Project

General

Profile

Actions

Idea #20123

closed

OpenID "AcceptAccessToken" feature is mostly undocumented

Added by Peter Amstutz over 1 year ago. Updated about 1 year ago.

Status:
Resolved
Priority:
Normal
Assigned To:
Category:
Documentation
Start date:
04/06/2023
Due date:
Story points:
0.5
Release relationship:
Auto

Description

We have a very handy feature of being able to accept OpenID access tokens and validate them with the upstream provider. We have an OpenID Connect section in the Install Guide, but it basically just points people to the configuration file for details. This section should:

  • briefly explain what OpenID Connect is and how Arvados uses it
  • list popular providers we know it's compatible with (so people searching for "arvados provider name" can find it)
  • explain what configuration settings you must set up, and what their values are
  • if there are optional values, it's okay to continue to direct people to the configuration file reference for those

Subtasks 1 (0 open1 closed)

Task #20278: Review 20123-access-token-docResolvedPeter Amstutz04/06/2023Actions
Actions #1

Updated by Peter Amstutz over 1 year ago

  • Description updated (diff)
Actions #2

Updated by Brett Smith about 1 year ago

  • Story points set to 0.5
  • Target version changed from Future to To be scheduled
  • Description updated (diff)
Actions #3

Updated by Peter Amstutz about 1 year ago

  • Target version changed from To be scheduled to Development 2023-04-12 sprint
Actions #4

Updated by Peter Amstutz about 1 year ago

  • Assigned To set to Tom Clegg
Actions #5

Updated by Tom Clegg about 1 year ago

  • Status changed from New to In Progress

20123-access-token-doc @ 65ceeadb232fd4e5646e7ade0f1d9713af65aafc

I struggled a bit with this explanation. Better suggestions welcome.

Arvados can also be configured to accept provider-issued access tokens as Arvados API tokens. This can be useful for integrating third party applications.

Check the OpenIDConnect section in the default config file for more details and configuration options.

As an aside, wouldn't it be nice if we could link to a specific section of the default config file?

This is the part about accepting access tokens.

        # Accept an OIDC access token as an API token if the OIDC                                  
        # provider's UserInfo endpoint accepts it.                               
        #                                                                              
        # AcceptAccessTokenScope should also be used when enabling       
        # this feature.                                                 
        AcceptAccessToken: false

        # Before accepting an OIDC access token as an API token, first                                         
        # check that it is a JWT whose "scope" value includes this                                                        
        # value. Example: "https://zzzzz.example.com/" (your Arvados                                                        
        # API endpoint).                                                                                                   
        #                                                                                                               
        # If this value is empty and AcceptAccessToken is true, all                                      
        # access tokens will be accepted regardless of scope,                      
        # including non-JWT tokens. This is not recommended.                                                            
        AcceptAccessTokenScope: "" 
Actions #7

Updated by Peter Amstutz about 1 year ago

I feel like this merits a slightly more specific discussion of the implementation, i.e. the token is checked by accessing a particular standard endpoint and getting the expiration time from there (that's what we do right?).

Actions #8

Updated by Tom Clegg about 1 year ago

  • Target version changed from Development 2023-04-12 sprint to Development 2023-04-26 sprint
Actions #9

Updated by Tom Clegg about 1 year ago

20123-access-token-doc @ 3f8deee8bca244601503ec0434bbb80f0886e370
  • updated re cache behavior, UserInfo endpoint, JWT/scope config
  • rebased
Actions #10

Updated by Peter Amstutz about 1 year ago

  • Release set to 62
Actions #11

Updated by Peter Amstutz about 1 year ago

  • Status changed from In Progress to Resolved
Actions

Also available in: Atom PDF