[WIP] Add OIDC multi-provider auth #446

Draft: wants to merge 10 commits into base: main
Conversation

@MattMcL4475 MattMcL4475 commented Oct 4, 2023

Adds support for multiple concurrently-configured OpenID Connect providers, such as Azure AD, AWS Cognito, Google Identity. Also the principal_id identifies the service principal object associated with a Managed Identity in Azure AD, and it corresponds to the Object ID (oid) claim in the JWT token. As a result, when Cromwell calls TES, TES could use the oid and use it to specify the user-managed identity that should be assigned to the Batch pool. Another possibility - SaveTokens can be set to true, and then the ClaimsPrincipal will have claims that can be used for TES to make authorized requests to Azure Storage on the user's behalf (but would require injecting the token from TES into the Batch node, so might not be as simple as oid)

Then this branch adds multi-user support:
#447
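The design described above, as an added example that is not code from this PR or from the TES project: two OpenID Connect providers registered concurrently in ASP.NET Core, a policy that accepts a caller authenticated by either one, and a lookup from the Azure AD `oid` claim (the managed identity's principal_id) to the user-assigned identity that would be placed on the Batch pool. The scheme names, authorities, audiences, route and the lookup table are assumptions.

```csharp
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Builder;
using Microsoft.Extensions.DependencyInjection;
using System.Security.Claims;

var builder = WebApplication.CreateBuilder(args);

// One bearer scheme per provider, each pinned to its own issuer (Authority) and
// audience. A token is only accepted if it validates under the scheme of the
// provider that issued it; a JWT from an unconfigured issuer is rejected.
builder.Services.AddAuthentication()
    .AddJwtBearer("AzureAD", o =>
    {
        o.Authority = "https://login.microsoftonline.com/<tenant-id>/v2.0"; // assumption
        o.Audience = "api://tes-example";                                   // assumption
        o.MapInboundClaims = false; // keep raw claim names such as "oid"
    })
    .AddJwtBearer("Cognito", o =>
    {
        o.Authority = "https://cognito-idp.<region>.amazonaws.com/<pool-id>"; // assumption
        o.Audience = "tes-example-client-id";                                 // assumption
        o.MapInboundClaims = false;
    });

// The default policy runs both schemes; the caller must pass at least one.
builder.Services.AddAuthorization(options =>
{
    options.DefaultPolicy = new AuthorizationPolicyBuilder("AzureAD", "Cognito")
        .RequireAuthenticatedUser()
        .Build();
});

// Placeholder table: managed-identity principal_id (equal to the token "oid")
// -> resource id of the user-assigned identity to put on the Batch pool.
var identityByPrincipalId = new Dictionary<string, string>
{
    ["00000000-0000-0000-0000-000000000001"] =
        "/subscriptions/<sub>/resourceGroups/<rg>/providers/Microsoft.ManagedIdentity/userAssignedIdentities/<name>",
};

// Only Azure AD tokens carry "oid"; callers from other providers, or unknown
// principals, get no identity rather than a default one.
string? ManagedIdentityFor(ClaimsPrincipal user) =>
    user.FindFirst("oid")?.Value is { Length: > 0 } oid
        && identityByPrincipalId.TryGetValue(oid, out var id) ? id : null;

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();
app.MapGet("/v1/identity", (ClaimsPrincipal user) =>
    Results.Ok(new { principalId = user.FindFirst("oid")?.Value, identity = ManagedIdentityFor(user) }))
   .RequireAuthorization();
app.Run();
```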

@MattMcL4475 MattMcL4475 changed the title Add OIDC multi-provider auth [WIP] Add OIDC multi-provider auth Oct 4, 2023