OpenID

From T2B Wiki
Revision as of 08:31, 9 May 2023

Grid facilities in general, and CMS in particular, are slowly moving from certificate/proxy-based authentication towards OpenID/token-based authentication.

This page explains how to use tokens yourself at T2B.

IMPORTANT: these instructions only work on M19 for the time being!

Getting an OpenID identity

  • Go to the CMS IAM service at https://cms-auth.web.cern.ch/ and log in.
  • At the left, click 'Manage Active Tokens'. At the moment, you have none.
  • Go to the M machines and issue the following command:
oidc-gen --iss https://cms-auth.web.cern.ch/ --scope openid -w device cms-id

Options:
iss:    the IAM site of your virtual organisation (the issuer of your tokens)
scope:  the set of pre-defined permissions that limits what you can do with your tokens. The most encompassing is --scope max; request only the scopes you actually need.
w:      the flow used to link the local ID to the IAM identity. 'device' means you will be asked to open a specific webpage and enter a code that oidc-gen prints. The other flows do not work well at T2B.
cms-id: your local ID name, a short name you choose; it is only known to your local oidc-agent.
  • Follow the on-screen instructions.
  • 'cms-id' now contains the reference to your online identity and will be used in subsequent commands. Feel free to use your own name.
  • You can now go back to the IAM site and see that you have just created this identity with the 'openid' scope.
  • It has also created two tokens for you: a short-lived access token and a long-lived refresh token. More on this in a later section.
  • For more detailed information about the available options, see https://indigo-dc.gitbook.io/oidc-agent/user/oidc-gen
  • You can make as many IDs as you wish. Each can have a different scope and thus different use cases.
  • If you want basic information about your identity, issue the following command:
oidc-gen -p cms-id | jq .
  • The printed configuration is the decrypted account file and contains your stored refresh token, so do not paste this output into e-mails, tickets or logs.


Register your OpenID identity at T2B

For now, I have no idea how to do this. You need to tell me when you connect, and then I'll be able to get the correct result.

Creating a token

On the CMS IAM page, you saw that you have a short-lived and a long-lived token. The short-lived one is the access token, which you present to services directly; the long-lived one is the refresh token, which oidc-agent uses to obtain new access tokens without asking you for a password again. This is especially useful when running longer jobs.

The refresh token can also be recreated, but this does require you to log in at the IAM site again (see below).

An access token is created via the following command:

oidc-token cms-id

Notice the use of 'cms-id': it must be the same name as the ID you created in the previous step. The command prints the token on standard output; treat it like a password, since anyone who holds it can act with its scopes until it expires.

You can also limit your token to specific tasks. If you want to give a colleague read access to your files, you can pass on a token created with only the storage.read scope:

oidc-token -s storage.read:/ cms-id

Before handing a token to someone else, keep its scope as narrow as the task allows: storage.read:/ covers everything you can read, and a more specific path after the colon restricts it to that subtree, if the issuer allows it. The token remains valid until its expiry time, whatever you do afterwards.

When your long-lived refresh token expires, it can be recreated via:

oidc-gen --reauthenticate --flow=device cms-id


More information about the use of oidc-token can be found at https://indigo-dc.gitbook.io/oidc-agent/user/oidc-token


Using your token at T2B

If your ID is registered at T2B and you made a new token, you can now use it easily via the usual 'gfal' commands.

The gfal commands can use either a proxy or a token, depending on an environment variable. In the case of tokens, the variable is set as follows:

export BEARER_TOKEN=$(oidc-token cms-id)

Now all the gfal commands will use your token to authenticate. Keep in mind that the exported value is a short-lived access token: a long-running job must re-run the export before it expires, and the token value must not end up in job logs or world-readable files.
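The two checks a user of these commands most often needs, namely looking at what a token actually grants before passing it to a colleague (the storage.read example above) and refreshing BEARER_TOKEN before it expires inside a long job, as an added example. This is not code from the T2B wiki or from oidc-agent; the helper names are mine, it assumes GNU/BSD base64, sed and date, and the sample token is constructed here with a fake signature so the script runs offline (a real token comes from 'oidc-token cms-id'). Only the JWT payload is decoded; the signature is not verified, so this is a local sanity check, not a way to trust a token received from elsewhere.

```shell
#!/bin/sh
# Added example (not part of the T2B wiki or of oidc-agent): inspect an access
# token before exporting or sharing it, and refresh BEARER_TOKEN when it is
# about to expire. The payload is decoded, the signature is NOT verified.

# base64url-encode a string (used only to build the constructed sample token).
b64url() { printf '%s' "$1" | base64 | tr -d '\n=' | tr '/+' '_-'; }

# Decode the payload (second dot-separated segment) of a JWT to JSON text.
jwt_payload() {
  seg=$(printf '%s' "$1" | cut -d. -f2 | tr '_-' '/+')
  case $(( ${#seg} % 4 )) in
    2) seg="${seg}==" ;;
    3) seg="${seg}=" ;;
  esac
  printf '%s' "$seg" | base64 -d 2>/dev/null
}

# Numeric claim (exp, iat) and string claim (scope, iss) via sed, so no jq is
# needed. Assumes the flat JSON payload that token issuers produce.
jwt_claim_num() { jwt_payload "$1" | sed -n "s/.*\"$2\":[[:space:]]*\([0-9][0-9]*\).*/\1/p"; }
jwt_claim_str() { jwt_payload "$1" | sed -n "s/.*\"$2\":[[:space:]]*\"\([^\"]*\)\".*/\1/p"; }

# Seconds until the token expires; prints 0 and fails if there is no exp claim
# (for instance an opaque, non-JWT token).
token_seconds_left() {
  exp=$(jwt_claim_num "$1" exp)
  [ -n "$exp" ] || { echo 0; return 1; }
  echo $(( exp - $(date +%s) ))
}

# Succeed only if every scope in the token is in the allowed list ($2, space
# separated). Run this before passing a token to a colleague.
token_scopes_subset_of() {
  for s in $(jwt_claim_str "$1" scope); do
    case " $2 " in
      *" $s "*) ;;
      *) return 1 ;;
    esac
  done
  return 0
}

# Exit 0 when token $1 is missing or has fewer than $2 seconds of validity left.
token_needs_refresh() {
  [ -n "$1" ] || return 0
  left=$(token_seconds_left "$1")
  [ "$left" -lt "$2" ]
}

# Export a fresh BEARER_TOKEN for oidc-agent account $1 if the current one has
# fewer than $2 seconds left. Call it before each gfal command in a long job.
# Needs oidc-agent's oidc-token on the machine; it is not invoked below.
ensure_bearer_token() {
  if token_needs_refresh "${BEARER_TOKEN:-}" "$2"; then
    BEARER_TOKEN=$(oidc-token "$1") || return 1
    export BEARER_TOKEN
  fi
}

# Constructed sample token (fake signature, expiry 2100-01-01) so the checks
# can be exercised offline. A real one comes from 'oidc-token cms-id'.
SAMPLE_TOKEN="$(b64url '{"alg":"RS256","typ":"JWT"}').$(b64url '{"iss":"https://cms-auth.web.cern.ch/","sub":"constructed-example","exp":4102444800,"scope":"storage.read:/ openid"}').fakesignature"

printf 'expires in %s s\n' "$(token_seconds_left "$SAMPLE_TOKEN")"
if token_scopes_subset_of "$SAMPLE_TOKEN" "storage.read:/"; then
  echo "ok to share for read-only access"
else
  echo "token carries more than storage.read:/, do not share it"
fi
```

In a job script, replace the sample with the real token and wrap each transfer as `ensure_bearer_token cms-id 300 && gfal-copy ...`, so the job never runs a gfal command with a token that has less than five minutes left.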