[ARVADOS] updated: 2.1.0-819-g74e92e7fe

Git user git at public.arvados.org
Wed May 19 20:23:28 UTC 2021

Summary of changes:
 doc/api/tokens.html.textile.liquid | 8 ++++++++
 1 file changed, 8 insertions(+)

       via  74e92e7fe4f0b9561432a5b706a294c0f10eeff6 (commit)
      from  1b606b2933ddad031dbf17a689fee1b312b6c091 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

commit 74e92e7fe4f0b9561432a5b706a294c0f10eeff6
Author: Tom Clegg <tom at curii.com>
Date:   Wed May 19 16:22:54 2021 -0400

    17680: Add OIDC access token section to "tokens" page.
    Arvados-DCO-1.1-Signed-off-by: Tom Clegg <tom at curii.com>

diff --git a/doc/api/tokens.html.textile.liquid b/doc/api/tokens.html.textile.liquid
index 49d9b5544..c9321ae1d 100644
--- a/doc/api/tokens.html.textile.liquid
+++ b/doc/api/tokens.html.textile.liquid
@@ -32,6 +32,14 @@ h3. Direct username/password authentication
 # The API server receives the username and password, authenticates them with the upstream provider (such as LDAP or PAM), and responds with the @api_client_authorization@ object for the new API token.
 # The web application receives the authorization token in the response and uses it to access the API server on the user's behalf.
+h3. Using an OpenID Connect access token
+On a cluster that uses OpenID Connect or Google as a login provider, or defers to a LoginCluster that does so, clients may present an access token instead of an Arvados API token.
+# The client obtains an access token from the OpenID Connect provider via some method outside of Arvados.
+# The client presents the access token with an Arvados API request (e.g., request header @Authorization: Bearer xxxxaccesstokenxxxx@).
+# The API server uses the provider's UserInfo endpoint to validate the presented token.
+# If the token is valid, it is cached in the Arvados database and accepted in subsequent API calls for the next 10 minutes.
 h3. Diagram



More information about the arvados-commits mailing list