Feature #17772

use subject identifier (username etc) in "identity_url" instead of "email" for login

Added by Peter Amstutz 3 months ago. Updated 3 days ago.

Status: New
Priority: Normal
Assigned To: -
Category: Login
Target version:
Start date:
Due date:
% Done: 0%
Estimated time:
Story points: -

Description

(formerly: OIDC support "sub" claim)

We should prefer to use the "sub" claim to identify users (this is the way OIDC is supposed to work), and only identify users by "email" as an optional backup strategy.

This also affects PAM and other login methods.

In Arvados:

  • Come up with a custom internal URL scheme to identify users that will be used for identity_url. This is the provider type, host, and subject (username or however the user is uniquely identified), e.g. oidc://, google://, ldap://, pam://, etc.
    • the scheme part identifies the provider type
    • the host part identifies the provider
    • the path part is the subject from the provider (URL encoded)
    • put this in the identity_url field of the user

When logging in, search for the user by identity_url. If found, but the email address has changed, update the email address.

  • Add flag to specify if it should use user email as a fallback.

If the fallback is disabled and the identity_url is not found, the user cannot log in.

If the fallback is enabled and the identity_url is not found, search by email address. If found, the user logs in, and identity_url is updated.

  • Add an additional flag for "fallback only on empty identity_url"

If the fallback is disabled and the identity_url is not found, the user cannot log in.

If the fallback is enabled and the identity_url is not found, search by email address. If found and the identity_url is blank, the user logs in, and identity_url is updated.
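The scheme and the lookup order described above, as an added example in Go (the language of the Arvados controller's login code). This is not Arvados's own implementation: the type and field names (`LoginPolicy`, `EmailFallback`, `FallbackOnlyIfEmptyURL`, `Directory`), the in-memory users table and the sample users are assumptions made for the demonstration.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// User is a stand-in for the Arvados user record; only the fields this ticket
// touches are modelled (assumption).
type User struct {
	UUID        string
	Email       string
	IdentityURL string
}

// LoginPolicy carries the two flags the ticket proposes. Names are assumed.
type LoginPolicy struct {
	EmailFallback          bool // look the user up by email when identity_url is unknown
	FallbackOnlyIfEmptyURL bool // ...but only claim accounts whose identity_url is still blank
}

// ErrLoginDenied is returned when no user may be matched to the login.
var ErrLoginDenied = errors.New("login denied: no user matches identity_url")

// IdentityURL renders (provider, host, subject) as provider://host/subject.
// The subject is percent-encoded so a "/" or "?" inside it cannot be read as
// URL structure; "@" is legal in a path segment and stays as-is.
func IdentityURL(provider, host, subject string) (string, error) {
	if provider == "" || host == "" || subject == "" {
		return "", errors.New("identity_url: provider, host and subject are all required")
	}
	return provider + "://" + host + "/" + url.PathEscape(subject), nil
}

// ParseIdentityURL is the inverse of IdentityURL: split on the first "://",
// then on the first "/" after the host, and decode the subject.
func ParseIdentityURL(s string) (provider, host, subject string, err error) {
	i := strings.Index(s, "://")
	if i < 0 {
		return "", "", "", fmt.Errorf("identity_url %q: missing scheme", s)
	}
	provider = s[:i]
	rest := s[i+3:]
	j := strings.Index(rest, "/")
	if j < 0 {
		return "", "", "", fmt.Errorf("identity_url %q: missing subject", s)
	}
	host = rest[:j]
	subject, err = url.PathUnescape(rest[j+1:])
	if err != nil || provider == "" || host == "" || subject == "" {
		return "", "", "", fmt.Errorf("identity_url %q: malformed", s)
	}
	return provider, host, subject, nil
}

// Directory is an in-memory stand-in for the users table (assumption).
type Directory struct{ Users []*User }

func (d *Directory) byIdentityURL(id string) *User {
	for _, u := range d.Users {
		if u.IdentityURL != "" && u.IdentityURL == id {
			return u
		}
	}
	return nil
}

func (d *Directory) byEmail(email string) *User {
	for _, u := range d.Users {
		if u.Email == email { // exact match; case handling is out of scope here
			return u
		}
	}
	return nil
}

// Login resolves an authenticated (identity_url, email) pair to a user record in
// the ticket's order: identity_url first, email only as a fallback, and with the
// stricter flag set, only onto accounts that were never bound to a subject.
func (d *Directory) Login(p LoginPolicy, identityURL, email string) (*User, error) {
	if _, _, _, err := ParseIdentityURL(identityURL); err != nil {
		return nil, err
	}
	if u := d.byIdentityURL(identityURL); u != nil {
		u.Email = email // stable subject matched: the provider is authoritative for the address
		return u, nil
	}
	if !p.EmailFallback {
		return nil, ErrLoginDenied
	}
	u := d.byEmail(email)
	if u == nil {
		return nil, ErrLoginDenied
	}
	if p.FallbackOnlyIfEmptyURL && u.IdentityURL != "" {
		// The address is already bound to a different subject; refusing here is
		// what keeps a second identity with the same email from taking the account.
		return nil, fmt.Errorf("login denied: %s is already bound to %s", email, u.IdentityURL)
	}
	u.IdentityURL = identityURL // first identity_url login for this user: bind it
	return u, nil
}

// SampleDirectory returns a constructed users table for the demonstration.
func SampleDirectory() *Directory {
	return &Directory{Users: []*User{
		{UUID: "zzzzz-tpzed-000000000000001", Email: "alice@example.com", IdentityURL: "oidc://accounts.example/sub-1"},
		{UUID: "zzzzz-tpzed-000000000000002", Email: "bob@example.com"}, // pre-migration: no identity_url yet
	}}
}

func main() {
	d := SampleDirectory()
	strict := LoginPolicy{EmailFallback: true, FallbackOnlyIfEmptyURL: true}
	for _, c := range [][2]string{
		{"oidc://accounts.example/sub-1", "alice@new.example"},    // known subject, new address
		{"oidc://accounts.example/sub-2", "bob@example.com"},      // unknown subject, migrates bob
		{"google://accounts.google.com/111", "alice@new.example"}, // same email, different subject
	} {
		if u, err := d.Login(strict, c[0], c[1]); err != nil {
			fmt.Println("DENY", c[0], err)
		} else {
			fmt.Println("OK  ", c[0], "->", u.UUID, u.Email, u.IdentityURL)
		}
	}
}
```

With both flags on, email matching is confined to the first login of a user that predates identity_url; once an account is bound to a subject, a different subject that merely carries the same email address at its provider is refused rather than silently rebinding the account, which is the property the stricter flag buys.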

History

#1 Updated by Peter Amstutz 3 months ago

  • Description updated (diff)

#2 Updated by Peter Amstutz 3 months ago

  • Target version changed from 2021-06-23 sprint to 2021-07-07 sprint

#3 Updated by Peter Amstutz 3 months ago

  • Target version changed from 2021-07-07 sprint to 2021-07-21 sprint
  • Description updated (diff)

#4 Updated by Peter Amstutz 3 months ago

  • Description updated (diff)

#5 Updated by Peter Amstutz 3 months ago

  • Description updated (diff)

#6 Updated by Peter Amstutz 2 months ago

  • Target version changed from 2021-07-21 sprint to 2021-08-04 sprint

#7 Updated by Peter Amstutz about 2 months ago

  • Target version changed from 2021-08-04 sprint to 2021-08-18 sprint

#8 Updated by Peter Amstutz about 1 month ago

  • Target version changed from 2021-08-18 sprint to 2021-09-01 sprint

#9 Updated by Peter Amstutz about 1 month ago

  • Description updated (diff)
  • Subject changed from OIDC support "sub" claim to use subject identifier (username etc) in "identity_url" instead of "email" for login

#10 Updated by Peter Amstutz about 1 month ago

  • Target version changed from 2021-09-01 sprint to 2021-09-15 sprint

#11 Updated by Peter Amstutz 17 days ago

  • Target version changed from 2021-09-15 sprint to 2021-09-29 sprint

#12 Updated by Peter Amstutz 3 days ago

  • Target version changed from 2021-09-29 sprint to 2021-10-13 sprint
