Manage OpenID Token Issuer Allow/Deny Lists

Various ESS microservices can configure INRUPT_JWT_ISSUER_ALLOW_LIST and INRUPT_JWT_ISSUER_DENY_LIST options to manage trusted issuers of Solid OIDC tokens (i.e., identity providers).

The following ESS microservices provide the configuration options for managing the trusted identity providers; the second column lists the Kustomization label that can be used to maintain consistent configuration across the services that share the label:

Services

OAuth Component (oauth-component)

Access Grant Service Pod Services Query Service WebID Service WebSocket Notification Service

resource-server

Authorization Service UMA Service

authorization-server

Example Customizations

Example: Update `INRUPT_JWT_ISSUER_ALLOW_LIST`

For a given service,

If its corresponding INRUPT_JWT_ISSUER_ALLOW_LIST is unset, the service accepts tokens from all Solid-OIDC token issuers with the exception of those listed in its INRUPT_JWT_ISSUER_DENY_LIST .
If its corresponding INRUPT_JWT_ISSUER_ALLOW_LIST is set, the service accepts only the Solid-OIDC tokens from the issuers in the list with the following exception:
- If an issuer is in both INRUPT_JWT_ISSUER_ALLOW_LIST and INRUPT_JWT_ISSUER_DENY_LIST , the INRUPT_JWT_ISSUER_DENY_LIST supersedes the INRUPT_JWT_ISSUER_ALLOW_LIST and tokens issued by that issuer is not accepted by the service.

The following services have oauth-component value of resource-server :

You can use the oauth-component value to update the INRUPT_JWT_ISSUER_ALLOW_LIST option across all services with the resource-server value. For example:

Go to your ESS installation directory:
```
cd ${HOME}/ess
```

Modify the kustomization.yaml (i.e., step 3 of the Applying Your Customizations procedure). Specifically, add the highlighted content to the kustomization.yaml file to the patches section:


 # kustomization.yaml in your ESS installation directory
 # ...  Preceding content omitted for brevity 
 # ...
 patches:
   - target:
       kind: Deployment
       labelSelector: oauth-component=resource-server
     patch: |
       - op: add
         path: /spec/template/spec/containers/0/env/-
         value:
           name: INRUPT_JWT_ISSUER_ALLOW_LIST
           value: "https://openid.myESS.com,https://openid.example.com"

Tip

To update just a single service, you can target the service deployment name instead of by the labelSelector .

Continue with the rest of the Applying Your Customizations procedure.

Important Ensure that the INRUPT_JWT_ISSUER_ALLOW_LIST value for the authorization-server services are consistent with those set for resource-server .

The following services have oauth-component value of authorization-server :

You can use the oauth-component value to update the INRUPT_JWT_ISSUER_ALLOW_LIST option across all services with the authorization-server value. For example:

Go to your ESS installation directory:
```
cd ${HOME}/ess
```

Modify the kustomization.yaml (i.e., step 3 of the Applying Your Customizations procedure). Specifically, add the highlighted content to the kustomization.yaml file to the patches section:


 # kustomization.yaml in your ESS installation directory
 # ...  Preceding content omitted for brevity 
 # ...
 patches:
   - target:
       kind: Deployment
       labelSelector: oauth-component=authorization-server
     patch: |
       - op: add
         path: /spec/template/spec/containers/0/env/-
         value:
           name: INRUPT_JWT_ISSUER_ALLOW_LIST
           value: "https://openid.myESS.com,https://trustedopenid.example.com"

Tip

To update just a single service, you can target the service deployment name instead of by the labelSelector .

Continue with the rest of the Applying Your Customizations procedure.

Important Ensure that the INRUPT_JWT_ISSUER_ALLOW_LIST value for the authorization-server services are consistent with those set for resource-server .

To update just a single service, you can target the service deployment by name instead of by the labelSelector .

Tip Target by the services by labelSelector if you need to maintain consistency across a group of services.

The following example updates ESS’ Query Service INRUPT_JWT_ISSUER_ALLOW_LIST configuration value only.

Go to your ESS installation directory:
```
cd ${HOME}/ess
```

Modify the kustomization.yaml (i.e., step 3 of the Applying Your Customizations procedure). Specifically, add the highlighted content to the kustomization.yaml file to the patches section:


 # kustomization.yaml in your ESS installation directory
 # ...  Preceding content omitted for brevity 
 # ...
 patches:
   - target:
       kind: Deployment
       name: ess-fragments-query
     patch: |
       - op: add
         path: /spec/template/spec/containers/0/env/-
         value:
           name: INRUPT_JWT_ISSUER_ALLOW_LIST
           value: "https://openid.myess.com,https://trustedopenid.example.com"

Continue with the rest of the Applying Your Customizations procedure.

