Yes, what gets forwarded with sss is a deep copy of the SecEntity structure (that includes the token pointed to by creds) and its attributes. That means any implied mapping at the time of the copy is forwarded. Now, it could be that the SciToken plugn does not use the ztn token if no token is supplied on the URL. We did talk about doing this I just don't remember if it ever got done. Andy On Wed, 7 Dec 2022, Brian P Bockelman wrote: > Oh, I had misunderstood your setup! I didn't realize the scitokens piece and multiuser piece were on different servers. > > Seems the problem is the fact that the token is evaluated (and potentially mapped) per-request whereas maybe SSS works at the session level? In other words, the mapping is happening too late to affect what SSS is doing. > > @cantrip - if you insert the token into the URL (`?authz=Bearer%20XXXXXX`), does it forward the token to the origin and does the origin act correctly in that case? > > This is getting to my limit of knowledge about how SSS works... @abh3, should we be forwarding the session token in the proxy? > > -- > Reply to this email directly or view it on GitHub: > https://github.com/xrootd/xrootd/issues/1851#issuecomment-1341899964 > You are receiving this because you were mentioned. > > Message ID: ***@***.***> -- Reply to this email directly or view it on GitHub: https://github.com/xrootd/xrootd/issues/1851#issuecomment-1341955431 You are receiving this because you are subscribed to this thread. Message ID: <[log in to unmask]> ######################################################################## Use REPLY-ALL to reply to list To unsubscribe from the XROOTD-DEV list, click the following link: https://listserv.slac.stanford.edu/cgi-bin/wa?SUBED1=XROOTD-DEV&A=1