When using ZTN to pass the scitoken, the token reaches XrdAccSciTokens::Validate() as expected. However, a later call to XrdAccSciTokens::Access() fails.

https://github.com/xrootd/xrootd/blob/10d27966ce0a6637e988df5a7c43bdaad7d09b24/src/XrdSciTokens/XrdSciTokensAccess.cc#L312-L314

Access() expects to find the token with env->Get("authz"), which I believe is only true for HTTPS.

With the current flow, it seems Validate() does a scitoken_deserialize() to process the token, and leaves ACLs to Access(). Then Access() generates ACLs, and puts them into a cache (keyed by the JWT).

As for possible solutions, the token could be stored in Validate() (which seems like something to avoid). Or we could refactor to instead generate the ACLs in Validate().
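The two flows described above, as an added C++ sketch that is not part of the original report and is not XRootD code. `Env`, `Session`, every function name and the `read:<prefix>` token format are hypothetical stand-ins; a real SciToken is a signed JWT, and the ACL cache keyed by JWT is left out.

```cpp
#include <map>
#include <set>
#include <string>

// Hypothetical stand-ins for illustration; none of these are XRootD types.
typedef std::map<std::string, std::string> Env;  // per-request environment ("authz")
typedef std::set<std::string> Acls;              // path prefixes the token may read
struct Session { Acls acls; bool bound = false; };  // per-connection state

// Constructed token format "read:<prefix>"; a real SciToken is a signed JWT.
bool acls_from_token(const std::string &tok, Acls &out) {
    const std::string p = "read:";
    if (tok.size() <= p.size() || tok.compare(0, p.size(), p) != 0) return false;
    out.insert(tok.substr(p.size()));
    return true;
}

// Prefix match on a path-component boundary, so "/data" does not cover "/database".
bool permits(const Acls &acls, const std::string &path) {
    for (const std::string &pre : acls) {
        if (path.compare(0, pre.size(), pre) != 0) continue;
        if (path.size() == pre.size() || pre.back() == '/' || path[pre.size()] == '/')
            return true;
    }
    return false;
}

// Flow in the report: validation only checks the token; the access check
// re-reads it from the request environment, which a ZTN login never fills.
bool validate_only(const std::string &tok) { Acls tmp; return acls_from_token(tok, tmp); }
bool access_from_env(const Env &env, const std::string &path) {
    Env::const_iterator it = env.find("authz");
    if (it == env.end()) return false;  // ZTN case: no token, access denied
    Acls acls;
    return acls_from_token(it->second, acls) && permits(acls, path);
}

// Second option in the report: derive the ACLs during validation and keep
// only those on the session, so the raw bearer token is never retained.
bool validate_and_bind(const std::string &tok, Session &s) {
    Acls acls;
    if (!acls_from_token(tok, acls)) return false;
    s.acls = acls;
    s.bound = true;
    return true;
}
bool access_from_session(const Session &s, const std::string &path) {
    return s.bound && permits(s.acls, path);
}
```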


Message ID: <xrootd/xrootd/issues/1584@github.com>