> First, what is the actual contents of authinfo when a token is used to populate that field

Of course, currently there is nothing. Here's how the fields are populated from a XrdSecEntity object (from https://github.com/xrootd/xrootd/blob/master/src/XrdXrootd/XrdXrootdXeq.cc#L4037-L4048):

```
snprintf(Buff,sizeof(Buff),
         "&p=%s&n=%s&h=%s&o=%s&r=%s&g=%s&m=%s%s&I=%c",
         Client->prot,
         (Client->name ? Client->name : ""),
         (Client->host ? Client->host : ""),
         (Client->vorg ? Client->vorg : ""),
         (Client->role ? Client->role : ""),
         (Client->grps ? Client->grps : ""),
         (Client->moninfo ? Client->moninfo : ""),
         (Entity.moninfo ? Entity.moninfo : ""),
         (clientPV & XrdOucEI::uIPv4 ? '4' : '6')
```

For the XrdSciTokens plugin (https://github.com/xrootd/xrootd/blob/master/src/XrdSciTokens/XrdSciTokensAccess.cc#L453), here's what's in those fields:

- `prot`: Unfilled by plugin, I consider this owned by the authorization plugin (could be `ztn`, for example, or `https`).
- `name`: Unfilled by plugin.
  - Instead, `request.name` in extended attributes is set to the mapped username.
  - `token.subject` is set to the `sub` claim of the token.
- `host`: Unfilled by plugin, not relevant here.
- `vorg`: Set to the issuer (`iss` claim)
- `grps`: Set to the groups in the token (`wlcg.groups` for WLCG tokens). Unused by macaroons plugin.
- `role`: Unused by the SciTokens and Macaroons plugin currently.
- `moninfo`: Unused by either plugin.

Here's what I'd propose for an authinfo for a request:

- `n`: Set to `request.name`.
- `o`: Set to issuer
- `r`: Set to role if non-empty.
- `g`: Set to groups if non-empty.
- `m`: Set to `token.subject`.

This is to be taken from the `XrdSecEntity` object associated with the file-open request. I'd propose it's only populated if the `request.name` extended attribute is set as that attribute indicates something occurred per-request. Notably, `p` and `h` are not included.

So, for an existing token from the WLCG issuer, here's a proposed authinfo:

```
n=bbockelm&o=https://cms-auth.web.cern.ch&m=e608252d-e817-4071-b15c-1a72fe557b3f
```

About 80 characters total.

--
Reply to this email directly or view it on GitHub: https://github.com/xrootd/xrootd/issues/1987#issuecomment-1499088998
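
The proposal above, sketched as an added example that is not code from the comment or from XRootD: it builds the per-request authinfo in the order `n`, `o`, `r`, `g`, `m`, and returns nothing when `request.name` is unset. `TokenEntity`, `escape_value`, `append_field` and `build_token_authinfo` are hypothetical names, and the percent-escaping of `&`, `%` and control bytes is an assumption added here, since `sub` and group claims come from the token and a raw `&` in one would split the record into extra fields.

```cpp
#include <iostream>
#include <string>

// Hypothetical stand-in for the entity fields named in the comment; not the XrdSecEntity type.
struct TokenEntity {
    std::string request_name;   // "request.name" extended attribute (mapped username)
    std::string token_subject;  // "token.subject" extended attribute (sub claim)
    std::string vorg;           // issuer (iss claim)
    std::string role;           // currently unused by the token plugins
    std::string grps;           // groups carried in the token
};

// Assumption (not in the proposal): escape bytes that would end or split a field.
static std::string escape_value(const std::string &in) {
    static const char hex[] = "0123456789ABCDEF";
    std::string out;
    for (unsigned char c : in) {
        if (c == '&' || c == '%' || c < 0x20 || c == 0x7f)
            out.append({'%', hex[c >> 4], hex[c & 0x0f]});
        else
            out += static_cast<char>(c);
    }
    return out;
}

// Appends "key=value"; optional fields are skipped when empty.
static void append_field(std::string &out, char key, const std::string &value, bool optional) {
    if (optional && value.empty()) return;
    if (!out.empty()) out += '&';
    out += key;
    out += '=';
    out += escape_value(value);
}

// Empty result means "do not emit authinfo": request.name was never set for this request.
std::string build_token_authinfo(const TokenEntity &e) {
    std::string out;
    if (e.request_name.empty()) return out;
    append_field(out, 'n', e.request_name, false);
    append_field(out, 'o', e.vorg, false);
    append_field(out, 'r', e.role, true);
    append_field(out, 'g', e.grps, true);
    append_field(out, 'm', e.token_subject, false);
    return out;  // p and h are deliberately not included
}

int main() {
    // Constructed sample reusing the values shown in the comment above.
    TokenEntity e{"bbockelm", "e608252d-e817-4071-b15c-1a72fe557b3f", "https://cms-auth.web.cern.ch", "", ""};
    std::cout << build_token_authinfo(e) << "\n";
}
```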