Manage OpenID Token Issuer Allow/Deny Lists#

Various ESS microservices can configure INRUPT_JWT_ISSUER_ALLOW_LIST and INRUPT_JWT_ISSUER_DENY_LIST options to manage trusted issuers of Solid OIDC tokens (i.e., identity providers).

The following ESS microservices provide the configuration options for managing the trusted identity providers; the second column lists the Kustomization label that can be used to maintain consistent configuration across the services that share the label:

Services

OAuth Component (oauth-component)

resource-server

authorization-server

Example Customizations#

Example: Update INRUPT_JWT_ISSUER_ALLOW_LIST#

For a given service,

  • If its corresponding INRUPT_JWT_ISSUER_ALLOW_LIST is unset, the service accepts tokens from all Solid-OIDC token issuers with the exception of those listed in its INRUPT_JWT_ISSUER_DENY_LIST.

  • If its corresponding INRUPT_JWT_ISSUER_ALLOW_LIST is set, the service accepts only the Solid-OIDC tokens from the issuers in the list with the following exception:

    • If an issuer is in both INRUPT_JWT_ISSUER_ALLOW_LIST and INRUPT_JWT_ISSUER_DENY_LIST, the INRUPT_JWT_ISSUER_DENY_LIST supersedes the INRUPT_JWT_ISSUER_ALLOW_LIST, and tokens issued by that issuer are not accepted by the service.

The following services have an oauth-component value of resource-server:

You can use the oauth-component value to update the INRUPT_JWT_ISSUER_ALLOW_LIST option across all services with the resource-server value. For example:

  1. Go to your ESS installation directory:

    cd ${HOME}/ess
    
  2. Modify the kustomization.yaml (i.e., step 3 of the Applying Your Customizations procedure).

    Specifically, add the following content to the patches section of the kustomization.yaml file:

    # kustomization.yaml in your ESS installation directory
    
    # ...  Preceding content omitted for brevity 
    # ...
    
    patches:
      - target:
          kind: Deployment
          labelSelector: oauth-component=resource-server
        patch: |
          - op: add
            path: /spec/template/spec/containers/0/env/-
            value:
              name: INRUPT_JWT_ISSUER_ALLOW_LIST
              value: "https://openid.myESS.com,https://openid.example.com"
    

    Tip

    To update just a single service, you can target the service deployment by name instead of by the labelSelector.

  3. Continue with the rest of the Applying Your Customizations procedure.

Important

Ensure that the INRUPT_JWT_ISSUER_ALLOW_LIST values set for the authorization-server services are consistent with those set for the resource-server services.

Example: Update INRUPT_JWT_ISSUER_DENY_LIST#

For a given service,

  • If its corresponding INRUPT_JWT_ISSUER_DENY_LIST is unset, the service accepts tokens from all token issuers (Solid-OIDC and, if supported, UMA) unless INRUPT_JWT_ISSUER_ALLOW_LIST is set, in which case the service accepts only tokens from issuers in the INRUPT_JWT_ISSUER_ALLOW_LIST.

  • If its corresponding INRUPT_JWT_ISSUER_DENY_LIST is set, the service disallows tokens from those issuers in the list. If INRUPT_JWT_ISSUER_ALLOW_LIST is also set, tokens from issuers not in the INRUPT_JWT_ISSUER_ALLOW_LIST are also disallowed.
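The allow/deny resolution rules described above and in the INRUPT_JWT_ISSUER_ALLOW_LIST section, modelled as a small Python script so that a planned configuration can be checked before it is applied. This is an added example, not ESS code: the sample issuer values are constructed from the two kustomization patches on this page, and treating an empty list value as unset (and trimming whitespace around entries) is an assumption of the example rather than documented ESS behaviour.

```python
from __future__ import annotations

# Constructed sample values, copied from the two kustomization patches on this page.
EXAMPLE_ENV = {
    "INRUPT_JWT_ISSUER_ALLOW_LIST": "https://openid.myESS.com,https://openid.example.com",
    "INRUPT_JWT_ISSUER_DENY_LIST": "https://openid.notMyESS.com,https://openid.example.com",
}
# Constructed 'iss' claim values to evaluate against that configuration.
SAMPLE_ISSUERS = [
    "https://openid.myESS.com",
    "https://openid.example.com",
    "https://openid.notMyESS.com",
    "https://openid.other.com",
]


def parse_issuer_list(raw: str | None) -> set[str] | None:
    """Split a comma-separated issuer list into a set; None means 'unset'.
    Assumption of this example: empty/whitespace-only values count as unset and
    entries are trimmed. No other normalisation: 'iss' must match an entry exactly."""
    if raw is None:
        return None
    entries = {e.strip() for e in raw.split(",") if e.strip()}
    return entries or None


def issuer_accepted(iss: str, allow: set[str] | None, deny: set[str] | None) -> bool:
    """Deny list always wins; without an allow list every non-denied issuer is
    accepted; with an allow list only listed (and not denied) issuers are."""
    if deny is not None and iss in deny:
        return False
    if allow is None:
        return True
    return iss in allow


def evaluate_config(env: dict[str, str], issuers: list[str]) -> dict[str, bool]:
    """Map each issuer to the decision a service with this environment would take."""
    allow = parse_issuer_list(env.get("INRUPT_JWT_ISSUER_ALLOW_LIST"))
    deny = parse_issuer_list(env.get("INRUPT_JWT_ISSUER_DENY_LIST"))
    return {iss: issuer_accepted(iss, allow, deny) for iss in issuers}


def lists_consistent(rs_env: dict[str, str], as_env: dict[str, str]) -> bool:
    """Check the 'Important' note: resource-server and authorization-server allow lists match."""
    return (parse_issuer_list(rs_env.get("INRUPT_JWT_ISSUER_ALLOW_LIST"))
            == parse_issuer_list(as_env.get("INRUPT_JWT_ISSUER_ALLOW_LIST")))


if __name__ == "__main__":
    for iss, ok in evaluate_config(EXAMPLE_ENV, SAMPLE_ISSUERS).items():
        print(f"{iss:32} {'accepted' if ok else 'rejected'}")
```

With both patches applied, openid.example.com is rejected even though it is allow-listed, and openid.other.com is rejected because an allow list is set; dropping the allow list makes openid.other.com accepted again.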

The following services have an oauth-component value of resource-server:

You can use the oauth-component value to update the INRUPT_JWT_ISSUER_DENY_LIST option across all services with the resource-server value. For example:

  1. Go to your ESS installation directory:

    cd ${HOME}/ess
    
  2. Modify the kustomization.yaml (i.e., step 3 of the Applying Your Customizations procedure).

    Specifically, add the following content to the patches section of the kustomization.yaml file:

    # kustomization.yaml in your ESS installation directory
    
    # ...  Preceding content omitted for brevity 
    # ...
    
    patches:
      - target:
          kind: Deployment
          labelSelector: oauth-component=resource-server
        patch: |
          - op: add
            path: /spec/template/spec/containers/0/env/-
            value:
              name: INRUPT_JWT_ISSUER_DENY_LIST
              value: "https://openid.notMyESS.com,https://openid.example.com"
    

    Tip

    To update just a single service, you can target the service deployment by name instead of by the labelSelector.

  3. Continue with the rest of the Applying Your Customizations procedure.