Manage Identity Provider Allow/Deny Lists

Various ESS microservices can be configured with the INRUPT_JWT_ISSUER_ALLOW_LIST and INRUPT_JWT_ISSUER_DENY_LIST options to control which Solid-OIDC issuers (i.e., identity providers) they trust.

The following ESS microservices provide the configuration options for managing the trusted identity providers. The second column lists the group label (oauth-component) used in the Kustomization to apply consistent configuration across services:

Services

OAuth Component (oauth-component)

resource-server

authorization-server

Example Customizations

Example: Update INRUPT_JWT_ISSUER_ALLOW_LIST

For a given service,

  • If its corresponding INRUPT_JWT_ISSUER_ALLOW_LIST is unset, the service accepts tokens from all Solid-OIDC issuers with the exception of those listed in its INRUPT_JWT_ISSUER_DENY_LIST.

  • If its corresponding INRUPT_JWT_ISSUER_ALLOW_LIST is set, the service accepts tokens only from the Solid-OIDC issuers in the list, with one exception:

    • If an issuer is in both INRUPT_JWT_ISSUER_ALLOW_LIST and INRUPT_JWT_ISSUER_DENY_LIST, the INRUPT_JWT_ISSUER_DENY_LIST supersedes the INRUPT_JWT_ISSUER_ALLOW_LIST and that issuer is not accepted by the service.

The following services have an oauth-component value of resource-server:

You can use the oauth-component label to update the INRUPT_JWT_ISSUER_ALLOW_LIST option across all services that carry the resource-server value. For example:

  1. Go to your ESS installation directory:

    cd ${HOME}/ess
    
  2. Modify the kustomization.yaml (i.e., step 3 of the Applying Your Customizations procedure).

    Specifically, add the following patch to the patches section of the kustomization.yaml file:

    # kustomization.yaml in your ESS installation directory
    
    # ...  Preceding content omitted for brevity 
    # ...
    
    patches:
      - target:
          kind: Deployment
          labelSelector: oauth-component=resource-server
        patch: |
          - op: add
            path: /spec/template/spec/containers/0/env/-
            value:
              name: INRUPT_JWT_ISSUER_ALLOW_LIST
              value: "https://login.inrupt.com,https://login.example.com"
    

    Tip

    To update just a single service, you can target the service deployment by name instead of by the labelSelector.

  3. Continue with the rest of the Applying Your Customizations procedure.

Example: Update INRUPT_JWT_ISSUER_DENY_LIST

For a given service,

  • If its corresponding INRUPT_JWT_ISSUER_DENY_LIST is unset, the service accepts tokens from all Solid-OIDC issuers unless INRUPT_JWT_ISSUER_ALLOW_LIST is set, in which case the service accepts only the issuers in the INRUPT_JWT_ISSUER_ALLOW_LIST.

  • If its corresponding INRUPT_JWT_ISSUER_DENY_LIST is set, the service disallows the Solid-OIDC issuers in the list. If INRUPT_JWT_ISSUER_ALLOW_LIST is also set, issuers not in the INRUPT_JWT_ISSUER_ALLOW_LIST are also disallowed.
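The following added example (not ESS code) implements the precedence rules from the allow-list and deny-list sections above as a single decision function, so you can check how a given combination of the two variables will treat an issuer before rolling the patch out. It assumes the variables are comma-separated lists and that issuers are compared by exact string match; the issuer https://idp.other.test is a constructed value.

```python
import os


def parse_issuer_list(raw):
    """Split a comma-separated INRUPT_JWT_ISSUER_* value into a set of issuers.
    An unset or empty variable yields None, meaning 'list not configured'."""
    if raw is None or raw.strip() == "":
        return None
    return {item.strip() for item in raw.split(",") if item.strip()}


def issuer_accepted(issuer, allow_list, deny_list):
    """Apply the documented precedence: a deny-listed issuer is always rejected;
    with no allow list every other issuer is accepted; with an allow list only
    its members are accepted. Lists are sets, or None when unset.
    Assumption: exact string comparison of the issuer value."""
    if deny_list is not None and issuer in deny_list:
        return False          # deny list supersedes allow list
    if allow_list is None:
        return True           # no allow list: every non-denied issuer accepted
    return issuer in allow_list


def issuer_accepted_from_env(issuer, env=None):
    """Read both variables from an environment mapping (default: os.environ)
    and decide whether the issuer would be trusted."""
    env = os.environ if env is None else env
    return issuer_accepted(
        issuer,
        parse_issuer_list(env.get("INRUPT_JWT_ISSUER_ALLOW_LIST")),
        parse_issuer_list(env.get("INRUPT_JWT_ISSUER_DENY_LIST")),
    )


if __name__ == "__main__":
    # Constructed configuration: both lists set, one issuer present in both.
    sample_env = {
        "INRUPT_JWT_ISSUER_ALLOW_LIST": "https://login.inrupt.com,https://login.example.com",
        "INRUPT_JWT_ISSUER_DENY_LIST": "https://login.example.com",
    }
    for iss in ("https://login.inrupt.com", "https://login.example.com", "https://idp.other.test"):
        verdict = "accepted" if issuer_accepted_from_env(iss, sample_env) else "rejected"
        print(f"{iss} -> {verdict}")
```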

The following services have an oauth-component value of resource-server:

You can use the oauth-component label to update the INRUPT_JWT_ISSUER_DENY_LIST option across all services that carry the resource-server value. For example:

  1. Go to your ESS installation directory:

    cd ${HOME}/ess
    
  2. Modify the kustomization.yaml (i.e., step 3 of the Applying Your Customizations procedure).

    Specifically, add the following patch to the patches section of the kustomization.yaml file:

    # kustomization.yaml in your ESS installation directory
    
    # ...  Preceding content omitted for brevity 
    # ...
    
    patches:
      - target:
          kind: Deployment
          labelSelector: oauth-component=resource-server
        patch: |
          - op: add
            path: /spec/template/spec/containers/0/env/-
            value:
              name: INRUPT_JWT_ISSUER_DENY_LIST
              value: "https://login.inrupt.com,https://login.example.com"
    

    Tip

    To update just a single service, you can target the service deployment by name instead of by the labelSelector.

  3. Continue with the rest of the Applying Your Customizations procedure.