Cannot Find How to Start Using OIDC As Mentioned by Help Section

[cedricvanrompay-datadog]

Hi,

The PyPI help page says:

PyPI users and projects can use OpenID Connect (OIDC) to delegate publishing authority for a PyPI package to a trusted third party service, eliminating the need to use API tokens or passwords.

Using OIDC to authenticate when publishing is done by registering "providers," which correspond to services with OIDC identities like GitHub Actions. Existing projects can add or remove OIDC providers at any time. OIDC providers can also be created in advance for projects that don't exist yet.

source: https://pypi.org/help/#openid-connect

However I am unable to find where in the admin UI of my PyPI account I can start using OIDC.

Is this feature deprecated or not implemented yet, or am I missing something?

Looking at #12465 it seems to be "not implemented yet" but if that's the case maybe this section of the help page should be removed until the feature is released.

If the feature does exist then maybe the help section could include a bit more info about how to enable it. Currently the help page says OIDC is setup "by registering providers" but does not say how to register an provider.

[woodruffw]

Thanks for the report @cedricvanrompay-datadog! Yes, that feature is currently implemented, but it's behind a feature flag that isn't enabled yet (we're going to enable it very soon).

It looks like I missed that flag while writing the docs; I'm going to fix that in a moment. Sorry for any confusion!

[woodruffw]

#13049 will address this.

[di]

@cedricvanrompay-datadog, Would you be interested in beta-testing this feature once we release it? If so, could you share your PyPI username?

[cedricvanrompay-datadog]

@di I would be interested to try that for my company https://pypi.org/user/Datadog/ ¹

How risky do you think beta-testing this feature is? We cannot afford to have one of our teams not able to publish their package anymore. Can this feature be activated "project by project" and can "the old way of authenticating" be used in parallel for some time?

If this seems too risky I can find someone in my company owning some less-critical PyPI projects on their personal PyPI account and willing to try it out.

But yes we are definitely interested in this feature.

Footnotes

1. same company as @dstufft by the way, sorry Donald that I haven't synced with you earlier but I discovered about this PyPI feature literally yesterday. I'll reach out to you through Slack. ↩

[woodruffw]

How risky do you think beta-testing this feature is? We cannot afford to have one of our teams not able to publish their package anymore. Can this feature be activated "project by project" and can "the old way of authenticating" be used in parallel for some time?

Using this feature won't disable other authentication methods: you can (and probably should!) retain an API token in your CI as a fallback while trialing it.

[di]

And yes, it can be used per-project.