Auth: Use the FTS instance domain as audience #6590

The discussion on how the Audience claim should be handled is still on-going. However, the FTS team has expressed their wish to stop supporting the WLCG wildcard audience. For the time being, it was agreed to use the domain of the targeted FTS instance, mimicking how it’s done for tokens destined at storages.
rucio · Apr 2, 2024 · ee20f32 · ee20f32
1 parent 74fda30
commit ee20f32
Show file tree

Hide file tree

Showing 2 changed files with 2 additions and 3 deletions.
diff --git a/etc/docker/dev/fts/fts3restconfig b/etc/docker/dev/fts/fts3restconfig
@@ -11,6 +11,7 @@ DbConnectString=ftsdb/fts
 ValidateAccessTokenOffline=True
 JWKCacheSeconds=86400
 TokenRefreshDaemonIntervalInSeconds=600
+AuthorizedAudiences=https://wlcg.cern.ch/jwt/v1/any;fts
 
 #The alias used for the FTS endpoint, will be published as such in the dashboard transfers UI http://dashb-wlcg-transfers.cern.ch/ui/
 Alias=rucio/fts

diff --git a/lib/rucio/transfertool/fts3.py b/lib/rucio/transfertool/fts3.py
@@ -832,9 +832,7 @@ def __init__(self, external_host, oidc_account=None, oidc_support: bool = False,
         self.token = None
         if oidc_support:
             fts_hostname = urlparse(external_host).hostname
-            # FIXME: At the time of writing, it is not yet finalised what
-            # audience and/or scope is required by FTS.
-            token = request_token(audience='https://wlcg.cern.ch/jwt/v1/any', scope='fts')
+            token = request_token(audience=fts_hostname, scope='fts')
             if token is not None:
                 self.logger(logging.INFO, 'Using a token to authenticate with FTS instance %s', fts_hostname)
                 self.token = token