Idea #20123
closed
OpenID "AcceptAccessToken" feature is mostly undocumented
Added by Peter Amstutz about 1 year ago.
Updated about 1 year ago.
Release relationship:
Auto
Description
We have a very handy feature of being able to accept OpenID access tokens and validate them with the upstream provider. We have an OpenID Connect section in the Install Guide, but it basically just points people to the configuration file for details. This section should:
- briefly explain what OpenID Connect is and how Arvados uses it
- list popular providers we know it's compatible with (so people searching for "arvados provider name" can find it)
- explain what configuration settings you must set up, and what their values are
- if there are optional values, it's okay to continue to direct people to the configuration file reference for those
- Description updated (diff)
- Story points set to 0.5
- Target version changed from Future to To be scheduled
- Description updated (diff)
- Target version changed from To be scheduled to Development 2023-04-12 sprint
- Assigned To set to Tom Clegg
- Status changed from New to In Progress
20123-access-token-doc @ 65ceeadb232fd4e5646e7ade0f1d9713af65aafc
I struggled a bit with this explanation. Better suggestions welcome.
Arvados can also be configured to accept provider-issued access tokens as Arvados API tokens. This can be useful for integrating third party applications.
Check the OpenIDConnect section in the default config file for more details and configuration options.
As an aside, wouldn't it be nice if we could link to a specific section of the default config file?
This is the part about accepting access tokens.
# Accept an OIDC access token as an API token if the OIDC
# provider's UserInfo endpoint accepts it.
#
# AcceptAccessTokenScope should also be used when enabling
# this feature.
AcceptAccessToken: false
# Before accepting an OIDC access token as an API token, first
# check that it is a JWT whose "scope" value includes this
# value. Example: "https://zzzzz.example.com/" (your Arvados
# API endpoint).
#
# If this value is empty and AcceptAccessToken is true, all
# access tokens will be accepted regardless of scope,
# including non-JWT tokens. This is not recommended.
AcceptAccessTokenScope: ""
I feel like this merits a slightly more specific discussion of the implementation, i.e. the token is checked by accessing a particular standard endpoint and getting the expiration time from there (that's what we do right?).
- Target version changed from Development 2023-04-12 sprint to Development 2023-04-26 sprint
- Status changed from In Progress to Resolved
Also available in: Atom
PDF
Updated by 
Updated by 
Updated by