The ASF OAuth system provides committers at the Apache Software Foundation with a focal point for services that want to use authentication without the security implications of storing sensitive user data themselves. Many Apache services use it to validate that the user requesting access is a committer within a project in the Apache Software Foundation and has lawful access to the systems in question.

For more information about how OAuth works, see https://oauth.apache.org/api.html

oauth.apache.org runs on idmui-ec2-va.apache.org via the oauth module in p6.

It is a simple Python 3 CGI program that queries LDAP for a user's data and returns that data to the OAuth requestor via the API documented at the link above.

httpd aside, the module is entirely self-contained and requires no secrets to be set up. It uses a sqlite3 db (/var/oauth/states.db) for recording states, set up on first launch of the CGI.

https://github.com/apache/infrastructure-p6/blob/production/modules/oauth/files/origins.yaml controls which origin sites may use the OAuth service.
If a requestor domain is not on that list, it will be denied access to OAuth checks.

In January 2022, Infra enabled 2FA (two-factor authentication) support on oauth.apache.org (used for sites such as lists.apache.org and cveprocess.apache.org). You can couple Google Authenticator or another TOTP (Time-based One-Time Password) app to your login process for added security. To enable 2FA, click the 2FA link the next time you use oauth.apache.org for a login.


Removing/resetting 2FA for users

To wipe/reset a 2FA credential, hop on idmui-ec2-va.apache.org and clear the user's file in /var/oauth/secrets (for instance, the file /var/oauth/secrets/humbedooh is for Humbedooh's 2FA).
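As an added example (not the oauth module's own code), this is the TOTP check that 2FA enrolment implies: the user's secret is looked up in a per-user file, and a submitted code is verified per RFC 6238 with a small clock-skew window, so deleting the file is what disables the second factor. The secrets directory, the base32 file format and the drift window are assumptions, not details taken from this page.

```python
"""RFC 6238 TOTP verification backed by a per-user secret file (added example)."""
import base64
import hashlib
import hmac
import os
import struct
import time
from typing import Optional

STEP = 30    # TOTP time step in seconds (assumed; the common default)
DIGITS = 6   # code length shown by authenticator apps (assumed)
DRIFT = 1    # accept one step either side to tolerate clock skew (assumed)


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, step: int = STEP) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to floor(unix_time / step)."""
    return hotp(secret, at // step)


def verify_totp(secret: bytes, code: str, at: Optional[int] = None) -> bool:
    """Compare the submitted code against the current step and its DRIFT neighbours.

    hmac.compare_digest keeps the comparison constant-time, and any() still
    evaluates every candidate that is needed, so a near-miss leaks nothing.
    """
    now = int(time.time()) if at is None else at
    counter = now // STEP
    return any(hmac.compare_digest(hotp(secret, counter + d), code)
               for d in range(-DRIFT, DRIFT + 1))


def load_secret(secrets_dir: str, user: str) -> Optional[bytes]:
    """Read the user's base32 secret; None means 2FA is not enrolled (or was reset).

    The username is refused if it contains path separators, so a crafted
    login name cannot read files outside the secrets directory.
    """
    if not user or user != os.path.basename(user):
        return None
    path = os.path.join(secrets_dir, user)
    if not os.path.isfile(path):
        return None
    with open(path, "rb") as fh:
        return base64.b32decode(fh.read().strip(), casefold=True)
```

A login handler would call `load_secret(dir, user)`, skip the second factor when it returns None, and otherwise require `verify_totp(secret, submitted_code)` to be true before issuing the session.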