
[HTCondor-users] Possible misbehavior when using UNDEFINED OAuth Services



Dear HTCondor experts,

we are finalizing token integration into CMS production workflows, and
due to some old application versions that need to be supported, we
need to instrument the WMS job submission component to either enable
or disable OAuth, via:
"""
use_oauth_services = cms
"""
or
"""
use_oauth_services = UNDEFINED
"""

However, when setting this job classad to UNDEFINED, it looks like it
parses it as any other string, instead of the reserved UNDEFINED word.
Note that, if I set it to `cms`, it works well - as this is one of the
credentials stored in condor credd.

One option to work around this issue would be to not set
`use_oauth_services` at all, but then we hit an issue that has been
discussed in another thread, see:
https://www-auth.cs.wisc.edu/lists/htcondor-users/2025-November/msg00029.shtml

Would you have any recommendation on what could be done? Is it an
issue that should be resolved in HTCondor?

I am also providing details of my setup and how to reproduce it,
please see [1] for more information.

Thank you in advance.
Best regards,
Alan.

[1]
### job submission
xxx@vocmsxxx:tokens $ condor_submit submit3.jdl
Submitting job(s)
Attempting to get tokens for UNDEFINED
htgettoken: Failure getting token from https://xxx.cern.ch:xxx
Authentication needed for UNDEFINED
Attempting OIDC authentication with https://xxx.cern.ch:xxx
htgettoken: Initiating authentication to https://xxx.cern.ch:xxx
failed: HTTPError: Forbidden: permission denied
condor_vault_storer: htgettoken failed
Failed to process job credential requests (1):
'process_job_credentials(): invoking '/usr/bin/condor_vault_storer'
failed: 0 (Success)
'; BAILING OUT.

### condor version
xxx@vocmsxxx:tokens $ condor_version
$CondorVersion: 24.0.6 2025-03-05 BuildID: 790851 PackageID: 24.0.6-1 $
$CondorPlatform: x86_64_AlmaLinux9 $

### submit file
xxx@vocmsxxx:tokens $ cat submit3.jdl
Universe = vanilla
executable = test.sh
should_transfer_files = YES
request_memory = 1 GB
request_cpus = 1
request_disk = 1 GB
# Where to submit - cms specific configuration
requirements = stringListMember(GLIDEIN_CMSSite,DESIRED_Sites)
+DESIRED_Sites = "T1_US_FNAL,T2_CH_CERN"
accounting_group = analysis
+AccountGroup = analysis
Output = test.$(Cluster)-$(Process).out
Error = test.$(Cluster)-$(Process).err
Log = test.$(Cluster).log
use_oauth_services = UNDEFINED
Queue 1
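
A pre-submit check for the situation reported above, where `condor_submit` hands the literal text `UNDEFINED` to the credential tooling as a service name. This is an added example, not part of the original message and not HTCondor code; the function name `lint_oauth_services`, the keyword set, the sample input, and the assumption that the value is a comma- or whitespace-separated list of names are all illustrative.

```python
import re

# ClassAd keywords that are easy to mistake for a way to "unset" the command.
# The page shows UNDEFINED being used as a service name; treating the others
# the same way is an assumption of this example.
CLASSAD_KEYWORDS = {"undefined", "error", "true", "false"}
KEYWORD_MSG = "ClassAd keyword used as a service name"
UNKNOWN_MSG = "no stored credential with this name"


def lint_oauth_services(submit_text, known_services):
    """Return (line number, name, reason) for each suspicious service name.

    known_services is the set of credential names the caller expects to be
    stored for the submitting user (for example {"cms"}).
    """
    findings = []
    for lineno, raw in enumerate(submit_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment
        key, sep, value = line.partition("=")
        # Submit command names are case-insensitive.
        if not sep or key.strip().lower() != "use_oauth_services":
            continue
        for name in filter(None, re.split(r"[,\s]+", value.strip())):
            if name.lower() in CLASSAD_KEYWORDS:
                findings.append((lineno, name, KEYWORD_MSG))
            elif name not in known_services:
                findings.append((lineno, name, UNKNOWN_MSG))
    return findings


# Constructed sample, shortened from the submit file in the message.
SAMPLE = """\
Universe = vanilla
executable = test.sh
# use_oauth_services = cms
use_oauth_services = UNDEFINED
Queue 1
"""

if __name__ == "__main__":
    for lineno, name, reason in lint_oauth_services(SAMPLE, {"cms"}):
        print(f"line {lineno}: {name!r}: {reason}")
```
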