Feature #16669

Updated by Tom Clegg over 4 years ago

When receiving an unrecognized token, add an option to validate it against an OpenID Connect provider:

 # Determine whether the token is valid, and when it expires, using the OAuth 2.0 Token Introspection endpoint (https://tools.ietf.org/html/rfc7662).
 # If the token is valid and not expired, call the provider's UserInfo endpoint; this returns claims similar to those used by the existing login process, or an error (https://openid.net/specs/openid-connect-core-1_0.html#UserInfo).
 # Cache the token in the Arvados database along with its expiration time.
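As an added illustration (not code from this ticket or from Arvados), the decision logic behind steps 1 and 3 in Go: parse an RFC 7662 introspection response, reject inactive or expired tokens before any UserInfo call is made, and compute the expiry to store with the cached token. The `cacheEntry` shape and the 5-minute fallback TTL used when the provider omits `exp` are assumptions.

```go
package main

import (
	"encoding/json"
	"errors"
	"time"
)

// introspection holds the RFC 7662 fields this check reads; "active" is the only required one.
type introspection struct {
	Active bool   `json:"active"`
	Exp    int64  `json:"exp,omitempty"` // expiry, seconds since the Unix epoch
	Sub    string `json:"sub,omitempty"` // subject, to be matched against the UserInfo claims
}

// cacheEntry is the record to store in the Arvados database (shape assumed here).
type cacheEntry struct {
	Token   string
	Subject string
	Expires time.Time
}

// defaultTTL bounds the cache lifetime when the provider omits "exp" (assumed value).
const defaultTTL = 5 * time.Minute

var errInactive = errors.New("introspection: token not active")
var errExpired = errors.New("introspection: token expired")

// checkIntrospection decides from the raw introspection response whether the
// token may proceed to the UserInfo call, and how long the result may be cached.
func checkIntrospection(token string, body []byte, now time.Time) (cacheEntry, error) {
	var r introspection
	if err := json.Unmarshal(body, &r); err != nil {
		return cacheEntry{}, err
	}
	if !r.Active { // RFC 7662: ignore every other field when active is false
		return cacheEntry{}, errInactive
	}
	expires := now.Add(defaultTTL)
	if r.Exp > 0 {
		expires = time.Unix(r.Exp, 0)
	}
	if !expires.After(now) {
		return cacheEntry{}, errExpired
	}
	return cacheEntry{Token: token, Subject: r.Sub, Expires: expires}, nil
}

// cachedValid reports whether a stored entry still lets the controller skip the provider round trip.
func cachedValid(e cacheEntry, now time.Time) bool { return now.Before(e.Expires) }
```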

If a LoginCluster is configured, the token is checked with the upstream LoginCluster (the only change is that this now also happens for JWT tokens, not just v2 tokens).

The URLs of the Introspection and UserInfo endpoints can be discovered from the provider's "provider configuration" endpoint:

https://openid.net/specs/openid-connect-discovery-1_0.html

https://docs.pingidentity.com/bundle/pingfederate-101/page/bwm1564003025542.html

Additional notes:

[[Accepting OpenID access tokens]] https://dev.arvados.org/projects/arvados/wiki/Accepting_OpenID_access_tokens
