Project

General

Profile

Actions

Feature #16669

closed

Accept OpenID Connect access token

Added by Peter Amstutz over 3 years ago. Updated about 3 years ago.

Status:
Resolved
Priority:
Normal
Assigned To:
Category:
-
Target version:
Story points:
-
Release relationship:
Auto

Description

When getting an unrecognized token, add an option to validate the token against an OpenID Connect provider.

  1. Determine if the token is valid & when it expires using the OAuth2 token Introspection endpoint https://tools.ietf.org/html/rfc7662
  2. If valid and not expired, make a call to the UserInfo endpoint of the provider, this will return similar claims as the existing log in process, or an error. https://openid.net/specs/openid-connect-core-1_0.html#UserInfo
  3. Cache the token in the Arvados database along with the expiration time.

If a LoginCluster is configured, the token is checked with the upstream LoginCluster (only change is that this happens for JWT tokens and not just v2 tokens).

The endpoint URLs to the Introspection and UserInfo endpoints can be discovered by looking at the "provider configuration" endpoint.

https://openid.net/specs/openid-connect-discovery-1_0.html

https://docs.pingidentity.com/bundle/pingfederate-101/page/bwm1564003025542.html

Additional notes:

Accepting OpenID access tokens


Subtasks 4 (0 open4 closed)

Task #16757: Review 16669-oidc-access-tokenResolvedTom Clegg09/24/2020Actions
Task #17023: Manual testing federation case on dev clustersResolvedTom Clegg09/24/2020Actions
Task #17294: Review 16669-oidc-access-tokenResolvedTom Clegg09/24/2020Actions
Task #17453: Review 16669-oidc-access-token-fedResolvedPeter Amstutz03/05/2021Actions

Related issues

Related to Arvados - Feature #17037: [controller] Improve use of given_name/family_name fields for generic OpenID Connect providersNewActions
Related to Arvados - Feature #17038: [controller] Option to request additional scopes, and verify additional claims, during OpenID Connect authNewActions
Related to Arvados - Bug #16774: keep-web needs to return user-visible errorsResolvedPeter Amstutz11/20/2020Actions
Related to Arvados Epics - Idea #16360: Keep-web supports S3 compatible interfaceResolved07/01/202004/30/2021Actions
Related to Arvados - Feature #17468: [controller] Skip repetitive OIDC UserInfo calls if access token validates as an ID tokenNewActions
Actions

Also available in: Atom PDF