Accepting OpenID access tokens » History » Revision 2
Revision 1 (Peter Amstutz, 08/05/2020 02:26 PM) → Revision 2/3 (Peter Amstutz, 08/05/2020 05:55 PM)
h1. Accepting OpenID access tokens
For integration, we need a way to accept OpenID access tokens.
Customer wants to use PingFederate but ideally we should be able to support generic OpenID Connect.
https://www.pingidentity.com/developer/en/resources/oauth-2-0-developers-guide.html
https://openid.net/specs/openid-connect-core-1_0.html
The flow here is that the user logs in through the Open ID Connect SSO in another application. That application has the user's access token. The access token will be passed to Arvados. Arvados must identify the user.
It looks like the way to do that is to call back to the UserInfo endpoint. It is unclear if there's a standard path so this might need to be something the admin configures to be able to work with different OpenID Connect providers.
https://openid.net/specs/openid-connect-core-1_0.html#UserInfo
https://docs.pingidentity.com/bundle/pingfederate-101/page/bkn1564003025596.html
Discussion:
Seems like we can either accept the OpenID token directly, check it against the authorization server, and then cache it, or add a new "login" scheme that takes the OpenID token and issues an Arvados token.
Open source OpenID servers (for testing):
https://github.com/gluufederation
https://github.com/wso2
https://www.ory.sh/