Feature #17468

[controller] Skip repetitive OIDC UserInfo calls if access token validates as an ID token

Added by Tom Clegg about 1 year ago. Updated 11 months ago.

Assigned To:
Target version:
Start date:
Due date:
% Done:


Estimated time:
Story points:


When we accept an OIDC access token in lieu of an Arvados token for an API call, if the OIDC provider is configured to issue access tokens that are signed JWTs with email/name/exp values, the call we make to the UserInfo API is redundant.

We should check whether the incoming token is a JWT, passes validation, and has the exp/name/email claims we need, and if so
  • skip the call to UserInfo
  • when caching the token in memory/postgres, use the token's embedded expiry time instead of our default TTL

Related issues

Related to Arvados - Feature #16669: Accept OpenID Connect access tokenResolved09/24/2020


#1 Updated by Tom Clegg about 1 year ago

#2 Updated by Tom Clegg about 1 year ago

  • Description updated (diff)

#3 Updated by Tom Clegg about 1 year ago

  • Story points set to 1.0

#4 Updated by Peter Amstutz 11 months ago

  • Target version deleted (Arvados Future Sprints)

Also available in: Atom PDF