Feature #16171

Support generic OpenID Connect login provider

Added by Tom Clegg 3 months ago. Updated 1 day ago.

Status: In Progress
Priority: Normal
Assigned To:
Category: Login
Target version:
Start date: 06/01/2020
Due date:
% Done: 0%
Estimated time: (Total: 0.00 h)
Story points: -

Description

The current Google login implementation uses OpenID Connect, but it's hardwired to use the Google endpoint, and it uses the Google People API to look up alternate email addresses.

This feature adds config keys to specify an OpenID Connect endpoint as the login provider.

Clusters:
  zzzzz:
    Login:
      OpenIDConnect:
        Enable: true
        Issuer: https://accounts.example.com
        ClientID: aaaaaaaaaaa
        ClientSecret: zzzzzzzzzzzz

There's no user-facing chooser page: only one (Google or generic OIDC endpoint) can be configured at a time.

Implementation:
  • rename googleLoginController to oidcLoginController
  • use client ID/secret from whichever set of config keys (OpenIDConnect or Google) is in play
  • if using OIDC keys, don't attempt the Google People API lookup
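
A sketch of the provider selection the implementation list describes, added here as an illustration and not taken from the Arvados code base. `LoginConfig`, `ProviderConfig`, `Selected` and `SelectProvider` are hypothetical names, and the Google section is assumed to carry the same `Enable`/`ClientID`/`ClientSecret` keys as the `OpenIDConnect` section above. It rejects the ambiguous "both enabled" case, a non-HTTPS issuer and missing credentials rather than falling back to a default.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
)

// ProviderConfig: keys from the description (assumed: Google has no Issuer key).
type ProviderConfig struct {
	Enable                         bool
	Issuer, ClientID, ClientSecret string
}

// LoginConfig is a hypothetical stand-in for the cluster's Login section.
type LoginConfig struct{ Google, OpenIDConnect ProviderConfig }

// Selected is what one OIDC controller needs to serve either provider.
type Selected struct {
	Issuer, ClientID, ClientSecret string
	UsePeopleAPI                   bool // Google-only alternate email lookup
}

// SelectProvider (hypothetical) enforces "only one at a time" and fails closed on bad settings.
func SelectProvider(l LoginConfig) (Selected, error) {
	var s Selected
	switch g, o := l.Google, l.OpenIDConnect; {
	case g.Enable && o.Enable:
		return s, errors.New("Google and OpenIDConnect both enabled; configure only one")
	case o.Enable:
		s = Selected{Issuer: o.Issuer, ClientID: o.ClientID, ClientSecret: o.ClientSecret}
	case g.Enable:
		s = Selected{Issuer: "https://accounts.google.com", ClientID: g.ClientID, ClientSecret: g.ClientSecret, UsePeopleAPI: true}
	default:
		return s, errors.New("no OpenID Connect provider enabled")
	}
	if u, err := url.Parse(s.Issuer); err != nil || u.Scheme != "https" || u.Host == "" {
		return Selected{}, fmt.Errorf("issuer %q must be an https URL", s.Issuer)
	}
	if s.ClientID == "" || s.ClientSecret == "" {
		return Selected{}, errors.New("ClientID and ClientSecret are required")
	}
	return s, nil
}

func main() {
	oidc := ProviderConfig{true, "https://accounts.example.com", "aaaaaaaaaaa", "zzzzzzzzzzzz"}
	fmt.Println(SelectProvider(LoginConfig{OpenIDConnect: oidc}))
}
```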

Subtasks

Task #16461: Review 16171-oidc | In Progress | Peter Amstutz


Related issues

Related to Arvados Epics - Story #15322: Replace and delete sso-provider | In Progress | 03/11/2020 | 06/03/2020

History

#1 Updated by Tom Clegg 3 months ago

  • Related to Story #15322: Replace and delete sso-provider added

#3 Updated by Peter Amstutz 15 days ago

  • Target version set to 2020-06-03 Sprint

#4 Updated by Peter Amstutz 13 days ago

  • Assigned To set to Tom Clegg

#5 Updated by Tom Clegg 1 day ago

  • Status changed from New to In Progress
  • Description updated
