Mailing List Archives
Authenticated access
|
|
![[Computer Systems Lab]](http://www.cs.wisc.edu/pics/csl_logo.gif)
|
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [HTCondor-users] Security implications of SEC_SCITOKENSâFOREIGN_TOKEN?
- Date: Tue, 31 Mar 2026 01:30:17 +0000
- From: Jaime Frey <jfrey@xxxxxxxxxxx>
- Subject: Re: [HTCondor-users] Security implications of SEC_SCITOKENSâFOREIGN_TOKEN?
HTCondor uses the scitokens-cpp library to validate the tokens used for the SCITOKENS authentication method. That library expects the tokens to follow one of several defined schemas for their claims (SciTokens, WLCG, or at+jwt). If the tokenâs claims donât follow of those schemas, it will fail the libraryâs validation check. Since EGI CheckIn tokens use a different schema, they will thus be rejected.
The FOREIGN_TOKEN parameters make the validation check optional (the cryptographic signature is still verified, though), but only for the named issuers. The default is to allow foreign token schemas (SEC_SCITOKENS_ALLOW_FOREIGN_TOKEN_TYPES=True), but only for the EGI CheckIn token issuer (SEC_SCITOKENS_FOREIGN_TOKEN_ISSUERS=https://aai-dev.egi.eu/auth/realms/egi).
The words of caution in the manual are for adding any additional issuers to the list of allowed foreign tokens.
Note that for a token to be authorized, it also needs to be mapped to an HTCondor identity (using the âissâ and âsubâ claims in the mapfile or via a mapping plugin), and that identity must be authorized via the ALLOW/DENY_XXXX configuration parameters.
- Jaime
> On Mar 29, 2026, at 3:37âPM, KÃhn, Max (SCC) <max.fischer@xxxxxxx> wrote:
>
> Hi all,
>
> We got approached about supporting EGI CheckIn Tokens and are just trying to understand what that would entail. As per the docs [0] we are looking at the SEC_SCITOKENSâFOREIGN_TOKEN family of things.
>
> However, I am now a bit alarmed as there are multiple vague warnings that this lowers security checks:
>
>> These parameters should be used with caution, as they disable some security checks. [0, 1]
>
> Plus it looks like these are already switched on by default [2].
>
> Is this something that will practically lower security checks also for regular SciTokens auth? Is this just because third-party plugins are invoked to check the tokens? Something else?
>
> Cheers,
> Max
>
>
> [0] Security docs on EGI CheckIn tokens
> https://htcondor.readthedocs.io/en/25.0/admin-manual/security.html#scitokens-authentication
>
> [1]
> https://htcondor.readthedocs.io/en/25.0/admin-manual/configuration-macros.html#SEC_SCITOKENS_FOREIGN_TOKEN_ISSUERS
>
> [2] # condor_config_val SEC_SCITOKENS_ALLOW_FOREIGN_TOKEN_TYPES CONDOR_VERSION -verbose
> SEC_SCITOKENS_ALLOW_FOREIGN_TOKEN_TYPES = true
> # at: <Default>
> # raw: SEC_SCITOKENS_ALLOW_FOREIGN_TOKEN_TYPES = true
>
> CONDOR_VERSION = 25.0.8
> # at: <Default>
> # raw: CONDOR_VERSION = 25.0.8
>
> _______________________________________________
> HTCondor-users mailing list
> To unsubscribe, send a message to htcondor-users-request@xxxxxxxxxxx with a
> subject: Unsubscribe
>
> The archives can be found at: https://www-auth.cs.wisc.edu/lists/htcondor-users/