ARC support for OIDC

Support level

Support for OIDC tokens in ARC is currently at a technology preview level. Only tokens conforming to the WLCG profile are supported. Validation is currently not strict: the token is parsed and its signature is checked if one is present, but no additional requirements are imposed on its contents. Tokens are only accepted for client authentication at job submission through the EMIES interface.

Obtaining and using tokens

The suggested way of obtaining a token is through the oidc-agent utility - https://indigo-dc.gitbook.io/oidc-agent/. Install it following the instructions for your distribution.

Point your browser at https://wlcg.cloud.cnaf.infn.it/ and create an account.

Start the oidc-agent. It prints a few lines of shell commands. Paste them into your shell and execute them; they set up the environment variables used by the other oidc-* commands.

Start oidc-gen. It guides you through registering the OIDC client and creating a profile for the oidc-agent. When asked to select an issuer, select https://wlcg.cloud.cnaf.infn.it/. When asked for the scope, enter openid profile wlcg. You need to run oidc-gen only once. The next time you use the oidc-agent you can load the already created profile with the ‘oidc-add NAME_YOU_CHOOSE’ command.

When the oidc-gen command tells you “To continue and approve the registered client visit the following URL in a Browser of your choice:”, point your browser (which must be running on the same machine as the oidc tools) to the address given.

Obtain the token and store it in the ARC_OTOKEN variable:

export ARC_OTOKEN=`oidc-token NAME_YOU_CHOOSE`

If the oidc tools are installed on a different machine than your ARC client, first obtain the token on the oidc tool machine with ‘oidc-token NAME_YOU_CHOOSE’.

Then copy the token string (it is a bearer credential, so transfer it over a protected channel and do not leave it in shell history or world-readable files) and on your ARC client machine do

export ARC_OTOKEN=<token-string>

Now submit the job to the ARC CE with arcsub through the EMIES interface. For that use the option ‘-S org.ogf.glue.emies.activitycreation’ (or, with ARC client >= 6.5.0, ‘-T emies’). The token stored in the ARC_OTOKEN variable is then used instead of the X.509 certificate for authenticating the user to the ARC CE server. Data staging currently still uses the X.509 proxy credentials, so a valid proxy is still required for jobs that stage data.

Note: You can use any other method of obtaining a WLCG-compliant OIDC token. Just store it in the ARC_OTOKEN variable before calling arcsub.

Configuring authorization on server

Token processing is enabled by the presence of the [authtokens] configuration block.

A user can be authorized on the server by adding a dedicated command to an authgroup block:

authtokens=subject issuer audience scope group

The specified parameters must match those in the provided token. A parameter can be ‘*’ to match any value. For example

authtokens=e83eec5a-e2e3-43c6-bb67-df8f5ec3e8d0 https://wlcg.cloud.cnaf.infn.it/ * * *

matches a user with subject e83eec5a-e2e3-43c6-bb67-df8f5ec3e8d0 in a token issued by https://wlcg.cloud.cnaf.infn.it/, whatever its audience, scope or group.

Note

Until the handling of authtokens is integrated with arcproxy you must find the subject of the token yourself, e.g. by base64url-decoding the token's payload locally or with a tool like https://jwt.io/. Keep in mind that the token is a bearer credential: pasting a live token into a web tool discloses it to that site, so prefer a local decoder or an already expired token.

User mapping to a local account is implemented using a simulated X.509 user subject. The subject provided by an OIDC token is unique only within the scope of the identity provider. To generate a globally unique user identifier, issuer and subject are concatenated as “issuer/subject”, which provides an identifier suitable for user mapping. The issuer is used verbatim, so an issuer ending in ‘/’ yields a double slash. For example a user with subject e83eec5a-e2e3-43c6-bb67-df8f5ec3e8d0 in the token issued by https://wlcg.cloud.cnaf.infn.it/ is represented by the simulated identifier https://wlcg.cloud.cnaf.infn.it//e83eec5a-e2e3-43c6-bb67-df8f5ec3e8d0
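The following script is an added example (it is not part of ARC or oidc-agent) that ties together the last three points: it reads the subject and issuer out of a token locally instead of pasting it into a web tool, emits the matching authtokens line for the authgroup block, and derives the simulated “issuer/subject” identifier used for user mapping. Because it must run offline it works on a constructed sample token signed with a throwaway HS256 key; real WLCG tokens are RS256-signed and would be verified against the issuer's published JWKS, which this example does not fetch. The claim_warnings checks (expiry, nbf, wlcg.ver, presence of scope or wlcg.groups) are my reading of the WLCG profile and are exactly the kind of checks the preview-level ARC validation described above does not perform.

```python
"""Inspect a WLCG-profile OIDC token offline and derive ARC authorization settings.
Added example, not ARC or oidc-agent code. The sample token is constructed here
with a throwaway HMAC key; it was not issued by wlcg.cloud.cnaf.infn.it."""
import base64
import hashlib
import hmac
import json
import time

ISSUER = "https://wlcg.cloud.cnaf.infn.it/"          # issuer from the page
SUBJECT = "e83eec5a-e2e3-43c6-bb67-df8f5ec3e8d0"     # subject from the page
DEMO_KEY = b"throwaway-demo-key"                      # assumption: only for the constructed sample


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_sample_token(key: bytes = DEMO_KEY, exp: int = 4102444800) -> str:
    """Constructed WLCG-shaped access token (HS256) for this example only."""
    header = {"alg": "HS256", "typ": "at+jwt"}
    claims = {
        "iss": ISSUER, "sub": SUBJECT, "aud": "https://wlcg.cern.ch/jwt/v1/any",
        "exp": exp, "iat": exp - 3600, "nbf": exp - 3600, "jti": "constructed-example",
        "wlcg.ver": "1.0", "scope": "openid profile wlcg", "wlcg.groups": ["/wlcg"],
    }
    compact = {"separators": (",", ":")}
    signing_input = (_b64url_encode(json.dumps(header, **compact).encode()) + "."
                     + _b64url_encode(json.dumps(claims, **compact).encode()))
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def decode_claims(token: str) -> dict:
    """Payload claims WITHOUT signature verification: good enough to look up the
    subject for arc.conf, never good enough for an authorization decision."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected JWS compact form header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def verify_hs256(token: str, key: bytes) -> bool:
    """Signature check for the HS256 sample; False for a wrong key, a tampered
    token or an empty/missing signature."""
    parts = token.split(".")
    if len(parts) != 3:
        return False
    header_b64, payload_b64, sig_b64 = parts
    if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
        return False  # do not let the token pick a weaker or 'none' algorithm
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, _b64url_decode(sig_b64))


def simulated_subject(claims: dict) -> str:
    """ARC's simulated X.509 subject: issuer and subject joined with '/'.
    The issuer is used verbatim, so a trailing '/' produces '//'."""
    return f"{claims['iss']}/{claims['sub']}"


def authtokens_line(claims: dict, audience="*", scope="*", group="*") -> str:
    """authtokens command for an authgroup block; '*' matches any value."""
    return f"authtokens={claims['sub']} {claims['iss']} {audience} {scope} {group}"


def claim_warnings(claims: dict, now=None) -> list:
    """Checks the preview-level ARC validation does not make (assumption: based on
    the WLCG profile's required claims). Empty list means nothing to flag."""
    now = time.time() if now is None else now
    out = []
    for name in ("iss", "sub", "aud", "exp", "iat", "wlcg.ver"):
        if name not in claims:
            out.append(f"missing {name}")
    if "exp" in claims and claims["exp"] <= now:
        out.append("token expired")
    if claims.get("nbf", 0) > now:
        out.append("token not yet valid")
    if claims.get("wlcg.ver") not in (None, "1.0"):
        out.append(f"unexpected wlcg.ver {claims['wlcg.ver']!r}")
    if "scope" not in claims and "wlcg.groups" not in claims:
        out.append("neither scope nor wlcg.groups present")
    return out


if __name__ == "__main__":
    tok = make_sample_token()
    c = decode_claims(tok)
    print("signature ok:", verify_hs256(tok, DEMO_KEY))
    print("warnings:", claim_warnings(c) or "none")
    print(authtokens_line(c))                 # line for the authgroup block
    print("mapping id:", simulated_subject(c))
```

To use it on a real token, replace make_sample_token() with the value of ARC_OTOKEN and ignore verify_hs256 (it only applies to the HS256 sample); decode_claims and authtokens_line give you the subject line to put into the authgroup block, and simulated_subject gives the identifier to map to a local account.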