PyOIDC reimplementation
The integration of OpenID Connect with fts-rest has been reimplemented with pyoidc (https://github.com/OpenIDC/pyoidc).
New features:
- New configuration options:
    ValidateAccessTokenOffline=True
    JWKCacheSeconds=86400
    TokenRefreshDaemonIntervalInSeconds=600
  - The first is a boolean that indicates whether to validate access tokens offline using the cached JWK.
  - The second indicates the number of seconds JWKs from the issuer should be cached.
  - The third indicates the interval in seconds at which fts-rest should refresh stored access tokens.
- Multiple providers are supported. Under the configuration section [providers], three lines must be specified for each provider.
    [providers]
    xdc=https://iam.extreme-datacloud.eu
    xdc_ClientId=...
    xdc_ClientSecret=...
    wlcg=https://wlcg.cloud.cnaf.infn.it
    wlcg_ClientId=...
    wlcg_ClientSecret=...
  - The first line should be 'providername=URL'
  - The second line should be 'providername_ClientId=clientId'
  - The third line should be 'providername_ClientSecret=clientSecret'
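The three-lines-per-provider layout can be checked when the configuration is loaded, so that a provider with a missing ClientId or ClientSecret is reported instead of silently half-configured. The Python below is an added example, not fts-rest's own code; the function name load_providers, the placeholder credentials and the rule that an issuer URL must use https are assumptions of this example.

```python
import configparser
from urllib.parse import urlparse

# Constructed sample in the [providers] layout, with placeholder credentials
# and one deliberately incomplete provider (wlcg has no ClientSecret line).
SAMPLE = """
[providers]
xdc=https://iam.extreme-datacloud.eu
xdc_ClientId=example-client-id
xdc_ClientSecret=example-client-secret
wlcg=https://wlcg.cloud.cnaf.infn.it
wlcg_ClientId=example-client-id
"""
SUFFIXES = ("_ClientId", "_ClientSecret")


def load_providers(text):
    """Return ({name: settings}, [error strings]) for a [providers] section."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str  # keep key case; the default lowercases 'xdc_ClientId'
    parser.read_string(text)
    items = dict(parser["providers"]) if parser.has_section("providers") else {}
    # A provider name is any key that does not carry one of the two suffixes.
    names = [k for k in items if not k.endswith(SUFFIXES)]
    providers, errors = {}, []
    for name in names:
        url, problems = items[name].strip(), []
        parsed = urlparse(url)
        # Assumption of this example: issuers must be reachable over https only.
        if parsed.scheme != "https" or not parsed.netloc:
            problems.append("issuer URL must be an https URL")
        for suffix in SUFFIXES:
            if not items.get(name + suffix, "").strip():
                problems.append("missing " + name + suffix)
        if problems:
            errors.extend(f"{name}: {p}" for p in problems)
        else:
            providers[name] = {"issuer": url,
                               "client_id": items[name + "_ClientId"],
                               "client_secret": items[name + "_ClientSecret"]}
    # Suffix keys with no provider URL line are configuration errors too.
    for key in items:
        for suffix in SUFFIXES:
            if key.endswith(suffix) and key[: -len(suffix)] not in names:
                errors.append(f"{key}: no matching provider URL line")
    return providers, errors

if __name__ == "__main__":
    print(*load_providers(SAMPLE)[1], sep="\n")  # errors only, never the secrets
```

Only providers that pass every check are returned; the error list names each incomplete or mismatched entry without echoing credential values.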
Important fixes:
- IAMTokenRefresher (refreshes access tokens periodically) now runs as a single thread across all instances of fts-rest sharing a DB. If the thread is killed, another instance will spawn a new thread.