# SciAuth Tutorial

In this tutorial you will learn how to:
1. Create a SciToken signing key.
2. Publish the key to a website to create an issuer.
3. Use a token to submit to a HTCondor node.

### Requirements
- GitHub account
- This notebook already has the python-scitokens package installed.  You can install it with `pip install scitokens`

This page is a special `bash` type page rather than Python.  Commands entered into this page are executed on the command line, not within a python interpreter.

## Creating a Key

We first will create a private and public key to sign tokens that we will create.

Create the private key with the `scitokens-admin-create-key` program.

In [1]:
scitokens-admin-create-key --create-keys --pem-private > private.pem

Take a look at the newly created private key, `private.pem`.  You may want to **backup** the file since it's an important private key.  Feel free to download it from the file browser at the left.

In [2]:
cat private.pem

-----BEGIN RSA PRIVATE KEY-----
MIIEpgIBAAKCAQEA8/VlWc4KyHxCHco126YQryLkiPkLUsl2aergt8auUpuz0wWR
i6kHa8IDl2nv49r0402GruHgPkwZdokIdehDmlqSCrhibDX9G4aaYKSDcJnVWCV+
smOXTisdTBBuWI7XfIfBTpBIWEUwN0kv5R+0j4dILzGZRrClbKKBG8qhARYhxxym
8mzrXTXH7sjwoCA1fDIV47uPkMorM7HekK5nBeBEr+Gt9ISxPqFmVX5affaBqjLh
zwdn9NK9vV8XydM1J50PXUoy+vtPBO6iPGKABetZMN0XFkxWeZ7oGrX5TspATaqV
n0I+usWLIy17zgSQqdShEVjZ+Ltye7oskDB6EQIDAQABAoIBAQCAut7OMpEyFY91
1LvyuYBYShs5w+CbwL8BSPVnRCm8YXjUQz336iuGSwxGG5qAK4vJXaFSKtJ/TPyq
tciHHxZ9HomtqnoVC7ARlEdl86mAA0y2hKKEU1UF5G5DMvBnPoiqp5/zauMh4PB+
W9owFzjZ+9K1RIDS8md4GY/zMEshHJrYxuFKNwvyyso2Q8wK7c3boNzr25F5OpFS
uaEKMTSkOObY/jtOniMJVGOZu4XXG7a3QHSZ3/ydl/Ao0apjIpxLa2ms8TVzeYhx
ZvayaNwVMEiPPmDF2eHhJFG5wyD4tG7bWGLZIiu1luIN5yHJeJqGwNKUYlcHITd9
KYMgw46hAoGBAPyNCKrTPknde69hf/IqPV3UHY7mqx4LPqcWJ5YJMQHRoLHW+kSI
4HR0T5wtNbaRr2C7QTKu4fsEqKlos7Ut/IvcZLEUVED++v2D/McOOxZfuM2Yxrf0
yTNQeudzuSQRyPxkceyu1rRleKHiVt7Dg5Mr+3Un7Yg8GvRInKkPqt1tAoGBAPdK
UlRxUekwFVG8wEslpFubPRM/3M6kRA+pU1toTs+34u2qEQcME64hKEiFPQ

Next we will create the public key, in jwks format so that we can upload it to the website.

In [3]:
scitokens-admin-create-key --private-keyfile private.pem --jwks-public

{
    "keys": [
        {
            "alg": "RS256",
            "e": "AQAB",
            "kid": "2482",
            "kty": "RSA",
            "n": "8_VlWc4KyHxCHco126YQryLkiPkLUsl2aergt8auUpuz0wWRi6kHa8IDl2nv49r0402GruHgPkwZdokIdehDmlqSCrhibDX9G4aaYKSDcJnVWCV-smOXTisdTBBuWI7XfIfBTpBIWEUwN0kv5R-0j4dILzGZRrClbKKBG8qhARYhxxym8mzrXTXH7sjwoCA1fDIV47uPkMorM7HekK5nBeBEr-Gt9ISxPqFmVX5affaBqjLhzwdn9NK9vV8XydM1J50PXUoy-vtPBO6iPGKABetZMN0XFkxWeZ7oGrX5TspATaqVn0I-usWLIy17zgSQqdShEVjZ-Ltye7oskDB6EQ==",
            "use": "sig"
        }
    ]
}


In order for an issuer to work, you need:
1. A metadata page for clients to find the keys (`username/.well-known/openid-configuration`) 
2. The public keys

The metadata page is very short with only 2 attributes.  In the example below, be sure to replace my github username (djw8605) with your own.

