Hello all,

starting a fresh thread here in reference to TPC with tokens.

I believe I have fixed the dCache door to allow for TPC with JWT tokens by allowing the third-party client to pass through authentication if it has the correct rendezvous key/token and TLS is on. It certainly works for dCache to dCache, and I am trying to confirm dCache to xrootd and vice versa, but I am struggling to get the xrootd server set up properly to authorize using the token issued here at Fermilab.

However, that is not the question I have. What I am writing about here has to do with ZTN in this equation. If your ZTN module is loaded, how does it know to allow the third-party client to get a "pass", since that client does not have any JWT token?

Or does it still get the ZTN token even though it does not provide a token for authorization to the source server?

Or do you have to turn ZTN off with TPC?

I am asking these questions because I have not figured out, for dCache, how to (a) specify ZTN as an authentication protocol, but (b) allow a specifically third-party connection not to have to present a ZTN token. At authentication time, it does not seem to me the server knows enough about the client to be able to distinguish what it is.

Or does it?

Some guidance here would be very helpful,

Thanks, Al

________________________________________________
Albert L. Rossi
Senior Software Developer
Scientific Computing Division, Scientific Data Services, Distributed Data Development
FCC 229A
Mail Station 369 (FCC 2W)
Fermi National Accelerator Laboratory
Batavia, IL 60510
(630) 840-3023


