ARC support for OIDC
Currently the support for OIDC tokens in ARC is at a technology preview level. Only tokens conforming to the WLCG profile have been tested. The current validation is not strict: the token is parsed and the signature is checked if present, but no additional requirements (such as issuer, audience or scope) are imposed. Tokens are only accepted for client authentication during job submission through the EMI-ES interface.
Obtaining and using tokens
The suggested way of obtaining a token is through the oidc-agent utility (https://indigo-dc.gitbook.io/oidc-agent/). Install it following the instructions for your Linux distribution.
Point your browser to https://wlcg.cloud.cnaf.infn.it/ and create an account.
Start the oidc-agent. It will print a few lines of shell commands. Copy them to the command line and execute them. This sets up the environment variables used by the other oidc-* commands.
Start oidc-gen. It will guide you through the steps to register the OIDC client and create a profile for the oidc-agent.
When asked to select the issuer, select
When asked about the scope, write openid profile wlcg. You only need to run oidc-gen once.
Next time you use the oidc-agent, you can load an already created profile with the ‘oidc-add NAME_YOU_CHOOSE’ command.
When the oidc-gen command tells you “To continue and approve the registered client visit the following URL in a Browser of your choice:”, point your browser (which must be running on the same machine as the oidc tools) to the address given.
Obtain the token and store it in the ARC_OTOKEN variable:
export ARC_OTOKEN=`oidc-token NAME_YOU_CHOOSE`
If the oidc tools were installed on a different machine than your ARC client, first obtain the token on the oidc tool machine (with oidc-token NAME_YOU_CHOOSE, as above), then copy the printed token string and set the ARC_OTOKEN variable to it on your ARC client machine.
Now submit the job to an ARC CE with arcsub through the EMI-ES interface. For that, use the option ‘-S org.ogf.glue.emies.activitycreation’ (or, if you are using ARC client >= 6.5.0, ‘-T emies’). The token stored in the ARC_OTOKEN variable will be used instead of the X.509 certificate for authenticating the user to the ARC CE server. Data staging currently still uses the X.509 proxy credentials.
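Because ARC itself imposes no requirements on the token beyond parsing it and checking a signature if one is present, it is worth checking the token on the client side before exporting it as ARC_OTOKEN, so that an expired token, one from an unexpected issuer, or one missing the openid profile wlcg scopes is caught before arcsub is called. The script below is an added example, not part of the ARC documentation or the ARC or oidc-agent projects. It assumes POSIX sh with base64 and date available; jwt_segment, jwt_claim, token_unexpired, token_has_scopes, token_issuer_is, check_and_submit and the sample_token helper are constructed for this example, and the sample token it builds is unsigned and not a real WLCG token. The arcsub call uses ‘-T emies’ from the page and the usual ‘-c <CE>’ plus job-description-file arguments.

```shell
#!/bin/sh
# Added example: sanity-check a WLCG-profile token before using it as ARC_OTOKEN.
# Not ARC's own code. Assumes POSIX sh, base64 and date.

# Decode one base64url segment of a JWT. $1 = token, $2 = 1 (header) or 2 (payload).
jwt_segment() {
  seg=$(printf '%s' "$1" | cut -d. -f"$2")
  seg=$(printf '%s' "$seg" | tr '_-' '/+')   # base64url alphabet -> base64
  case $(( ${#seg} % 4 )) in                  # restore stripped padding
    2) seg="${seg}==" ;;
    3) seg="${seg}=" ;;
  esac
  printf '%s' "$seg" | base64 -d 2>/dev/null
}

# Print the value of a top-level claim (string or number) from the payload.
# $1 = token, $2 = claim name. Simple regex extraction, enough for WLCG claims.
jwt_claim() {
  jwt_segment "$1" 2 | sed -n "s/.*\"$2\"[[:space:]]*:[[:space:]]*\"\{0,1\}\([^\",}]*\)\"\{0,1\}.*/\1/p"
}

# Succeed if exp lies more than $3 seconds after $2 (now, epoch seconds).
token_unexpired() {
  exp=$(jwt_claim "$1" exp)
  [ -n "$exp" ] && [ "$exp" -gt $(( $2 + $3 )) ]
}

# Succeed if every required scope (remaining args) is in the scope claim of $1.
token_has_scopes() {
  tok=$1; shift
  scopes=$(jwt_claim "$tok" scope)
  for want in "$@"; do
    case " $scopes " in
      *" $want "*) ;;
      *) return 1 ;;
    esac
  done
  return 0
}

# Succeed if the iss claim of $1 equals $2.
token_issuer_is() {
  [ "$(jwt_claim "$1" iss)" = "$2" ]
}

# Constructed sample token for offline use: alg "none", fake signature part.
# $1 = exp (epoch seconds). NOT a real token.
b64url() { base64 | tr -d '=\n' | tr '/+' '_-'; }
sample_token() {
  h=$(printf '{"alg":"none","typ":"JWT"}' | b64url)
  p=$(printf '{"iss":"https://wlcg.cloud.cnaf.infn.it/","sub":"constructed-user","scope":"openid profile wlcg","exp":%s}' "$1" | b64url)
  printf '%s.%s.fakesig' "$h" "$p"
}

# Check the token, then submit. $1 = token (e.g. from oidc-token NAME_YOU_CHOOSE),
# $2 = job description file, $3 = CE endpoint. Only run by hand, not at load time.
check_and_submit() {
  now=$(date +%s)
  token_issuer_is "$1" "https://wlcg.cloud.cnaf.infn.it/" || { echo "unexpected issuer" >&2; return 1; }
  token_has_scopes "$1" openid profile wlcg || { echo "token lacks required scopes" >&2; return 1; }
  token_unexpired "$1" "$now" 300 || { echo "token expired or expires within 5 minutes" >&2; return 1; }
  ARC_OTOKEN=$1 arcsub -T emies -c "$3" "$2"
}

# Typical use: check_and_submit "$(oidc-token NAME_YOU_CHOOSE)" job.xrsl ce.example.org
```

The claim extraction deliberately reads only the payload and never trusts the header's alg value; the point is a pre-flight check of expiry, issuer and scopes on the client, not signature verification, which remains the CE's job.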
Note: You can use any other method of obtaining a WLCG-compliant OIDC token. Just store it in the ARC_OTOKEN variable before calling arcsub.