From c56bcba78c2fbccfa1aecf1dee1d9e02cb17f6c0 Mon Sep 17 00:00:00 2001 From: Christian Kellner Date: Wed, 2 Feb 2022 15:25:49 +0000 Subject: [PATCH] README.md,HACKING.md: update for SSO/OAuth2 Add documentation how to properly configure and use OAuth2. --- HACKING.md | 13 +++++++++++++ README.md | 15 +++++++++++++++ 2 files changed, 28 insertions(+) diff --git a/HACKING.md b/HACKING.md index 1bf174d..8e6c26d 100644 --- a/HACKING.md +++ b/HACKING.md @@ -62,6 +62,19 @@ build via the koji XML RPC. sudo test/copy-creds.sh ``` +### Run the mock OpenID server + +The koji builder plugin needs to be authorized in order to be able +to start a compose via Composer. The default authentication scheme +is `OAuth2`. For testing purposes we can use the mock OpenID server +that is included in the `osbuild-composer-tests` package. A helper +script is included to start and stop the server with the correct +parameters. + +```sh +sudo test/run-openid.sh start +``` + ### Run the koji builder Run the koji builder instance can be started. Here `fg` means that diff --git a/README.md b/README.md index ecfcada..8d9bdeb 100644 --- a/README.md +++ b/README.md @@ -65,6 +65,21 @@ ssl_cert = /share/worker-crt.pem, /share/worker-key.pem # directory containing certificates of trusted CAs. ssl_verify = /share/worker-ca.pem +[composer:oauth] +# Authorization via OAuth2/SSO, as alternative to client side certs. +# The "Client Credentials Grant" (RFC 6749 section 4.4) flow is used, +# which requires the client id and secret to be specified as well as +# the endpoint of where to obtain tokens. + +# String that uniquely identifies the client (RFC 6749, 2.2). +client_id = koji + +# Secret corresponding to the client id. +client_secret = koji + +# URL to the endpoint that will provide the token. +token_url = https://localhost:8081/token + [koji] # The URL to the koji hub XML-RPC endpoint server = https://koji.fedoraproject.org/kojihub
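Review bot: In the HACKING.md hunk, the text says the helper script can "start and stop the server with the correct parameters", but only `sudo test/run-openid.sh start` is shown; add the matching `sudo test/run-openid.sh stop` invocation (and a one-line note on when to run it, e.g. after the builder is done) so the section is complete. It would also help the reader to state which client id, secret and token URL the mock server accepts, since the builder cannot be authorized without them and the README hunk in the same patch hard-codes `client_id = koji`, `client_secret = koji` and `token_url = https://localhost:8081/token` without saying they belong to this mock server.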
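Review bot: In the README.md hunk, the `[composer:oauth]` example ships a literal `client_secret = koji` and a `token_url` pointing at `https://localhost:8081`; the comment should say these are placeholders for the mock OpenID server and that a real deployment must use a proper secret, which in turn makes the worker config a file that holds a credential and should be readable only by the koji builder user. Two more gaps in the comment block: it calls OAuth2 "alternative to client side certs" (grammar: "an alternative to client-side certificates") but does not say which takes precedence when both `ssl_cert` and `[composer:oauth]` are configured, and it does not say whether `ssl_verify` is also applied when fetching tokens from `token_url`, which matters because the token endpoint is HTTPS and the secret is sent to it.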