Test JWT Howto using ARC Control Tool

The Test JWT can be seen as a personal Identity Provider (IdP) on the local client computer.

It is part of the main arcctl package, which is available for both client and server installations. The server pulls it in as a dependency, but on a client it should be installed separately:

dnf install nordugrid-arc-arcctl

Initialize IdP

TestJWT is supposed to be run on the client computer by a regular user:

[user01@arc ~]$ arcctl test-jwt init
[2024-10-25 22:54:34,846] [ARCCTL.JWTIssuer] [INFO] [684] [Showing the JWKS for JWT Issuer https://arc.local/arc/testjwt/89685a6f/1002]
{
  "keys": [
    {
      "e": "AQAB",
      "kid": "testjwt",
      "kty": "RSA",
      "n": "9JutYVvLUeeTqxzyBMhgwnqexVKxTb0HNrC6iZElqeyFSEK7CBrkUhSwk8Fp-0qDIbtLHnXUJNZqzkcPhKFyEVN3dbXX7_3LhhVrfM9QnE0MZS2NTF5x7VgoT-NrddZ7Tm2_4yD81xIs66QmJpRvPqEYT8Ds76rq5GnQP4xUitI0zicX8a7jIQk5dWRfHx8ilHdY0FtuYDxgvwm4COUaKxkhPW5FbAtcVS-cJOOB1gIPdoceRUql0EkSgIIC8d7EM8plmN7G9o0W3L9wn4_Z4rn6J-75nLg5KTww37SiF7ELu76EIuHCjewFBRmva10If9xTu0bzwbywb3V0f8TRYw",
      "use": "sig"
    }
  ]
}
[2024-10-25 22:54:34,846] [ARCCTL.TestJWT] [INFO] [684] [Generating deployment command to be executed on ARC CE to trust the Test JWT issuer https://arc.local/arc/testjwt/89685a6f/1002]
arcctl deploy jwt-issuer --deploy-conf test-jwt: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

Trust JWT Issuer on ARC CE

Copy the arcctl deploy command from the output of init, or run arcctl test-jwt export to show the command again.

[root@arc-ce ~]# arcctl deploy jwt-issuer --deploy-conf test-jwt: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
[2024-10-25 22:58:12,626] [ARCCTL.ThirdParty.Deploy] [INFO] [266740] [ARC CE now trust JWT signatures of https://arc.local/arc/testjwt/89685a6f/1002 issuer.]
[2024-10-25 22:58:12,626] [ARCCTL.JWTIssuer] [INFO] [266740] [Auth configuration for JWT issuer https://arc.local/arc/testjwt/89685a6f/1002 has been written to /etc/arc.conf.d/10-testjwt-8475ff6c.conf]
[2024-10-25 22:58:12,626] [ARCCTL.JWTIssuer] [WARNING] [266740] [ARC services restart is needed to apply configuration changes.]

[root@arc-ce ~]# arcctl service restart -a

Issue JWT token

To generate a token signed by the TestJWT instance, run the following (the token is printed to stdout):

[user01@arc ~]$ arcctl test-jwt token
eyJhbGciOiJSUzI1NiIsImtpZCI6InRlc3Rqd3QifQ.eyJhdWQiOiJhcmMiLCJhenAiOiJhcmMiLCJleHAiOjE3Mjk5MzMyMDMsImlhdCI6MTcyOTg5MDAwMywiaXNzIjoiaHR0cHM6Ly9hcmMubG9jYWwvYXJjL3Rlc3Rqd3QvODk2ODVhNmYvMTAwMiIsImp0aSI6IjFhZWU1NDNjLTkzMTQtMTFlZi05NTliLWY4NzVhNGVmZTdmMSIsIm5hbWUiOiJUZXN0IFVzZXIgODM5MTg4NjUiLCJuYmYiOjE3Mjk4ODk3MDMsInByZWZlcnJlZF91c2VybmFtZSI6IlRlc3QgVXNlciA4MzkxODg2NSIsInNjb3BlIjoib3BlbmlkIHByb2ZpbGUiLCJzdWIiOiJUZXN0IFVzZXIgODM5MTg4NjUiLCJ0eXAiOiJCZWFyZXIifQ.R7Q15g5jVHdyESmKzNB68-j32iB6-yxz4v00n0xXA7RXURKMB-JjT6xc20Hh9McTXrenhxW3o_Z-Fo4ReEgU2VCeKCswRQavxXPejP9v0rnpTJM3oKyHsuO7GnuEp8nf-7DaKgbJwK3Y1Baidd-6ygXjWCS9M0zeJLP2BgerPMPItjR8KiYw6eLDp7UAs3LYxSM1Ktajt2bvhCGn2qG_8t0zaM0rOelWbL50TafnlSw8xlkaHmUXb-cQwoL6c17zKcBYySwmX8Ed7QJLNAUUAAvyqwpP16J54nKbGbERPhH__iupSRhHMqCUf_yh-y_vuQI13upZH9QaHGYsv2B6OQ

The ARC client relies on the BEARER_TOKEN environment variable, so the convenient way is to run:

[user01@arc ~]$ export BEARER_TOKEN=$( arcctl test-jwt token )

Fine-tune token claims

Token claims can be modified via command line arguments to arcctl test-jwt token.

The command help is your best friend here:

[user01@arc ~]$ arcctl test-jwt token -h
usage: arcctl test-jwt token [-h] [-p PROFILE] [-n USERNAME] [-v VALIDITY] [-s SCOPES] [-c CLAIMS]

optional arguments:
  -h, --help            show this help message and exit
  -p PROFILE, --profile PROFILE
                        Generate using token named profile (default is default
  -n USERNAME, --username USERNAME
                        Use specified username instead of automatically generated
  -v VALIDITY, --validity VALIDITY
                        Validity of the token in hours (default is 12)
  -s SCOPES, --scopes SCOPES
                        Additional scopes to include into the token
  -c CLAIMS, --claims CLAIMS
                        Additional claims (JSON) to include into the token

For example:

arcctl test-jwt token -n 'Andrii' -s "storage.read storage.write" -v 72

will generate a token with the subject "Andrii", add the listed scopes to the token's scope list, and increase the validity from the default 12 hours to 72 hours.
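What ends up inside such a token is easiest to see by decoding it. The following is an added example, not part of the arcctl tool: it takes the JWKS shown by arcctl test-jwt init and the token printed by arcctl test-jwt token above, verifies the RS256 signature against that key using only the Python standard library, and then applies the claim checks a relying party like an ARC CE performs (trusted issuer, audience, nbf/exp window). The subject, scope and exp-iat difference in the decoded payload are exactly what -n, -s and -v control; the audience value "arc" and the check order are this example's assumptions.

```python
import base64, hashlib, hmac, json

# Copied from the arcctl output above: the Test JWT issuer's JWKS and one token it issued.
ISSUER = "https://arc.local/arc/testjwt/89685a6f/1002"
JWKS = {"keys": [{"e": "AQAB", "kid": "testjwt", "kty": "RSA", "use": "sig",
                  "n": "9JutYVvLUeeTqxzyBMhgwnqexVKxTb0HNrC6iZElqeyFSEK7CBrkUhSwk8Fp-0qDIbtLHnXUJNZqzkcPhKFyEVN3dbXX7_3LhhVrfM9QnE0MZS2NTF5x7VgoT-NrddZ7Tm2_4yD81xIs66QmJpRvPqEYT8Ds76rq5GnQP4xUitI0zicX8a7jIQk5dWRfHx8ilHdY0FtuYDxgvwm4COUaKxkhPW5FbAtcVS-cJOOB1gIPdoceRUql0EkSgIIC8d7EM8plmN7G9o0W3L9wn4_Z4rn6J-75nLg5KTww37SiF7ELu76EIuHCjewFBRmva10If9xTu0bzwbywb3V0f8TRYw"}]}
TOKEN = "eyJhbGciOiJSUzI1NiIsImtpZCI6InRlc3Rqd3QifQ.eyJhdWQiOiJhcmMiLCJhenAiOiJhcmMiLCJleHAiOjE3Mjk5MzMyMDMsImlhdCI6MTcyOTg5MDAwMywiaXNzIjoiaHR0cHM6Ly9hcmMubG9jYWwvYXJjL3Rlc3Rqd3QvODk2ODVhNmYvMTAwMiIsImp0aSI6IjFhZWU1NDNjLTkzMTQtMTFlZi05NTliLWY4NzVhNGVmZTdmMSIsIm5hbWUiOiJUZXN0IFVzZXIgODM5MTg4NjUiLCJuYmYiOjE3Mjk4ODk3MDMsInByZWZlcnJlZF91c2VybmFtZSI6IlRlc3QgVXNlciA4MzkxODg2NSIsInNjb3BlIjoib3BlbmlkIHByb2ZpbGUiLCJzdWIiOiJUZXN0IFVzZXIgODM5MTg4NjUiLCJ0eXAiOiJCZWFyZXIifQ.R7Q15g5jVHdyESmKzNB68-j32iB6-yxz4v00n0xXA7RXURKMB-JjT6xc20Hh9McTXrenhxW3o_Z-Fo4ReEgU2VCeKCswRQavxXPejP9v0rnpTJM3oKyHsuO7GnuEp8nf-7DaKgbJwK3Y1Baidd-6ygXjWCS9M0zeJLP2BgerPMPItjR8KiYw6eLDp7UAs3LYxSM1Ktajt2bvhCGn2qG_8t0zaM0rOelWbL50TafnlSw8xlkaHmUXb-cQwoL6c17zKcBYySwmX8Ed7QJLNAUUAAvyqwpP16J54nKbGbERPhH__iupSRhHMqCUf_yh-y_vuQI13upZH9QaHGYsv2B6OQ"

def b64url_decode(s: str) -> bytes:
    # JWT segments are base64url without padding; restore the padding before decoding
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def decode_jwt(token: str):
    # Returns header, payload, raw signature bytes and the bytes the signature covers
    h, p, s = token.split(".")
    return json.loads(b64url_decode(h)), json.loads(b64url_decode(p)), b64url_decode(s), f"{h}.{p}".encode()

def verify_rs256(token: str, jwks: dict) -> bool:
    # RSASSA-PKCS1-v1_5 with SHA-256 (RS256), implemented with plain integers so it runs offline
    header, _, sig, signing_input = decode_jwt(token)
    if header.get("alg") != "RS256":   # pin the algorithm; never let the token choose it
        return False
    key = next((k for k in jwks["keys"] if k.get("kty") == "RSA" and k.get("kid") == header.get("kid")), None)
    if key is None:                    # unknown kid: nothing to verify against
        return False
    n = int.from_bytes(b64url_decode(key["n"]), "big")
    e = int.from_bytes(b64url_decode(key["e"]), "big")
    k = (n.bit_length() + 7) // 8      # modulus length in bytes (256 for a 2048-bit key)
    if len(sig) != k:
        return False
    em = pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big")
    digest_info = bytes.fromhex("3031300d060960864801650304020105000420") + hashlib.sha256(signing_input).digest()
    expected = b"\x00\x01" + b"\xff" * (k - len(digest_info) - 3) + b"\x00" + digest_info
    return hmac.compare_digest(em, expected)

def check_claims(payload: dict, now: int, trusted_issuer: str = ISSUER, audience: str = "arc") -> list:
    # Checks applied after the signature: issuer trust, audience, and the nbf/exp window at time `now`
    problems = []
    if payload.get("iss") != trusted_issuer:
        problems.append("issuer not trusted")
    if payload.get("aud") != audience:
        problems.append("audience mismatch")
    if now < payload.get("nbf", 0):
        problems.append("not yet valid")
    if now >= payload.get("exp", 0):
        problems.append("expired")
    return problems

if __name__ == "__main__":
    _, payload, _, _ = decode_jwt(TOKEN)
    print("signature valid:", verify_rs256(TOKEN, JWKS), "| validity hours:", (payload["exp"] - payload["iat"]) / 3600, "| problems:", check_claims(payload, payload["iat"] + 60))
```

The decoded payload shows sub/name/preferred_username all set to the generated "Test User ..." name, scope "openid profile", and exp - iat of exactly 43200 seconds, i.e. the default 12 hours.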

Using token profiles

You can create a profile with customized claims and reuse it for token generation instead of passing command line arguments:

[user01@arc ~]$ arcctl test-jwt config-set -p wlcg username "Atlas User"
[user01@arc ~]$ arcctl test-jwt config-set -p wlcg scopes "compute.create:/"
[user01@arc ~]$ arcctl test-jwt config-set -p wlcg claims '{"wlcg.ver": "1.0", "wlcg.groups": ["/atlas", "/atlas/production"]}'
[user01@arc ~]$ arcctl test-jwt config-set -p wlcg validity 24

[user01@arc ~]$ arcctl test-jwt config-get -p wlcg
{
  "username": "Atlas User",
  "scopes": "compute.create:/",
  "claims": "{\"wlcg.ver\": \"1.0\", \"wlcg.groups\": [\"/atlas\", \"/atlas/production\"]}",
  "validity": "24"
}

[user01@arc ~]$ arcctl test-jwt token -p wlcg