forked from nordugrid/arc-old
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathREADME.OIDC
72 lines (54 loc) · 2.96 KB
/
README.OIDC
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
=====================
ARC support for OIDC
=====================
Support level
==============
Currently support for OIDC tokens in ARC is at technology preview level.
Only tokens conforming to WLCG profile are supported.
Currently validation is not strict. Token is parsed and signature is
checked if present. But no additional requirements are imposed.
Tokens are only accepted for client authentication for job submission
through EMIES interface.
Obtaining and using tokens
===========================
Suggested way for obtaining token is through oidc-agent utility -
https://indigo-dc.gitbook.io/oidc-agent/. Install it following
instructions for your distribution.
Point your browser at https://wlcg.cloud.cnaf.infn.it/ and create
an account.
Start oidc-agent. It will print few lines of shell commands. Copy
them at command line and execute. They will set up environment
variables for other oidc-* commands.
Start oidc-gen. It will guide You through steps to register OIDC
client and crete profile for oidc-agent. When asked about scope
write 'openid profile wlcg'. You need to run oidc-gen only once.
Next time You use oidc-agent You can load already created profile
with 'oidc-add NAME_YOU_CHOOSE' command.
Obtain token and store it into BEARER_TOKEN variable.
export BEARER_TOKEN=`oidc-token NAME_YOU_CHOOSE`
Now submit job to ARC CE with arcsub through EMIES interface. For that
use option '-S org.ogf.glue.emies.activitycreation'. The token stored
in BEARER_TOKEN variable will be used instead of X.509 certificate for
authenticating user to ARC CE server. The datastaging currently will
still use X.509 proxy credentials.
Note: You can use any other method for obtaining WLCG compliant OIDC
token. Just store it into BEARER_TOKEN variable before calling arcsub.
Alternatively You can store it into file and assign file path to
BEARER_TOKEN_FILE environment variable.
Configuring authorization on server
====================================
Token processing is enabled by presence of [otokens] configuration block.
User can be authorized on server by adding dedicated command to authgroup block:
otokens=subject issuer audience scope group
Specified parameters must match those in provided token. Parameters
can be '*' to match any value. For example
otokens=e83eec5a-e2e3-43c6-bb67-df8f5ec3e8d0 https://wlcg.cloud.cnaf.infn.it/ * * *
matches user with subject e83eec5a-e2e3-43c6-bb67-df8f5ec3e8d0 in token issued by
https://wlcg.cloud.cnaf.infn.it/ .
User mapping to local account is implemented using simulated X.509 user subject.
Because subjects obtained from OIDC tokens are unique only in scope used identity
provider the generated identifier suitable for mapping is composed of issuer and original
subject by catenating them like "issuer/subject". For example user with subject
e83eec5a-e2e3-43c6-bb67-df8f5ec3e8d0 in token issued by https://wlcg.cloud.cnaf.infn.it/
is represented by simulated identifier
https://wlcg.cloud.cnaf.infn.it//e83eec5a-e2e3-43c6-bb67-df8f5ec3e8d0