Feature #16669

Updated by Peter Amstutz almost 2 years ago

When getting an unrecognized token, add an option to validate the token against an OpenID Connect provider.

# Attempt to decode the token as an OAuth2 JWT access token https://tools.ietf.org/html/draft-ietf-oauth-jwt-bearer-12
# If it decodes, check whether the token is still valid and when it expires using the Token Introspection endpoint https://tools.ietf.org/html/rfc7662
# If valid and not expired, make a call to the UserInfo endpoint of the provider; this returns claims similar to those of the existing login process, or an error. https://openid.net/specs/openid-connect-core-1_0.html#UserInfo
# Cache the token in the Arvados database along with the expiration time.

If a LoginCluster is configured, the token is checked with the upstream LoginCluster (the only change is that this now happens for JWT tokens and not just v2 tokens).

It appears the paths to the Introspection and UserInfo endpoints can be discovered by looking at the "provider configuration" endpoint.

https://openid.net/specs/openid-connect-discovery-1_0.html

https://docs.pingidentity.com/bundle/pingfederate-101/page/bwm1564003025542.html
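The four steps above together with endpoint discovery, as an added Go example that is not part of this ticket or of the Arvados controller code: a Validator takes an unrecognized token through the JWT shape check, the provider configuration lookup, RFC 7662 introspection and the UserInfo call, then caches the result in a map that stands in for the database table. The OIDC provider is a constructed httptest stand-in, and the issuer URL, the sample token, the e-mail address and the UserInfo/Validator names are all assumptions made for this example; the LoginCluster forwarding path is not modelled.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
	"time"
)

// UserInfo holds the UserInfo claims the login flow maps to a user, plus the introspection expiry.
type UserInfo struct {
	Sub   string    `json:"sub"`
	Email string    `json:"email"`
	Exp   time.Time `json:"-"` // not a claim: the expiry the cache row stores with the token
}

// Validator checks unrecognized tokens against one OIDC provider; cache stands in for the database table (single-goroutine demo, no locking).
type Validator struct {
	issuer string
	client *http.Client
	cache  map[string]UserInfo
}

func NewValidator(issuer string, client *http.Client) *Validator {
	return &Validator{issuer: issuer, client: client, cache: map[string]UserInfo{}}
}
func (v *Validator) getJSON(req *http.Request, out interface{}) error {
	resp, err := v.client.Do(req)
	if err != nil {
		return err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK { // UserInfo and introspection answer non-200 on error
		return fmt.Errorf("%s: HTTP %d", req.URL.Path, resp.StatusCode)
	}
	return json.NewDecoder(resp.Body).Decode(out)
}

// Validate runs the ticket's steps: JWT shape check, discovery, introspection, UserInfo, cache.
func (v *Validator) Validate(token string) (UserInfo, error) {
	if u, ok := v.cache[token]; ok && time.Now().Before(u.Exp) {
		return u, nil // fresh cache entry: no round trips to the provider
	}
	if len(strings.Split(token, ".")) != 3 { // step 1: a JWT is header.payload.signature
		return UserInfo{}, fmt.Errorf("token is not a JWT")
	}
	var disc struct { // endpoint paths come from the provider configuration document
		Introspection string `json:"introspection_endpoint"`
		Userinfo      string `json:"userinfo_endpoint"`
	}
	req, _ := http.NewRequest("GET", v.issuer+"/.well-known/openid-configuration", nil)
	if err := v.getJSON(req, &disc); err != nil {
		return UserInfo{}, err
	}
	// Step 2: RFC 7662 introspection reports whether the token is active and when it expires.
	req, _ = http.NewRequest("POST", disc.Introspection, strings.NewReader(url.Values{"token": {token}}.Encode()))
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	var intro struct{ Active bool; Exp int64 } // encoding/json matches "active"/"exp" case-insensitively
	if err := v.getJSON(req, &intro); err != nil {
		return UserInfo{}, err
	}
	if !intro.Active || !time.Now().Before(time.Unix(intro.Exp, 0)) {
		return UserInfo{}, fmt.Errorf("token inactive or expired")
	}
	// Step 3: UserInfo returns the same kind of claims the browser login flow receives.
	req, _ = http.NewRequest("GET", disc.Userinfo, nil)
	req.Header.Set("Authorization", "Bearer "+token)
	var info UserInfo
	if err := v.getJSON(req, &info); err != nil {
		return UserInfo{}, err
	}
	info.Exp = time.Unix(intro.Exp, 0) // step 4: cache together with the expiration time
	v.cache[token] = info
	return info, nil
}

// NewFakeProvider is a constructed stand-in OIDC provider (not Arvados code) so the demo runs offline.
func NewFakeProvider(tokens map[string]UserInfo) *httptest.Server {
	var srv *httptest.Server
	srv = httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		switch r.URL.Path {
		case "/.well-known/openid-configuration":
			json.NewEncoder(w).Encode(map[string]string{"introspection_endpoint": srv.URL + "/introspect", "userinfo_endpoint": srv.URL + "/userinfo"})
		case "/introspect":
			u, ok := tokens[r.FormValue("token")]
			json.NewEncoder(w).Encode(map[string]interface{}{"active": ok, "exp": u.Exp.Unix()})
		case "/userinfo":
			json.NewEncoder(w).Encode(tokens[strings.TrimPrefix(r.Header.Get("Authorization"), "Bearer ")])
		}
	}))
	return srv
}

func main() {
	tok := "eyJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJhbGljZSJ9.c2ln" // constructed JWT-shaped sample token
	srv := NewFakeProvider(map[string]UserInfo{tok: {Sub: "alice", Email: "alice@example.com", Exp: time.Now().Add(time.Hour)}})
	fmt.Println(NewValidator(srv.URL, srv.Client()).Validate(tok))
}
```

Running it prints the sample user's claims. The cache check at the top of Validate is what makes step 4 worthwhile: a second lookup of the same token makes no round trip until the expiry reported by introspection has passed, while an inactive, expired, unknown or non-JWT token is refused before anything is cached. A production version would also talk to the provider over HTTPS only and hold the cache in the database rather than in memory.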

Additional notes:

https://dev.arvados.org/projects/arvados/wiki/Accepting_OpenID_access_tokens
