Manage Identity Providers Allow/Deny Lists#
Various ESS microservices can configure
INRUPT_JWT_ISSUER_ALLOW_LIST
and INRUPT_JWT_ISSUER_DENY_LIST
options to manage trusted Solid-OIDC issuers (i.e., identity providers).
The following ESS microservices provide the configuration options for managing the trusted identity providers; the second column lists the Kustomization label that can be used to maintain consistent configuration across the services that share the label:
Services |
OAuth Component ( |
---|---|
|
|
|
Example Customizations#
Example: Update INRUPT_JWT_ISSUER_ALLOW_LIST
#
For a given service,
If its corresponding
INRUPT_JWT_ISSUER_ALLOW_LIST
is unset, the service accepts tokens from all Solid-OIDC issuers with the exception of those listed in itsINRUPT_JWT_ISSUER_DENY_LIST
.If its corresponding
INRUPT_JWT_ISSUER_ALLOW_LIST
is set, the service accepts only those Solid-OIDC issuers in the list with the following exception:If an issuer is in both
INRUPT_JWT_ISSUER_ALLOW_LIST
andINRUPT_JWT_ISSUER_DENY_LIST
, theINRUPT_JWT_ISSUER_DENY_LIST
supersedes theINRUPT_JWT_ISSUER_ALLOW_LIST
and that issuer is not accepted by the service.
The following services have oauth-component
value of
resource-server
:
Query Service (since version 2.0.9 [1])
You can use the oauth-component
value to update the
INRUPT_JWT_ISSUER_ALLOW_LIST
option across all services with
the resource-server
value. For example:
Go to your ESS installation directory:
cd ${HOME}/ess
Modify the
kustomization.yaml
(i.e., step 3 of the Applying Your Customizations procedure).Specifically, add the highlighted content to the
kustomization.yaml
file to thepatches
section:# kustomization.yaml in your ESS installation directory # ... Preceding content omitted for brevity # ... patches: - target: kind: Deployment labelSelector: oauth-component=resource-server patch: | - op: add path: /spec/template/spec/containers/0/env/- value: name: INRUPT_JWT_ISSUER_ALLOW_LIST value: "https://login.inrupt.com,https://login.example.com"
Tip
To update just a single service, you can target the service deployment
name
instead of by thelabelSelector
.Continue with the rest of the Applying Your Customizations procedure.
The following services have oauth-component
value of
authorization-server
:
You can use the oauth-component
value to update the
INRUPT_JWT_ISSUER_ALLOW_LIST
option across all services with
the authorization-server
value. For example:
Go to your ESS installation directory:
cd ${HOME}/ess
Modify the
kustomization.yaml
(i.e., step 3 of the Applying Your Customizations procedure).Specifically, add the highlighted content to the
kustomization.yaml
file to thepatches
section:# kustomization.yaml in your ESS installation directory # ... Preceding content omitted for brevity # ... patches: - target: kind: Deployment labelSelector: oauth-component=authorization-server patch: | - op: add path: /spec/template/spec/containers/0/env/- value: name: INRUPT_JWT_ISSUER_ALLOW_LIST value: "https://login.inrupt.com,https://login.example.com"
Tip
To update just a single service, you can target the service deployment
name
instead of by thelabelSelector
.Continue with the rest of the Applying Your Customizations procedure.
To update just a single service, you can target the service
deployment by name
instead of by the labelSelector
.
Tip
Target by the services by labelSelector
if you need to
maintain consistency across a group of services.
The following example updates ESS’
Query Service
INRUPT_JWT_ISSUER_ALLOW_LIST
configuration value only.
Go to your ESS installation directory:
cd ${HOME}/ess
Modify the
kustomization.yaml
(i.e., step 3 of the Applying Your Customizations procedure).Specifically, add the highlighted content to the
kustomization.yaml
file to thepatches
section:# kustomization.yaml in your ESS installation directory # ... Preceding content omitted for brevity # ... patches: - target: kind: Deployment name: ess-fragments-query patch: | - op: add path: /spec/template/spec/containers/0/env/- value: name: INRUPT_JWT_ISSUER_ALLOW_LIST value: "https://login.inrupt.com,https://login.example.com"
Continue with the rest of the Applying Your Customizations procedure.
