Story #20123
closed
OpenID "AcceptAccessToken" feature is mostly undocumented
100%
Description
We have a very handy feature of being able to accept OpenID access tokens and validate them with the upstream provider. We have an OpenID Connect section in the Install Guide, but it basically just points people to the configuration file for details. This section should:
- briefly explain what OpenID Connect is and how Arvados uses it
- list popular providers we know it's compatible with (so people searching for "arvados provider name" can find it)
- explain what configuration settings you must set up, and what their values are
- if there are optional values, it's okay to continue to direct people to the configuration file reference for those
Updated by Brett Smith 9 months ago
- Story points set to 0.5
- Target version changed from To be groomed to To be scheduled
- Description updated (diff)
Updated by Peter Amstutz 8 months ago
- Target version changed from To be scheduled to Development 2023-04-12 sprint
Updated by Tom Clegg 8 months ago
- Status changed from New to In Progress
20123-access-token-doc @ 65ceeadb232fd4e5646e7ade0f1d9713af65aafc
I struggled a bit with this explanation. Better suggestions welcome.
Arvados can also be configured to accept provider-issued access tokens as Arvados API tokens. This can be useful for integrating third party applications.
Check the OpenIDConnect section in the default config file for more details and configuration options.
As an aside, wouldn't it be nice if we could link to a specific section of the default config file?
This is the part about accepting access tokens.
# Accept an OIDC access token as an API token if the OIDC
# provider's UserInfo endpoint accepts it.
#
# AcceptAccessTokenScope should also be used when enabling
# this feature.
AcceptAccessToken: false
# Before accepting an OIDC access token as an API token, first
# check that it is a JWT whose "scope" value includes this
# value. Example: "https://zzzzz.example.com/" (your Arvados
# API endpoint).
#
# If this value is empty and AcceptAccessToken is true, all
# access tokens will be accepted regardless of scope,
# including non-JWT tokens. This is not recommended.
AcceptAccessTokenScope: ""
Updated by Peter Amstutz 8 months ago
I feel like this merits a slightly more specific discussion of the implementation, i.e. the token is checked by accessing a particular standard endpoint and getting the expiration time from there (that's what we do right?).
Updated by Tom Clegg 8 months ago
- updated re cache behavior, UserInfo endpoint, JWT/scope config
- rebased
Updated by Peter Amstutz 8 months ago
- Status changed from In Progress to Resolved