Dear dCache developers,
With our OIDC Code-Flow setup (see slide 7 of my presentation at dCache Workshop), we have encountered a problem:
When having frontend.authz.anonymous-operations = NONE set, our OIDC authentication with callback at dCache View fails, and a 2nd login window pops up.
When going back to frontend.authz.anonymous-operations = READONLY, the authentication/authorization path completes successfully.
Based on my own investigation of gplazma logs and frontend access logs, it seems like a significant part of that path runs as the "nobody" user, including the callback command.
With that, I've run an LLM-supported investigation on the dCache code base. Please find the document attached:
oidc-authentication-investigation.md
It seems to confirm my assumptions. I've also cross-checked the links and references to code, and they look plausible.
This issue seems to boil down to a timing gap between the authentication/authorization path and the commands running in the background when the dCache View page is called.
We would like to know whether this is intended behavior, and if not, whether it would be possible to fix that in future dCache (View) versions.
Thanks a lot in advance for considering this issue!
Artur