Commit 734aa630 authored by Aleksandr Konstantinov's avatar Aleksandr Konstantinov
Browse files

Changing name of token variable. Adding readme for oidc.

parent 2a3d874d
ARC support for OIDC
Support level
Currently support for OIDC tokens in ARC is at technology preview level.
Only tokens conforming to WLCG profile are supported.
Currently validation is not strict. Token is parsed and signature is
checked if present. But no additional requirements are imposed.
Tokens are only accepted for client authentication for job submission
through EMIES interface.
Obtaining and using tokens
Suggested way for obtaining token is through oidc-agent utility - Install it following
instructions for your distribution.
Point your browser at and create
Start oidc-agent. It will print few lines of shell commands. Copy
then at command line and execute. They will set up environment
variables for other oidc-* commands.
Start oidc-gen. It will guide You through steps to register OIDC
client and crete profile for oidc-agent. When asked about scope
write 'openid profile wlcg'. You need to run oidc-gen only once.
Next time You use oidc-agent You cam load already creted profile
with 'oidc-add NAME_YOU_CHOSE'.
Obtain token and store it into ARC_OTOKEN variable.
export ARC_OTKEN=`oidc-token NAME_YOU_CHOSE`
Now submit job to ARC CE with arcsub through EMIES interface. For that
use option '-S org.ogf.glue.emies.activitycreation'. The token stored
in ARC_TOKEN variable will be used instead of X.509 certificate for
authenticating user to ARC CE server.
Note: You can use any other method for obtaining WLCG compliant OIDC
token. Just store it into ARC_OTOKEN variable before calling arcsub.
Configuring authorization on server
User can be authorized on server by adding dedicated command to authgroup block:
otokens=subject issuer audience scope
Specified parameters must match those in provided token. Parameters
can be '*' to match any value. For example
otokens=e83eec5a-e2e3-43c6-bb67-df8f5ec3e8d0 * *
matches user with subject e83eec5a-e2e3-43c6-bb67-df8f5ec3e8d0 in token issued by .
User mapping to local account is implemented using simulated X.509 user subject.
Because subjects obtained from OIDC tokens are not limited to domains/namespaces
the generated identifier suitable for mapping is composed of issuer and original
subject by catenating them like "issuer/subject". For example user with subject
e83eec5a-e2e3-43c6-bb67-df8f5ec3e8d0 in token issued by
is represented by simulated identifier
......@@ -83,7 +83,7 @@ namespace Arc {
logger.msg(DEBUG, "Creating an EMI ES client");
otoken = Arc::GetEnv("OTOKEN");
otoken = Arc::GetEnv("ARC_OTOKEN");
std::cerr<<"OTOKEN: "<<otoken<<std::endl;
if(!otoken.empty()) {
// removing credentials from HTTPS layer
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment