OpenID

From T2B Wiki
Revision as of 08:13, 9 May 2023 by Admin (talk | contribs)
Jump to navigation Jump to search

Grid facilities in general and CMS in particular ar slowly moving from a certificate/proxy based authentication towards an OpenID/token based authentication[BR] This page explains how to use them yourself at T2B[BR] IMPORTANT: these instructions only work on M19 for the time being!!!!!!

Getting an OpenID identity

  • Go the CMS IAM service at https://cms-auth.web.cern.ch/ and log in
  • At the left, you can see you active tokens. At the moment, you have none.
  • Go to the M machines and issue the following command:
oidc-gen --iss https://cms-auth.web.cern.ch/ --scope openid -w device cms-id
  • Follow the onscreen instructions.
  • 'cms-id' now contains the reference to your online identity and will be used in subsequent commands. Feel free to use your own name.
  • You can now go to the IAM site and see that you have just created this identity with the 'openid' scope.
  • For more detailed information about the available options, you can see this page
  • Youcan make as many IDs a you wish. Each can have a different scope and thus different use cases.

Register your OpenID identity at T2B

for now, I have no idea on how to do this.You need to tell me when you connect and then I'll be able to

Creating a token

On the CMS IAM page, you will see that you have a short and long lived token. One is for direct usage, the other to easily renew without the need for a password. This is especially useful when running longer jobs.[BR] The renewal token can also be recreated, but this does require you to give in a password.[BR] A token is created via the following command:

oidc-token cms-id

Notice the use of 'cms-id' that must be the same name as the ID you created in the previous step.[BR]


Using your token at T2B

If your ID is registered at T2B and you made a new token, you can now use it easily via the usual 'gfal' commands. [BR] The gfal commands can take on both a proxy and a token depending on a environment variable. In the case of tokens, the varibal can be set in the following way:

export BEARER_TOKEN=$(oidc-token cms-id)