ARC support for OIDC
Currently, support for OIDC tokens in ARC is at technology-preview level. Only tokens conforming to the WLCG profile are supported, and validation is currently not strict: the token is parsed and its signature is checked if present, but no additional requirements are imposed. Tokens are accepted only for client authentication during job submission through the EMIES interface.
Obtaining and using tokens
The suggested way to obtain a token is through the oidc-agent utility (https://indigo-dc.gitbook.io/oidc-agent/). Install it following the instructions for your distribution.
Point your browser at https://wlcg.cloud.cnaf.infn.it/ and create an account.
Start oidc-agent. It will print a few lines of shell commands. Copy them to the command line and execute them; they set up the environment variables used by the other oidc-* commands.
Start oidc-gen. It will guide you through the steps to register the OIDC client and create a profile for oidc-agent.
When asked to select the issuer, select
When asked about scope, write
openid profile wlcg. You need to run oidc-gen only once.
The next time you use oidc-agent, you can load an already created profile
with the ‘oidc-add NAME_YOU_CHOOSE’ command.
When oidc-gen tells you “To continue and approve the registered client visit the following URL in a Browser of your choice:”, point your browser (which must be running on the same machine as the oidc tools) to the address given.
Obtain the token and store it in the ARC_OTOKEN variable:
export ARC_OTOKEN=`oidc-token NAME_YOU_CHOOSE`
If the oidc tools are installed on a different machine than your ARC client, first obtain the token on the oidc tool machine
Then copy the token string and, on your ARC client machine, run
Now submit the job to the ARC CE with arcsub through the EMIES interface. For that, use the option ‘-S org.ogf.glue.emies.activitycreation’ (or, if you are using ARC client >= 6.5.0, ‘-T emies’). The token stored in the ARC_OTOKEN variable will be used instead of the X.509 certificate to authenticate the user to the ARC CE server. Data staging will currently still use the X.509 proxy credentials.
Note: You can use any other method of obtaining a WLCG-compliant OIDC token; just store it in the ARC_OTOKEN variable before calling arcsub.
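Because the CE's validation is not strict, it is worth inspecting the token yourself before exporting it, whichever way you obtained it. The following Python script is an added example and is not part of the ARC documentation or tooling: it decodes the compact JWT the way arcsub will pass it on and reports claims a WLCG-profile token should carry (wlcg.ver, issuer, expiry, scope). The issuer URL is the one given above; encode_claims and the sample claims are constructed for testing, and the signature itself is not verified here (the CE does that).

```python
import base64
import json
import time

# Issuer named on this page; sample claims used with this script are constructed for illustration.
WLCG_ISSUER = "https://wlcg.cloud.cnaf.infn.it/"

def _b64url_decode(segment: str) -> bytes:
    # JWT segments omit base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def encode_claims(claims: dict, alg: str = "RS256") -> str:
    """Constructed test helper: serialise a header and claims as a compact JWT with a dummy signature."""
    seg = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{seg({'alg': alg, 'typ': 'JWT'})}.{seg(claims)}.dummysig"

def check_wlcg_token(token: str, issuer: str = WLCG_ISSUER, now=None,
                     required_scopes=("openid",)) -> list:
    """Return the problems found in the token's claims; an empty list means it looks usable.
    Only the claims are inspected; the signature check is left to the CE."""
    parts = token.split(".")
    if len(parts) != 3:
        return ["not a three-part compact JWT"]
    try:
        header = json.loads(_b64url_decode(parts[0]))
        claims = json.loads(_b64url_decode(parts[1]))
    except ValueError:  # bad base64 or bad JSON (both raise ValueError subclasses)
        return ["header or payload is not base64url-encoded JSON"]
    problems = []
    if header.get("alg", "none").lower() == "none":
        problems.append("token is unsigned (alg=none)")
    if claims.get("wlcg.ver") != "1.0":
        problems.append("missing or unexpected wlcg.ver claim (expected '1.0')")
    if claims.get("iss") != issuer:
        problems.append(f"issuer {claims.get('iss')!r} is not {issuer!r}")
    now = time.time() if now is None else now
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)):
        problems.append("missing exp claim")
    elif exp <= now:
        problems.append("token has expired")
    if isinstance(claims.get("nbf"), (int, float)) and claims["nbf"] > now:
        problems.append("token is not yet valid (nbf in the future)")
    granted = set(str(claims.get("scope", "")).split())
    problems += [f"scope {s!r} not granted" for s in required_scopes if s not in granted]
    return problems
```

Run check_wlcg_token on the value you are about to place in ARC_OTOKEN; a non-empty result names what is wrong before arcsub sends the token to the CE.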