Currently, two technologies are involved in Authentication (AuthN for short) and Authorization (AuthZ) in the computing grid:

  • Virtual Organization Membership Service (VOMS), based on the X.509 certificate standard;
  • JSON Web Token (JWT), based on OpenID Connect and OAuth2.

They allow users to interact with the grid middleware, for example HTCondor-CE and ARC-CE for computing job submission, or StoRM WebDAV, dCache, XRootD, etc. for storage management.

VOMS

A VOMS proxy is a file, typically stored in /tmp/x509up_u$UID, that contains a certificate chain and a private key, used to interact with grid middleware. The proxy descends from a grid-enabled (i.e. IGTF) personal certificate and is shorter-lived, typically 12 hours.

For generating a proxy certificate without VOMS extensions, a user can issue the following command: 

[ashtimmerman@ui-tier1 ~]$ voms-proxy-init
Enter GRID pass phrase for this identity:
Created proxy in /tmp/x509up_u10171.
Your proxy is valid until Wed Jun 18 07:04:04 CEST 2025

For generating a proxy with VOMS extensions:

$ voms-proxy-init --voms <VO_name>

To display basic information about the current VOMS proxy:

[ashtimmerman@ui-tier1 ~]$ voms-proxy-info --all 
subject   : /DC=org/DC=terena/DC=tcs/C=IT/O=Istituto Nazionale di Fisica Nucleare/CN=Aksieniia Shtimmerman ashtimmerman@infn.it/CN=1171514709
issuer    : /DC=org/DC=terena/DC=tcs/C=IT/O=Istituto Nazionale di Fisica Nucleare/CN=Aksieniia Shtimmerman ashtimmerman@infn.it
identity  : /DC=org/DC=terena/DC=tcs/C=IT/O=Istituto Nazionale di Fisica Nucleare/CN=Aksieniia Shtimmerman ashtimmerman@infn.it
type      : RFC3820 compliant impersonation proxy
strength  : 2048
path      : /tmp/x509up_u10171
timeleft  : 11:58:42
key usage : Digital Signature, Key Encipherment
=== VO juno extension information ===
VO        : juno
subject   : /DC=org/DC=terena/DC=tcs/C=IT/O=Istituto Nazionale di Fisica Nucleare/CN=Aksieniia Shtimmerman ashtimmerman@infn.it
issuer    : /DC=org/DC=terena/DC=tcs/C=IT/ST=Roma/O=Istituto Nazionale di Fisica Nucleare/CN=voms-juno.cloud.cnaf.infn.it
attribute : /juno/Role=NULL/Capability=NULL
timeleft  : 11:58:42
uri       : voms-juno.cloud.cnaf.infn.it:15008
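The fields printed by voms-proxy-info --all are the ones a submission script should check before relying on a proxy. The following is an added example, not a tool from the page or from the VOMS project: it parses that text (a constructed sample laid out like the output above), converts the timeleft value, and reports why a proxy is not usable. The expected VO, the one-hour minimum lifetime and the example DNs are assumptions.

```python
# Added example (not part of the original page): parse what `voms-proxy-info --all`
# prints and decide whether the proxy is fit for a job submission. The sample
# text is constructed from the field layout shown above; the expected VO and the
# one-hour minimum lifetime are assumptions.
import re

# Constructed sample, laid out like the page's `voms-proxy-info --all` output.
SAMPLE_PROXY_INFO = """\
subject   : /DC=org/DC=terena/DC=tcs/C=IT/O=Example Org/CN=Jane Doe/CN=1171514709
issuer    : /DC=org/DC=terena/DC=tcs/C=IT/O=Example Org/CN=Jane Doe
identity  : /DC=org/DC=terena/DC=tcs/C=IT/O=Example Org/CN=Jane Doe
type      : RFC3820 compliant impersonation proxy
strength  : 2048
path      : /tmp/x509up_u10171
timeleft  : 11:58:42
key usage : Digital Signature, Key Encipherment
=== VO juno extension information ===
VO        : juno
subject   : /DC=org/DC=terena/DC=tcs/C=IT/O=Example Org/CN=Jane Doe
issuer    : /DC=org/DC=terena/DC=tcs/C=IT/ST=Roma/O=Example Org/CN=voms.example.org
attribute : /juno/Role=NULL/Capability=NULL
timeleft  : 11:58:42
uri       : voms.example.org:15008
"""

VO_HEADER = re.compile(r"=== VO (\S+) extension information ===")


def parse_proxy_info(text):
    """Return (proxy_fields, [vo_fields, ...]) from voms-proxy-info --all text."""
    proxy, vos, current = {}, [], None
    for line in text.splitlines():
        m = VO_HEADER.match(line)
        if m:
            current = {"VO": m.group(1)}
            vos.append(current)
            continue
        if ":" not in line:
            continue
        # Split on the first colon only: DN values contain no colon, but the
        # VOMS server URI does (host:port).
        key, _, value = line.partition(":")
        (proxy if current is None else current)[key.strip()] = value.strip()
    return proxy, vos


def hms_to_seconds(hms):
    """Convert the 'H:MM:SS' timeleft format to seconds."""
    h, m, s = (int(x) for x in hms.split(":"))
    return h * 3600 + m * 60 + s


def check_proxy(text, expected_vo, min_seconds=3600):
    """Return (ok, reasons): ok is True only when every requirement holds."""
    if text.startswith("Proxy not found"):
        return False, ["no proxy file"]
    proxy, vos = parse_proxy_info(text)
    reasons = []
    if "RFC3820" not in proxy.get("type", ""):
        reasons.append("not an RFC 3820 proxy")
    if int(proxy.get("strength", "0")) < 2048:
        reasons.append("key shorter than 2048 bits")
    if hms_to_seconds(proxy.get("timeleft", "0:00:00")) < min_seconds:
        reasons.append("proxy expires in less than %d s" % min_seconds)
    vo = next((v for v in vos if v["VO"] == expected_vo), None)
    if vo is None:
        reasons.append("no VOMS extension for VO %s" % expected_vo)
    elif hms_to_seconds(vo.get("timeleft", "0:00:00")) < min_seconds:
        # The VOMS attributes carry their own lifetime and can expire before the proxy does.
        reasons.append("VOMS attributes for %s expire in less than %d s" % (expected_vo, min_seconds))
    return not reasons, reasons


if __name__ == "__main__":
    ok, reasons = check_proxy(SAMPLE_PROXY_INFO, "juno")
    print("usable" if ok else "NOT usable: " + "; ".join(reasons))
```

To run it against a real proxy, feed it the command's output, e.g. check_proxy(subprocess.check_output(["voms-proxy-info", "--all"], text=True), "juno"). Note that the attribute section has its own timeleft: a proxy can still be valid while its VOMS attributes have already expired, which is why both values are checked.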

Often, for debugging purposes, it is useful to display the entire certificate chain, including intermediate and root certificates used to validate the proxy: 

[ashtimmermanus@ui-tier1 ~]$ voms-proxy-info --all --chain
=== Proxy Chain Information ===
X.509 v3 certificate
Subject: CN=1479623907,CN=Aksieniia Shtimmerman ashtimmerman@infn.it,O=Istituto Nazionale di Fisica Nucleare,C=IT,DC=tcs,DC=terena,DC=org
Issuer: CN=Aksieniia Shtimmerman ashtimmerman@infn.it,O=Istituto Nazionale di Fisica Nucleare,C=IT,DC=tcs,DC=terena,DC=org
Valid from: Tue Jun 17 19:04:04 CEST 2025
Valid to: Wed Jun 18 07:04:04 CEST 2025
CA: false
Signature alg: SHA384WITHRSA
Public key type: RSA 2048bit
Allowed usage: digitalSignature keyEncipherment
Serial number: 1479623907
VOMS extensions: no.

X.509 v3 certificate
Subject: CN=Aksieniia Shtimmerman ashtimmerman@infn.it,O=Istituto Nazionale di Fisica Nucleare,C=IT,DC=tcs,DC=terena,DC=org
Issuer: CN=GEANT TCS Authentication RSA CA 4B,O=GEANT Vereniging,C=NL
Valid from: Fri Nov 22 09:08:54 CET 2024
Valid to: Mon Dec 22 09:08:54 CET 2025
Subject alternative names: 
  email: aksieniia.shtimmerman@cnaf.infn.it
CA: false
Signature alg: SHA384WITHRSA
Public key type: RSA 2048bit
Allowed usage: digitalSignature keyEncipherment
Allowed extended usage: clientAuth emailProtection
Serial number: 101113208650839486715316733014861942537

=== Proxy Information ===
subject   : /DC=org/DC=terena/DC=tcs/C=IT/O=Istituto Nazionale di Fisica Nucleare/CN=Aksieniia Shtimmerman ashtimmerman@infn.it/CN=1479623907
issuer    : /DC=org/DC=terena/DC=tcs/C=IT/O=Istituto Nazionale di Fisica Nucleare/CN=Aksieniia Shtimmerman ashtimmerman@infn.it
identity  : /DC=org/DC=terena/DC=tcs/C=IT/O=Istituto Nazionale di Fisica Nucleare/CN=Aksieniia Shtimmerman ashtimmerman@infn.it
type      : RFC3820 compliant impersonation proxy
strength  : 2048
path      : /tmp/x509up_u10171
timeleft  : 11:42:28
key usage : Digital Signature, Key Encipherment

For removing the current VOMS proxy certificate: 

[ashtimmerman@ui-tier1 ~]$ voms-proxy-destroy
[ashtimmerman@ui-tier1 ~]$ voms-proxy-info --all
Proxy not found: /tmp/x509up_u10171 (No such file or directory)

JWT

Once registered with the token issuer (e.g. IAM), an access token can be retrieved using oidc-agent, which is available on ui-tier1. The full set of commands follows.

First, the agent has to be started with the command

[ashtimmerman@ui-tier1 ~]$ eval $(oidc-agent-service use)  
54956

To avoid having to run eval $(oidc-agent-service use) manually every time a new terminal session is opened, it is possible to add

 eval "$(oidc-agent-service use)"

to the .bashrc file and load the changes with source ~/.bashrc.

Then, one needs to register one's own client (this has to be done only the first time, to create a new local IAM client):

$ oidc-gen -w device <device name>

following the steps required by the application, namely:

  • choose a name for the OIDC client
  • enter the IAM URL (e.g. https://iam-t1-computing.cloud.cnaf.infn.it/)
  • when a web page for authentication opens, enter the credentials of the IAM account
  • authorise the new client
  • set a password for the client, by typing it twice at the terminal prompt.

For example:

[ashtimmerman@ui-tier1 ~]$ oidc-gen -w device axy
[1] https://iam-t1-computing.cloud.cnaf.infn.it/
[...]
Issuer [https://iam-t1-computing.cloud.cnaf.infn.it/]: 
The following scopes are supported: openid profile email address phone offline_access eduperson_scoped_affiliation eduperson_entitlement eduperson_assurance entitlements wlcg.groups compute.read compute.create compute.cancel compute.modify storage.read storage.create storage.modify storage.stage
Scopes or 'max' (space separated) [openid profile offline_access]: compute.read compute.create compute.cancel compute.modify openid profile offline_access
Registering Client ...
Generating account configuration ...
accepted

Using a browser on any device, visit:
https://iam-t1-computing.cloud.cnaf.infn.it/device

And enter the code: REDACTED
Alternatively you can use the following QR code to visit the above listed URL.

Enter encryption password for account configuration <client_name>: 
Confirm encryption password: 
Everything setup correctly!

From the second time on, it is enough to load the existing account configuration:

[ashtimmerman@ui-tier1 ~]$ oidc-add axy
Enter decryption password for account config 'axy': 
success

and then get the access token and save it in the BEARER_TOKEN environment variable:

[ashtimmerman@ui-tier1 ~]$ export BEARER_TOKEN=$(oidc-token <client_name>)

To inspect the content of the JWT, the jq tool can be used:

[ashtimmermanus@ui-tier1 ~]$ oidc-token axy | jq -R 'split(".")[1] | @base64d | fromjson'

The token will be valid for 60 minutes, but a new token can be obtained issuing the oidc-token command again.
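The jq one-liner above decodes the payload with plain base64, whereas JWT segments use the URL-safe alphabet without '=' padding, so it can fail on tokens whose payload contains '-' or '_'. The following added example (not from the page, oidc-agent or IAM) does the same inspection with proper base64url handling and also checks the 60-minute expiry and the granted scopes. It only decodes the claims: verifying the signature requires the issuer's public key and is the job of the service receiving the token. The token is constructed with a placeholder signature, and the issuer URL and claim values are assumptions.

```python
# Added example (not from the original page): decode an access token the way the
# jq one-liner above does, but with proper base64url handling (JWT segments use
# the URL-safe alphabet and drop '=' padding, which plain base64 decoders can
# reject) and an expiry check. Decoding only reveals the claims; it does not
# verify the signature, which requires the issuer's public key. The token below
# is constructed, its signature is a placeholder, and the issuer URL and claim
# values are assumptions.
import base64
import json
import time


def b64url_decode(segment):
    """Restore the '=' padding that JWTs strip, then decode with the URL-safe alphabet."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment.encode("ascii"))


def b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_sample_token(issued_at, lifetime=3600):
    """Build a constructed token with the claim layout of an OIDC access token.
    The signature segment is a placeholder, not a real RS256 signature."""
    header = {"alg": "RS256", "kid": "constructed-kid", "typ": "JWT"}
    claims = {
        "iss": "https://iam.example.org/",  # assumed issuer URL
        "sub": "constructed-subject-id",
        "iat": issued_at,
        "exp": issued_at + lifetime,        # 60 minutes, as stated on the page
        "scope": "openid profile offline_access compute.read compute.create",
        "wlcg.groups": ["/juno"],
    }
    segments = [b64url_encode(json.dumps(part, separators=(",", ":")).encode("utf-8"))
                for part in (header, claims)]
    return ".".join(segments) + "." + b64url_encode(b"placeholder-signature")


def inspect_token(token, now=None):
    """Return (header, claims, seconds_left); seconds_left is negative once expired."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected header.payload.signature")
    header = json.loads(b64url_decode(parts[0]))
    claims = json.loads(b64url_decode(parts[1]))
    now = time.time() if now is None else now
    return header, claims, claims["exp"] - now


def has_scope(claims, wanted):
    """Scopes are a space-separated string in the 'scope' claim."""
    return wanted in claims.get("scope", "").split()


if __name__ == "__main__":
    import sys
    # Pass a real token as the first argument, otherwise inspect the constructed sample.
    token = sys.argv[1] if len(sys.argv) > 1 else make_sample_token(int(time.time()))
    header, claims, left = inspect_token(token)
    print(json.dumps(claims, indent=2))
    print("expires in %d s, alg=%s" % (left, header["alg"]))
```

Run it as python3 inspect_token.py "$(oidc-token axy)" to look at a real token. A negative seconds_left means the token has already expired and oidc-token has to be run again; a missing scope means the client was registered without it and oidc-gen has to be repeated with the right scope list.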

At the end, stop the oidc-agent daemon:

oidc-agent-service stop

A user can also get the list of all existing account configurations by issuing

[ashtimmerman@ui-tier1 ~]$ oidc-add -l
The following account configurations are usable: 
axy
myobolicatest
t1-computing

Finally, the list of the currently loaded accounts can be retrieved with:

[ashtimmermanus@ui-tier1 ~]$ oidc-add -a
The following account configurations are currently loaded: 
axy