Feature #17772

open

use subject identifier (username etc) in "identity_url" instead of "email" for login

Added by Peter Amstutz over 3 years ago. Updated almost 2 years ago.

Status: New
Priority: Normal
Assigned To: -
Category: Login
Target version: -
Start date:
Due date:
% Done: 0%
Estimated time:
Story points: -
Release:
Release relationship: Auto

Description

(formerly: OIDC support "sub" claim)

We should prefer to use the "sub" claim to identify users (this is the way OIDC is supposed to work), and only identify users by "email" as an optional backup strategy.

This also affects PAM and other login methods.

In Arvados:

  • Come up with a custom internal URL scheme to identify users that will be used for identity_url. This is the provider type, host, and subject (username or however the user is uniquely identified).
    • oidc://, google://, ldap://, pam://, etc.
    • The host part identifies the provider.
    • The path part is the subject from the provider (URL encoded).
    • Put this in the identity_url field of the user.
    • When logging in, it searches for identity_url. If found, but the email address has changed, it updates the email address.

  • Add flag to specify if it should use user email as a fallback.
    • If the fallback is disabled, if the identity_url is not found, the user cannot log in.
    • If the fallback is enabled, if the identity_url is not found, it searches by email address. If found, the user logs in, and it updates identity_url.

  • Add an additional flag for "fallback only on empty identity_url"
    • If the fallback is disabled, if the identity_url is not found, the user cannot log in.
    • If the fallback is enabled, if the identity_url is not found, it searches by email address. If found and the identity_url is blank, then the user logs in, and it updates identity_url.
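
The lookup order proposed in this ticket, sketched as an added example; it is not Arvados code. The `User` and `Policy` types, their field names, and the `idp.example.com` host are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"net/url"
)

// User is a hypothetical stand-in for a user record, not the Arvados schema.
type User struct{ Email, IdentityURL string }

// Policy holds the two proposed flags; the field names are assumptions.
type Policy struct{ EmailFallback, FallbackOnlyIfEmpty bool }

// IdentityURL builds type://host/subject with the subject URL-encoded.
func IdentityURL(ptype, host, subject string) string {
	return ptype + "://" + host + "/" + url.PathEscape(subject)
}

// Login returns the matched user, or nil when the login must be refused.
func Login(users []*User, p Policy, idURL, email string) *User {
	for _, u := range users {
		if u.IdentityURL == idURL {
			u.Email = email // subject matched: follow the provider's email change
			return u
		}
	}
	if !p.EmailFallback || email == "" {
		return nil
	}
	for _, u := range users {
		if u.Email != email {
			continue
		}
		if p.FallbackOnlyIfEmpty && u.IdentityURL != "" {
			return nil // record is already bound to a different subject
		}
		u.IdentityURL = idURL // bind (or rebind) the record to this subject
		return u
	}
	return nil
}

func main() {
	users := []*User{{Email: "a@example.com"}} // constructed sample data
	id := IdentityURL("oidc", "idp.example.com", "user/42")
	fmt.Println(id, Login(users, Policy{true, true}, id, "a@example.com") != nil)
}
```

With only the first flag set, an email match rebinds a record that already carries a different identity_url; the second flag restricts the fallback to records that have never been bound.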

#1

Updated by Peter Amstutz over 3 years ago

  • Description updated

#2

Updated by Peter Amstutz over 3 years ago

  • Target version changed from 2021-06-23 sprint to 2021-07-07 sprint

#3

Updated by Peter Amstutz over 3 years ago

  • Description updated
  • Target version changed from 2021-07-07 sprint to 2021-07-21 sprint

#4

Updated by Peter Amstutz over 3 years ago

  • Description updated

#5

Updated by Peter Amstutz over 3 years ago

  • Description updated

#6

Updated by Peter Amstutz over 3 years ago

  • Target version changed from 2021-07-21 sprint to 2021-08-04 sprint

#7

Updated by Peter Amstutz over 3 years ago

  • Target version changed from 2021-08-04 sprint to 2021-08-18 sprint

#8

Updated by Peter Amstutz over 3 years ago

  • Target version changed from 2021-08-18 sprint to 2021-09-01 sprint

#9

Updated by Peter Amstutz over 3 years ago

  • Subject changed from OIDC support "sub" claim to use subject identifier (username etc) in "identity_url" instead of "email" for login
  • Description updated

#10

Updated by Peter Amstutz over 3 years ago

  • Target version changed from 2021-09-01 sprint to 2021-09-15 sprint

#11

Updated by Peter Amstutz over 3 years ago

  • Target version changed from 2021-09-15 sprint to 2021-09-29 sprint

#12

Updated by Peter Amstutz over 3 years ago

  • Target version changed from 2021-09-29 sprint to 2021-10-13 sprint

#13

Updated by Peter Amstutz about 3 years ago

  • Target version changed from 2021-10-13 sprint to 2021-10-27 sprint

#14

Updated by Peter Amstutz about 3 years ago

  • Target version changed from 2021-10-27 sprint to 2021-11-10 sprint

#15

Updated by Peter Amstutz about 3 years ago

  • Target version changed from 2021-11-10 sprint to 2021-11-24 sprint

#16

Updated by Peter Amstutz about 3 years ago

  • Target version deleted (2021-11-24 sprint)

#17

Updated by Lucas Di Pentima almost 2 years ago

  • Release set to 60