X-Git-Url: https://git.arvados.org/arvados.git/blobdiff_plain/3f8deee8bca244601503ec0434bbb80f0886e370..933e687424e67f3a3e3c064016abd295b49c5f98:/doc/install/setup-login.html.textile.liquid?ds=sidebyside diff --git a/doc/install/setup-login.html.textile.liquid b/doc/install/setup-login.html.textile.liquid index 0de51eae2d..b16170a888 100644 --- a/doc/install/setup-login.html.textile.liquid +++ b/doc/install/setup-login.html.textile.liquid 
@@ -60,13 +60,22 @@ The provider will supply an issuer URL, client ID, and client secret. Add these ClientSecret: "zzzzzzzzzzzzzzzzzzzzzzzz" {% endcodeblock %} -Arvados can also be configured to accept provider-issued access tokens as Arvados API tokens. This can be useful for integrating third party applications. -* If the provider-issued tokens are JWTs, Arvados can optionally check them for a specified scope before attempting to validate them. This is the recommended configuration. -* Tokens are validated by presenting them to the UserInfo endpoint advertised by the OIDC provider. -* Once validated, a token is cached and accepted without re-checking for up to 10 minutes. -* A token that fails validation is cached and rejected without re-checking for up to 5 minutes. -* Validation errors such as network errors and HTTP 5xx responses from the provider's UserInfo endpoint are not cached. -* The OIDC token cache size is currently limited to 1000 tokens. +h3. Accepting OpenID bearer tokens as Arvados API tokens + +Arvados can also be configured to accept provider-issued access tokens as Arvados API tokens by setting @Login.OpenIDConnect.AcceptAccessToken@ to @true@. This can be useful for integrating third party applications. + +{% codeblock as yaml %} + Login: + OpenIDConnect: + AcceptAccessToken: true +{% endcodeblock %} + +# If the provider-issued tokens are JWTs, Arvados can optionally check for the scope specified in @Login.OpenIDConnect.AcceptAccessTokenScope@ before attempting to validate them. Tokens withou the configured the scope will not be accepted by Arvados. This is the recommended configuration. +# Tokens are validated by presenting them to the UserInfo endpoint advertised by the OIDC provider. +# Once validated, a token is cached and accepted without re-checking for up to 10 minutes. +# A token that fails validation is cached and will not be re-checked for up to 5 minutes. 
+# Network errors and HTTP 5xx responses from the provider's UserInfo endpoint are not cached. +# The OIDC token cache size is currently limited to 1000 tokens, if the number of distinct tokens used in a 5 minute period is greater than this, tokens may be checked more frequently. Check the OpenIDConnect section in the "default config file":{{site.baseurl}}/admin/config.html for more details and configuration options.
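Review bot: the first item of the new numbered list has a doubled word and a typo, "Tokens withou the configured the scope will not be accepted by Arvados." should read "Tokens without the configured scope will not be accepted by Arvados." The last item is a comma splice and is easier to read split in two: "The OIDC token cache size is currently limited to 1000 tokens. If the number of distinct tokens used in a 5 minute period is greater than this, tokens may be checked more frequently." The items describe properties of token acceptance rather than ordered steps, so changing the textile list from `*` bullets to `#` numbering makes them read as a sequence; keeping bullets would be clearer. Since the first item calls the scope check the recommended configuration, the YAML example would be more useful if it showed `Login.OpenIDConnect.AcceptAccessTokenScope` alongside `AcceptAccessToken: true` (with a placeholder scope value), so a reader copying the block gets the recommended setup rather than unrestricted acceptance of provider tokens.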