Steps to create the issuer:
1. Create the configuration file by going to the [repo website](https://github.com/SciAuth/htcondor-week-2022), clicking on "Create a new file, then enter your github **username**, then "/", then `.well-known`, then "/", then `openid-configuration`

    Metadata page (`openid-configuration`):
    ```json
    {  
        "issuer":"https://sciauth.org/htcondor-week-2022/djw8605",
        "jwks_uri":"https://sciauth.org/htcondor-week-2022/djw8605/oauth2/keys"
    }
    ```

    Start the pull request by clicking "Propose new file" at the bottom.  Then click "Create Pull Request"

2. Next, we will add the public keys to the pull request.  Under the pull request title, click on your branch.  Then, once again, click on "Add file" -> "Create new file".  This time, the path will be `username/oauth2/keys`.  The contents of the file will be the entire public key json above.  Be sure to include the starting and ending `{` and `}`.  Clicking on the commit at the bottom will add the new file to the pull request.

After both of the files have been created, the pull request will be reviewed by the maintainers and accepted.

Once your pull request has been merged, you can test the downloads with curl:

In [None]:
curl https://sciauth.org/htcondor-week-2022/djw8605/.well-known/openid-configuration

In [None]:
curl https://sciauth.org/htcondor-week-2022/djw8605/oauth2/keys

## Creating your first Token

Next, we will create your first token.

In [7]:
scitokens-admin-create-token --keyfile=private.pem --key_id 2482 \
--issuer https://sciauth.org/htcondor-week-2022/djw8605 scope="compute.write:/ write:/ read:/"

eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6IjI0ODIifQ.eyJzY29wZSI6ImNvbXB1dGUud3JpdGU6LyB3cml0ZTovIHJlYWQ6LyIsImlzcyI6Imh0dHBzOi8vc2NpYXV0aC5vcmcvaHRjb25kb3Itd2Vlay0yMDIyL2Rqdzg2MDUiLCJleHAiOjE2NTI5ODQyMDYsImlhdCI6MTY1Mjk4MzAwNiwibmJmIjoxNjUyOTgzMDA2LCJqdGkiOiJhZmMxODYyMi1lYzQzLTQ5NTAtODBhOC1hMzNmYjg1N2I2ZGQifQ.8Ad_ygNe0jwEPTfw-iS9LRKR2TYTC7KSbB0j5nTDSvKJEL6NFls8A7Q_SD38HTnAd7H5z97nRvcEeZOxkxUAFkZblqmzDNTsaX0eJ9IMM_yibg1TPbdfjGaR36wIhvDMKTzo-fd1pplAuA6Qdcza7TTYTA9T-RaDNeTmERGk9MqqeMsTw3fffe2MRDt971HiatQi7rGLLJ24ID0GCwqqL6v2-2IYZfyV45S0bfgrM2NARSJgTrMAmGagxRK3Y8cabTdySBVApxsxEiJGkUXxh5DYEYOj_q_Y1GqTDuDHDc0LWda6KwQ3xcb_7MLw11mnNPuBLhtO90pDVHCSwF3ojg


## Submitting your first job

Lets submit our first job.  It will use the token you just created.  You will be submitting to a remote cluster that is configured to accept all issuers under https://sciauth.org/htcondor-week-2022/*

In [1]:
condor_q


-- Failed to fetch ads from: <128.104.100.46:9618?addrs=128.104.100.46-9618+[2607-f388-107c-501-216-4fff-fece-e1b2]-9618&alias=xd-submit0000.chtc.wisc.edu&noUDP&sock=schedd_1331_88a5> : xd-submit0000.chtc.wisc.edu
AUTHENTICATE:1003:Failed to authenticate with any method
AUTHENTICATE:1004:Failed to authenticate using SCITOKENS


: 1

Lets copy our token to a known location

In [19]:
scitokens-admin-create-token --keyfile=private.pem --key_id 2482  \
--issuer https://sciauth.org/htcondor-week-2022/djw8605 sub="dweitzel" scope="condor:READ condor:WRITE" > token

Save the token location to an environment variable for HTCondor to find

In [20]:
export BEARER_TOKEN_FILE=$PWD/token

In [21]:
condor_q



-- Schedd: xd-submit0000.chtc.wisc.edu : <128.104.100.46:9618?... @ 05/19/22 19:30:29
OWNER        BATCH_NAME    SUBMITTED   DONE   RUN    IDLE  TOTAL JOB_IDS
htcondorweek ID: 4604     5/18 19:49      _      _      _      1 4604.0
htcondorweek ID: 4611     5/19 18:28      _      _      1      1 4611.0
htcondorweek ID: 4612     5/19 18:39      _      _      1      1 4612.0
htcondorweek ID: 4613     5/19 18:42      _      _      1      1 4613.0
htcondorweek ID: 4614     5/19 18:42      _      _      1      1 4614.0
htcondorweek ID: 4615     5/19 19:06      _      _      _      1 4615.0

