Yes, what gets forwarded with sss is a deep copy of the SecEntity
structure (that includes the token pointed to by creds) and its
attributes. That means any implied mapping at the time of the copy is
forwarded.

Now, it could be that the SciToken plugn does not use the ztn token if no
token is supplied on the URL. We did talk about doing this I just don't
remember if it ever got done.

Andy

On Wed, 7 Dec 2022, Brian P Bockelman wrote:

> Oh, I had misunderstood your setup! I didn't realize the scitokens piece and multiuser piece were on different servers.
>
> Seems the problem is the fact that the token is evaluated (and potentially mapped) per-request whereas maybe SSS works at the session level? In other words, the mapping is happening too late to affect what SSS is doing.
>
> @cantrip - if you insert the token into the URL (`?authz=Bearer%20XXXXXX`), does it forward the token to the origin and does the origin act correctly in that case?
>
> This is getting to my limit of knowledge about how SSS works... @abh3, should we be forwarding the session token in the proxy?
>
> --
> Reply to this email directly or view it on GitHub:
> https://github.com/xrootd/xrootd/issues/1851#issuecomment-1341899964
> You are receiving this because you were mentioned.
>
> Message ID: ***@***.***>

—
Reply to this email directly, view it on GitHub, or unsubscribe.
You are receiving this because you are subscribed to this thread.

[ { "@context": "http://schema.org", "@type": "EmailMessage", "potentialAction": { "@type": "ViewAction", "target": "https://github.com/xrootd/xrootd/issues/1851#issuecomment-1341955431", "url": "https://github.com/xrootd/xrootd/issues/1851#issuecomment-1341955431", "name": "View Issue" }, "description": "View this Issue on GitHub", "publisher": { "@type": "Organization", "name": "GitHub", "url": "https://github.com" } } ]

Use REPLY-ALL to reply to list

To unsubscribe from the XROOTD-DEV list, click the following link:
https://listserv.slac.stanford.edu/cgi-bin/wa?SUBED1=XROOTD-DEV&A=1