Manage OpenID Token Issuer Allow/Deny Lists

Various ESS microservices can configure the INRUPT_JWT_ISSUER_ALLOW_LIST and INRUPT_JWT_ISSUER_DENY_LIST options to manage the trusted issuers of Solid-OIDC tokens (i.e., identity providers).
The following ESS microservices provide the configuration options for managing the trusted identity providers; the second column lists the Kustomization label (oauth-component) that can be used to maintain consistent configuration across the services that share the label:

Services | OAuth Component (oauth-component label value)
---|---
Query Service (since version 2.0.9 [1]) | resource-server
Example Customizations

Example: Update INRUPT_JWT_ISSUER_ALLOW_LIST
For a given service:

- If its corresponding INRUPT_JWT_ISSUER_ALLOW_LIST is unset, the service accepts tokens from all Solid-OIDC token issuers except those listed in its INRUPT_JWT_ISSUER_DENY_LIST.
- If its corresponding INRUPT_JWT_ISSUER_ALLOW_LIST is set, the service accepts only Solid-OIDC tokens from the issuers in the list, with the following exception: if an issuer is in both INRUPT_JWT_ISSUER_ALLOW_LIST and INRUPT_JWT_ISSUER_DENY_LIST, the INRUPT_JWT_ISSUER_DENY_LIST supersedes the INRUPT_JWT_ISSUER_ALLOW_LIST and tokens issued by that issuer are not accepted by the service.
The following services have an oauth-component value of resource-server:

- Query Service (since version 2.0.9 [1])
You can use the oauth-component value to update the INRUPT_JWT_ISSUER_ALLOW_LIST option across all services with the resource-server value. For example:

1. Go to your ESS installation directory:

   cd ${HOME}/ess

2. Modify the kustomization.yaml (i.e., step 3 of the Applying Your Customizations procedure). Specifically, add the following patch to the patches section of the kustomization.yaml file:

```yaml
# kustomization.yaml in your ESS installation directory
# ... Preceding content omitted for brevity
# ...
patches:
  - target:
      kind: Deployment
      labelSelector: oauth-component=resource-server
    patch: |
      - op: add
        path: /spec/template/spec/containers/0/env/-
        value:
          name: INRUPT_JWT_ISSUER_ALLOW_LIST
          value: "https://openid.myESS.com,https://openid.example.com"
```

   Tip
   To update just a single service, you can target the service deployment by name instead of by the labelSelector.

3. Continue with the rest of the Applying Your Customizations procedure.
Important
Ensure that the INRUPT_JWT_ISSUER_ALLOW_LIST value for the authorization-server services is consistent with the value set for the resource-server services.
The following services have an oauth-component value of authorization-server:
You can use the oauth-component value to update the INRUPT_JWT_ISSUER_ALLOW_LIST option across all services with the authorization-server value. For example:

1. Go to your ESS installation directory:

   cd ${HOME}/ess

2. Modify the kustomization.yaml (i.e., step 3 of the Applying Your Customizations procedure). Specifically, add the following patch to the patches section of the kustomization.yaml file:

```yaml
# kustomization.yaml in your ESS installation directory
# ... Preceding content omitted for brevity
# ...
patches:
  - target:
      kind: Deployment
      labelSelector: oauth-component=authorization-server
    patch: |
      - op: add
        path: /spec/template/spec/containers/0/env/-
        value:
          name: INRUPT_JWT_ISSUER_ALLOW_LIST
          value: "https://openid.myESS.com,https://trustedopenid.example.com"
```

   Tip
   To update just a single service, you can target the service deployment by name instead of by the labelSelector.

3. Continue with the rest of the Applying Your Customizations procedure.
Important
Ensure that the INRUPT_JWT_ISSUER_ALLOW_LIST value for the authorization-server services is consistent with the value set for the resource-server services.
To update just a single service, you can target the service deployment by name instead of by the labelSelector.

Tip
Target the services by labelSelector if you need to maintain consistency across a group of services.

The following example updates only the INRUPT_JWT_ISSUER_ALLOW_LIST configuration value of ESS' Query Service.
1. Go to your ESS installation directory:

   cd ${HOME}/ess

2. Modify the kustomization.yaml (i.e., step 3 of the Applying Your Customizations procedure). Specifically, add the following patch to the patches section of the kustomization.yaml file:

```yaml
# kustomization.yaml in your ESS installation directory
# ... Preceding content omitted for brevity
# ...
patches:
  - target:
      kind: Deployment
      name: ess-fragments-query
    patch: |
      - op: add
        path: /spec/template/spec/containers/0/env/-
        value:
          name: INRUPT_JWT_ISSUER_ALLOW_LIST
          value: "https://openid.myess.com,https://trustedopenid.example.com"
```

3. Continue with the rest of the Applying Your Customizations procedure.
Example: Update INRUPT_JWT_ISSUER_DENY_LIST
For a given service:

- If its corresponding INRUPT_JWT_ISSUER_DENY_LIST is unset, the service accepts tokens from all token issuers (Solid-OIDC and, if supported, UMA) unless INRUPT_JWT_ISSUER_ALLOW_LIST is set, in which case the service accepts only tokens from issuers in the INRUPT_JWT_ISSUER_ALLOW_LIST.
- If its corresponding INRUPT_JWT_ISSUER_DENY_LIST is set, the service disallows tokens from the issuers in the list. If INRUPT_JWT_ISSUER_ALLOW_LIST is also set, tokens from issuers not in the INRUPT_JWT_ISSUER_ALLOW_LIST are also disallowed.
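The allow-list rules given at the start of the previous example and the deny-list rules just above describe a single accept/reject decision. The following is an added example (not ESS code) of that decision applied to a token's `iss` claim, covering the four allow/deny combinations and the issuer-in-both-lists case. It assumes each list is a comma-separated set of issuer URLs compared as exact strings; stripping surrounding whitespace and treating an empty value as unset are this example's choices, not documented ESS behaviour. The JWT is a constructed, unsigned sample used only to show where `iss` comes from; a real service verifies the signature before trusting any claim.

```python
"""Added example, not ESS code: the allow/deny-list decision applied to `iss`.

Assumptions: lists are comma-separated issuer URLs, compared as exact strings;
whitespace is stripped and an empty value is treated as unset (this example's
choices); SAMPLE_JWT is a constructed token with a placeholder signature.
"""
import base64
import json
import os
from typing import FrozenSet, Mapping, Optional

ALLOW_VAR = "INRUPT_JWT_ISSUER_ALLOW_LIST"
DENY_VAR = "INRUPT_JWT_ISSUER_DENY_LIST"


def parse_issuer_list(raw: Optional[str]) -> Optional[FrozenSet[str]]:
    """None (or a blank string) means the list is unset; otherwise split on commas."""
    if raw is None or not raw.strip():
        return None
    return frozenset(item.strip() for item in raw.split(",") if item.strip())


def issuer_accepted(issuer: str, allow: Optional[FrozenSet[str]],
                    deny: Optional[FrozenSet[str]]) -> bool:
    """Deny list wins over allow list; a set allow list admits only its members;
    with both lists unset, every issuer is accepted."""
    if deny is not None and issuer in deny:
        return False
    if allow is not None:
        return issuer in allow
    return True


def issuer_accepted_from_env(issuer: str, env: Mapping[str, str] = os.environ) -> bool:
    """Same decision, reading both lists from an environment mapping."""
    return issuer_accepted(issuer, parse_issuer_list(env.get(ALLOW_VAR)),
                           parse_issuer_list(env.get(DENY_VAR)))


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


# Constructed sample token (header.payload.signature); the signature is a placeholder.
SAMPLE_JWT = ".".join([
    _b64url(json.dumps({"alg": "ES256", "typ": "JWT"}).encode()),
    _b64url(json.dumps({"iss": "https://openid.myESS.com",
                        "webid": "https://id.example.com/alice",
                        "sub": "alice"}).encode()),
    _b64url(b"placeholder-signature"),
])


def unverified_issuer(jwt: str) -> str:
    """Read `iss` from the payload segment only; this does NOT validate the signature."""
    payload = jwt.split(".")[1]
    payload += "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))["iss"]


if __name__ == "__main__":
    # Constructed configuration: openid.example.com is in both lists, so it is rejected.
    env = {ALLOW_VAR: "https://openid.myESS.com,https://openid.example.com",
           DENY_VAR: "https://openid.example.com"}
    for iss in ("https://openid.myESS.com", "https://openid.example.com", "https://other.example.org"):
        print(iss, "->", "accept" if issuer_accepted_from_env(iss, env) else "reject")
    token_iss = unverified_issuer(SAMPLE_JWT)
    print(token_iss, "->", "accept" if issuer_accepted_from_env(token_iss, env) else "reject")
```

Because the deny list is checked first, adding an issuer to INRUPT_JWT_ISSUER_DENY_LIST is an effective kill switch even when the same issuer is still present in an allow list on some services.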
The following services have an oauth-component value of resource-server:

- Query Service (since version 2.0.9 [1])
You can use the oauth-component value to update the INRUPT_JWT_ISSUER_DENY_LIST option across all services with the resource-server value. For example:

1. Go to your ESS installation directory:

   cd ${HOME}/ess

2. Modify the kustomization.yaml (i.e., step 3 of the Applying Your Customizations procedure). Specifically, add the following patch to the patches section of the kustomization.yaml file:

```yaml
# kustomization.yaml in your ESS installation directory
# ... Preceding content omitted for brevity
# ...
patches:
  - target:
      kind: Deployment
      labelSelector: oauth-component=resource-server
    patch: |
      - op: add
        path: /spec/template/spec/containers/0/env/-
        value:
          name: INRUPT_JWT_ISSUER_DENY_LIST
          value: "https://openid.notMyESS.com,https://openid.example.com"
```

   Tip
   To update just a single service, you can target the service deployment by name instead of by the labelSelector.

3. Continue with the rest of the Applying Your Customizations procedure.
The following services have an oauth-component value of authorization-server:
You can use the oauth-component value to update the INRUPT_JWT_ISSUER_DENY_LIST option across all services with the authorization-server value. For example:

1. Go to your ESS installation directory:

   cd ${HOME}/ess

2. Modify the kustomization.yaml (i.e., step 3 of the Applying Your Customizations procedure). Specifically, add the following patch to the patches section of the kustomization.yaml file:

```yaml
# kustomization.yaml in your ESS installation directory
# ... Preceding content omitted for brevity
# ...
patches:
  - target:
      kind: Deployment
      labelSelector: oauth-component=authorization-server
    patch: |
      - op: add
        path: /spec/template/spec/containers/0/env/-
        value:
          name: INRUPT_JWT_ISSUER_DENY_LIST
          value: "https://openid.notMyESS.com,https://openid.example.com"
```

   Tip
   To update just a single service, you can target the service deployment by name instead of by the labelSelector.

3. Continue with the rest of the Applying Your Customizations procedure.
To update just a single service, you can target the service deployment by name instead of by the labelSelector.

Tip
To ensure consistency across ESS services, you can target the services by labelSelector instead.

The following example updates only the INRUPT_JWT_ISSUER_DENY_LIST configuration value of ESS' Query Service.
1. Go to your ESS installation directory:

   cd ${HOME}/ess

2. Modify the kustomization.yaml (i.e., step 3 of the Applying Your Customizations procedure). Specifically, add the following patch to the patches section of the kustomization.yaml file:

```yaml
# kustomization.yaml in your ESS installation directory
# ... Preceding content omitted for brevity
# ...
patches:
  - target:
      kind: Deployment
      name: ess-fragments-query
    patch: |
      - op: add
        path: /spec/template/spec/containers/0/env/-
        value:
          name: INRUPT_JWT_ISSUER_DENY_LIST
          value: "https://openid.notMyESS.com,https://blockedopenid.example.com"
```

3. Continue with the rest of the Applying Your Customizations procedure.