Example: Update INRUPT_JWT_ISSUER_DENY_LIST
#
For a given service,
If its corresponding
INRUPT_JWT_ISSUER_DENY_LIST
is unset, the service accepts tokens from all Solid-OIDC issuers unlessINRUPT_JWT_ISSUER_ALLOW_LIST
is set, in which case, the service only accepts those in theINRUPT_JWT_ISSUER_ALLOW_LIST
.If its corresponding
INRUPT_JWT_ISSUER_DENY_LIST
is set, the service disallows the Solid-OIDC issuers in the list. IfINRUPT_JWT_ISSUER_ALLOW_LIST
is also set, issuers not in theINRUPT_JWT_ISSUER_ALLOW_LIST
are also disallowed.
The following services have oauth-component
value of
resource-server
:
Query Service (since version 2.0.9 [1])
You can use the oauth-component
value to update the
INRUPT_JWT_ISSUER_DENY_LIST
option across all services with
the resource-server
value. For example:
Go to your ESS installation directory:
cd ${HOME}/ess
Modify the
kustomization.yaml
(i.e., step 3 of the Applying Your Customizations procedure).Specifically, add the highlighted content to the
kustomization.yaml
file to thepatches
section:# kustomization.yaml in your ESS installation directory # ... Preceding content omitted for brevity # ... patches: - target: kind: Deployment labelSelector: oauth-component=resource-server patch: | - op: add path: /spec/template/spec/containers/0/env/- value: name: INRUPT_JWT_ISSUER_DENY_LIST value: "https://login.inrupt.com,https://login.example.com"
Tip
To update just a single service, you can target the service deployment by
name
instead of by thelabelSelector
.Continue with the rest of the Applying Your Customizations procedure.
The following services have oauth-component
value of
authorization-server
:
You can use the oauth-component
value to update the
INRUPT_JWT_ISSUER_DENY_LIST
option across all services with
the authorization-server
value. For example:
Go to your ESS installation directory:
cd ${HOME}/ess
Modify the
kustomization.yaml
(i.e., step 3 of the Applying Your Customizations procedure).Specifically, add the highlighted content to the
kustomization.yaml
file to thepatches
section:# kustomization.yaml in your ESS installation directory # ... Preceding content omitted for brevity # ... patches: - target: kind: Deployment labelSelector: oauth-component=authorization-server patch: | - op: add path: /spec/template/spec/containers/0/env/- value: name: INRUPT_JWT_ISSUER_DENY_LIST value: "https://login.inrupt.com,https://login.example.com"
Tip
To update just a single service, you can target the service deployment by
name
instead of by thelabelSelector
.Continue with the rest of the Applying Your Customizations procedure.
To update just a single service, you can target the service
deployment by name
instead of by the labelSelector
.
Tip
To ensure consistency across ESS services, you can target the
services by labelSelector
instead.
The following example updates ESS’
Query Service
INRUPT_JWT_ISSUER_DENY_LIST
configuration value only.
Go to your ESS installation directory:
cd ${HOME}/ess
Modify the
kustomization.yaml
(i.e., step 3 of the Applying Your Customizations procedure).Specifically, add the highlighted content to the
kustomization.yaml
file to thepatches
section:# kustomization.yaml in your ESS installation directory # ... Preceding content omitted for brevity # ... patches: - target: kind: Deployment name: ess-fragments-query patch: | - op: add path: /spec/template/spec/containers/0/env/- value: name: INRUPT_JWT_ISSUER_DENY_LIST value: "https://login.inrupt.com,https://login.example.com"
Continue with the rest of the Applying Your Customizations procedure.