Feature #16669

Updated by Peter Amstutz almost 2 years ago

When getting an unrecognized token, add an option to validate the token against an OpenID Connect provider.

# Attempt to decode the token as an OAuth2 access token https://tools.ietf.org/html/draft-ietf-oauth-jwt-bearer-12
# If valid, check to see if the token has expired
# If not expired, make a call to the UserInfo endpoint of the provider, this will return similar claims as the existing log in process, or an error. https://openid.net/specs/openid-connect-core-1_0.html#UserInfo
# Cache the token in the Arvados database along with the expiration time.

If a LoginCluster is configured, the token is checked with the upstream LoginCluster (only change is that this happens for JWT tokens and not just v2 tokens).

Additional notes:

https://dev.arvados.org/projects/arvados/wiki/Accepting_OpenID_access_tokens

Back