From 74e92e7fe4f0b9561432a5b706a294c0f10eeff6 Mon Sep 17 00:00:00 2001 From: Tom Clegg Date: Wed, 19 May 2021 16:22:54 -0400 Subject: [PATCH] 17680: Add OIDC access token section to "tokens" page. Arvados-DCO-1.1-Signed-off-by: Tom Clegg --- doc/api/tokens.html.textile.liquid | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/doc/api/tokens.html.textile.liquid b/doc/api/tokens.html.textile.liquid index 49d9b55446..c9321ae1df 100644 --- a/doc/api/tokens.html.textile.liquid +++ b/doc/api/tokens.html.textile.liquid @@ -32,6 +32,14 @@ h3. Direct username/password authentication # The API server receives the username and password, authenticates them with the upstream provider (such as LDAP or PAM), and responds with the @api_client_authorization@ object for the new API token. # The web application receives the authorization token in the response and uses it to access the API server on the user's behalf. +h3. Using an OpenID Connect access token + +On a cluster that uses OpenID Connect or Google as a login provider, or defers to a LoginCluster that does so, clients may present an access token instead of an Arvados API token. +# The client obtains an access token from the OpenID Connect provider via some method outside of Arvados. +# The client presents the access token with an Arvados API request (e.g., request header @Authorization: Bearer xxxxaccesstokenxxxx@). +# The API server uses the provider's UserInfo endpoint to validate the presented token. +# If the token is valid, it is cached in the Arvados database and accepted in subsequent API calls for the next 10 minutes. + h3. Diagram !{{site.baseurl}}/images/Session_Establishment.svg! -- 2.30.2
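Review bot: The last step of the new "Using an OpenID Connect access token" section ("it is cached in the Arvados database and accepted in subsequent API calls for the next 10 minutes") should spell out the consequence an operator needs to know: a token that is revoked or expires at the provider during that window continues to be accepted by the API server until the cached validation ages out, since the UserInfo endpoint is only consulted on first presentation. Suggest adding a sentence to that effect, and also stating how the request is mapped to an Arvados user (the section describes validation but not whose identity the UserInfo response is matched against), e.g. "the user is identified from the UserInfo response; a token revoked at the provider remains usable until the 10-minute cache entry expires".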