Total for query: 6 jobs; 2 completed, 0 removed, 4 idle, 0 running, 0 held, 0 suspended 
Total for htcondorweek: 6 jobs; 2 completed, 0 removed, 4 idle, 0 running, 0 held, 0 suspended 
Total for all users: 6 jobs; 2 completed, 0 removed, 4 idle, 0 running, 0 held, 0 suspended



In [10]:
condor_submit job.txt -spool


ERROR: Failed to open command file (job.txt) (No such file or directory)


: 1

In [9]:
condor_q



-- Schedd: xd-submit0000.chtc.wisc.edu : <128.104.100.46:9618?... @ 05/19/22 19:12:16
OWNER        BATCH_NAME    SUBMITTED   DONE   RUN    IDLE  TOTAL JOB_IDS
htcondorweek ID: 4604     5/18 19:49      _      _      _      1 4604.0
htcondorweek ID: 4611     5/19 18:28      _      _      1      1 4611.0
htcondorweek ID: 4612     5/19 18:39      _      _      1      1 4612.0
htcondorweek ID: 4613     5/19 18:42      _      _      1      1 4613.0
htcondorweek ID: 4614     5/19 18:42      _      _      1      1 4614.0
htcondorweek ID: 4615     5/19 19:06      _      _      _      1 4615.0

Total for query: 6 jobs; 2 completed, 0 removed, 4 idle, 0 running, 0 held, 0 suspended 
Total for htcondorweek: 6 jobs; 2 completed, 0 removed, 4 idle, 0 running, 0 held, 0 suspended 
Total for all users: 6 jobs; 2 completed, 0 removed, 4 idle, 0 running, 0 held, 0 suspended



In [6]:
condor_transfer_data <jobid>

Fetching data files...


In [8]:
cat log

000 (4615.000.000) 2022-05-19 14:06:45 Job submitted from host: <128.104.100.46:9618?addrs=128.104.100.46-9618+[2607-f388-107c-501-216-4fff-fece-e1b2]-9618&alias=xd-submit0000.chtc.wisc.edu&noUDP&sock=schedd_1331_88a5>
...
040 (4615.000.000) 2022-05-19 14:06:50 Started transferring input files
	Transferring to host: <192.168.3.86:42270?addrs=192.168.3.86-42270&alias=lnxfarm186.colorado.edu&noUDP>
...
040 (4615.000.000) 2022-05-19 14:06:50 Finished transferring input files
...
001 (4615.000.000) 2022-05-19 14:06:51 Job executing on host: <192.168.3.86:34301?CCBID=128.104.103.162:9619%3faddrs%3d128.104.103.162-9619%26alias%3dospool-cm.osg.chtc.io%26noUDP%26sock%3dcollector3#2344931%20192.170.236.247:9619%3faddrs%3d192.170.236.247-9619+[fd12-3456-789a-10bc-dd5f-fe31-3e2d-7404]-9619%26alias%3d192.170.236.247%26noUDP%26sock%3dcollector5#6805302&PrivNet=lnxfarm186.colorado.edu&addrs=192.168.3.86-34301&alias=lnxfarm186.colorado.edu&noUDP>
...
006 (4615.000.000) 2022-05-19 14:06:57 Image size 

## Get a token from an issuer

We will be using [oidc-agent](https://indigo-dc.gitbook.io/oidc-agent/) to download a token to also submit a job.  This time, the issuer will instead by a public issuer, not a private key we generated.

Since oidc-agent uses a lot of interaction, we will be using the jupyter terminal.  Click on the blue "plus" sign on the left top, and select "Terminal" at the bottom.

The first step is to start the oidc-agent process.

In [22]:
eval `oidc-agent-service use`

103


Next, setup the issuer configuration.  It will ask you several questions.  For scopes, select max.  You can just hit "enter" through the encryption password questions.

In [24]:
oidc-gen issuer --issuer=https://lw-issuer.osgdev.chtc.io/scitokens-server/

Registering Client ...
To update the client to have all the requested scope values, please contact the provider.
[0mGenerating account configuration ...
accepted

Using a browser on any device, visit:
https://lw-issuer.osgdev.chtc.io/scitokens-server/device

And enter the code: 3T4-HJG-Q93
Alternatively you can use the following QR code to visit the above listed URL.

