Feature #17468

open

[controller] Skip repetitive OIDC UserInfo calls if access token validates as an ID token

Added by Tom Clegg almost 4 years ago. Updated 10 months ago.

Status: New
Priority: Normal
Assigned To: -
Category: -
Target version:
Story points: 1.0
Release:
Release relationship: Auto

Description

When we accept an OIDC access token in lieu of an Arvados token for an API call, if the OIDC provider is configured to issue access tokens that are signed JWTs with email/name/exp values, the call we make to the UserInfo API is redundant.

We should check whether the incoming token is a JWT, passes validation, and has the exp/name/email claims we need, and if so:
  • skip the call to UserInfo
  • when caching the token in memory/postgres, use the token's embedded expiry time instead of our default TTL
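
The check described above, as an added Go example that is not Arvados code or part of the original ticket. It assumes RS256-signed access tokens and a provider public key already obtained from the provider's JWKS; `trySkipUserInfo` and `claims` are hypothetical names, and any error means falling back to the UserInfo call.

```go
package main

import (
	"crypto"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

type claims struct { // the three claims the ticket requires
	Exp         float64
	Name, Email string
}

// trySkipUserInfo (hypothetical name, added example) returns the claims and cache TTL when
// tok is an RS256 JWT signed by key with name, email and unexpired exp; on error, call UserInfo.
func trySkipUserInfo(tok string, key *rsa.PublicKey, now time.Time) (claims, time.Duration, error) {
	var c claims
	parts := strings.Split(tok, ".")
	if len(parts) != 3 {
		return c, 0, errors.New("opaque token, not a JWT")
	}
	dec := base64.RawURLEncoding.DecodeString
	hb, e1 := dec(parts[0])
	pb, e2 := dec(parts[1])
	sig, e3 := dec(parts[2])
	var hdr struct{ Alg string }
	if e1 != nil || e2 != nil || e3 != nil || json.Unmarshal(hb, &hdr) != nil || hdr.Alg != "RS256" {
		return c, 0, errors.New("malformed JWT or alg is not RS256") // pinned alg rejects "none"
	}
	sum := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(key, crypto.SHA256, sum[:], sig); err != nil {
		return c, 0, err
	}
	if json.Unmarshal(pb, &c) != nil || c.Name == "" || c.Email == "" || !time.Unix(int64(c.Exp), 0).After(now) {
		return claims{}, 0, errors.New("need name, email and an unexpired exp")
	}
	return c, time.Unix(int64(c.Exp), 0).Sub(now), nil
}

func main() {
	_, _, err := trySkipUserInfo("constructed-opaque-token", nil, time.Now())
	fmt.Println("fall back to UserInfo:", err)
}
```

The returned duration is the cache TTL to use in place of the default. A deployment would also compare the token's `iss` and `aud` against the configured provider and client before trusting the claims.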

Related issues: 1 (0 open, 1 closed)

Related to Arvados - Feature #16669: Accept OpenID Connect access token (Resolved, Tom Clegg, 09/24/2020)
Actions #1

Updated by Tom Clegg almost 4 years ago

Actions #2

Updated by Tom Clegg almost 4 years ago

  • Description updated (diff)
Actions #3

Updated by Tom Clegg almost 4 years ago

  • Story points set to 1.0
Actions #4

Updated by Peter Amstutz over 3 years ago

  • Target version deleted (Arvados Future Sprints)
Actions #5

Updated by Peter Amstutz almost 2 years ago

  • Release set to 60
Actions #6

Updated by Peter Amstutz 10 months ago

  • Target version set to Future