Feature #16669

Updated by Peter Amstutz over 3 years ago

When getting an unrecognized token, add an option to validate the token against an OpenID Connect provider. 

# Attempt to decode the token as an OAuth2 access token (https://tools.ietf.org/html/draft-ietf-oauth-jwt-bearer-12).
# If valid, check whether the token has expired.
# If not expired, make a call to the UserInfo endpoint of the provider; this returns claims similar to those from the existing login process, or an error (https://openid.net/specs/openid-connect-core-1_0.html#UserInfo).
# Cache the token in the Arvados database along with the expiration time.
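The four steps above as an added, stand-alone Python sketch (not code from the Arvados controller or API server): the UserInfo URL, the cache layout and the `OIDCTokenValidator` name are assumptions, and an in-memory dict stands in for the database row that would hold the token and its expiry.

```python
import base64
import json
import time
import urllib.error
import urllib.request


def jwt_expiry(token: str) -> float:
    """Return the exp claim (Unix seconds) of a JWT payload. The signature is
    not checked here: the UserInfo call is what authenticates the token, since
    the provider rejects tokens it did not issue. Non-JWTs raise ValueError."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT (expected header.payload.signature)")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    claims = json.loads(base64.urlsafe_b64decode(payload))
    if not isinstance(claims, dict) or not isinstance(claims.get("exp"), (int, float)):
        raise ValueError("JWT payload has no usable exp claim")
    return float(claims["exp"])


class OIDCTokenValidator:
    """Steps 1-4 of the feature description for one unrecognized token.
    self.cache is an in-memory stand-in for the Arvados database row that
    would hold the token and its expiry (assumed layout, not Arvados' schema)."""

    def __init__(self, userinfo_url: str):
        self.userinfo_url = userinfo_url  # assumed: the provider's UserInfo endpoint
        self.cache = {}  # token -> (claims, expiry)

    def fetch_userinfo(self, token: str) -> dict:
        # Step 3: present the token as a Bearer token to the UserInfo endpoint.
        req = urllib.request.Request(
            self.userinfo_url, headers={"Authorization": "Bearer " + token})
        try:
            with urllib.request.urlopen(req, timeout=10) as resp:
                return json.load(resp)
        except urllib.error.HTTPError as e:
            raise PermissionError(f"UserInfo rejected token: HTTP {e.code}") from e

    def validate(self, token: str, now=None) -> dict:
        now = time.time() if now is None else now
        hit = self.cache.get(token)
        if hit and now < hit[1]:
            return hit[0]  # cached and still within the token's lifetime
        exp = jwt_expiry(token)  # step 1: decode as a JWT access token
        if now >= exp:  # step 2: reject expired tokens before any network call
            raise PermissionError("token expired")
        claims = self.fetch_userinfo(token)
        self.cache[token] = (claims, exp)  # step 4: cache until the JWT expires
        return claims
```

Keying the cache on the raw token is only acceptable in memory; a database row should store a hash of the token instead, and its expiry must never exceed the JWT's own exp.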

If a LoginCluster is configured, the token is checked with the upstream LoginCluster (the only change is that this now happens for JWT tokens and not just v2 tokens).

Additional notes:

https://dev.arvados.org/projects/arvados/wiki/Accepting_OpenID_access_tokens
