https://github.com/opensciencegrid/osg-token-renewer
oidc-agent token renewal service and timer
- Host: GitHub
- URL: https://github.com/opensciencegrid/osg-token-renewer
- Owner: opensciencegrid
- Created: 2021-08-09T18:00:29.000Z (over 4 years ago)
- Default Branch: master
- Last Pushed: 2024-02-13T17:27:51.000Z (almost 2 years ago)
- Last Synced: 2024-04-16T19:14:04.631Z (almost 2 years ago)
- Language: Python
- Size: 50.8 KB
- Stars: 0
- Watchers: 8
- Forks: 5
- Open Issues: 2
Metadata Files:
- Readme: README.md
README
The OSG Token Renewal Service
-----------------------------
The OSG token renewal service is set up as a "oneshot" systemd service,
which runs under the `osg-token-svc` user, sets up an `oidc-agent`,
adds the relevant OIDC client accounts as specified in the `config.ini`
with `oidc-add`, and generates the tokens with `oidc-token`.
This service is set to run via a systemd timer approximately every 15 minutes.
If you would like to run the service manually at a different time (e.g., to generate
all the tokens immediately), you can run the service once with:
```console
root@host # systemctl start osg-token-renewer
```
If this succeeds, the new token will be written to the location you configured
for `token_path` (`/etc/osg/tokens/.token`, by convention).
Failures can be diagnosed by running:
```console
root@host # journalctl -eu osg-token-renewer
```
Configuring the OSG Token Renewal Service
-----------------------------------------
The main configuration file for the service is `/osg/token-renewer/config.ini`.
For each OIDC Client, you will add an `account` section to the config file.
For each token you wish to generate for this client account,
you will configure a `token` section with any relevant options.
Examples of this can be found in the `/osg/token-renewer/config.ini` that gets
installed with the package.
Each `[account ]` section corresponds to a client account
named ``, set up with the `oidc-gen` tool, run by the
`osg-token-renewer-setup.sh` script.
In this `account` section, the `password_file` option is a path to a file
you create as `root` with the encryption password to be used for this client
account.
Details for this configuration can be found in the
[documentation here](https://opensciencegrid.org/docs/other/osg-token-renewer/#configuring-tokens).
For each client account, you can configure one or more `[token ]`
sections, where `` is a unique name of your choosing.
These sections describe how to create the token with the `oidc-token` tool.
For details, see the
[documentation here](https://opensciencegrid.org/docs/other/osg-token-renewer/#configuring-accounts).
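
One way to audit the files that the `password_file` and `token_path` options point at, as an added example that is not part of the osg-token-renewer project. The permission policy, the function names and the `pw_uid` parameter are assumptions; only the two section kinds and the two option names come from the README above.

```python
import configparser
import os
import stat
import sys

# Assumed policy (not the project's): a password file is owned by pw_uid and
# has no group/other bits (0o077); a token file has no "other" bits (0o007).
CHECKS = {"account": ("password_file", 0o077), "token": ("token_path", 0o007)}

def check_file(path, forbidden_bits, owner_uid=None):
    """Return a list of problems for one file; an empty list means it passed."""
    try:
        st = os.lstat(path)  # lstat, so a symlink is reported, not followed
    except FileNotFoundError:
        return ["missing"]
    if not stat.S_ISREG(st.st_mode):
        return ["not a regular file"]
    problems = []
    mode = stat.S_IMODE(st.st_mode)
    if mode & forbidden_bits:
        problems.append("mode %04o too permissive" % mode)
    if owner_uid is not None and st.st_uid != owner_uid:
        problems.append("owned by uid %d, expected %d" % (st.st_uid, owner_uid))
    return problems

def audit_config(text, pw_uid=0):
    """Check the file named by each [account NAME] and [token NAME] section."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    findings = []
    for section in cp.sections():
        kind = (section.split() or [""])[0]
        option, bits = CHECKS.get(kind, (None, 0))
        if option is None:
            continue  # neither an account nor a token section
        path = cp.get(section, option, fallback=None)
        if path is None:
            problems = ["option not set"]
        else:
            uid = pw_uid if kind == "account" else None
            problems = check_file(path, bits, uid)
        if problems:
            findings.append((section, option, problems))
    return findings

if __name__ == "__main__":
    for cfg in sys.argv[1:]:  # config.ini path(s) given by the caller
        with open(cfg) as fh:
            print(cfg, audit_config(fh.read()))
```

A token file reported as `missing` may only mean the service has not yet run for that token.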