How to prepare an authentication provider for login to CI Fuzz Web Interface
To use SSO with GitHub, GitLab, or Bitbucket, you need to create an OAuth application at that provider. We use GitHub and Bitbucket as examples; GitLab works similarly.
At GitHub, open the developer settings and register a new OAuth application. As the Authorization callback URL, use:
<my domain> is a placeholder for the domain of the server that will run the CI Fuzz Server. GitHub then generates a Client ID and a Client Secret; note both down, as you will need them later, and treat the Client Secret like a password.
In Bitbucket Cloud (bitbucket.org), open any workspace, click Settings, then OAuth consumers, then Add consumer. As the callback URL, use:
The port is mandatory, even if it is the default port 443. Grant the consumer the Email and Read permissions under Account.
In Bitbucket Server (on-premise), the administrator needs to go to Settings and select Application Links, then create a new application link to the ci-server.
In the first dialog window you can simply continue. In the second dialog window, type in an application name, select Generic Application as the application type, and tick the Create incoming link checkbox.
In the next dialog window, use the following values:
- Consumer Key: "OAuthKey"
- Consumer Name: "CI Fuzz"
- Public Key: The public key from below
For the authentication of the ci-fuzz server an RSA key pair needs to be generated. You can either do steps 3 to 6 first, which generates it automatically when the ci-fuzz server starts: after start-up the files oauth1.pub and oauth1.pkcs8 are created in /root/.local/share/code-intelligence. Or you can create them manually with the following openssl commands (the private key in PKCS#8 form and the matching public key are what the server needs; the self-signed certificate is only an intermediate step for extracting the public key):
openssl genrsa -out oauth1.pem 4096
openssl pkcs8 -topk8 -nocrypt -in oauth1.pem -out oauth1.pkcs8
openssl req -new -x509 -key oauth1.pem -out oauth1.cer -days 365
openssl x509 -pubkey -noout -in oauth1.cer -out oauth1.pub
Afterwards, place oauth1.pkcs8 and oauth1.pub in /root/.local/share/code-intelligence on the ci-fuzz server and keep the private key files readable only by the ci-fuzz server. The public key (the contents of oauth1.pub) can then be pasted into the third dialog window.
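The following script is an added example and is not part of the CI Fuzz documentation or product. It generates the oauth1.pkcs8 / oauth1.pub pair described above in one step and adds the check a practitioner wants before pasting the public key into Bitbucket Server: that the .pub file really is the public half of the .pkcs8 file, and that the pair produces and verifies the RSA-SHA1 signatures OAuth 1.0a uses. The function names (gen_oauth1_keys, verify_oauth1_keys, oauth1_sign, oauth1_verify) and the sample signature base string are constructed for this example; the only tools assumed are a POSIX shell and the openssl command line.

```shell
#!/bin/sh
# Added example, not part of the CI Fuzz documentation or product: generate the
# oauth1.pkcs8 / oauth1.pub pair described above and check, before pasting the
# public key into Bitbucket Server, that the two files really belong together and
# that the key can produce the RSA-SHA1 signatures OAuth 1.0a uses.
# Assumes only a POSIX shell and the openssl command-line tool.
set -eu

# Generate the key pair into $1 (default 4096 bits, as in the docs; $2 overrides).
gen_oauth1_keys() {
  dir="$1"
  bits="${2:-4096}"
  mkdir -p "$dir"
  # private key in traditional PEM form ("BEGIN RSA PRIVATE KEY")
  openssl genrsa -out "$dir/oauth1.pem" "$bits" 2>/dev/null
  # unencrypted PKCS#8 form ("BEGIN PRIVATE KEY"), the file the ci-fuzz server reads
  openssl pkcs8 -topk8 -nocrypt -in "$dir/oauth1.pem" -out "$dir/oauth1.pkcs8"
  # SPKI public key ("BEGIN PUBLIC KEY"), the text for Bitbucket's "Public Key" field;
  # this is the same key the docs extract via the self-signed certificate
  openssl rsa -in "$dir/oauth1.pkcs8" -pubout -out "$dir/oauth1.pub" 2>/dev/null
  # the private halves must not be world-readable on the server
  chmod 600 "$dir/oauth1.pem" "$dir/oauth1.pkcs8"
}

# Succeeds only if oauth1.pub is exactly the public key derived from oauth1.pkcs8
# (catches a stale .pub left over from an earlier key generation).
verify_oauth1_keys() {
  dir="$1"
  openssl rsa -in "$dir/oauth1.pkcs8" -pubout 2>/dev/null | cmp -s - "$dir/oauth1.pub"
}

# Sign a signature base string as OAuth 1.0a RSA-SHA1 does, store the raw
# signature in $dir/oauth1.sig and print the base64 form that goes on the wire.
oauth1_sign() {
  dir="$1"
  base="$2"
  printf '%s' "$base" | openssl dgst -sha1 -sign "$dir/oauth1.pkcs8" -out "$dir/oauth1.sig"
  openssl base64 -A < "$dir/oauth1.sig"
  echo
}

# Verify $dir/oauth1.sig against a base string using the public key only, which is
# all Bitbucket has once oauth1.pub is pasted into the application link.
oauth1_verify() {
  dir="$1"
  base="$2"
  printf '%s' "$base" | openssl dgst -sha1 -verify "$dir/oauth1.pub" \
    -signature "$dir/oauth1.sig" >/dev/null 2>&1
}

# Usage: sh oauth1_keys.sh /root/.local/share/code-intelligence
if [ "$#" -gt 0 ]; then
  gen_oauth1_keys "$1"
  verify_oauth1_keys "$1" && echo "oauth1.pub matches oauth1.pkcs8"
fi
```

Run it with the ci-fuzz data directory as the only argument; a mismatch between the two files makes the last line print nothing and exit non-zero, which is the failure you would otherwise only see as a rejected login after the Bitbucket link has been created.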
For GitLab, go to Applications in your User Settings. Choose a name, set the Redirect URI and make sure to enable the read_user scope.