Accepting OpenID access tokens

For integration, we need a way to accept OpenID access tokens.

Customer wants to use PingFederate but ideally we should be able to support generic OpenID Connect.

https://www.pingidentity.com/developer/en/resources/oauth-2-0-developers-guide.html

https://openid.net/specs/openid-connect-core-1_0.html

The flow here is that the user logs in through the Open ID Connect SSO in another application. That application has the user's access token. The access token will be passed to Arvados. Arvados must identify the user.

It looks like the way to do that is to call back to the UserInfo endpoint. It is unclear if there's a standard path so this might need to be something the admin configures to be able to work with different OpenID Connect providers.
  • "Note: The OAuth 2.0 specifications do not define a standard mechanism for access token validation. The process described in this section is specific to a PingFederate implementation." -- PingFederate
  • "The UserInfo Endpoint MUST accept Access Tokens as OAuth 2.0 Bearer Token Usage [RFC6750]" -- OpenID Connect

https://openid.net/specs/openid-connect-core-1_0.html#UserInfo

https://docs.pingidentity.com/bundle/pingfederate-101/page/bkn1564003025596.html

Discussion:

Seems like we can either accept the OpenID token directly, check it against the authorization server, and then cache it, or add a new "login" scheme that takes the OpenID token and issues an Arvados token.

Open source OpenID servers (for testing):

https://github.com/gluufederation

https://github.com/wso2

https://www.ory.sh/