Bug #17335

OpenID Connect 'prompt' parameter should be configurable

Added by Peter Amstutz 8 months ago. Updated 8 months ago.

Status: Resolved
Priority: Normal
Assigned To:
Category: Login
Target version:
Start date: 02/04/2021
Due date:
% Done: 100%
Estimated time: (Total: 0.00 h)
Story points: -
Release relationship: Auto

Description

When controller redirects the user to the OpenID Connect endpoint, it sets "prompt=select_account". This is supported by Google but with PingFederate it results in a "not supported" error, so the user cannot log in. "prompt" seems to be an optional field in OIDC, so presumably you get default behavior if it isn't explicitly included. The "prompt" value should be configurable, or not added at all when the configuration value is blank.

Suggested behavior:

  • Google login continues to use prompt=select_account
  • OIDC configuration gets an "ExtraParameters" section that allows providing arbitrary parameters that will be set with AuthURLParam().

Attachment: arvados-controller-f949cc3.gz (16.5 MB), added by Tom Clegg, 02/05/2021 02:40 PM

Subtasks

Task #17336: Review 17335-oidc-auth-params (Resolved, Peter Amstutz)

Associated revisions

Revision 42bf31f0
Added by Tom Clegg 8 months ago

Merge branch '17335-oidc-auth-params'

refs #17335

Arvados-DCO-1.1-Signed-off-by: Tom Clegg <>

Revision 1e7ead1e
Added by Tom Clegg 8 months ago

Merge branch '17335-backport-2.1' into 2.1-dev

refs #17335

Arvados-DCO-1.1-Signed-off-by: Tom Clegg <>

History

#1 Updated by Peter Amstutz 8 months ago

  • Status changed from New to In Progress

#2 Updated by Peter Amstutz 8 months ago

  • Description updated (diff)

#3 Updated by Peter Amstutz 8 months ago

  • Release set to 37

#4 Updated by Peter Amstutz 8 months ago

  • Description updated (diff)

#5 Updated by Peter Amstutz 8 months ago

  • Assigned To changed from Peter Amstutz to Tom Clegg

#6 Updated by Tom Clegg 8 months ago

Named the configs "AuthenticationRequestParameters" to more closely match the relevant openid spec and google docs.

        # Send additional parameters with authentication requests. See
        # https://developers.google.com/identity/protocols/oauth2/openid-connect#authenticationuriparameters
        # for a list of supported parameters.
        AuthenticationRequestParameters:
          # Show the "choose which Google account" page, even if the
          # client is currently logged in to exactly one Google
          # account.
          prompt: select_account

          SAMPLE: ""
        # Send additional parameters with authentication requests,
        # like {display: page, prompt: consent}. See
        # https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest
        # and refer to your provider's documentation for supported
        # parameters.
        AuthenticationRequestParameters:
          SAMPLE: ""

17335-oidc-auth-params @ 0bcd1ca37a225f37dd52081070c91aa2ba68d49a -- https://ci.arvados.org/view/Developer/job/developer-run-tests/2300/
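The mechanism proposed in the description (arbitrary configured parameters added to the authentication request, nothing added when the value is blank) and the AuthenticationRequestParameters config shown in #6, as an added example that is not Arvados controller code. It builds the redirect URL with net/url instead of oauth2.SetAuthURLParam (the golang.org/x/oauth2 call the description refers to as AuthURLParam()) so it runs with the standard library alone; the LoginConfig type, its field names, the protocolParams guard, HasParam, and the example client id, redirect URI and idp.example endpoint are all assumptions made for this example.

```go
package main

import (
	"fmt"
	"net/url"
	"sort"
	"strings"
)

// LoginConfig is an assumed stand-in for the provider section of the
// controller config discussed in the thread; only the fields used here exist.
// AuthenticationRequestParameters is the map from the proposed config.
type LoginConfig struct {
	ClientID                        string
	RedirectURI                     string
	AuthenticationRequestParameters map[string]string
}

// protocolParams are set by the login flow itself on every request. A
// configured extra parameter is not allowed to overwrite them, since a typo
// or a hostile config edit could otherwise replace e.g. state or redirect_uri.
var protocolParams = map[string]bool{
	"client_id": true, "redirect_uri": true, "response_type": true,
	"scope": true, "state": true,
}

// BuildAuthRequestURL builds the authorization request redirect. Each
// configured key/value becomes a query parameter; a blank value means the
// parameter is not sent at all, so the provider applies its own default
// (the PingFederate case). Keys are processed in sorted order so the output
// is deterministic.
func BuildAuthRequestURL(authEndpoint string, cfg LoginConfig, state string) (string, error) {
	u, err := url.Parse(authEndpoint)
	if err != nil {
		return "", err
	}
	q := u.Query()
	q.Set("response_type", "code")
	q.Set("client_id", cfg.ClientID)
	q.Set("redirect_uri", cfg.RedirectURI)
	q.Set("scope", "openid profile email")
	q.Set("state", state)

	keys := make([]string, 0, len(cfg.AuthenticationRequestParameters))
	for k := range cfg.AuthenticationRequestParameters {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	for _, k := range keys {
		v := strings.TrimSpace(cfg.AuthenticationRequestParameters[k])
		if v == "" {
			// Blank in config (this also covers the SAMPLE: "" placeholder):
			// omit the parameter entirely.
			continue
		}
		if protocolParams[k] {
			return "", fmt.Errorf("AuthenticationRequestParameters: %q is set by the login flow and cannot be overridden", k)
		}
		q.Set(k, v)
	}
	u.RawQuery = q.Encode()
	return u.String(), nil
}

// HasParam reports whether the built URL carries the named query parameter.
func HasParam(rawURL, name string) (bool, error) {
	u, err := url.Parse(rawURL)
	if err != nil {
		return false, err
	}
	_, ok := u.Query()[name]
	return ok, nil
}

func main() {
	// Constructed sample configs: the Google section keeps prompt=select_account,
	// the generic OIDC section leaves it blank so no prompt parameter is sent.
	google := LoginConfig{
		ClientID: "example-client", RedirectURI: "https://arvados.example/login",
		AuthenticationRequestParameters: map[string]string{"prompt": "select_account", "SAMPLE": ""},
	}
	generic := LoginConfig{
		ClientID: "example-client", RedirectURI: "https://arvados.example/login",
		AuthenticationRequestParameters: map[string]string{"prompt": ""},
	}
	for _, c := range []struct {
		name, endpoint string
		cfg            LoginConfig
	}{
		{"google", "https://accounts.google.com/o/oauth2/v2/auth", google},
		{"generic-oidc", "https://idp.example/as/authorization.oauth2", generic},
	} {
		s, err := BuildAuthRequestURL(c.endpoint, c.cfg, "opaque-state-value")
		if err != nil {
			fmt.Println(c.name, "error:", err)
			continue
		}
		fmt.Println(c.name, "->", s)
	}
}
```

Running it prints one URL per provider: the Google one contains prompt=select_account, the generic one has no prompt parameter at all, which is the difference that lets PingFederate fall back to its default behaviour instead of returning "not supported".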

#8 Updated by Peter Amstutz 8 months ago

Tom Clegg wrote:

Named the configs "AuthenticationRequestParameters" to more closely match the relevant openid spec and google docs.

17335-oidc-auth-params @ 0bcd1ca37a225f37dd52081070c91aa2ba68d49a -- https://ci.arvados.org/view/Developer/job/developer-run-tests/2300/

This LGTM.

#11 Updated by Tom Clegg 8 months ago

  • Status changed from In Progress to Resolved
