The Fedora Infrastructure Team is announcing the end of OpenID in Fedora Account System (FAS). This will occur on 20th May 2025.
Why the change?
OpenID is being replaced by OpenIDConnect (OIDC) in most of the modern web and most of the Fedora infrastructure is already using OIDC as the default authentication method. OIDC offers better security by handling both authentication and authorization. It also allows us to have more control over services that are using Fedora Account System (FAS) for authentication.
What will change for you?
With the End Of Life of OpenID we will switch to OIDC for everything and no longer support authentication with OpenID.
If your web or service is already using OIDC for authentication nothing will change for you. If you are still using OpenID open a ticket on Fedora Infrastructure issue tracker and we will help you with migration to OIDC.
For users using FAS as authentication option there should be no change at all.
How to check if a service you maintain is using OpenID?
You may quickly check if your service is using OpenID for FAS authentication by looking at where you are redirected when logging in with FAS.
If you are redirected to https://id.fedoraproject.org/openidc/Authorization you are already using OIDC and you can just ignore this announcement.
If you are being redirected to https://id.fedoraproject.org/openid you are still using the OpenID authentication method. You should open a ticket on Fedora Infrastructure issue tracker so we can help you with migration.
What will happen now?
We will be reaching out directly to services we identify as using OpenID. But since we don’t have control over OpenID authentication, we can’t identify everyone.
If you are interested in following this work feel free to watch this ticket.
Mark McIntyre
I was not redirected to either site when I logged into accounts.fedoraproject.org. I’m not sure what that means.
If I try to hit those links directly once I’m logged into my Fedora account, the OIDC link gives me a 400 bad request error with missing redirect_url as the reason. The OpenID link takes me to a page that says there is nothing to authenticate.
I’m not sure how to interpret these responses based on the post.
Gregory Bartholomew
Unless you run the server at accounts.fedoraproject.org, you probably don’t need to worry about that one.
This post is really meant for developers more than the typical end user. It is questionable whether this should have been published on Fedora Magazine, but the author said he wanted the information to be broadcast everywhere.
So basically, unless you know this is important to you, it probably isn’t.
Michal Konečný
If you are just user that is logging using fedora account system this doesn’t affect you in any way. That is even mentioned in the article itself.
The article is meant for owners of apps/services that are using Fedora account system as third party login option. But as the OpenID could be used by anyone we decided to publish it in Fedora magazine as that has broader reach than community blog or mailing lists.
Vaibhav Sunder
What did RedHat French do? Do they use OID? I bought an annual membership at Pid, I still don’t know how to use it to create an Ood to connect to Gits. Best wishes for ahead,