Accepting OpenID access tokens » History » Version 2
Peter Amstutz, 08/05/2020 05:55 PM
| 1 | 1 | Peter Amstutz | h1. Accepting OpenID access tokens |
|---|---|---|---|
| 2 | |||
| 3 | For integration, we need a way to accept OpenID access tokens. |
||
| 4 | |||
| 5 | Customer wants to use PingFederate but ideally we should be able to support generic OpenID Connect. |
||
| 6 | |||
| 7 | https://www.pingidentity.com/developer/en/resources/oauth-2-0-developers-guide.html |
||
| 8 | |||
| 9 | https://openid.net/specs/openid-connect-core-1_0.html |
||
| 10 | |||
| 11 | The flow here is that the user logs in through the Open ID Connect SSO in another application. That application has the user's access token. The access token will be passed to Arvados. Arvados must identify the user. |
||
| 12 | |||
| 13 | It looks like the way to do that is to call back to the UserInfo endpoint. It is unclear if there's a standard path so this might need to be something the admin configures to be able to work with different OpenID Connect providers. |
||
| 14 | |||
| 15 | https://openid.net/specs/openid-connect-core-1_0.html#UserInfo |
||
| 16 | |||
| 17 | https://docs.pingidentity.com/bundle/pingfederate-101/page/bkn1564003025596.html |
||
| 18 | |||
| 19 | Discussion: |
||
| 20 | |||
| 21 | Seems like we can either accept the OpenID token directly, check it against the authorization server, and then cache it, or add a new "login" scheme that takes the OpenID token and issues an Arvados token. |
||
| 22 | 2 | Peter Amstutz | |
| 23 | Open source OpenID servers (for testing): |
||
| 24 | |||
| 25 | https://github.com/gluufederation |
||
| 26 | |||
| 27 | https://github.com/wso2 |
||
| 28 | |||
| 29 | https://www.ory.sh/ |