Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[#111] OIDC setup docs #112

Merged
merged 1 commit into from
Oct 26, 2023
Merged

[#111] OIDC setup docs #112

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
41 changes: 41 additions & 0 deletions README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -255,6 +255,47 @@ irods_http_api /path/to/config.json

To stop the server, you can use **CTRL-C** or send **SIGINT** or **SIGTERM** to the process.

### OpenID Connect
Some additional configuration is required to run the OpenID Connect portion of the HTTP API.
Following are a few points of interest.

#### OpenID Provider Requirements and HTTP API Configuration
The OpenID Provider, at this moment, must support discovery via a well-known endpoint.
This endpoint must be specified in the `well_known_uri` OIDC configuration parameter.

One should take care to ensure that `/.well-known/openid-configuration` is not included
in the configuration parameter, as this is included automatically.

One must also set the OIDC `config_host` and `port` parameter, so that the OpenID configuration
may be gathered from the well-known endpoint on the HTTP API server's startup.
The OpenID Provider must be running prior to starting the HTTP API server, otherwise, the HTTP API server
will not be able to query the required information from the desired OpenID Provider.

Additionally, the OIDC `redirect_uri` parameter must be set to the HTTP API's authentication endpoint.
This is required, as the Authorization Code Grant needs to be redirected back to the HTTP API, to complete
HTTP API token generation.

#### Add `irods_username` to the claims
Currently, the server looks for the custom claim `irods_username` in the ID Token.
This serves as the mapping mechanism for an OIDC User to an iRODS User.

A user who authenticates but does not have a `irods_username` mapped in their account
will not have access to the API.
MartinFlores751 marked this conversation as resolved.
Show resolved Hide resolved
A HTTP 400 Bad Request status code will be returned if no `irods_username` is found.

#### Supported Grants
Currently, the HTTP API server supports the following two grants:

- Resource Owner Password Credentials Grant
- Authorization Code Grant

While we currently support the _Resource Owner Password Credentials Grant_, there are plans to remove
support for this in the future.

Reason being, the [OAuth 2.0 Security Best Current Practice](https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics) draft,
as well as the [The OAuth 2.1 Authorizaiton Framework](https://datatracker.ietf.org/doc/draft-ietf-oauth-v2-1/) draft both deprecate that grant.
More information can be found on the reasoning for the deprecation in the links provided above.

## Documentation

API documentation can be found in [API.md](./API.md).
Loading