# How to Request Tokens
As part of the GridFTP and GSI migration, the OSG will be transitioning authentication away from X.509 certificates to the use of bearer tokens such as SciTokens or WLCG JWT. This document is intended as a guide for OSG developers for requesting tokens necessary for software development.
Before you can request the appropriate tokens, you must have the following:
- A WLCG INDIGO IAM account belonging to the
- An installation of oidc-agent, available as an RPM from the OSG repositories
`oidc-agent` is similar to ssh-agent, except that it works with OpenID Connect token providers.
Start the agent and add the appropriate variables to your environment:
Generate a local client profile and follow the prompts:
```
oidc-gen -w device <CLIENT NAME>
```
Specify the WLCG INDIGO IAM instance as the client issuer:
```
Issuer [https://iam-test.indigo-datacloud.eu/]: https://wlcg.cloud.cnaf.infn.it/
```
Request the `wlcg` and `offline_access` scopes, plus the scopes for the capabilities that you need:

| Capability | Scope |
|------------|-------|
| HTCondor | compute.modify compute.cancel compute.create |
For example, to request HTCondor WRITE access, specify the following scopes:
```
This issuer supports the following scopes: openid profile email address phone offline_access wlcg iam wlcg.groups
Space delimited list of scopes or 'max' [openid profile offline_access]: wlcg offline_access compute.read compute.modify compute.cancel compute.create
```
Note that, prior to HTCondor 8.9.7, the server also required the `condor:/ALLOW` scope in all cases.
When prompted, open https://wlcg.cloud.cnaf.infn.it/device in a browser, enter the code provided by `oidc-gen`, and click "Submit".
On the next page, verify the scopes and client profile name, and click "Authorize".
Enter a password to encrypt your local client profile. You will need to remember it to reuse this profile in subsequent sessions.
Request a token using the client name that you used above:
```
oidc-token --aud="<SERVER AUDIENCE>" <CLIENT NAME>
```
For tokens used against an HTCondor-CE, set `<SERVER AUDIENCE>` to `<CE FQDN>:<CE PORT>`.
Copy the output of `oidc-token` into a file on the host where you need SciToken authentication, e.g. an HTCondor or XRootD client.
You can inspect the payload by copy-pasting the token into the "Encoded" text box here: http://jwt.io/. Mouse over the fields and values for details.
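The procedure above, collected into shell functions as an added example (this is not code from the OSG documentation or from the oidc-agent project). It includes a small local JWT payload decoder so that the audience and scopes of a freshly issued token can be checked on the host itself, without pasting a live bearer credential into a third-party web page, and it writes the token file with owner-only permissions, since anyone who can read the file can use the token until it expires. The client name, CE host, CE port and output path are placeholders you supply; `eval "$(oidc-agent)"` is the usual way to start the agent and export its variables into the current shell.

```shell
#!/bin/sh
# Added example, not part of the OSG docs. Usage (interactive, first session):
#   request_ce_token my-client ce.example.org 9619 "$HOME/.condor/ce.token"
# Placeholders: my-client, ce.example.org, 9619 and the output path are yours.

# Decode the payload (second dot-separated segment) of a JWT.
# JWTs use base64url without '=' padding, so translate the alphabet back to
# standard base64 and restore the padding before decoding.
decode_jwt_payload() {
    payload=$(printf '%s' "$1" | cut -d. -f2 | tr '_-' '/+')
    case $(( ${#payload} % 4 )) in
        2) payload="${payload}==" ;;
        3) payload="${payload}=" ;;
    esac
    printf '%s' "$payload" | base64 -d
}

# Print one string-valued claim (aud, iss, scope, ...) from the payload,
# without depending on jq. Prints nothing if the claim is absent.
jwt_claim() {
    # $1 = token, $2 = claim name
    decode_jwt_payload "$1" | sed -n "s/.*\"$2\":\"\([^\"]*\)\".*/\1/p"
}

# Store the token readable only by the owner: it is a bearer credential.
save_token() {
    # $1 = token, $2 = destination path
    ( umask 077 && printf '%s' "$1" > "$2" )
}

# The interactive part of the procedure: start the agent, create the client
# profile with the device flow (first session only; later sessions reuse the
# encrypted profile), request a token scoped to one HTCondor-CE, save it, and
# show the audience so a mismatched CE is caught before the token is used.
request_ce_token() {
    client=$1 ce_fqdn=$2 ce_port=$3 out=$4
    eval "$(oidc-agent)"                     # exports the agent's socket variables
    oidc-gen -w device "$client"             # follow the issuer/scope/browser prompts
    token=$(oidc-token --aud="${ce_fqdn}:${ce_port}" "$client")
    save_token "$token" "$out"
    echo "aud=$(jwt_claim "$token" aud) scope=$(jwt_claim "$token" scope)"
}
```

`decode_jwt_payload` only decodes; it does not verify the signature, so it is for inspecting a token you already hold, not for trusting one presented to you. The `aud` claim is what ties the token to a single CE, which is why the helper prints it back before the token goes into use.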