OpenID: Difference between revisions

From T2B Wiki
Revision as of 08:23, 9 May 2023

Grid facilities in general, and CMS in particular, are slowly moving from certificate/proxy-based authentication towards OpenID/token-based authentication.

This page explains how to use them yourself at T2B.

IMPORTANT: these instructions only work on M19 for the time being!

Getting an OpenID identity

  • Go to the CMS IAM service at https://cms-auth.web.cern.ch/ and log in
  • At the left, you can see your active tokens. At the moment, you have none.
  • Go to the M machines and issue the following command:
oidc-gen --iss https://cms-auth.web.cern.ch/ --scope openid -w device cms-id
  • Follow the onscreen instructions.
  • 'cms-id' now contains the reference to your online identity and will be used in subsequent commands. Feel free to use your own name.
  • You can now go to the IAM site and see that you have just created this identity with the 'openid' scope.
  • For more detailed information about the available options, see https://indigo-dc.gitbook.io/oidc-agent/user/oidc-gen
  • You can make as many IDs as you wish. Each can have a different scope and thus different use cases.
  • If you want basic information about your identity, issue the following command:
oidc-gen -p cms-id | jq .


Register your OpenID identity at T2B

for now, I have no idea on how to do this. You need to tell me when you connect and then I'll be able to get the correct result.

Creating a token

On the CMS IAM page, you will see that you have a short-lived and a long-lived token. One is for direct usage, the other to easily renew without the need for a password. This is especially useful when running longer jobs.

The renewal token can also be recreated, but this does require you to enter a password.

A token is created via the following command:

oidc-token cms-id

Notice the use of 'cms-id' that must be the same name as the ID you created in the previous step.

You can also limit your token to specific tasks. If you want to give read access to your files to a colleague, you can pass a token created like this:

oidc-token -s storage.read:/ cms-id

More information about the use of oidc-token can be found at https://indigo-dc.gitbook.io/oidc-agent/user/oidc-token


Using your token at T2B

If your ID is registered at T2B and you made a new token, you can now use it easily via the usual 'gfal' commands.

The gfal commands can use either a proxy or a token, depending on an environment variable. In the case of tokens, the variable can be set in the following way:

export BEARER_TOKEN=$(oidc-token cms-id)

Now all the gfal commands will use your token to authenticate.
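The two steps above (requesting a scoped token with oidc-token and exporting it as BEARER_TOKEN) can be wrapped in a small check, so that only a token that is still valid and carries no broader scope than intended (for example just storage.read:/ for a colleague) ever reaches gfal. This is an added example and not part of the wiki page or of oidc-agent; it assumes the account is named cms-id as above, that the token is a JWT with flat exp and scope claims, and it does not verify the signature (that is the storage endpoint's job).

```shell
#!/bin/bash
# Added example (not from the T2B wiki): sanity-check an oidc-agent access token
# before exporting it as BEARER_TOKEN for gfal. Assumes a JWT with top-level
# 'exp' and 'scope' claims; the signature is deliberately NOT verified here.
# Decode the payload (second dot-separated part): base64url -> base64, restore
# padding, decode.
jwt_payload() {
    local part
    part=$(printf '%s' "$1" | cut -d. -f2 | tr '_-' '/+')
    case $(( ${#part} % 4 )) in
        2) part="$part==" ;;
        3) part="$part=" ;;
    esac
    printf '%s' "$part" | base64 -d 2>/dev/null
}
# Pull one top-level field out of a flat JSON object (assumption: no nesting,
# which holds for the claims checked here). Quotes are stripped first.
json_field() {
    printf '%s' "$2" | tr -d '"' | sed -n "s/.*$1 *: *\([^,}]*\).*/\1/p"
}
# Succeed only if the token is unexpired at $3 (default: now, epoch seconds)
# and every scope it carries is in the space-separated allow list $2.
token_ok() {
    local token=$1 allowed=$2 now=${3:-$(date +%s)} payload exp scope s
    payload=$(jwt_payload "$token") || return 1
    exp=$(json_field exp "$payload")
    scope=$(json_field scope "$payload")
    [ -n "$exp" ] && [ "$exp" -gt "$now" ] ||
        { echo "token has no exp claim or is already expired" >&2; return 1; }
    for s in $scope; do
        case " $allowed " in
            *" $s "*) ;;
            *) echo "scope '$s' is not in the allow list ($allowed)" >&2; return 1 ;;
        esac
    done
}
# On the M machines: request a read-only token for the 'cms-id' account from
# the wiki page and export it only if the check passes (assumes oidc-agent runs).
use_read_token() {
    local tok
    tok=$(oidc-token -s storage.read:/ cms-id) || return 1
    token_ok "$tok" "openid storage.read:/" && export BEARER_TOKEN=$tok
}
# Constructed, unsigned sample token so the check can be exercised offline.
b64url() { printf '%s' "$1" | base64 | tr -d '=\n' | tr '/+' '_-'; }
SAMPLE_TOKEN="$(b64url '{"alg":"none"}').$(b64url '{"sub":"user","scope":"openid storage.read:/","exp":4102444800}').sig"
```

Source the file and call use_read_token; the export is skipped, with the reason on stderr, when the token is expired or carries a scope outside the allow list.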