Native login implementation¶

Background: sso-provider is a Rails app that provides an OAuth2 interface to OAuth2, LDAP, and local password database backends. It has some problems:

high maintenance cost
high admin cost (install/upgrade/troubleshoot)
unnecessary extra steps in login flow

Proposal:

Implement the backends in arvados-controller (instead of proxying to RailsAPI and redirecting to sso-provider)
During transition phase, continue to support sso-provider as a backend

Development/release roadmap:

Add Google (OpenID Connect) backend as an alternative to sso-provider
Add LDAP backend as another alternative
Add password database backend -- or, alternatively, suggest installing an LDAP server
Remove sso-provider backend

Implementation notes:

https://godoc.org/golang.org/x/oauth2/google, https://godoc.org/golang.org/x/oauth2, https://github.com/coreos/go-oidc
https://godoc.org/gopkg.in/ldap.v2
https://github.com/korylprince/go-ad-auth wraps ldap to make ActiveDirectory easier -- perhaps we would offer an ActiveDirectory backend as well as a generic LDAP backend?
Controller will probably need to access the sso-provider's database in order to discover the upstream provider IDs for existing users.

Files (0)

Updated by Tom Clegg about 3 years ago · 4 revisions

Project

General

Profile

Arvados

Wiki

Native login implementation¶