OpenID
Revision as of 08:13, 9 May 2023
Grid facilities in general, and CMS in particular, are slowly moving from certificate/proxy based authentication towards OpenID/token based authentication.
This page explains how to use them yourself at T2B.
IMPORTANT: these instructions only work on M19 for the time being!
Getting an OpenID identity
- Go to the CMS IAM service at https://cms-auth.web.cern.ch/ and log in.
- At the left, you can see your active tokens. At the moment, you have none.
- Go to the M machines and issue the following command:
oidc-gen --iss https://cms-auth.web.cern.ch/ --scope openid -w device cms-id
- Follow the onscreen instructions.
- 'cms-id' now contains the reference to your online identity and will be used in subsequent commands. Feel free to use your own name instead.
- You can now go to the IAM site and see that you have just created this identity with the 'openid' scope.
- For more detailed information about the available options, see https://indigo-dc.gitbook.io/oidc-agent/user/oidc-gen
- You can make as many IDs as you wish. Each can have a different scope and thus different use cases.
Register your OpenID identity at T2B
for now, I have no idea on how to do this. You need to tell me when you connect and then I'll be able to
Creating a token
On the CMS IAM page, you will see that you have a short-lived and a long-lived token. One is for direct usage, the other is used to renew it easily without the need for a password. This is especially useful when running longer jobs.
The renewal token can also be recreated, but this does require you to enter a password.
A token is created via the following command:
oidc-token cms-id
Note that 'cms-id' must be the same name as the ID you created in the previous step.
Using your token at T2B
If your ID is registered at T2B and you made a new token, you can now use it easily via the usual 'gfal' commands.
The gfal commands can take either a proxy or a token, depending on an environment variable. In the case of tokens, the variable is set in the following way:
export BEARER_TOKEN=$(oidc-token cms-id)
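The one-liner above exports whatever oidc-token returns, even if the access token is about to expire, which makes long gfal transfers fail halfway. The following shell helpers are an added example, not part of the T2B page or of oidc-agent: they decode the token's JWT payload, read the exp claim, and only export BEARER_TOKEN when the token is still valid for a minimum time. The oidc-token and gfal commands are assumed to be installed as described above; the sample token built by mk_sample_jwt is constructed for testing and is unsigned.

```shell
#!/bin/sh
# Decode the payload (second dot-separated part) of a JWT and print it as JSON.
jwt_payload() {
  payload=$(printf '%s' "$1" | cut -d. -f2 | tr '_-' '/+')
  # restore the base64 padding that base64url encoding strips
  case $(( ${#payload} % 4 )) in
    2) payload="${payload}==" ;;
    3) payload="${payload}=" ;;
  esac
  printf '%s' "$payload" | base64 -d 2>/dev/null
}

# Extract a numeric claim (exp, iat, ...) from the payload; prints nothing if absent.
jwt_claim_num() {
  jwt_payload "$1" | sed -n "s/.*\"$2\":[[:space:]]*\([0-9][0-9]*\).*/\1/p"
}

# Seconds until the token expires (negative if already expired).
# The optional second argument overrides "now" so the check can be tested offline.
jwt_seconds_left() {
  exp=$(jwt_claim_num "$1" exp)
  [ -n "$exp" ] || return 1           # not a JWT or no exp claim
  now=${2:-$(date +%s)}
  echo $(( exp - now ))
}

# Ask oidc-agent for a token for the given ID (e.g. cms-id) and export it as
# BEARER_TOKEN only if it stays valid for at least $2 seconds (default 300).
export_bearer_token() {
  tok=$(oidc-token "$1") || return 1
  left=$(jwt_seconds_left "$tok") || return 1
  [ "$left" -ge "${2:-300}" ] || { echo "token for $1 expires in ${left}s, refusing" >&2; return 1; }
  export BEARER_TOKEN="$tok"
}

# Constructed, unsigned sample token (alg "none") for offline testing only.
b64url() { base64 | tr -d '\n=' | tr '+/' '-_'; }
mk_sample_jwt() {
  h=$(printf '{"alg":"none","typ":"JWT"}' | b64url)
  p=$(printf '{"sub":"constructed-user","scope":"openid","iat":%s,"exp":%s}' "$1" "$2" | b64url)
  printf '%s.%s.' "$h" "$p"
}
```

In a job script, `export_bearer_token cms-id 3600 && gfal-ls <url>` (gfal-ls assumed available) fails early with a clear message instead of starting a transfer with a token that expires mid-way.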