OIDC Access Tokens for Seqera Platform API
acknowledged
Various Peafowl
I'm looking at joining some existing systems to the Seqera Platform, and building some new ones surrounding it. Users log in to those systems and they might request a Seqera Platform Nextflow pipeline to run, or to view the Nextflow Pipeline Run status and metadata, as well as metadata from other places.
We're currently moving our SSO system to OpenID Connect through Okta, and having the ability to pass on the JWT-based Access Token to Seqera Platform to make requests with a logged-in user's identity would make this much more possible.
As a basic flow:
- A user logs in to Application A, and gains an Access Token and an Identity Token from Okta.
- The user views a Nextflow pipeline run, and surrounding metadata and decides to rerun it.
- In Application A, the user clicks rerun.
- A request is made to Seqera Platform with the user's Access Token as a Bearer token.
- Seqera Platform can either validate the JWT is correct or make a request to Okta to check it's valid (or both).
- Seqera Platform validates access, kicking off a Nextflow Pipeline Run on the relevant compute environment.
- Application A polls the Seqera Platform for updates.
Rob Newman
Merged in a post:
Allow API authentication via OIDC provider
Brass Wildcat
The Seqera Platform API currently allows both PAT and JWT token authentication.
- PAT: Used for accessing the API using long-term access keys
- JWT: Used for accessing the API with a browser app interaction
Allowing access to the Tower APIs via a JWT token acquired programmatically in order to integrate the Tower API into a separate third-party service using an OIDC authentication provider would be another option.
This would allow the implementation of an SSO (single sign-on) experience between the third-party application and the Tower backend API.
Rob Newman marked this post as acknowledged