Tokens in WMCore
Tokens provide a way to authenticate services with OAuth providers. Please refer to the OAuth documentation for a detailed description of the OAuth protocol and further references. Here we describe the practical side of obtaining tokens within the CMS environment.

There are multiple ways to obtain a token: either via the oidc tools, or by obtaining client credentials and querying the IAM provider. The former requires installing the oidc tools on your node and running `oidc-agent`, while the latter can use standard tools like `curl`. Below we describe the process of obtaining a token via client credentials and the `curl` tool.
To obtain an IAM token via client credentials you need to follow these steps:
- visit https://cms-auth.web.cern.ch/
- login via your X509 certificate or CERN SSO; if necessary you will need to register first
- then, click on `Self-service client registration`
- fill in the proper fields in the main tab, which include:
  - Client-Name, e.g. `Test-WMAgent`
  - Redirect URIs, e.g. `https://cmsweb.cern.ch`
  - Contacts, e.g. you may add an e-group which will handle the registration and access to tokens. For that I suggest creating an admin group (we follow that rule in the CMSWEB and Monitoring groups) with only a few members, like L2s or main developers. This group will receive emails and can be used to access the token afterwards
- go to the `Access` tab and check all scopes your token will need (I chose compute.read, etc., which may be relevant for WMAgent). THE MOST IMPORTANT: for `Grant Types` choose `client credentials`, and for `Response Types` uncheck everything. Request only the scopes the service actually needs; every scope you add is carried by the token and usable by anyone who obtains it
- finally, return to the main tab and click on Save. This will present you with the client credentials, the configuration URI and the registration access token. Save all of them in a safe place (DO NOT SHARE). The `client_id` and `client_secret` will be used by the script described below and you will need to put them in place on the WMA node, while the registration access token will be needed if you later have to change something in your client configuration.
After you have obtained your `client_id` and `client_secret` and saved them in files, you may run the provided script as follows:

```
IAM_CLIENT_ID=./secrets/client_id IAM_CLIENT_SECRET=./secrets/client_secret bin/create-iam-token.sh
```

or put your client_id and client_secret in a different location. The script will generate a token in /tmp/token which you can later use to access OAuth-protected sites and/or in your workflows. Keep in mind that the token is a bearer credential: whoever can read the file can act as your client until the token expires, so make sure the token file (and the secret files) are readable only by the account that needs them.
If you prefer a pure `curl` solution, run the following command (which is what `create-iam-token.sh` executes):

```
curl -s -k -d grant_type=client_credentials \
     -u ${client_id}:${client_secret} \
     https://cms-auth.web.cern.ch/token
```

where `client_id` and `client_secret` are your client id/secret values. Two caveats: `-k` disables TLS certificate verification, so the secret could be sent to an impostor endpoint; drop it on nodes where the CERN CA is trusted. Also, passing the secret on the command line via `-u` exposes it in the process list and shell history; on a shared node prefer reading it from a file, e.g. `-u "${client_id}:$(cat ./secrets/client_secret)"` or a curl config file with restrictive permissions.
If you want to know what is stored in your token you may grab your token and visit jwt.io, where you can paste it and see its attributes. Note that pasting a live token into any third-party web site hands that site a valid bearer credential; do that only with expired or test tokens, and prefer decoding locally. For that we provide the `decode-token` tool, which can be used as follows:

```
# run client
./decode-token -token=$token
# if token is invalid you'll see the following message:
2022/02/22 13:49:38 The token is not valid
# otherwise the token attributes will be printed like this:
{
    "sub": "xxxx-yyyy-6251d28e94a1",
    "aud": "[https://wlcg.cern.ch/jwt/v1/any]",
    "iss": "https://cms-auth.web.cern.ch/",
    "username": "",
    "active": true,
    "session_state": "",
    "clientId": "xxxx-yyyy-51ee6a978680",
    "email": "",
    "scope": "address phone openid offline_access profile eduperson_scoped_affiliation eduperson_entitlement email wlcg",
    "exp": 1645557402,
    "clientHost": ""
}
```

The same information is visible on the jwt.io web site when you paste your token there. The `exp` attribute is a Unix timestamp of the token's expiry; `scope` lists what the token is allowed to do, so check it matches what you requested at registration.
Once you have a valid token stored in a file you need to manage it accordingly, since it will expire after some time (see the `exp` attribute). This can be done by running a cronjob with the `create-iam-token.sh` script, which will store the token in your desired location. Please refer to the `create-iam-token.sh` script for details on which environment variables to provide for this task.
To use your token from the WMCore codebase, e.g. within your application or service, you need to define the `IAM_TOKEN` environment variable to point either to your token value or to a file name which stores the token. Then, all calls made via the `pycurl_manager` module will use this token. If you need to obtain the token explicitly you should do the following:

```python
# load appropriate module
from Utils.TokenManager import getToken
# get token (reads the IAM_TOKEN environment variable)
token = getToken()
```

The `getToken` function by default uses the `IAM_TOKEN` environment variable, but you can also provide it with a file name which stores the token, e.g.

```python
# location of file which keeps token
fname = '/tmp/token'
# get token
token = getToken(fname)
```

Alternatively, you may use the `TokenManager` class to manage your tokens:

```python
# load appropriate module
from Utils.TokenManager import TokenManager
# define manager to use specific location, in this case /tmp/token file
fname = '/tmp/token'
tmgr = TokenManager(fname)
token = tmgr.getToken()
# define/use HTTP headers
headers = {}
headers['Authorization'] = 'Bearer {}'.format(token)
# follow your code logic to use HTTP headers
```
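The following is an added example, not WMCore's own `TokenManager` or `create-iam-token.sh`, that puts the pieces above together in plain Python: the client-credentials exchange done by the `curl` command (with TLS verification left on and the secret read from a file rather than the command line), a refresh decision based on the token's `exp` claim so a cron-style job only contacts IAM when the cached token is about to expire, a cache file written with owner-only permissions, and the `Bearer` header. The function names (`fetch_client_credentials_token`, `claims_from_jwt`, `token_needs_refresh`, `read_secret`, `write_token_file`, `ensure_token`, `bearer_header`, `make_unsigned_jwt`) are hypothetical helpers written for this page; `TOKEN_URL` is the endpoint from the page.

```python
"""Added example (not WMCore code): client-credentials token fetch, expiry-aware
refresh, owner-only cache file and Bearer header.  All function names here are
hypothetical helpers written for this page."""
import base64
import json
import os
import stat
import time
import urllib.parse
import urllib.request

TOKEN_URL = "https://cms-auth.web.cern.ch/token"  # IAM token endpoint from the page


def _b64url_decode(segment):
    """Decode a base64url segment, restoring the '=' padding that JWTs strip."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment.encode("ascii"))


def claims_from_jwt(token):
    """Return the payload claims of a JWT WITHOUT verifying its signature.
    Good enough to read 'exp' and schedule a refresh; never use this to decide
    whether a presented token is trusted (the resource server must verify the
    signature against the issuer's published keys)."""
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def token_needs_refresh(token, now=None, skew=300):
    """True if the token has no 'exp' or expires within `skew` seconds.
    The margin avoids racing the expiry on a long-running request."""
    now = time.time() if now is None else now
    exp = claims_from_jwt(token).get("exp")
    return exp is None or now + skew >= exp


def read_secret(path_or_value):
    """Mirror the page's IAM_TOKEN convention: accept either a literal value or
    the name of a file holding it (surrounding whitespace stripped)."""
    if os.path.isfile(path_or_value):
        with open(path_or_value) as fobj:
            return fobj.read().strip()
    return path_or_value.strip()


def fetch_client_credentials_token(client_id, client_secret, token_url=TOKEN_URL, scope=None):
    """Perform the client_credentials grant (same exchange as the curl command on
    the page) using HTTP Basic auth; TLS certificate verification stays enabled."""
    form = {"grant_type": "client_credentials"}
    if scope:
        form["scope"] = scope
    basic = base64.b64encode("{}:{}".format(client_id, client_secret).encode()).decode()
    req = urllib.request.Request(
        token_url,
        data=urllib.parse.urlencode(form).encode(),
        headers={"Authorization": "Basic " + basic,
                 "Content-Type": "application/x-www-form-urlencoded"},
        method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        body = json.loads(resp.read())
    return body["access_token"]


def write_token_file(token, path):
    """Store the token readable/writable only by the owner: it is a bearer
    credential, so a default-umask file in /tmp is not a good resting place."""
    mode = stat.S_IRUSR | stat.S_IWUSR
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, mode)
    with os.fdopen(fd, "w") as fobj:
        fobj.write(token)
    os.chmod(path, mode)  # also tighten a pre-existing file's mode


def ensure_token(path, client_id, client_secret, now=None):
    """Cron/daemon entry point: reuse the cached token while it is fresh,
    otherwise fetch a new one from IAM and overwrite the cache."""
    if os.path.isfile(path):
        cached = read_secret(path)
        if not token_needs_refresh(cached, now=now):
            return cached
    fresh = fetch_client_credentials_token(client_id, client_secret)
    write_token_file(fresh, path)
    return fresh


def bearer_header(token):
    """HTTP header dict to pass to your HTTP client, as in the page's example."""
    return {"Authorization": "Bearer {}".format(token)}


def make_unsigned_jwt(claims):
    """Constructed test helper (not a real token): a JWT-shaped string with an
    empty signature so the expiry logic can be exercised offline."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return "{}.{}.".format(enc({"alg": "none", "typ": "JWT"}), enc(claims))


if __name__ == "__main__":
    # Real usage on a WMA node; secrets are read from files, not the command line.
    cid = read_secret(os.environ.get("IAM_CLIENT_ID", "./secrets/client_id"))
    csec = read_secret(os.environ.get("IAM_CLIENT_SECRET", "./secrets/client_secret"))
    tok = ensure_token(os.environ.get("IAM_TOKEN", "/tmp/token"), cid, csec)
    print(claims_from_jwt(tok).get("exp"), bearer_header(tok)["Authorization"][:20] + "...")
```

Run as a cronjob it behaves like the page's `create-iam-token.sh`, except that it skips the network round trip when the cached token still has more than five minutes left, and it never disables certificate verification.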