ARC support for OIDC¶
Support level¶
Currently the support for OIDC tokens in ARC is at a technology preview level. Only tokens conforming to the WLCG profile have been tested. The current validation is not strict: the token is parsed and the signature is checked if present, but no additional requirements are imposed. Tokens are only accepted for client authentication during job submission through the EMI-ES interface.
Obtaining and using tokens¶
The suggested way for obtaining a token is through the oidc-agent utility - https://indigo-dc.gitbook.io/oidc-agent/. Install it following the instructions for your Linux distribution.
Point your browser to https://wlcg.cloud.cnaf.infn.it/ and create an account.
Start the oidc-agent. It will print few lines of shell commands. Copy them to the command line and execute. This will set up environment variables for other oidc-* commands.
Start oidc-gen. It will guide you through the steps to register the OIDC
client and create a profile for the oidc-agent.
When asked to select the issuer, select https://wlcg.cloud.cnaf.infn.it/
.
When asked about the scope, write openid profile wlcg
. You only need to run the oidc-gen once.
Next time when you use the oidc-agent, you can load an already created profile
with the ‘oidc-add NAME_YOU_CHOOSE’ command.
When the oidc-gen command tells you “”To continue and approve the registered client visit the following URL in a Browser of your choice:” point your browser (which must be running on the same machine as the oidc tools do) to the adress given.
Obtain the token and store it in the ARC_OTOKEN variable:
export ARC_OTOKEN=`oidc-token NAME_YOU_CHOOSE`
If the oidc tools were installed on a different machine than your ARC client, then first obtain the token on the oidc tool machine:
oidc-tool NAME_YOU_CHOOSE
Then copy the token string and on your ARC client machine do:
export ARC_OTOKEN=<token-string>
Now submit the job to an ARC CE with arcsub through the EMI-ES interface. For that, use the option ‘-S org.ogf.glue.emies.activitycreation’ (or if you are using ARC client >= 6.5.0 ‘-T emies’). The token stored in the ARC_TOKEN variable will be used instead of the X.509 certificate for authenticating the user to the ARC CE server. Data staging currently will still use the X.509 proxy credentials.
Note: You can use any other method for obtaining a WLCG compliant OIDC token. Just store it in the ARC_OTOKEN variable before calling arcsub.
Configuring authorization on server¶
Token processing is enabled by the presence of the [authtokens] configuration block.
The user can be authorized on the server by adding a dedicated command to the authgroup block:
authtokens=subject issuer audience scope group
The specified parameters must match those in the provided token. Parameters can be ‘*’ to match any value, for example
authtokens=e83eec5a-e2e3-43c6-bb67-df8f5ec3e8d0 https://wlcg.cloud.cnaf.infn.it/ * * *
matches a user with subject e83eec5a-e2e3-43c6-bb67-df8f5ec3e8d0 in token issued by https://wlcg.cloud.cnaf.infn.it/ .
Note
Until handling of authtokens is integrated with arcproxy you will have to find the subject of the token using a tool like e.g. https://jwt.io/ . Alternatively you can install flaat (https://pypi.org/project/flaat/).
User mapping to a local account is implemented using a simulated X.509 user subject. The subject provided by an OIDC token is unique only in scope of the identity provider. To generate a globally unique user-identifier, the issuer and the subject are cocatenated as “issuer/subject” to provide an identifier suitable for user mapping. For example, a user with subject e83eec5a-e2e3-43c6-bb67-df8f5ec3e8d0 in the token issued by https://wlcg.cloud.cnaf.infn.it/ is represented by a simulated identifier https://wlcg.cloud.cnaf.infn.it//e83eec5a-e2e3-43c6-bb67-df8f5ec3e8d0