Fearn 🐞 2023-09-06 00:37:10 UTC 
We did test this, so it was working. I only use it when I'm testing changes to it so I don't know when it stopped working.
Comment 4 Jeff Fearn 🐞 2023-10-19 01:27:14 UTC 
So do we want to remove it from the relogin or grant it an exception
Comment 5 Aurelien Bompard 2023-11-16 08:49:50 UTC 
Unfortunately Ipsilon does not have an allow list for iframes yet. It's not hard to add, but it'll need to go through the code-PR-review-release cycle.
Comment 6 Jeff Fearn 🐞 2023-11-21 02:16:57 UTC 
Is there a ticket in another system we can link to?
Comment 7 Aurelien Bompard 2023-11-23 15:31:55 UTC 
There is, it's https://pagure.io/ipsilon/
Comment 8 Kevin Fenzi 2024-10-22 16:30:46 UTC 
I think this dropped off our radar... 

Aurelien: what was the status here? were we going to try and add allow list for iframes here?

I think it would be nice to have this working...
Comment 9 Jeff Fearn 🐞 2024-10-29 03:34:12 UTC 
There doesn't appear to be an ipsilon issue for this, so I will keep this open for now, but I won't disable it for now either.

The only issue I could find upstream [1] concludes that the way to prevent XSS is to use 'deny', IMO the correct way to prevent XSS is to set 'sameorigin'. It does seem to make it possible to disable it per endpoint ... not sure that is actually desirable, as changing deny to sameorigin for endpoints would be better than just disabling the protection.

1: https://pagure.io/ipsilon/issue/15
Comment 10 Aurelien Bompard 2024-12-11 12:13:20 UTC 
This should let us configure the domains allowed to use (i)frames: https://pagure.io/ipsilon/pull-request/412
Using "sameorigin" would not work because the domains are differente (redhat.com for BZ, fedoraproject.org for Ipsilon).

I'll try to get that patch in our prod instance in the next days, after some testing.
Comment 11 Jeff Fearn 🐞 2025-04-14 00:34:09 UTC 
@aurelien any update on this? This is the last open bug for this product so it'd be nice to close it :)