Project

General

Profile

Actions

Feature #17038

open

[controller] Option to request additional scopes, and verify additional claims, during OpenID Connect auth

Added by Tom Clegg almost 4 years ago. Updated 7 months ago.

Status:
New
Priority:
Normal
Assigned To:
-
Category:
Login
Target version:
Story points:
-
Release:
Release relationship:
Auto

Description

Something like this:

      OpenIDConnect:                                                                                                                                                                                                                 

        # ...

        # Send additional scope values (along with "openid") in order to request additional claims. Space-separated, case sensitive.
        RequestScopes: "profile email" 

        # Verify that the following claims are returned by the provider (and not empty); otherwise, refuse login. Space-separated, case sensitive.
        RequireClaims: "" 

PA comments

my understanding was that the flow was something like this:

  1. client sends user to login, and asks for a list of scopes. We could define scopes associated with arvados clusters as "arvados:clusterid" eg arvados:su92l"
  2. User agrees to the scopes (or not)
  3. List of scopes are stored as part of the token
  4. The consumer of the token can check for a specific scope to see if the user authorized a given action
  • some scopes are special and defined in the spec because they affect the behavior of the OIDC APIs
  • token issuers can restrict the ability to request scopes by client id, so that e.g. mycoolwebsite.com wouldn't be able to get a token that has the "arvados:su92l" scope unless the provider granted permission to do so to mycoolwebsite.com's client id.

We need a new config knob for which scope(s) we require when accepting tokens that were issued for other clients.


Related issues

Related to Arvados - Feature #16669: Accept OpenID Connect access tokenResolvedTom Clegg09/24/2020Actions
Actions #1

Updated by Tom Clegg almost 4 years ago

Actions #2

Updated by Peter Amstutz over 3 years ago

  • Description updated (diff)
Actions #3

Updated by Peter Amstutz over 3 years ago

  • Release set to 39
  • Target version set to 2021-06-09 sprint
Actions #4

Updated by Peter Amstutz over 3 years ago

  • Release deleted (39)
  • Target version deleted (2021-06-09 sprint)
  • Description updated (diff)
Actions #6

Updated by Peter Amstutz over 1 year ago

  • Release set to 60
Actions #7

Updated by Peter Amstutz 7 months ago

  • Target version set to Future
Actions

Also available in: Atom PDF