[arvados] updated: 2.6.0-5-ga22c685d9

git repository hosting git at public.arvados.org
Mon Apr 17 18:38:28 UTC 2023


Summary of changes:
 doc/install/setup-login.html.textile.liquid | 24 +++++++++++++++++-------
 1 file changed, 17 insertions(+), 7 deletions(-)

       via  a22c685d97ceae848267907529406310276a5e39 (commit)
       via  933e687424e67f3a3e3c064016abd295b49c5f98 (commit)
      from  3f8deee8bca244601503ec0434bbb80f0886e370 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.


commit a22c685d97ceae848267907529406310276a5e39
Author: Peter Amstutz <peter.amstutz at curii.com>
Date:   Mon Apr 17 14:37:10 2023 -0400

    20123: Add note about scopes
    
    Arvados-DCO-1.1-Signed-off-by: Peter Amstutz <peter.amstutz at curii.com>

diff --git a/doc/install/setup-login.html.textile.liquid b/doc/install/setup-login.html.textile.liquid
index b16170a88..259e47255 100644
--- a/doc/install/setup-login.html.textile.liquid
+++ b/doc/install/setup-login.html.textile.liquid
@@ -68,9 +68,10 @@ Arvados can also be configured to accept provider-issued access tokens as Arvado
     Login:
       OpenIDConnect:
         AcceptAccessToken: true
+	AcceptAccessTokenScope: "arvados"
 {% endcodeblock %}
 
-# If the provider-issued tokens are JWTs, Arvados can optionally check for the scope specified in @Login.OpenIDConnect.AcceptAccessTokenScope@ before attempting to validate them.  Tokens withou the configured the scope will not be accepted by Arvados.  This is the recommended configuration.
+# If the provider-issued tokens are JWTs, and @Login.OpenIDConnect.AcceptAccessTokenScope@ is not empty, Arvados will check that the token contains the configured scope, and reject tokens that do not have the configured scope.  This can be used to control which users or applications are permitted to access your Arvados instance.
 # Tokens are validated by presenting them to the UserInfo endpoint advertised by the OIDC provider.
 # Once validated, a token is cached and accepted without re-checking for up to 10 minutes.
 # A token that fails validation is cached and will not be re-checked for up to 5 minutes.
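Review bot: the added YAML line `+	AcceptAccessTokenScope: "arvados"` is indented with a tab while the surrounding `Login:`, `OpenIDConnect:` and `AcceptAccessToken: true` lines use spaces; YAML does not allow tabs for indentation, so an administrator who copies this snippet into a config file will get a parse error. Indent it with eight spaces to match `AcceptAccessToken: true`. On the reworded list item, the new sentence is clearer than the old one (and fixes "withou the configured the scope"), but it silently drops "This is the recommended configuration"; if the scope check is still the recommended setup, keep that sentence so readers know an empty `AcceptAccessTokenScope` is the weaker choice.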

commit 933e687424e67f3a3e3c064016abd295b49c5f98
Author: Peter Amstutz <peter.amstutz at curii.com>
Date:   Mon Apr 17 14:25:05 2023 -0400

    20123: Make OpenID connect token a proper subsection
    
    Arvados-DCO-1.1-Signed-off-by: Peter Amstutz <peter.amstutz at curii.com>

diff --git a/doc/install/setup-login.html.textile.liquid b/doc/install/setup-login.html.textile.liquid
index 0de51eae2..b16170a88 100644
--- a/doc/install/setup-login.html.textile.liquid
+++ b/doc/install/setup-login.html.textile.liquid
@@ -60,13 +60,22 @@ The provider will supply an issuer URL, client ID, and client secret. Add these
         ClientSecret: "zzzzzzzzzzzzzzzzzzzzzzzz"
 {% endcodeblock %}
 
-Arvados can also be configured to accept provider-issued access tokens as Arvados API tokens. This can be useful for integrating third party applications.
-* If the provider-issued tokens are JWTs, Arvados can optionally check them for a specified scope before attempting to validate them. This is the recommended configuration.
-* Tokens are validated by presenting them to the UserInfo endpoint advertised by the OIDC provider.
-* Once validated, a token is cached and accepted without re-checking for up to 10 minutes.
-* A token that fails validation is cached and rejected without re-checking for up to 5 minutes.
-* Validation errors such as network errors and HTTP 5xx responses from the provider's UserInfo endpoint are not cached.
-* The OIDC token cache size is currently limited to 1000 tokens.
+h3. Accepting OpenID bearer tokens as Arvados API tokens
+
+Arvados can also be configured to accept provider-issued access tokens as Arvados API tokens by setting @Login.OpenIDConnect.AcceptAccessToken@ to @true at . This can be useful for integrating third party applications.
+
+{% codeblock as yaml %}
+    Login:
+      OpenIDConnect:
+        AcceptAccessToken: true
+{% endcodeblock %}
+
+# If the provider-issued tokens are JWTs, Arvados can optionally check for the scope specified in @Login.OpenIDConnect.AcceptAccessTokenScope@ before attempting to validate them.  Tokens withou the configured the scope will not be accepted by Arvados.  This is the recommended configuration.
+# Tokens are validated by presenting them to the UserInfo endpoint advertised by the OIDC provider.
+# Once validated, a token is cached and accepted without re-checking for up to 10 minutes.
+# A token that fails validation is cached and will not be re-checked for up to 5 minutes.
+# Network errors and HTTP 5xx responses from the provider's UserInfo endpoint are not cached.
+# The OIDC token cache size is currently limited to 1000 tokens, if the number of distinct tokens used in a 5 minute period is greater than this, tokens may be checked more frequently.
 
 Check the OpenIDConnect section in the "default config file":{{site.baseurl}}/admin/config.html for more details and configuration options.
 
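Review bot: the first new list item has a typo, "Tokens withou the configured the scope will not be accepted" (the wording is rewritten in the follow-up commit a22c685 in this same notification, so nothing further is needed if both land together). The last item is a comma splice: "limited to 1000 tokens, if the number of distinct tokens used in a 5 minute period is greater than this, tokens may be checked more frequently"; split it into two sentences, e.g. "The OIDC token cache size is currently limited to 1000 tokens. If more than 1000 distinct tokens are used in a 5 minute period, tokens may be checked more frequently." Also note the list markers changed from `*` (unordered) to `#` (ordered): these items describe independent properties of token validation and caching rather than sequential steps, so `*` was the more accurate Textile marker.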

-----------------------------------------------------------------------


hooks/post-receive
-- 