Feature #17468: [controller] Skip repetitive OIDC UserInfo calls if access token validates as an ID token - Arvados

Actions

Copy link

Feature #17468

open

[controller] Skip repetitive OIDC UserInfo calls if access token validates as an ID token

Added by Tom Clegg about 3 years ago. Updated 2 months ago.

Status:

New

Priority:

Normal

Assigned To:

Category:

Target version:

Future

Story points:

1.0

Release:

Postponed

Release relationship:

Auto

Description

When we accept an OIDC access token in lieu of an Arvados token for an API call, if the OIDC provider is configured to issue access tokens that are signed JWTs with email/name/exp values, the call we make to the UserInfo API is redundant.

We should check whether the incoming token is a JWT, passes validation, and has the exp/name/email claims we need, and if so

skip the call to UserInfo
when caching the token in memory/postgres, use the token's embedded expiry time instead of our default TTL

Related issues

History
Property changes

Actions

Copy link

Also available in: Atom PDF

Project

General

Profile

Arvados

Custom queries

Feature #17468

[controller] Skip repetitive OIDC UserInfo calls if access token validates as an ID token

Updated by Tom Clegg about 3 years ago

Updated by Tom Clegg about 3 years ago

Updated by Tom Clegg about 3 years ago

Updated by Peter Amstutz almost 3 years ago

Updated by Peter Amstutz about 1 year ago

Updated by Peter Amstutz 2 months ago