Feature #17772

open

use subject identifier (username etc) in "identity_url" instead of "email" for login

Added by Peter Amstutz almost 3 years ago. Updated about 2 months ago.

Status:
New
Priority:
Normal
Assigned To:
-
Category:
Login
Target version:
Story points:
-
Release:
Release relationship:
Auto

Description

(formerly: OIDC support "sub" claim)

We should prefer to use the "sub" claim to identify users (this is the way OIDC is supposed to work), and only identify users by "email" as an optional backup strategy.

This also affects PAM and other login methods.

In Arvados:

  • Come up with a custom internal URL scheme to identify users that will be used for identity_url. This is the provider type, host, and subject (username or however the user is uniquely identified).

oidc://

google://

ldap://

pam://

etc

the host part identifies the provider

the path part is the subject from the provider (URL encoded)

put this in the identity_url field of the user

When logging in, it searches for identity_url. If found, but the email address has changed, it updates the email address.

  • Add flag to specify if it should use user email as a fallback.

If the fallback is disabled and the identity_url is not found, the user cannot log in.

If the fallback is enabled and the identity_url is not found, it searches by email address. If found, the user logs in and it updates identity_url.

  • Add an additional flag for "fallback only on empty identity_url"

If the fallback is disabled and the identity_url is not found, the user cannot log in.

If the fallback is enabled and the identity_url is not found, it searches by email address. If found and the identity_url is blank, then the user logs in and it updates identity_url.
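The identity_url scheme and the lookup rules proposed above, written out as an added worked example in Go (the language of the Arvados controller). This is illustrative code, not code from the Arvados project: the User and Store types, the field and flag names (EmailFallback, FallbackOnlyIfEmpty), the error values and the sample users with IDs "user-1" and "user-2" are all constructed for this example.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// User is a constructed stand-in for an Arvados user record; only the
// fields this example needs are modelled (field names are assumptions).
type User struct {
	UUID        string
	Email       string
	IdentityURL string
}

// LoginPolicy carries the two flags proposed in the issue description.
type LoginPolicy struct {
	EmailFallback       bool // if identity_url is unknown, try matching by email
	FallbackOnlyIfEmpty bool // ...but only claim users whose identity_url is still blank
}

var (
	ErrNoSuchUser   = errors.New("login: no matching user")
	ErrAlreadyBound = errors.New("login: email matches a user already bound to a different identity_url")
)

// IdentityURL renders "<provider>://<host>/<subject>" with the subject
// URL-encoded as a single path segment, so a subject containing "/" or "?"
// cannot be mistaken for extra path or query components.
func IdentityURL(provider, host, subject string) (string, error) {
	if provider == "" || host == "" || subject == "" {
		return "", errors.New("identity url: provider, host and subject are all required")
	}
	return provider + "://" + host + "/" + url.PathEscape(subject), nil
}

// ParseIdentityURL is the inverse of IdentityURL. It works on the escaped
// path so that "%2F" in the subject round-trips instead of collapsing into "/".
func ParseIdentityURL(s string) (provider, host, subject string, err error) {
	u, err := url.Parse(s)
	if err != nil {
		return "", "", "", err
	}
	if u.Scheme == "" || u.Host == "" || u.User != nil || u.RawQuery != "" || u.Fragment != "" {
		return "", "", "", fmt.Errorf("identity url %q: expected <provider>://<host>/<subject>", s)
	}
	seg := strings.TrimPrefix(u.EscapedPath(), "/")
	if seg == "" || strings.Contains(seg, "/") {
		return "", "", "", fmt.Errorf("identity url %q: subject must be exactly one path segment", s)
	}
	subject, err = url.PathUnescape(seg)
	if err != nil {
		return "", "", "", err
	}
	return u.Scheme, u.Host, subject, nil
}

// Store is an in-memory stand-in for the users table.
type Store struct{ Users []*User }

func (s *Store) byIdentityURL(id string) *User {
	for _, u := range s.Users {
		if u.IdentityURL != "" && u.IdentityURL == id { // exact match: subjects are opaque, case-sensitive strings
			return u
		}
	}
	return nil
}

func (s *Store) byEmail(email string) *User {
	for _, u := range s.Users {
		if email != "" && strings.EqualFold(u.Email, email) {
			return u
		}
	}
	return nil
}

// Login applies the lookup order from the issue: identity_url first; then,
// only when the policy allows, email. It returns the matched user with any
// attribute updates applied, or an error explaining why login was refused.
func Login(s *Store, p LoginPolicy, identityURL, email string) (*User, error) {
	if identityURL == "" {
		return nil, errors.New("login: provider did not supply a subject")
	}
	if u := s.byIdentityURL(identityURL); u != nil {
		// The subject is stable; the email the provider reports may change.
		if email != "" && u.Email != email {
			u.Email = email
		}
		return u, nil
	}
	if !p.EmailFallback {
		return nil, ErrNoSuchUser
	}
	u := s.byEmail(email)
	if u == nil {
		return nil, ErrNoSuchUser
	}
	if p.FallbackOnlyIfEmpty && u.IdentityURL != "" {
		// Already bound to another subject: presenting the same email from a
		// different provider/subject must not take the account over.
		return nil, ErrAlreadyBound
	}
	u.IdentityURL = identityURL // migrate the legacy, email-keyed account
	return u, nil
}

// NewSampleStore returns constructed sample data: one legacy user with no
// identity_url and one user already bound to an OIDC subject.
func NewSampleStore() *Store {
	return &Store{Users: []*User{
		{UUID: "user-1", Email: "alice@example.com"},
		{UUID: "user-2", Email: "bob@example.com", IdentityURL: "oidc://accounts.example.com/sub-bob"},
	}}
}

func main() {
	store := NewSampleStore()
	id, _ := IdentityURL("oidc", "accounts.example.com", "sub-alice")
	for _, p := range []LoginPolicy{{}, {EmailFallback: true, FallbackOnlyIfEmpty: true}} {
		u, err := Login(store, p, id, "alice@example.com")
		if err != nil {
			fmt.Printf("policy=%+v refused: %v\n", p, err)
			continue
		}
		fmt.Printf("policy=%+v logged in %s, identity_url now %q\n", p, u.UUID, u.IdentityURL)
	}
}
```

The second flag is the one that matters for account takeover: with only EmailFallback on, any provider that issues a token carrying bob@example.com (a second IdP, or the same IdP after the account was deleted and re-created under a new subject) re-binds Bob's record to the new subject; with FallbackOnlyIfEmpty on as well, that login is refused and only accounts that have never been bound can be claimed by email. Whatever the flags, the email used for fallback should come from a claim the provider marks as verified, since an unverified email is attacker-chosen input.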

Actions #1

Updated by Peter Amstutz almost 3 years ago

  • Description updated (diff)
Actions #2

Updated by Peter Amstutz almost 3 years ago

  • Target version changed from 2021-06-23 sprint to 2021-07-07 sprint
Actions #3

Updated by Peter Amstutz almost 3 years ago

  • Target version changed from 2021-07-07 sprint to 2021-07-21 sprint
  • Description updated (diff)
Actions #4

Updated by Peter Amstutz almost 3 years ago

  • Description updated (diff)
Actions #5

Updated by Peter Amstutz almost 3 years ago

  • Description updated (diff)
Actions #6

Updated by Peter Amstutz almost 3 years ago

  • Target version changed from 2021-07-21 sprint to 2021-08-04 sprint
Actions #7

Updated by Peter Amstutz almost 3 years ago

  • Target version changed from 2021-08-04 sprint to 2021-08-18 sprint
Actions #8

Updated by Peter Amstutz over 2 years ago

  • Target version changed from 2021-08-18 sprint to 2021-09-01 sprint
Actions #9

Updated by Peter Amstutz over 2 years ago

  • Description updated (diff)
  • Subject changed from OIDC support "sub" claim to use subject identifier (username etc) in "identity_url" instead of "email" for login
Actions #10

Updated by Peter Amstutz over 2 years ago

  • Target version changed from 2021-09-01 sprint to 2021-09-15 sprint
Actions #11

Updated by Peter Amstutz over 2 years ago

  • Target version changed from 2021-09-15 sprint to 2021-09-29 sprint
Actions #12

Updated by Peter Amstutz over 2 years ago

  • Target version changed from 2021-09-29 sprint to 2021-10-13 sprint
Actions #13

Updated by Peter Amstutz over 2 years ago

  • Target version changed from 2021-10-13 sprint to 2021-10-27 sprint
Actions #14

Updated by Peter Amstutz over 2 years ago

  • Target version changed from 2021-10-27 sprint to 2021-11-10 sprint
Actions #15

Updated by Peter Amstutz over 2 years ago

  • Target version changed from 2021-11-10 sprint to 2021-11-24 sprint
Actions #16

Updated by Peter Amstutz over 2 years ago

  • Target version deleted (2021-11-24 sprint)
Actions #17

Updated by Peter Amstutz about 1 year ago

  • Release set to 60
Actions #18

Updated by Peter Amstutz about 2 months ago

  • Target version set to Future