OpenID "AcceptAccessToken" feature is mostly undocumented
We have a very handy feature of being able to accept OpenID access tokens and validate them with the upstream provider. We have an OpenID Connect section in the Install Guide, but it basically just points people to the configuration file for details. This section should:
- briefly explain what OpenID Connect is and how Arvados uses it
- list popular providers we know it's compatible with (so people searching for "arvados provider name" can find it)
- explain what configuration settings you must set up, and what their values are
- if there are optional values, it's okay to continue to direct people to the configuration file reference for those
- Status changed from New to In Progress
20123-access-token-doc @ 65ceeadb232fd4e5646e7ade0f1d9713af65aafc
I struggled a bit with this explanation. Better suggestions welcome.
Arvados can also be configured to accept provider-issued access tokens as Arvados API tokens. This can be useful for integrating third party applications.
Check the OpenIDConnect section in the default config file for more details and configuration options.
As an aside, wouldn't it be nice if we could link to a specific section of the default config file?
This is the part about accepting access tokens.
# Accept an OIDC access token as an API token if the OIDC
# provider's UserInfo endpoint accepts it.
# AcceptAccessTokenScope should also be used when enabling
# this feature.
# Before accepting an OIDC access token as an API token, first
# check that it is a JWT whose "scope" value includes this
# value. Example: "https://zzzzz.example.com/" (your Arvados
# API endpoint).
# If this value is empty and AcceptAccessToken is true, all
# access tokens will be accepted regardless of scope,
# including non-JWT tokens. This is not recommended.