Feature #16669

Updated by Tom Clegg over 1 year ago

When getting an unrecognized token, add an option to validate the token against an OpenID Connect provider.

# Determine if the token is valid & when it expires using the OAuth2 token Introspection endpoint https://tools.ietf.org/html/rfc7662
# If valid and not expired, make a call to the UserInfo endpoint of the provider, this will return similar claims as the existing log in process, or an error. https://openid.net/specs/openid-connect-core-1_0.html#UserInfo
# Cache the token in the Arvados database along with the expiration time.

If a LoginCluster is configured, the token is checked with the upstream LoginCluster (only change is that this happens for JWT tokens and not just v2 tokens).

The endpoint URLs to the Introspection and UserInfo endpoints can be discovered by looking at the "provider configuration" endpoint.

https://openid.net/specs/openid-connect-discovery-1_0.html

https://docs.pingidentity.com/bundle/pingfederate-101/page/bwm1564003025542.html

Additional notes:

[[Accepting OpenID access tokens]] https://dev.arvados.org/projects/arvados/wiki/Accepting_OpenID_access_tokens

Back