Closed (proycon closed 3 years ago)
I'm first going to give things a try with the existing oauth2 implementation before I implement this.
We're going to need this; it standardizes some things on top of oauth2 that we need.
My initial implementation will do a request to the `/userinfo` endpoint (mandated by OpenID Connect) on every request. This adds a bit of unnecessary overhead as we could also interpret the `id_token` that is provided by the access/ endpoint, but this would entail some extra session keeping (which we do want to avoid as much as possible because we're RESTful).
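A sketch of the per-request `/userinfo` check described in the comment above, added here as an illustration and not taken from the project's code. The stub provider, the token table and the names `authenticate` and `start_stub_provider` are assumptions made so the example runs offline.

```python
import json
import threading
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed token table for the stand-in provider; a real provider issues these.
ISSUED = {"constructed-token-1": {"sub": "user-123", "preferred_username": "alice"}}
# Ignore proxy environment variables so the loopback demo is deterministic.
OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))

class StubProvider(BaseHTTPRequestHandler):
    """Constructed stand-in for an OpenID Connect provider's /userinfo endpoint."""

    def do_GET(self):
        token = self.headers.get("Authorization", "").partition(" ")[2]
        claims = ISSUED.get(token) if self.path == "/userinfo" else None
        body = json.dumps(claims or {"error": "invalid_token"}).encode()
        self.send_response(200 if claims else 401)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo quiet
        pass

def start_stub_provider():
    """Start the stub on a free loopback port; return (server, userinfo_url)."""
    server = HTTPServer(("127.0.0.1", 0), StubProvider)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_port}/userinfo"

def authenticate(authorization_header, userinfo_url):
    """Return the OIDC subject for a bearer token, or None. Keeps no session state."""
    scheme, _, token = (authorization_header or "").partition(" ")
    if scheme.lower() != "bearer" or not token:
        return None
    req = urllib.request.Request(userinfo_url, headers={"Authorization": f"Bearer {token}"})
    try:
        with OPENER.open(req, timeout=5) as resp:
            claims = json.load(resp)
    except (OSError, ValueError):
        return None  # fail closed: token rejected (HTTP 401), provider down, or bad JSON
    # `sub` is the stable user identifier in OpenID Connect.
    return claims.get("sub") if isinstance(claims, dict) else None

if __name__ == "__main__":
    server, url = start_stub_provider()
    print(authenticate("Bearer constructed-token-1", url), authenticate("Bearer bogus", url))
```

Every call to `authenticate` costs one round trip to the provider, which is the overhead the comment mentions; in exchange the service keeps no session state and a token revoked at the provider stops working on the next request.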
Things seem to be working now!
We already have OAuth2 support, but we probably need to add an extra layer for OpenID Connect support:
Implementation will start after the necessary infrastructure for CLARIAH has been implemented at knaw-huc (so we have something to test against and can be assured it will be actually used eventually, unlike the earlier OAuth implementation).