Accepting OpenID access tokens » History » Revision 1

Revision 1/3 | Next »
Peter Amstutz, 08/05/2020 02:26 PM

Accepting OpenID access tokens¶

For integration, we need a way to accept OpenID access tokens.

Customer wants to use PingFederate but ideally we should be able to support generic OpenID Connect.

https://www.pingidentity.com/developer/en/resources/oauth-2-0-developers-guide.html

https://openid.net/specs/openid-connect-core-1_0.html

The flow here is that the user logs in through the Open ID Connect SSO in another application. That application has the user's access token. The access token will be passed to Arvados. Arvados must identify the user.

It looks like the way to do that is to call back to the UserInfo endpoint. It is unclear if there's a standard path so this might need to be something the admin configures to be able to work with different OpenID Connect providers.

https://openid.net/specs/openid-connect-core-1_0.html#UserInfo

https://docs.pingidentity.com/bundle/pingfederate-101/page/bkn1564003025596.html

Discussion:

Seems like we can either accept the OpenID token directly, check it against the authorization server, and then cache it, or add a new "login" scheme that takes the OpenID token and issues an Arvados token.

Files (0)

Updated by Peter Amstutz over 3 years ago · 1 revisions

Project

General

Profile

Arvados

Wiki

Accepting OpenID access tokens » History » Revision 1

Accepting OpenID access tokens¶