
Support validating tokens without an outbound network connection #97

Open
duncanmmacleod opened this issue Oct 7, 2022 · 2 comments

@duncanmmacleod
Contributor

Currently one cannot validate a bearer token without an outbound network connection:

$ scitokens-test-access $BEARER_TOKEN https://cilogon.org/ligo ANY read /frames
Failed to deserialize a token: Couldn't connect to server

Is this feasible? It would enable using tokens for jobs on cluster nodes that are not exposed to the network (e.g. on LIGO/Hawk in Cardiff).

@jbasney
Member

jbasney commented Oct 10, 2022

Unlike X.509 CA signing keys, which IGTF updates once per month via RPMs, the SciTokens signing keys need to be updated more frequently, because there are no CRLs in the SciTokens world. Assuming the cluster head node (or management node) has external connectivity, then the head node could update the SciTokens key cache once per hour / once per day and distribute the key cache to the cluster nodes. We'd need a tool that takes a set of trusted issuers and updates the key cache for all the issuers, rather than letting the library do it on demand. This would also require fixing caching lifetimes (#80 & #86).

In scitokens-cpp, the key cache is in $XDG_CACHE_HOME/scitokens/scitokens_cpp.sqllite. See: https://github.com/scitokens/scitokens-cpp/blob/master/src/scitokens_cache.cpp

In Python, the SciTokens key cache is in $XDG_CACHE_HOME/scitokens/scitokens_keycache.sqllite. See: https://github.com/scitokens/scitokens/blob/master/src/scitokens/utils/keycache.py

Seems to me we should try to use the same cache for both C++ and Python.

@bbockelm
Contributor

@duncanmmacleod - I don't know if it's helpful, but manipulating the keycache is something I was working on earlier this week:

#99

With that, potentially a nightly cronjob to preload the public keys would suffice?

Beyond that, libcurl is used by scitokens-cpp to download the keys. If you can think of a way to manipulate the environment variables set for the validation process, it might obey https_proxy (mind you, then you'll have to maintain an SSL bump for your cluster ... no easy option!).

Brian
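The preload tool sketched in the two comments above (a head node refreshes keys for a fixed set of trusted issuers on a schedule, worker nodes read the cache offline), as an added example that is not part of this thread or of the scitokens projects. The sqlite table layout, the `issuer.example` responses and the fixed-lifetime policy are this example's own assumptions, not the real scitokens keycache format.

```python
import json, sqlite3, time, urllib.request

# Hypothetical table layout for this example; NOT the real scitokens keycache schema.
SCHEMA = ("CREATE TABLE IF NOT EXISTS jwks (issuer TEXT PRIMARY KEY, jwks TEXT NOT NULL, "
          "fetched_at INTEGER NOT NULL, expires_at INTEGER NOT NULL)")

def http_get_json(url):
    """Default fetcher for the connected head node: plain HTTPS GET."""
    with urllib.request.urlopen(url, timeout=10) as resp:
        return json.loads(resp.read())

# Constructed discovery/JWKS responses so the example runs offline (issuer name is made up).
SAMPLE_RESPONSES = {
    "https://issuer.example/.well-known/openid-configuration": {"jwks_uri": "https://issuer.example/jwks"},
    "https://issuer.example/jwks": {"keys": [{"kty": "RSA", "kid": "k1", "e": "AQAB", "n": "AQAB"}]},
}

def fetch_issuer_jwks(issuer, get_json):
    """issuer -> OIDC discovery document -> jwks_uri -> JWKS (must hold RSA/EC keys)."""
    discovery = get_json(issuer.rstrip("/") + "/.well-known/openid-configuration")
    jwks = get_json(discovery["jwks_uri"])
    if not any(k.get("kty") in ("RSA", "EC") for k in jwks.get("keys", [])):
        raise ValueError("JWKS carries no RSA/EC public keys")
    return jwks

def refresh_cache(db_path, issuers, lifetime_s=86400, get_json=http_get_json, now=None):
    """Preload keys for every trusted issuer with a fixed lifetime; report per issuer."""
    now = int(time.time()) if now is None else now
    status = {}
    with sqlite3.connect(db_path) as conn:
        conn.execute(SCHEMA)
        for issuer in issuers:
            try:
                jwks = fetch_issuer_jwks(issuer, get_json)
            except Exception as exc:  # keep the previous entry (and its expiry) rather than wiping it
                status[issuer] = f"kept cached keys ({exc!r})"
                continue
            conn.execute("INSERT OR REPLACE INTO jwks VALUES (?, ?, ?, ?)",
                         (issuer, json.dumps(jwks), now, now + lifetime_s))
            status[issuer] = f"refreshed {len(jwks['keys'])} key(s)"
    return status

def cached_jwks(db_path, issuer, now=None):
    """Offline lookup on a worker node: the JWKS if cached and unexpired, else None."""
    now = int(time.time()) if now is None else now
    with sqlite3.connect(db_path) as conn:
        conn.execute(SCHEMA)
        row = conn.execute("SELECT jwks, expires_at FROM jwks WHERE issuer = ?", (issuer,)).fetchone()
    return json.loads(row[0]) if row and row[1] > now else None
```

Run `refresh_cache` from the head node's cron job and ship the resulting file to the worker nodes; a worker that gets `None` back from `cached_jwks` should reject the token rather than fall back to a fetch.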
