From cadd3ea051a35c17f9fcaf37a3f38e8001a7cf6a Mon Sep 17 00:00:00 2001 From: Haoming Meng Date: Mon, 8 Apr 2024 20:24:05 +0000 Subject: [PATCH 1/2] Add docs to get the public key from the origin --- docs/pages/serving_an_origin.mdx | 24 ++++++++++++++++++++++++ 1 file changed, 24 insertions(+) diff --git a/docs/pages/serving_an_origin.mdx b/docs/pages/serving_an_origin.mdx index e370dd46a..3d723d791 100644 --- a/docs/pages/serving_an_origin.mdx +++ b/docs/pages/serving_an_origin.mdx 
@@ -198,3 +198,27 @@ Once you have your origin set up, follow the steps below to test if your origin ``` Congratulations! Your have finished setting up and running your origin. + +## Obtain the Public Key of the Origin + +Pelican origin follows [OpenID Connect (OIDC)](https://openid.net/developers/how-connect-works/) protocol for authenticating users for object accesses. In the OIDC setup, a user's identity was encoded in a _token_ that is _signed_ by the origin, using its _private key_. The private key only lives on the origin server and is never exposed to the public. To verify the integrity the token and make sure it's not tampered by malicious attackers, a _public key_ generated from the _private key_ is available for others to check the signature of the token. + +The _public keys_ are used in Pelican federation to facilitate user authentication and server identity verification. It is also used to register a namespace at the Pelican registry. The public key used to register a namespace at the Pelican registry should be the public key of the Pelican origin that exports and hosts the namespace. This is because Pelican origin manages user identity verification and authorization for the namespaces it exports. To look up the public key of a Pelican origin, go to `https://:/.well-known/issuer.jwks`. The public key will be automatically downloaded as a `JSON` file. An example file is as following: + +```json filename="issuer.jwks" +{ + "keys":[ + { + "kty":"EC", + "use":"sig", + "crv":"P-256", + "kid":"sig-1712605941", + "x":"c3BhLEMGqmO98-43pD3R5DJtUGIQf4McsNBWuVTorVI", + "y":"eWssaV6WrG4kVla1Ygdr_qUZeqgN7I2fDeb3K1qL0qI", + "alg":"ES384" + } + ] +} +``` + +> Note that you need to run your Pelican origin before downloading the public key From 03f5992f91e10f8b9698b436c563f36125e5f754 Mon Sep 17 00:00:00 2001 
From: Haoming Meng Date: Thu, 11 Apr 2024 21:13:37 +0000 Subject: [PATCH 2/2] Fix typo --- docs/pages/serving_an_origin.mdx | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/pages/serving_an_origin.mdx b/docs/pages/serving_an_origin.mdx index 3d723d791..e15df86d2 100644 --- a/docs/pages/serving_an_origin.mdx +++ b/docs/pages/serving_an_origin.mdx 
@@ -201,9 +201,9 @@ Congratulations! Your have finished setting up and running your origin. ## Obtain the Public Key of the Origin -Pelican origin follows [OpenID Connect (OIDC)](https://openid.net/developers/how-connect-works/) protocol for authenticating users for object accesses. In the OIDC setup, a user's identity was encoded in a _token_ that is _signed_ by the origin, using its _private key_. The private key only lives on the origin server and is never exposed to the public. To verify the integrity the token and make sure it's not tampered by malicious attackers, a _public key_ generated from the _private key_ is available for others to check the signature of the token. +Pelican origins follow [OpenID Connect (OIDC)](https://openid.net/developers/how-connect-works/) protocol for authenticating users for object access. In the OIDC setup, a user's identity is encoded in a _token_ that is _signed_ by the origin, using its _private key_. The private key only lives on the origin server and is never exposed to the public. To verify the integrity the token and make sure it's not tampered by malicious attackers, a _public key_ generated from the _private key_ is available for others to use to check the signature of the token. -The _public keys_ are used in Pelican federation to facilitate user authentication and server identity verification. It is also used to register a namespace at the Pelican registry. The public key used to register a namespace at the Pelican registry should be the public key of the Pelican origin that exports and hosts the namespace. This is because Pelican origin manages user identity verification and authorization for the namespaces it exports. To look up the public key of a Pelican origin, go to `https://:/.well-known/issuer.jwks`. The public key will be automatically downloaded as a `JSON` file. 
An example file is as following: +The _public keys_ are used in a Pelican federation to facilitate user authentication and server identity verification. They are also used to register a namespace at the Pelican registry. The public key used to register a namespace at the Pelican registry should be the public key of the Pelican origin that exports and hosts the namespace. This is because the Pelican origin manages user identity verification and authorization for the namespaces it exports. To look up the public key of a Pelican origin, go to `https://:/.well-known/issuer.jwks`. The public key will be automatically downloaded as a `JSON` file. An example file is as following: ```json filename="issuer.jwks" {
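Review bot: In the first hunk the `issuer.jwks` example is internally inconsistent: the key declares `"crv":"P-256"` but `"alg":"ES384"`, and RFC 7518 defines ES384 as ECDSA over P-384 with SHA-384, so a JWT library that checks the algorithm against the key's curve will reject a token verified against this key exactly as shown; change the example to `"alg":"ES256"`, or if this is what a real origin emits, treat it as a bug to fix rather than as documentation. Two smaller points in the same hunk: the lookup URL renders as `https://:/.well-known/issuer.jwks`, so the host and port placeholders between `https://` and `/` appear to have been swallowed by MDX and should be escaped or spelled out so readers know what to substitute; and in the first paragraph "verify the integrity the token" is missing "of" and "tampered by" should be "tampered with by". Since the registry trusts whatever this endpoint serves, it is also worth one sentence telling readers to fetch it over HTTPS with certificate validation and to check that the `kid` in the file matches the `kid` in the token header before trusting a signature.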
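Review bot: The second hunk is titled "Fix typo" but leaves the most visible one in its own context line, "Congratulations! Your have finished setting up", unchanged; it should be "You have" and it is in range of this hunk, so fold it in. The rewritten first paragraph also still reads "To verify the integrity the token" (missing "of") and "tampered by malicious attackers" ("tampered with"), and "follow [OpenID Connect (OIDC)](...) protocol" wants an article: "follow the OpenID Connect (OIDC) protocol".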