Oh, I had misunderstood your setup! I didn't realize the scitokens piece and multiuser piece were on different servers. Seems the problem is the fact that the token is evaluated (and potentially mapped) per-request whereas maybe SSS works at the session level? In other words, the mapping is happening too late to affect what SSS is doing. @cantrip - if you insert the token into the URL (`?authz=Bearer%20XXXXXX`), does it forward the token to the origin and does the origin act correctly in that case? This is getting to my limit of knowledge about how SSS works... @abh3, should we be forwarding the session token in the proxy? -- Reply to this email directly or view it on GitHub: https://github.com/xrootd/xrootd/issues/1851#issuecomment-1341899964 You are receiving this because you are subscribed to this thread. Message ID: <[log in to unmask]> ######################################################################## Use REPLY-ALL to reply to list To unsubscribe from the XROOTD-DEV list, click the following link: https://listserv.slac.stanford.edu/cgi-bin/wa?SUBED1=XROOTD-DEV&A=1