ARC support for OIDC
Support level
Only tokens conforming to the WLCG profile have been tested. The current validation is not strict: the token is parsed and the signature is checked if present, but no additional requirements are imposed. Tokens are only accepted for client authentication during job submission through the EMI-ES and REST interfaces.
Obtaining and using tokens
The suggested way to obtain a token is the oidc-agent utility (https://indigo-dc.gitbook.io/oidc-agent/). Install it following the instructions for your Linux distribution.
Point your browser to https://wlcg.cloud.cnaf.infn.it/ and create an account.
Start the oidc-agent. It will print a few lines of shell commands. Copy them to the command line and execute them. This sets up the environment variables used by the other oidc-* commands.
Start oidc-gen. It will guide you through the steps to register the OIDC client and create a profile for the oidc-agent. When asked to select the issuer, select https://wlcg.cloud.cnaf.infn.it/. When asked about the scope, write openid profile wlcg. You only need to run oidc-gen once.
Next time you use the oidc-agent, you can load an already created profile with the ‘oidc-add NAME_YOU_CHOOSE’ command.
When the oidc-gen command tells you “To continue and approve the registered client visit the following URL in a Browser of your choice:”, point your browser (which must be running on the same machine as the oidc tools) to the address given.
Obtain the token and store it in the BEARER_TOKEN variable:
export BEARER_TOKEN=`oidc-token NAME_YOU_CHOOSE`
If the oidc tools were installed on a different machine than your ARC client, then first obtain the token on the oidc tool machine:
oidc-token NAME_YOU_CHOOSE
Then copy the token string and on your ARC client machine do:
export BEARER_TOKEN=<token-string>
Now submit the job to an ARC CE with arcsub through the REST interface. For that, use the option ‘-T arcrest’. The token stored in the BEARER_TOKEN variable will be used instead of the X.509 certificate for authenticating the user to the ARC CE server. Note that arcsub still requires an X.509 proxy which will be delegated to the CE. Data staging currently will also still use the X.509 proxy credentials.
Note: You can use any other method for obtaining a WLCG-compliant OIDC token. Just store it in the BEARER_TOKEN variable before calling arcsub.
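Since the CE side only parses the token and checks its signature, it is worth sanity-checking BEARER_TOKEN on the client before calling arcsub: that it comes from the issuer you registered with, has not expired, and carries the wlcg scope. The POSIX shell script below is an added example and is not part of the ARC documentation or of the oidc-agent tooling. It assumes GNU coreutils base64 and standard sed/cut/date, and builds an unsigned test token of its own (alg "none", empty signature; a real oidc-token output is signed) so that it runs without an oidc-agent installation. The issuer it expects defaults to the one used above.

```shell
#!/bin/sh
# Added example: client-side checks on a WLCG-profile bearer token before job submission.
# Assumes GNU coreutils base64; all tokens built here are constructed for testing.

EXPECTED_ISSUER="${EXPECTED_ISSUER:-https://wlcg.cloud.cnaf.infn.it/}"

# base64url-decode one JWT segment: restore padding and the standard alphabet.
b64url_decode() {
    seg=$1
    case $(( ${#seg} % 4 )) in
        2) seg="${seg}==" ;;
        3) seg="${seg}=" ;;
    esac
    printf '%s' "$seg" | tr '_-' '/+' | base64 -d
}

# Print the JSON payload (second dot-separated segment) of a JWT.
jwt_payload() {
    b64url_decode "$(printf '%s' "$1" | cut -d. -f2)"
}

# Extract a top-level string or numeric claim from the payload (flat JSON only).
jwt_claim() {
    jwt_payload "$1" | sed -n "s/.*\"$2\":\"\{0,1\}\([^\",}]*\)\"\{0,1\}.*/\1/p"
}

# Return 0 if the token has the expected issuer, is unexpired at time $2
# (defaults to now) and carries the wlcg scope; otherwise report why on stderr.
check_token() {
    tok=$1
    now=${2:-$(date +%s)}
    iss=$(jwt_claim "$tok" iss)
    exp=$(jwt_claim "$tok" exp)
    scope=$(jwt_claim "$tok" scope)
    [ "$iss" = "$EXPECTED_ISSUER" ] || { echo "unexpected issuer: '$iss'" >&2; return 1; }
    [ "${exp:-0}" -gt "$now" ] || { echo "missing or past exp claim: '$exp'" >&2; return 1; }
    case " $scope " in
        *" wlcg "*) ;;
        *) echo "wlcg scope not granted (scope='$scope')" >&2; return 1 ;;
    esac
    return 0
}

# Helpers to build an unsigned test JWT (header.payload. with empty signature).
b64url_encode() {
    base64 | tr -d '\n=' | tr '/+' '_-'
}
make_test_token() {
    hdr=$(printf '%s' '{"alg":"none","typ":"JWT"}' | b64url_encode)
    pl=$(printf '%s' "$1" | b64url_encode)
    printf '%s.%s.' "$hdr" "$pl"
}

# Typical use, after: export BEARER_TOKEN=`oidc-token NAME_YOU_CHOOSE`
if [ -n "${BEARER_TOKEN:-}" ]; then
    if check_token "$BEARER_TOKEN"; then
        echo "BEARER_TOKEN looks usable; proceed with: arcsub -T arcrest ..."
    else
        echo "not submitting with this BEARER_TOKEN" >&2
    fi
fi
```

Run it as a script after exporting BEARER_TOKEN, or source it and call check_token from your own submission wrapper. The claim extraction is deliberately minimal (flat JSON, no nested objects); for anything beyond a pre-flight check, decode the payload with jq instead.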