X-Git-Url: https://git.arvados.org/arvados.git/blobdiff_plain/341fd46d3a5188f3ce312aefc5599796c9d825d4..e3ac3dafe5432c81a294403e1996c306a93d48f8:/doc/api/tokens.html.textile.liquid diff --git a/doc/api/tokens.html.textile.liquid b/doc/api/tokens.html.textile.liquid index c9321ae1df..99c5f58a21 100644 --- a/doc/api/tokens.html.textile.liquid +++ b/doc/api/tokens.html.textile.liquid @@ -34,9 +34,10 @@ h3. Direct username/password authentication h3. Using an OpenID Connect access token -On a cluster that uses OpenID Connect or Google as a login provider, or defers to a LoginCluster that does so, clients may present an access token instead of an Arvados API token. +A cluster that uses OpenID Connect as a login provider can be configured to accept OIDC access tokens as well as Arvados API tokens (this is disabled by default; see @Login.OpenIDConnect.AcceptAccessToken@ in the "default config.yml file":{{site.baseurl}}/admin/config.html). # The client obtains an access token from the OpenID Connect provider via some method outside of Arvados. # The client presents the access token with an Arvados API request (e.g., request header @Authorization: Bearer xxxxaccesstokenxxxx@). +# Depending on configuration, the API server decodes the access token (which must be a signed JWT) and confirms that it includes the required scope (see @Login.OpenIDConnect.AcceptAccessTokenScope@ in the "default config.yml file":{{site.baseurl}}/admin/config.html). # The API server uses the provider's UserInfo endpoint to validate the presented token. # If the token is valid, it is cached in the Arvados database and accepted in subsequent API calls for the next 10 minutes. 
@@ -72,6 +73,8 @@ Each entry in scopes consists of a @request_method@ and @request_path@. The @re As a special case, a scope of @["all"]@ allows all resources. This is the default if no scope is given. +A valid token is always allowed to issue a request to "@GET /arvados/v1/api_client_authorizations/current@":{{ site.baseurl }}/api/methods/api_client_authorizations.html#current regardless of its scopes. + Using scopes is also described on the "Securing API access with scoped tokens":{{site.baseurl}}/admin/scoped-tokens.html page of the admin documentation. h3. Scope examples @@ -79,7 +82,7 @@ h3. Scope examples A scope of @GET /arvados/v1/collections@ permits listing collections. * Requests with different methods, such as creating a new collection using @POST /arvados/v1/collections@, will be rejected. -* Requests to access other resources, such as @GET /arvados/v1/groups@, will be rejected. +* Requests to access other resources, such as @GET /arvados/v1/groups@, will be rejected (except "@GET /arvados/v1/api_client_authorizations/current@":{{ site.baseurl }}/api/methods/api_client_authorizations.html#current, which is always allowed). * Be aware that requests for specific records, such as @GET /arvados/v1/collections/962eh-4zz18-xi32mpz2621o8km@ will also be rejected. This is because the scope @GET /arvados/v1/collections@ does not end in @/@ A scope of @GET /arvados/v1/collections/@ (with @/@ suffix) will permit access to individual collections.
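Review bot: in the first hunk (@@ -34,9 +34,10 @@) the rewritten intro sentence silently drops two cases the removed sentence covered, "or Google as a login provider, or defers to a LoginCluster that does so"; if OIDC access tokens are still accepted in those setups the new sentence should say so, and if they are not, state that this applies only to @Login.OpenIDConnect@ so Google-login and LoginCluster readers do not expect it to work. The new step 3 says "Depending on configuration, the API server decodes the access token ... and confirms that it includes the required scope" but never says what happens when @Login.OpenIDConnect.AcceptAccessTokenScope@ is left empty; one clause giving the actual behaviour in that case would make the security boundary explicit. "which must be a signed JWT" should also say whether the signature is checked against the provider's keys before step 4, since step 4 ("uses the provider's UserInfo endpoint to validate the presented token") is currently presented as the only validation.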
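Review bot: in the second hunk (@@ -72,6 +73,8 @@) the added sentence writes the Liquid tag as @{{ site.baseurl }}@ with inner spaces while the rest of this file uses @{{site.baseurl}}@; keep one spelling. Consider also saying what a scoped token gets back from the @current@ endpoint (presumably its own @api_client_authorizations@ record and nothing else), so "regardless of its scopes" reads as a narrow self-inspection exception rather than a general escape from scope enforcement; readers arrive here from the "Securing API access with scoped tokens" admin page with exactly that question.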
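Review bot: in the third hunk (@@ -79,7 +82,7 @@) the parenthetical added to the @GET /arvados/v1/groups@ bullet again uses @{{ site.baseurl }}@ with spaces; match the @{{site.baseurl}}@ form used elsewhere in this file. Repeating the exception here is reasonable for someone landing directly on the Scope examples, but while this list is being edited, the unchanged next bullet ends with "does not end in @/@" and no period before "A scope of @GET /arvados/v1/collections/@ ...", so the two sentences run together in the rendered page.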