Feature #16669
Updated by Peter Amstutz over 4 years ago
When getting an unrecognized token, add an option to validate the token against an OpenID Connect provider.

1. Attempt to decode the token as an OAuth2 access token: https://tools.ietf.org/html/draft-ietf-oauth-jwt-bearer-12
2. If valid, check whether the token is still valid and when it expires using the token introspection endpoint: https://tools.ietf.org/html/rfc7662
3. If valid and not expired, make a call to the UserInfo endpoint of the provider; this will return similar claims as the existing login process, or an error: https://openid.net/specs/openid-connect-core-1_0.html#UserInfo
4. Cache the token in the Arvados database along with the expiration time.

If a LoginCluster is configured, the token is checked with the upstream LoginCluster (the only change is that this now happens for JWT tokens and not just v2 tokens).

It appears the paths to the Introspection and UserInfo endpoints can be discovered by looking at the "provider configuration" endpoint:
- https://openid.net/specs/openid-connect-discovery-1_0.html
- https://docs.pingidentity.com/bundle/pingfederate-101/page/bwm1564003025542.html

Additional notes: https://dev.arvados.org/projects/arvados/wiki/Accepting_OpenID_access_tokens
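The four steps above plus the discovery lookup, as an added Python illustration that is not Arvados code: the validator fetches the provider configuration document, does the cheap JWT shape check, calls the RFC 7662 introspection endpoint with client credentials, calls UserInfo with the token as Bearer, and caches the email with the expiry. The issuer https://idp.example, the client id/secret, the token strings, the email claims and the in-memory FakeProvider are all constructed sample values; the `cache` dictionary stands in for the database row of step 4.

```python
"""Accepting OpenID Connect access tokens: discovery, introspection (RFC 7662), UserInfo, cache."""
import base64
import json
import time
import urllib.error
import urllib.parse
import urllib.request


def urllib_transport(method, url, headers, body):
    """Real HTTP transport: transport(method, url, headers, body) -> (status, response bytes)."""
    req = urllib.request.Request(url, data=body, headers=headers, method=method)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as e:
        return e.code, e.read()


def looks_like_jwt(token: str) -> bool:
    """Cheap shape check before any network round trip: header.payload.signature with a base64url header."""
    parts = token.split(".")
    if len(parts) != 3:
        return False
    try:
        base64.urlsafe_b64decode(parts[0] + "=" * (-len(parts[0]) % 4))
        return True
    except ValueError:
        return False


class TokenValidator:
    def __init__(self, issuer, client_id, client_secret, transport=urllib_transport):
        self.transport = transport
        self.client_id, self.client_secret = client_id, client_secret
        self.cache = {}  # token -> (email, expires_at); stands in for the database row
        # Discovery: the provider configuration document names the other two endpoints.
        cfg = self._json("GET", issuer.rstrip("/") + "/.well-known/openid-configuration", {})
        self.introspection_endpoint = cfg["introspection_endpoint"]
        self.userinfo_endpoint = cfg["userinfo_endpoint"]

    def _json(self, method, url, headers, body=None):
        status, raw = self.transport(method, url, headers, body)
        if status != 200:
            raise PermissionError(f"{url} returned HTTP {status}")
        return json.loads(raw)

    def validate(self, token: str, now=None) -> str:
        """Return the email claim for an accepted token; raise on anything else."""
        now = time.time() if now is None else now
        if not looks_like_jwt(token):
            raise ValueError("not a JWT-shaped access token")
        cached = self.cache.get(token)
        if cached and now < cached[1]:
            return cached[0]  # accepted earlier and not yet expired: no provider call
        # Introspection: we authenticate as the client; the token travels as form data, never in the URL.
        basic = base64.b64encode(f"{self.client_id}:{self.client_secret}".encode()).decode()
        intro = self._json("POST", self.introspection_endpoint,
                           {"Authorization": "Basic " + basic,
                            "Content-Type": "application/x-www-form-urlencoded"},
                           urllib.parse.urlencode({"token": token}).encode())
        if not intro.get("active") or intro.get("exp", 0) <= now:
            raise PermissionError("token is inactive or expired")
        # UserInfo: the token itself is the Bearer credential; same claims the login flow would see.
        info = self._json("GET", self.userinfo_endpoint, {"Authorization": "Bearer " + token})
        if not info.get("email"):
            raise PermissionError("UserInfo did not return an email claim")
        self.cache[token] = (info["email"], float(intro["exp"]))
        return info["email"]


class FakeProvider:
    """Constructed in-memory OIDC provider (a transport callable) so the example runs offline."""
    def __init__(self, tokens):
        self.tokens = tokens  # token -> (email, exp); constructed sample data
        self.introspections = 0

    def __call__(self, method, url, headers, body):
        path = urllib.parse.urlparse(url).path
        if path == "/.well-known/openid-configuration":
            return 200, json.dumps({"introspection_endpoint": "https://idp.example/introspect",
                                    "userinfo_endpoint": "https://idp.example/userinfo"}).encode()
        if path == "/introspect":
            self.introspections += 1
            expected = "Basic " + base64.b64encode(b"arvados-client:client-secret").decode()
            if headers.get("Authorization") != expected:
                return 401, b""
            tok = urllib.parse.parse_qs(body.decode()).get("token", [""])[0]
            exp = self.tokens.get(tok, ("", 0))[1]
            return 200, json.dumps({"active": tok in self.tokens, "exp": exp}).encode()
        if path == "/userinfo":
            tok = headers.get("Authorization", "").removeprefix("Bearer ")
            if tok in self.tokens:
                return 200, json.dumps({"email": self.tokens[tok][0]}).encode()
        return 401, b""


def sample_token(sub: str) -> str:
    """Constructed JWT-shaped string; the signature segment is a placeholder, not a real signature."""
    enc = lambda b: base64.urlsafe_b64encode(b).rstrip(b"=").decode()
    return enc(b'{"alg":"RS256","typ":"JWT"}') + "." + enc(json.dumps({"sub": sub}).encode()) + ".sig"


def build_example(now: float):
    """Wire a validator to the fake provider holding one live and one already expired token."""
    provider = FakeProvider({sample_token("alice"): ("alice@example.com", now + 3600),
                             sample_token("bob"): ("bob@example.com", now - 60)})
    return TokenValidator("https://idp.example", "arvados-client", "client-secret", transport=provider), provider


if __name__ == "__main__":
    now = time.time()
    validator, provider = build_example(now)
    print(validator.validate(sample_token("alice"), now))
    try:
        validator.validate(sample_token("bob"), now)
    except PermissionError as e:
        print("rejected:", e)
```

The second call for the same live token is answered from the cache without touching the provider, which is the behaviour step 4 buys; the expired token is refused at introspection even though the provider still recognizes it, so the expiry check does not depend on UserInfo failing.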