OpenID

From T2B Wiki

Grid facilities in general and CMS in particular are slowly moving from a certificate/proxy based authentication towards an OpenID/token based authentication.

This page explains how to use them yourself at T2B.

IMPORTANT: these instructions only work on M19 for the time being!

Getting an OpenID identity

  • Go to the CMS IAM service at https://cms-auth.web.cern.ch/ and log in
  • At the left, click 'Manage Active Tokens'. At the moment, you have none.
  • Go to the M machines and issue the following commands:
eval `oidc-agent-service use`
oidc-gen --iss https://cms-auth.web.cern.ch/ --scope openid -w device cms-id

Options:
iss:    IAM site of your virtual organisation
scope:  Set of pre-defined rules that limit what you can do with your tokens. The most encompassing is --scope max
w:      Way to connect the local 'id' to the IAM one.
        In this case 'device' means you will need to go to a specific webpage and enter a code that oidc-gen will show you.
        The other options do not work well at T2B
cms-id: Your local id name.
  • Follow the onscreen instructions.
  • 'cms-id' now holds the reference to your online identity and will be used in subsequent commands. The name itself is arbitrary, so feel free to use your imagination here.
  • You can now go back to the IAM site and see that you have just created this identity with the 'openid' scope.
  • It has also created 2 tokens for you. More on this in a later section.
  • For more detailed information about the available options, you can see this page
  • You can make as many IDs as you wish. Each can have a different scope and thus different use cases.
  • If you want basic information about your identity, issue the following command:
oidc-gen -p cms-id | jq .

Register your OpenID identity at T2B

Go to your user page on the IAM site and send us the value of the field labelled 'sub'.

It should be of this form:

xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx

Creating a token

On the CMS IAM page, you saw that you have a short-lived and a long-lived token. One is for direct use; the other lets you renew it easily without having to enter a password. This is especially useful when running longer jobs.

The renewal token can also be recreated, but that does require you to enter a password.

A token is created via the following command:

oidc-token cms-id

Notice the use of 'cms-id' that must be the same name as the ID you created in the previous step.

If you forgot the name of your ID, you can always find it back via this command:

oidc-add --list

Details about your configuration can be retrieved via:

oidc-add --print cms-id


You can also limit a token to specific tasks. If you want to give a colleague read access to your files, you can send her/him a token created like this (the token is a bearer credential, so whoever holds it has that access until it expires):

oidc-token -s storage.read:/ cms-id

When your long-lived renewal token expires, it can be recreated via:

oidc-gen --reauthenticate --flow=device cms-id

More information about the use of oidc-token can be found here.

Using your token at T2B

If your ID is registered at T2B and you have made a new token, you can now use it via the usual 'gfal' commands.

The gfal commands accept either a proxy or a token, depending on an environment variable. For tokens, the variable is set as follows:

export BEARER_TOKEN=$(oidc-token cms-id)

Now all the gfal commands will use your token to authenticate. However, only the WebDAV protocol is supported for now. This command will get you started:

gfal-ls https://dcache6-shadow.iihe.ac.be:2880/pnfs/iihe/cms/ph/sc4/
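Before exporting a freshly minted token as BEARER_TOKEN it is worth checking what it actually carries. The script below is an added example and not part of this wiki page or of oidc-agent: it decodes the JWT payload of a bearer token and only exports BEARER_TOKEN when the 'exp' claim is still in the future and the 'scope' claim contains the wanted scope (here storage.read:/, as in the colleague example above). It assumes the token is a JWT with 'scope' and 'exp' claims and that base64, sed and date are available; a constructed sample token with a dummy signature is embedded so that it runs offline.

```shell
#!/bin/sh
# Added example, not part of the T2B wiki or of oidc-agent: inspect a bearer
# token before exporting it as BEARER_TOKEN. It only decodes the JWT payload and
# does NOT verify the signature, so the claims are informative, not trusted.
set -eu

# base64url (JWT alphabet) -> bytes: swap the URL-safe characters back, re-pad.
b64url_decode() {
    s=$(printf '%s' "$1" | tr '_-' '/+')
    while [ $(( ${#s} % 4 )) -ne 0 ]; do s="${s}="; done
    printf '%s' "$s" | base64 -d
}

# bytes -> base64url, used only to build the constructed sample token below.
b64url_encode() {
    printf '%s' "$1" | base64 | tr -d '=\n' | tr '/+' '_-'
}

# Print one top-level string or numeric claim from the payload (2nd dot field).
jwt_claim() {
    b64url_decode "$(printf '%s' "$1" | cut -d. -f2)" \
        | sed -n 's/.*"'"$2"'":"\{0,1\}\([^",}]*\)"\{0,1\}.*/\1/p'
}

# Seconds until the 'exp' claim; negative means the token has already expired.
token_seconds_left() {
    exp=$(jwt_claim "$1" exp)
    echo $(( exp - $(date +%s) ))
}

# Return 0 when the token is unexpired and its scope list contains $2, else 1.
check_token() {
    tok=$1; want=$2
    [ "$(token_seconds_left "$tok")" -gt 0 ] || return 1
    case " $(jwt_claim "$tok" scope) " in
        *" $want "*) return 0 ;;
    esac
    return 1
}

# Constructed sample: 'sub' is the placeholder form shown on this page and
# 'exp' is 2100-01-01 UTC; the signature part is a dummy string.
SAMPLE_PAYLOAD='{"sub":"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx","scope":"openid storage.read:/","exp":4102444800}'
SAMPLE_TOKEN="$(b64url_encode '{"alg":"RS256","typ":"JWT"}').$(b64url_encode "$SAMPLE_PAYLOAD").dummy-signature"

# On the M machines: fetch the real token and only export it if the check passes.
if command -v oidc-token >/dev/null 2>&1; then
    BEARER_TOKEN=$(oidc-token cms-id)
    check_token "$BEARER_TOKEN" storage.read:/ && export BEARER_TOKEN
fi
```

Run `check_token "$SAMPLE_TOKEN" storage.read:/` to see the check pass on the embedded sample; on an M machine the same check runs on your real token before anything is exported.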