irods-contrib / irods_auth_plugin_openid


Implement ability to specify multiple oidc providers, and per-provider scopes #4

Closed theferrit32 closed 6 years ago

theferrit32 commented 6 years ago

In addition to the minimal set of openid scopes currently used to identify the user (openid,email,profile), in order to actually do anything useful with that other than identify the user, other scopes need to be able to be specified. These vary by provider. In the future we will also need to be able to talk to multiple providers, so I'm planning to do these changes all at the same time.

Proposed example format for the irods server_config.json file:

```json
"plugin_configuration": {
    "authentication": {
        "openid": {
            "globus": {
                "discovery_url": "https://auth.globus.org/.well-known/openid-configuration",
                "client_id": "<client-id-for-globus>",
                "client_secret": "<client-secret-for-globus>",
                "redirect_uri": "https://<domain>/authcallback",
                "scopes": ["openid","email","profile","urn:globus:auth:scope:transfer.api.globus.org:all"]
            },
            "google": {
                "discovery_url": "https://accounts.google.com/.well-known/openid-configuration",
                "client_id": "<client-id-for-google>",
                "client_secret": "<client-secret-for-google>",
                "redirect_uri": "https://<domain>/authcallback",
                "scopes": ["openid","email","profile","https://www.googleapis.com/auth/drive.readonly"]
            },
            "cas": {
                "discovery_url": "https://cas-server.commonsshare.org:443/cas/oidc/.well-known/openid-configuration",
                "client_id": "<client-id-for-cas>",
                "client_secret": "<client-secret-for-cas>",
                "redirect_uri": "https://<domain>/authcallback",
                "scopes": ["openid","email","profile"]
            }
            /// other provider configs
        }
        /// other auth-plugin configs
    }
    /// other plugin configs
}
/// other server configs
```
theferrit32 commented 6 years ago

For globus, when requested scopes span resource servers, it does not combine the scope authorizations into one access token. It will return the top level auth access token (scope: openid), and that object has an additional field "other_tokens" in which more access tokens are defined and associated with their scope. This is stored in the irods server database by appending a "_N" to the end of the metadata attr_name used by the metadata entry for the primary auth access_token entry.

For example, if an openid access_token is stored in a metadata entry with attr_name openid_sess_1234abcd, and the request was authorized against the globus auth api, and other_tokens were returned in the callback, the additional access tokens will be stored under metadata entries with attr_name openid_sess_1234abcd_1, openid_sess_1234abcd_2, etc.

The primary/auth access_token will have a kvp in the meta_attr_value scope=openid, while the other entries for that session will have their scope set in that kvp.
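As an added example (not the plugin's own code), this ties the proposed per-provider config layout to the other_tokens storage scheme described above: a checker for each provider block in the "openid" section, and a function that lays a Globus-style token response out as the openid_sess_<id>, openid_sess_<id>_1, ... metadata entries. The ";" kvp separator, the access_token key inside the attr value, and all sample values are assumptions constructed for the example.

```python
from urllib.parse import urlsplit

# Keys every provider block in plugin_configuration.authentication.openid must carry.
REQUIRED_KEYS = ("discovery_url", "client_id", "client_secret", "redirect_uri", "scopes")


def validate_openid_providers(server_config: dict) -> dict:
    """Return {provider_name: [problems]} for the multi-provider layout; {} means all passed."""
    providers = server_config["plugin_configuration"]["authentication"]["openid"]
    problems = {}
    for name, cfg in providers.items():
        issues = [f"missing {k}" for k in REQUIRED_KEYS if k not in cfg]
        if not issues:
            # Discovery and callback endpoints carry codes/tokens, so insist on https.
            for k in ("discovery_url", "redirect_uri"):
                if urlsplit(cfg[k]).scheme != "https":
                    issues.append(f"{k} must use https")
            if "openid" not in cfg["scopes"]:  # without openid there is no id_token
                issues.append("scopes must include openid")
            if cfg["client_secret"].startswith("<"):  # template value never replaced
                issues.append("client_secret is still a placeholder")
        if issues:
            problems[name] = issues
    return problems


def session_metadata_entries(session_attr: str, token_response: dict) -> list:
    """Flatten a token response with other_tokens into (attr_name, attr_value) pairs:
    primary token under session_attr, each extra token under session_attr_N (N from 1)."""
    def kvp(tok):  # assumed kvp layout: scope first, then the token itself
        return f"scope={tok['scope']};access_token={tok['access_token']}"
    entries = [(session_attr, kvp(token_response))]
    for n, other in enumerate(token_response.get("other_tokens", []), start=1):
        entries.append((f"{session_attr}_{n}", kvp(other)))
    return entries


# Constructed sample config: one well-formed provider and one with typical mistakes.
SAMPLE_CONFIG = {"plugin_configuration": {"authentication": {"openid": {
    "globus": {"discovery_url": "https://auth.globus.org/.well-known/openid-configuration",
               "client_id": "abc", "client_secret": "s3cr3t",
               "redirect_uri": "https://irods.example.org/authcallback",
               "scopes": ["openid", "email", "profile"]},
    "broken": {"discovery_url": "https://idp.example.org/.well-known/openid-configuration",
               "client_id": "xyz", "client_secret": "<client-secret-for-broken>",
               "redirect_uri": "http://irods.example.org/authcallback",
               "scopes": ["email", "profile"]}}}}}

# Constructed sample in the shape the issue describes for a Globus callback.
SAMPLE_TOKEN_RESPONSE = {"access_token": "AT-primary", "scope": "openid", "other_tokens": [
    {"access_token": "AT-transfer", "scope": "urn:globus:auth:scope:transfer.api.globus.org:all"}]}
```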