Diana Gudu, Marcus Hardt, Gabriel Zachmann
Oct 2023
oidc-agent
EPEL, Fedora, Debian, Ubuntu, OpenSuSE, Mac, Windows
mytokens
oidc-agent + curl
curl https://aai.egi.eu/auth/realms/egi/protocol/openid-connect/userinfo -H "Authorization: Bearer `oidc-token egi`"
flaat
# Example Code (skipping boilerplate)
@routes.get("/authorized_vo")
@flaat.requires(
    get_vo_requirement(
        [
            "urn:geant:h-df.de:group:m-team:feudal-developers",
            "urn:geant:h-df.de:group:MyExampleColab#unity.helmholtz.de",
        ],
        "eduperson_entitlement", match=1,
    )
)
async def authorized_vo(request):
    return web.Response(text="This worked: user has the required entitlement")
# Example call and response
$ http http://localhost:8080/authorized_vo "Authorization: Bearer `oidc-token login`"
HTTP/1.1 200 OK
Content-Length: 46
Content-Type: text/plain; charset=utf-8
Date: Fri, 17 Mar 2023 13:54:51 GMT
Server: Python/3.11 aiohttp/3.8.3
This worked: user has the required entitlement
Refresh Token to the Infrastructure
Access Tokens (ATs cannot be revoked!!)
mytoken to the user
mytokens for Access Tokens:
mytoken from a "master" mytoken
refresh-tokens with the job
mytoken down to site where it's sent to
orpheus
ssh?
Important: We are working together to make / keep things compatible
entitlement
sub + iss
pam-ssh-oidc
feudal
motley_cue + mccli
ssh-certificate-based approach (oinit)
pam-ssh-oidc + motley-cue
oidc-agent + mccli
mytoken (on daily basis)
oidc-agent forwarding works out of the box
rsync
scp, rsync, or git
oinit tools
oidc-agent + oinit tools
$HOME/.ssh/config to define commands to run before ssh
oinit add <host>[:port] [ca]
motley-cue to authorise and create user
oinit ssh
the serverside inspects the call (as oinit)
oinit-switch <username> [<command>]
rsync, git, …
unity (also used for Eudat's b2access)
G0XY documents
{
  "body": {
    "iss": "https://login.helmholtz.de/oauth2",
    "sub": "6c611e2a-2c1c-487f-9948-c058a36c8f0e"
  },
  "display_name": "Marcus Hardt",
  "eduperson_assurance": [
    "https://refeds.org/assurance/IAP/medium"
  ],
  "eduperson_entitlement": [
    "urn:geant:h-df.de:group:HDF#login.helmholtz.de",
    "urn:geant:helmholtz.de:group:Helmholtz-member#login.helmholtz.de",
    "urn:geant:helmholtz.de:group:HIFIS:Associates#login.helmholtz.de",
    "urn:geant:helmholtz.de:group:IMK-TRO-EWCC#login.helmholtz.de",
    "urn:geant:helmholtz.de:group:KIT#login.helmholtz.de",
    "urn:mace:dir:entitlement:common-lib-terms",
    "http://bwidm.de/entitlement/bwLSDF-SyncShare"
  ],
  "eduperson_scoped_affiliation": [
    "employee@kit.edu",
    "member@kit.edu"
  ],
  "eduperson_unique_id": "6c611e2a2c1c487f9948c058a36c8f0e@login.helmholtz-data-federation.de",
  "email": "marcus.hardt@kit.edu"
}
eduPersonEntitlement
voPersonExternalID
voperson_external_id
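The entitlement check behind the flaat decorator shown earlier, as an added example run against a trimmed copy of the slide's userinfo document (this is not flaat's own code; the `#authority` stripping and the `match` counting are assumed simplifications of how such a VO requirement is evaluated):

```python
import json

# Userinfo trimmed to the claims the check uses; values are copied from the
# slide's document and constructed here inline, not fetched from a server.
USERINFO = json.loads("""
{
  "eduperson_entitlement": [
    "urn:geant:h-df.de:group:HDF#login.helmholtz.de",
    "urn:geant:helmholtz.de:group:Helmholtz-member#login.helmholtz.de",
    "urn:geant:helmholtz.de:group:KIT#login.helmholtz.de",
    "urn:mace:dir:entitlement:common-lib-terms"
  ],
  "eduperson_scoped_affiliation": ["employee@kit.edu", "member@kit.edu"]
}
""")

# The requirement from the slide's flaat example.
REQUIRED_VO = [
    "urn:geant:h-df.de:group:m-team:feudal-developers",
    "urn:geant:h-df.de:group:MyExampleColab#unity.helmholtz.de",
]


def strip_authority(entitlement):
    """Drop the optional '#group-authority' suffix of an AARC-G002 style
    entitlement so that only the group part is compared (assumed
    simplification, not flaat's matching rules)."""
    return entitlement.split("#", 1)[0]


def vo_requirement_satisfied(userinfo, required, claim="eduperson_entitlement", match=1):
    """Return True if at least `match` entries of `required` are present in the
    user's `claim`; match="all" demands every entry. A missing claim or a
    claim delivered as a bare string instead of a list is handled rather
    than raising, so a malformed userinfo denies instead of crashing."""
    values = userinfo.get(claim, [])
    if isinstance(values, str):
        values = [values]
    have = {strip_authority(v) for v in values}
    hits = sum(1 for r in required if strip_authority(r) in have)
    needed = len(required) if match == "all" else int(match)
    return hits >= needed
```

With the slide's own document neither required group is present, so the request to /authorized_vo would be refused; adding the user's HDF group to the requirement list makes `match=1` succeed while `match="all"` still fails.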
Following the AARC Policy Development Kit:
https://aarc-community.org/policies/policy-development-kit
apt-get install motley-cue pam-ssh-oidc
pip install mccli
/etc/pam.d/sshd
/etc/motley-cue/motley-cue.conf
/etc/motley-cue/feudal.conf