# Configure oidc-agent for iam.cloud.infn.it
## Requirement
Install the oidc-agent package following the instructions [here](https://indigo-dc.gitbook.io/oidc-agent/installation).
## Remove previous configurations
Load oidc-agent and **remove the previous profiles** that worked with login.cloud.infn.it:
```
eval `oidc-agent`
oidc-gen -d infncloud
oidc-gen -d infncloud-wlcg
oidc-gen -d infncloud-iam
```
__N.B.__ If you get an error saying that the specified profile does not exist, you can ignore it: the purpose of the commands above is only to ensure that you start from a fresh environment.
Now install the proper CA certificate into the system trust store, for instance on a Debian-based distro:
```
sudo wget "https://crt.sh/?d=2475254782" -O /usr/local/share/ca-certificates/ca.crt
sudo update-ca-certificates
```
## Choose the correct profile for your case
You can now retrieve tokens with either the __WLCG profile__ or the __IAM profile__ (more details [here](https://indigo-iam.github.io/docs/v/current/admin-guide/multi_profile_support.html)), but a single oidc-agent configuration can only retrieve one kind.
In general, if you want to access experiment resources you will probably need a WLCG-Profile token, while for personal resources (e.g. your personal bucket on a cloud storage) the IAM-Profile one may be the appropriate choice.
### Configure the agent for a WLCG-Profile token
Start the registration with the new iam.cloud.infn.it:
```
oidc-gen --flow device --dae https://iam.cloud.infn.it/devicecode infncloud-wlcg
```
You will get the following output:
```
[1] https://iam-test.indigo-datacloud.eu/
[2] https://iam.deep-hybrid-datacloud.eu/
[3] https://iam.extreme-datacloud.eu/
[4] https://iam-demo.cloud.cnaf.infn.it/
[5] https://b2access.eudat.eu/oauth2/
[6] https://b2access-integration.fz-juelich.de/oauth2
[7] https://unity.eudat-aai.fz-juelich.de/oauth2/
[8] https://unity.helmholtz-data-federation.de/oauth2/
[9] https://login.helmholtz-data-federation.de/oauth2/
[10] https://services.humanbrainproject.eu/oidc/
[11] https://accounts.google.com/
[12] https://aai.egi.eu/oidc/
[13] https://aai-dev.egi.eu/oidc
[14] https://login.elixir-czech.org/oidc/
[15] https://oidc.scc.kit.edu/auth/realms/kit/
[16] https://wlcg.cloud.cnaf.infn.it/
Issuer [https://iam-test.indigo-datacloud.eu/]:
```
At the `Issuer` prompt, provide the following: https://iam.cloud.infn.it/
You will then be asked for the scopes:
```
This issuer supports the following scopes: openid profile email address phone offline_access
Space delimited list of scopes or 'max' [openid profile offline_access]:
```
Insert the following: `openid profile email offline_access wlcg wlcg.groups`
After that, you will get the following output:
```
Registering Client ...
Generating account configuration ...
accepted
Using a browser on another device, visit:
https://iam.cloud.infn.it/device
And enter the code: HOTZEP
```
As suggested, open your browser and follow the link, then enter the code.
You will be asked to approve the registered client.
After your approval, the `oidc-gen` command will automatically move to the next step, allowing you to set an optional password for configuration encryption:
```
Enter encryption password for account configuration 'infncloud-wlcg':
Confirm encryption Password:
```
Now check that you can obtain a valid token with the following command:
```bash
oidc-token infncloud-wlcg
```
### Configure the agent for an IAM-Profile token
Start the registration with the new iam.cloud.infn.it:
```
oidc-gen --flow device --dae https://iam.cloud.infn.it/devicecode infncloud-iam
```
You will get the following output:
```
[1] https://iam-test.indigo-datacloud.eu/
[2] https://iam.deep-hybrid-datacloud.eu/
[3] https://iam.extreme-datacloud.eu/
[4] https://iam-demo.cloud.cnaf.infn.it/
[5] https://b2access.eudat.eu/oauth2/
[6] https://b2access-integration.fz-juelich.de/oauth2
[7] https://unity.eudat-aai.fz-juelich.de/oauth2/
[8] https://unity.helmholtz-data-federation.de/oauth2/
[9] https://login.helmholtz-data-federation.de/oauth2/
[10] https://services.humanbrainproject.eu/oidc/
[11] https://accounts.google.com/
[12] https://aai.egi.eu/oidc/
[13] https://aai-dev.egi.eu/oidc
[14] https://login.elixir-czech.org/oidc/
[15] https://oidc.scc.kit.edu/auth/realms/kit/
[16] https://wlcg.cloud.cnaf.infn.it/
Issuer [https://iam-test.indigo-datacloud.eu/]:
```
At the `Issuer` prompt, provide the following: https://iam.cloud.infn.it/
You will then be asked for the scopes:
```
This issuer supports the following scopes: openid profile email address phone offline_access
Space delimited list of scopes or 'max' [openid profile offline_access]:
```
Insert the following: `openid profile email iam offline_access`
After that, you will get the following output:
```
Registering Client ...
Generating account configuration ...
accepted
Using a browser on another device, visit:
https://iam.cloud.infn.it/device
And enter the code: HOTZEP
```
As suggested, open your browser and follow the link, then enter the code.
You will be asked to approve the registered client.
After your approval, the `oidc-gen` command will automatically move to the next step, allowing you to set an optional password for configuration encryption:
```
Enter encryption password for account configuration 'infncloud-iam':
Confirm encryption Password:
```
Now check that you can obtain a valid token with the following command:
```bash
oidc-token infncloud-iam
```
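Because each configuration returns only one kind of token, it is worth confirming that `infncloud-wlcg` and `infncloud-iam` each return the profile you expect. The script below is an added example, not part of the original guide or of oidc-agent: it decodes the token claims and checks the issuer and the profile. It assumes the access tokens are JWTs and that WLCG-profile tokens carry the `wlcg.ver` claim; the function names and the sample tokens are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example. Decoding a JWT is inspection only: it does NOT verify the signature.

# base64url-encode a string (used only to build the constructed samples below).
b64url() { printf '%s' "$1" | base64 | tr -d '=\n' | tr '+/' '-_'; }

# Build an unsigned, constructed JWT around the given JSON claims.
make_sample_token() {
  printf '%s.%s.%s' "$(b64url '{"alg":"none"}')" "$(b64url "$1")" "constructed-signature"
}

# Print the decoded claims (second dot-separated segment) of a JWT.
jwt_payload() {
  seg=$(printf '%s' "$1" | cut -d. -f2 | tr '_-' '/+')
  case $(( ${#seg} % 4 )) in        # restore the padding base64url strips
    2) seg="$seg==" ;;
    3) seg="$seg=" ;;
    1) return 2 ;;                  # impossible length: not a JWT segment
  esac
  printf '%s' "$seg" | base64 -d
}

# Print "wlcg" when the token carries the wlcg.ver claim, "not-wlcg" otherwise.
token_profile() {
  claims=$(jwt_payload "$1") || return 2
  if printf '%s' "$claims" | grep -q '"wlcg\.ver"'; then echo wlcg; else echo not-wlcg; fi
}

# Succeed only if the issuer is iam.cloud.infn.it and the profile is the expected one.
check_token() {
  claims=$(jwt_payload "$1") || return 2
  printf '%s' "$claims" |
    grep -Eq '"iss"[[:space:]]*:[[:space:]]*"https://iam\.cloud\.infn\.it/"' || return 1
  [ "$(token_profile "$1")" = "$2" ]
}

# Constructed sample tokens (not real credentials).
SAMPLE_WLCG=$(make_sample_token '{"iss":"https://iam.cloud.infn.it/","sub":"constructed","wlcg.ver":"1.0","wlcg.groups":["/example"]}')
SAMPLE_IAM=$(make_sample_token '{"iss":"https://iam.cloud.infn.it/","sub":"constructed","groups":["example"]}')

echo "infncloud-wlcg sample: $(token_profile "$SAMPLE_WLCG")"
echo "infncloud-iam sample:  $(token_profile "$SAMPLE_IAM")"
check_token "$SAMPLE_IAM" wlcg || echo "IAM-profile token rejected where WLCG was expected"
# Real use: check_token "$(oidc-token infncloud-wlcg)" wlcg
```

Avoid echoing a real token to the terminal or to logs while debugging; pass it through command substitution as in the last comment.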