Expand description of htgettoken on using-tokens page #119

Merged: 2 commits, Aug 25, 2023
28 changes: 26 additions & 2 deletions docs/security/tokens/using-tokens.md
Expand Up @@ -19,6 +19,24 @@ If you are a member of a collaboration with an OIDC provider (such as [CILogon](
This client tool is available either as [a container](#using-a-container) or as
[an RPM installation](#using-an-rpm-installation).

Alternatively, a collaboration may choose to set up a shared
[htvault-config](https://github.com/fermitools/htvault-config)
service that is registered as the OIDC client or clients and enables
each user to have a simpler experience to obtain tokens using the
[htgettoken](https://github.com/fermitools/htgettoken)
command while at the same time keeping long-lived refresh tokens stored
more securely.
Both of those can be installed as RPMs from OSG as described at the
above links, and they are also
[integrated with HTCondor](https://htcondor.readthedocs.io/en/latest/admin-manual/file-and-cred-transfer.html#using-vault-as-the-oauth-client).
OSG recommends those tools as documented at those links for when
collaborations are ready to use tokens in production,
but the rest of this page gives instructions for `oidc-agent` which
is better for early experimentation with tokens.
At the [end of the page](#examining-tokens) we also recommend installing
the `htgettoken` package just for its additional `htdecodetoken` command
which is useful for looking inside tokens.

!!! tip "Alternative tokens for testing"
If you are not a member of a collaboration with access to an OIDC provider, you can generate test SciTokens using
[these instructions](#generating-scitokens-for-testing)
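Review bot: In the added paragraph, "keeping long-lived refresh tokens stored more securely" does not say more securely than what, or where the refresh tokens are kept. Since the rest of the page covers `oidc-agent`, state the comparison explicitly, for example that the refresh tokens are held by the shared htvault-config service rather than by each user's client, if that is the intent. "Both of those", "those tools" and "those links" are also ambiguous after three links in a row; naming htvault-config and htgettoken again would read more clearly. Please also confirm that `#examining-tokens` matches an existing heading, since that section is not visible in this diff.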
Expand Down Expand Up @@ -255,5 +273,11 @@ You can use the tools in the `scitokens-cpp` RPM to validate a SciToken or WLCG

# yum install htgettoken

2. Write the token to a file named `tok`.
3. Run `httokendecode -H tok`
2. Write the token to a file named `tok` or store it in one of the
default WLCG Bearer Token Discovery locations described above.
3. Run `htdecodetoken -H tok` or leave off the `tok` filename if
it is in one of the default locations.

`htdecodetoken` is one of the
[additional commands](https://github.com/fermitools/htgettoken#additional-commands)
that come with the `htgettoken` package.
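Review bot: Step 2 tells the reader to write a bearer token to a file named `tok` without mentioning file permissions. Anyone who can read that file can use the token, so suggest adding that the file should be readable only by its owner (e.g. mode 0600), or steering readers towards the default discovery locations first. In step 3, `-H` is used without saying what it does; a few words of explanation would help. The reference to the locations "described above" would be easier to follow as a link to that section.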