Example: Update `INRUPT_JWT_ISSUER_DENY_LIST`

For a given service,

If its corresponding INRUPT_JWT_ISSUER_DENY_LIST is unset, the service accepts tokens from all token issuers (Solid-OIDC and, if supported UMA) unless INRUPT_JWT_ISSUER_ALLOW_LIST is set, in which case, the service only accepts tokens from issuers in the INRUPT_JWT_ISSUER_ALLOW_LIST .
If its corresponding INRUPT_JWT_ISSUER_DENY_LIST is set, the service disallows tokens from those issuers in the list. If INRUPT_JWT_ISSUER_ALLOW_LIST is also set, tokens from issuers not in the INRUPT_JWT_ISSUER_ALLOW_LIST are also disallowed.

The following services have oauth-component value of resource-server :

You can use the oauth-component value to update the INRUPT_JWT_ISSUER_DENY_LIST option across all services with the resource-server value. For example:

Go to your ESS installation directory:
```
cd ${HOME}/ess
```

Modify the kustomization.yaml (i.e., step 3 of the Applying Your Customizations procedure). Specifically, add the highlighted content to the kustomization.yaml file to the patches section:


 # kustomization.yaml in your ESS installation directory
 # ...  Preceding content omitted for brevity 
 # ...
 patches:
   - target:
       kind: Deployment
       labelSelector: oauth-component=resource-server
     patch: |
       - op: add
         path: /spec/template/spec/containers/0/env/-
         value:
           name: INRUPT_JWT_ISSUER_DENY_LIST
           value: "https://openid.notMyESS.com,https://openid.example.com"

Tip To update just a single service, you can target the service deployment by name instead of by the labelSelector .

Continue with the rest of the Applying Your Customizations procedure.

The following services have oauth-component value of authorization-server :

You can use the oauth-component value to update the INRUPT_JWT_ISSUER_DENY_LIST option across all services with the authorization-server value. For example:

Go to your ESS installation directory:
```
cd ${HOME}/ess
```

Modify the kustomization.yaml (i.e., step 3 of the Applying Your Customizations procedure). Specifically, add the highlighted content to the kustomization.yaml file to the patches section:


 # kustomization.yaml in your ESS installation directory
 # ...  Preceding content omitted for brevity 
 # ...
 patches:
   - target:
       kind: Deployment
       labelSelector: oauth-component=authorization-server
     patch: |
       - op: add
         path: /spec/template/spec/containers/0/env/-
         value:
           name: INRUPT_JWT_ISSUER_DENY_LIST
           value: "https://openid.notMyESS.com,https://openid.example.com"

Tip To update just a single service, you can target the service deployment by name instead of by the labelSelector .

Continue with the rest of the Applying Your Customizations procedure.

To update just a single service, you can target the service deployment by name instead of by the labelSelector .

Tip To ensure consistency across ESS services, you can target the services by labelSelector instead.

The following example updates ESS’ Query Service INRUPT_JWT_ISSUER_DENY_LIST configuration value only.

Go to your ESS installation directory:
```
cd ${HOME}/ess
```

Modify the kustomization.yaml (i.e., step 3 of the Applying Your Customizations procedure) Specifically, add the highlighted content to the kustomization.yaml file to the patches section:


 # kustomization.yaml in your ESS installation directory
 # ...  Preceding content omitted for brevity 
 # ...
 patches:
   - target:
       kind: Deployment
       name: ess-fragments-query
     patch: |
       - op: add
         path: /spec/template/spec/containers/0/env/-
         value:
           name: INRUPT_JWT_ISSUER_DENY_LIST
           value: "https://openid.notMyESS.com,https://blockedopenid.example.com"

Continue with the rest of the Applying Your Customizations procedure.

PreviousSet Initial Pod Clients Allow List NextUse Official Certificate Authority

Last updated 2 months ago

Example Customizations

Example: Update INRUPT_JWT_ISSUER_ALLOW_LIST

Example: Update INRUPT_JWT_ISSUER_DENY_LIST

Example: Update `INRUPT_JWT_ISSUER_ALLOW_LIST`

Example: Update `INRUPT_JWT_ISSUER_DENY_LIST`