Tips, Tricks, Docs about tokens

how to get a token

  1. via web interface by visiting
  2. via oidc-agent/oidc-token tool (see )

how to use the token

gocurl -header "Authorization: Bearer <token>" ...<your-service>
More from Valentin

This is similar to x509, you obtain certificate separately and then you can use it. The token you'll obtain separately too. For web clients everything will be transparent, i.e. when client will be visiting cmsweb-auth, it will be redirected to CERN SSO if it does not have valid token (within browser). For CLI tools you'll need extra software to obtain token, or you can use token obtained to a web interface.

how to reset encryption password

from Andrea Ceccanti

Ciao Stefano,

credo tu ti riferisca alla password locale dell'account oidc-agent.

Quello che farei io e' creare un altro account.

Conta che puoi sempre fare piazza pulita cancellando il file da


questo lascera' un client orfano in IAM ma non e' un grosso problema.


On Tue, Nov 02, 2021 at 06:18:21PM +0100, Stefano Belforte wrote:
> Ciao Andrea,
> so che non dovrei scrivere a te.. ma non so a chi altri !
> Facevo delle prove on indigo iam
> e mi sono accorto che ho dimenticaot la decryption password,
> e ora non mi fa nemeno ricominciare da capo perche' per cancelllare
> la config. vuole comunque la password.
> Come si puo' fare un reset ? C'e' un file da qualche parte che
> posso cancellare come root ?
> LapSB:~$ oidc-add -l
> The following account configurations are usable:
> wlcg
> LapSB:~$ oidc-add wlcg
> Enter decryption password for account config 'wlcg':
> Enter decryption password for account config 'wlcg':
> Enter decryption password for account config 'wlcg':
> Error: reached maximum number of tries
> Error: reached maximum number of tries
> LapSB:~$
> oidc-token wlcg  anche peggio perche' mi chiede la password
> in una finestra popup

Andrea Ceccanti - INFN-CNAF

Viale Berti Pichat 6/2 40127 Bologna, Italy
+39 0512095 50
skype: andreaceccanti
keybase: andreaceccanti

useful links

from Stephan

There is a good general token introduction video, there is a CE token presentation by Brian and the WLCG token specification at

from Maarten:

Hi again,
hopefully the following set of links is sufficient to get started:

1. The IAM client needs to be registered to have access.
As Panos is in the CMS VO, this may be the easiest method:

It also has a link to the API.  The service for CMS is:

2. How to get oidc-agent that (for now) is used to get tokens:

3. How to use the registered client to get an access token:

4. The SCIM API through which the desired user info can be obtained:

5. Example implementation from ESCAPE, which only picks up the set of X509 subject DNs from the VO, ignoring the token subjects:

Let's see how things go and we can then consolidate such info plus
improvements on a Twiki page.  Brian, do you have better links?

> On 03/11/2021 16:50 wrote:
> Hi Panos,
> the token _subject_ is a string, like the X509 subject DN, except that
> we preferred making it opaque for GDPR reasons.  You can get it from
> IAM along with the X509 subject DN(s) per user.
> I will find you the relevant links.

How to check token validity etc.

in general this works:

for tokens obtained by cmsweb-auth, expiration is printed in the browser output

other ways ? can use python. Need to split access token in the 3 parts (header, payload, signature) as per and add extra padding for safety as per , but it is OK at least in python3

import base64
import json
import pprint
import time
#signature is a binary string... no point
# give things like:
>>> pprint.pprint(header)
{'alg': 'RS256',
 'kid': 'VaD3D0PRnPW0y1zA-0byR1fHlHUjjSEg016x2crchyc',
 'typ': 'JWT'}
>>> pprint.pprint(payload)
{'acr': '1',
 'at_hash': '_ni5DQTPqHpctiCcR8WEUQ',
 'aud': 'cms-go',
 'auth_time': 1635979533,
 'azp': 'cms-go',
 'cern_mail_upn': '',
 'cern_person_id': 373708,
 'cern_preferred_language': 'EN',
 'cern_upn': 'belforte',
 'email': '',
 'exp': 1635980733,
 'family_name': 'Belforte',
 'given_name': 'Stefano',
 'iat': 1635979533,
 'iss': '',
 'jti': 'ddb0f5b5-d375-4cae-926d-9da5583fb887',
 'name': 'Stefano Belforte',
 'preferred_username': 'belforte',
 'session_state': 'b92aa5b1-bc21-4869-abfd-bac3653152b1',
 'sub': 'belforte',
 'typ': 'ID'}
>>> print('exp: ' + time.ctime(payload.get('exp',0)))
exp: Thu Nov  4 00:05:33 2021

Token renewal flow

From Brian

Hi Stefano,

You're not the only one to ask such a question.  The OSG put together a small package to make this simpler:

The idea is you can specify the tokens you want in a single config file (possibly referencing other files with the secrets in it) and ensure they are always periodically available as a specific user.

There's a number of items to wrangle.  I'd suggest starting at a single place.  My suggested sequence is:

1.  IDTOKENS for CRAB TaskWorker -> CRAB schedd communication.
2.  Token to talk from CRAB TaskWorker to CMSWEB.
3.  Token managed by HTCondor and sent to job.
4.  Token managed by user for "crab submit".

Tokens vs xrootd (from Bockjoo)

-- StefanoBelforte - 2021-11-03

Edit | Attach | Watch | Print version | History: r5 < r4 < r3 < r2 < r1 | Backlinks | Raw View | WYSIWYG | More topic actions
Topic revision: r5 - 2022-07-03 - StefanoBelforte
    • Cern Search Icon Cern Search
    • TWiki Search Icon TWiki Search
    • Google Search Icon Google Search

    Sandbox All webs login

This site is powered by the TWiki collaboration platform Powered by PerlCopyright & 2008-2022 by the contributing authors. All material on this collaboration platform is the property of the contributing authors.
or Ideas, requests, problems regarding TWiki? use Discourse or Send feedback