
Scitoken multi issuer support

Merged Duncan Meacher requested to merge scitoken_multi_issuer_support into master

This MR allows GraceDB to list multiple SciToken issuers that can be accepted, as requested in this issue: #340 (closed). The changes are based off this gwdatafind MR that has already been tested and merged in: computing/gwdatafind/server!83 (merged). These changes are currently deployed on graecdb-dev2.ligo.org and have been tested using both the cilogon test and prod servers for issuing SciTokens.

Edited by Duncan Meacher


Activity

  • requested review from @alexander.pace

  • @joshua.willis, I've added https://osdf.igwn.org/cit as an accepted issuer for GraceDB, as well as the test and prod cilogon issuers, though I'm not sure if this will be needed.

  • Duncan Meacher changed the description

  • This MR has now been deployed on gracedb-test.ligo.org and tested with the test and prod cilogon issuers:

    (igwn) [duncan.meacher@ldas-grid ~]$ htgettoken -a vault.ligo.org -i igwn --audience https://gracedb-test.ligo.org --scope gracedb.read
    Attempting to get token from https://vault.ligo.org:8200 ... failed
    Attempting kerberos auth with https://vault.ligo.org:8200 ... failed
    Attempting ssh-agent auth with https://vault.ligo.org:8200 ... failed
    Attempting OIDC authentication with https://vault.ligo.org:8200
    
    Complete the authentication at:
        https://cilogon.org/device/?user_code=LJH-9V7-9HH
    No web open command defined, please copy/paste the above to any web browser
    Waiting for response in web browser
    Storing vault token in /tmp/vt_u42544
    Saving credkey to /home/duncan.meacher/.config/htgettoken/credkey-igwn-default
    Saving refresh token ... done
    Attempting to get token from https://vault.ligo.org:8200 ... succeeded
    Storing bearer token in /run/user/42544/bt_u42544
    (igwn) [duncan.meacher@ldas-grid ~]$ httokendecode -H
    {
      "sub": "duncan.meacher@ligo.org",
      "aud": "https://gracedb-test.ligo.org",
      "uid": "duncan.meacher",
      "ver": "scitoken:2.0",
      "nbf": "Fri Feb 16 12:18:01 PST 2024",
      "scope": "gracedb.read",
      "iss": "https://cilogon.org/igwn",
      "exp": "Fri Feb 16 15:18:06 PST 2024",
      "iat": "Fri Feb 16 12:18:06 PST 2024",
      "jti": "https://cilogon.org/oauth2/7e53956abbfe15c14f24a1c57c9f8ad1?type=accessToken&ts=1708114685846&version=v2.0&lifetime=10800000"
    }
    (igwn) [duncan.meacher@ldas-grid ~]$ gracedb -s https://gracedb-test.ligo.org/api/ credentials server
    {
        "username": "duncan.meacher@ligo.org",
        "first_name": "Duncan",
        "last_name": "Meacher",
        "email": "duncan.meacher@ligo.org",
        "is_internal_user": true
    }
    (igwn) [duncan.meacher@ldas-grid ~]$ htgettoken -a vault.ligo.org -i igwn-test --audience https://gracedb-test.ligo.org --scope gracedb.read
    Attempting to get token from https://vault.ligo.org:8200 ... failed
    Attempting kerberos auth with https://vault.ligo.org:8200 ... failed
    Attempting ssh-agent auth with https://vault.ligo.org:8200 ... failed
    Attempting OIDC authentication with https://vault.ligo.org:8200
    
    Complete the authentication at:
        https://test.cilogon.org/device/?user_code=NXT-DF4-DHJ
    No web open command defined, please copy/paste the above to any web browser
    Waiting for response in web browser
    Storing vault token in /tmp/vt_u42544
    Saving credkey to /home/duncan.meacher/.config/htgettoken/credkey-igwn-test-default
    Saving refresh token ... done
    Attempting to get token from https://vault.ligo.org:8200 ... succeeded
    Storing bearer token in /run/user/42544/bt_u42544
    (igwn) [duncan.meacher@ldas-grid ~]$ httokendecode -H
    {
      "sub": "duncan.meacher@ligo.org",
      "aud": "https://gracedb-test.ligo.org",
      "uid": "duncan.meacher",
      "ver": "scitoken:2.0",
      "nbf": "Fri Feb 16 12:18:55 PST 2024",
      "scope": "gracedb.read",
      "iss": "https://test.cilogon.org/igwn",
      "exp": "Fri Feb 16 15:19:00 PST 2024",
      "iat": "Fri Feb 16 12:19:00 PST 2024",
      "jti": "https://test.cilogon.org/oauth2/3a34b8613507943f1fbbf3a583f59f0b?type=accessToken&ts=1708114740516&version=v2.0&lifetime=10800000"
    }
    (igwn) [duncan.meacher@ldas-grid ~]$ gracedb -s https://gracedb-test.ligo.org/api/ credentials server
    {
        "username": "duncan.meacher@ligo.org",
        "first_name": "Duncan",
        "last_name": "Meacher",
        "email": "duncan.meacher@ligo.org",
        "is_internal_user": true
    }
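The multi-issuer acceptance described in this MR, sketched as an added example that is not GraceDB's code or part of the merge request: the token's `iss` must exactly match one entry of the accepted list before audience, validity window and scope are checked. The constant and function names are hypothetical, the sample token is constructed, and signature verification against the matched issuer's keys is assumed to be handled by the JWT library.

```python
import base64
import json
import time

# Issuers named on this page; constant and function names are hypothetical.
ACCEPTED_ISSUERS = (
    "https://cilogon.org/igwn",
    "https://test.cilogon.org/igwn",
    "https://osdf.igwn.org/cit",
)
AUDIENCE = "https://gracedb-test.ligo.org"
# Constructed claims modelled on the decoded token above (epoch seconds).
SAMPLE_CLAIMS = {"iss": "https://cilogon.org/igwn", "aud": AUDIENCE,
                 "scope": "gracedb.read", "nbf": 1708114681, "exp": 1708125486}


def make_sample_token(claims):
    """Build a constructed, unsigned token: header.payload.placeholder."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return ".".join([enc({"alg": "RS256", "typ": "JWT"}), enc(claims), "sig-placeholder"])


def unverified_claims(token):
    """Decode the payload without verifying it, only to read the claims."""
    payload = token.split(".")[1]
    claims = json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))
    if not isinstance(claims, dict):
        raise ValueError("payload is not a JSON object")
    return claims


def authorize(token, required_scope, now=None):
    """Return (True, issuer) or (False, reason). Verifying the signature with
    the matched issuer's keys is assumed to be done by the JWT library."""
    now = time.time() if now is None else now
    try:
        c = unverified_claims(token)
        in_window = c["nbf"] <= now < c["exp"]
    except (AttributeError, IndexError, KeyError, TypeError, ValueError):
        return False, "malformed token"
    if c.get("iss") not in ACCEPTED_ISSUERS:  # exact match, never a prefix test
        return False, "issuer not accepted"
    aud = c.get("aud")
    if AUDIENCE not in (aud if isinstance(aud, list) else [aud]):
        return False, "wrong audience"
    if not in_window:
        return False, "outside nbf/exp window"
    if required_scope not in str(c.get("scope", "")).split():
        return False, "missing scope"
    return True, c["iss"]
```
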
  • Alexander Pace approved this merge request

  • merged

  • Alexander Pace mentioned in merge request !201 (merged)