[48;5;231m                                                                          [0m
[48;5;231m                                                                          [0m
[48;5;231m    [48;5;16m              [48;5;231m      [48;5;16m  [48;5;231m  [48;5;16m  [48;5;231m      [48;5;16m  [48;5;231m    [48;5;16m          [48;5;231m    [48;5;16m              [48;5;231m    [0m
[48;5;231m    [48;5;16m  [48;5;231m          [48;5;16m  [48;5;231m  [48;5;16m    [48;5;231m  [48;5;16m  [48;5;231m    [48;5;16m          [48;5;231m  [48;5;16m      [48;5;231m  [48;5;16m  [48;5;231m  [48;5;16m  [48;5

Get the token and put it on the command line with the `oidc-token` command:

In [28]:
oidc-token issuer

eyJ0eXAiOiJKV1QiLCJraWQiOiJ4cmRzaG92ZWxlciIsImFsZyI6IlJTMjU2In0.eyJhdWQiOiJBTlkiLCJzdWIiOiJodHRwOi8vY2lsb2dvbi5vcmcvc2VydmVyRS91c2Vycy84ODgyIiwidmVyIjoic2NpdG9rZW46Mi4wIiwibmJmIjoxNjUyOTg4ODY2LCJzY29wZSI6ImNvbmRvcjpSRUFEIGNvbmRvcjpXUklURSIsImlzcyI6Imh0dHBzOi8vbHctaXNzdWVyLm9zZ2Rldi5jaHRjLmlvL3NjaXRva2Vucy1zZXJ2ZXIiLCJleHAiOjE2NTI5ODk3NzEsImlhdCI6MTY1Mjk4ODg3MSwiY2lkIjoib2E0bXA6L2NsaWVudF9pZC83ZjRmNzg3ZGZhMmFkMDlmNDQ3Y2UzY2IzNzU5YTgyNSIsImp0aSI6Imh0dHBzOi8vbHctaXNzdWVyLm9zZ2Rldi5jaHRjLmlvL3NjaXRva2Vucy1zZXJ2ZXIvNGI1N2QzNTBmMTVjN2ZmZWI2NDI5ZmJkZDU2ZTRkZmM_dHlwZT1hY2Nlc3NUb2tlbiZ0cz0xNjUyOTg4ODcxNDAzJnZlcnNpb249djIuMCZsaWZldGltZT05MDAwMDAifQ.JY9rlsZudIVNAEX4LdTjS0VwoEI6Fz1n8FnZYf-QE2lwDEYxtlT6zL7kA03ILQA5mCr5g9D9TCgzdM-AaXUTYpbfomvVzmFpbv1aLlzG8QA4eJS-L8PgGK7Bz2hdpxcvojTSAvlLtGwLgklY2j0bxPUJIIKFfUqRp8u_ca2LWSBSf03lIL99XAt0fPbwPVJEYQpivYkiwDRUUNp5RGpxMhrSJ6BTum1F43yetLuXXjtTfaDNVA16_IQxOC3FBaLbMnGa003kON3PQslamm3i1wyBMmXdVL4wlVEu477BGuzv9VEzVK9D2nnLe4kWdDZkZc_7QUIBj1zxCyC6JrgzNw


Save the new token to the `token` file.

In [29]:
oidc-token issuer > token

In [30]:
condor_q



-- Schedd: xd-submit0000.chtc.wisc.edu : <128.104.100.46:9618?... @ 05/19/22 19:36:34
OWNER        BATCH_NAME    SUBMITTED   DONE   RUN    IDLE  TOTAL JOB_IDS
htcondorweek ID: 4604     5/18 19:49      _      _      _      1 4604.0
htcondorweek ID: 4611     5/19 18:28      _      _      1      1 4611.0
htcondorweek ID: 4612     5/19 18:39      _      _      1      1 4612.0
htcondorweek ID: 4613     5/19 18:42      _      _      1      1 4613.0
htcondorweek ID: 4614     5/19 18:42      _      _      1      1 4614.0
htcondorweek ID: 4615     5/19 19:06      _      _      _      1 4615.0

Total for query: 6 jobs; 2 completed, 0 removed, 4 idle, 0 running, 0 held, 0 suspended 
Total for htcondorweek: 6 jobs; 2 completed, 0 removed, 4 idle, 0 running, 0 held, 0 suspended 
Total for all users: 6 jobs; 2 completed, 0 removed, 4 idle, 0 running, 0 held, 0 suspended

