Command line tools - Authentication and Authorization Service
<!doctype html> <html lang="en" class="no-js"> <head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width,initial-scale=1"> <link rel="icon" href="../../assets/images/favicon.png"> <meta name="generator" content="mkdocs-1.3.1, mkdocs-material-8.5.3"> <title>Command line tools - Authentication and Authorization Service</title> <link rel="stylesheet" href="../../assets/stylesheets/main.7a952b86.min.css"> <link rel="stylesheet" href="../../assets/stylesheets/palette.cbb835fc.min.css"> <link rel="stylesheet" href="../../stylesheets/fonts.css"> <link rel="stylesheet" href="../../stylesheets/kuri-kuri.css"> <script>__md_scope=new URL("../..",location),__md_hash=e=>[...e].reduce((e,_)=>(e<<5)-e+_.charCodeAt(0),0),__md_get=(e,_=localStorage,t=__md_scope)=>JSON.parse(_.getItem(t.pathname+"."+e)),__md_set=(e,_,t=localStorage,a=__md_scope)=>{try{t.setItem(a.pathname+"."+e,JSON.stringify(_))}catch(e){}}</script> </head> <body dir="ltr" data-md-color-scheme="" data-md-color-primary="none" data-md-color-accent="none"> <input class="md-toggle" data-md-toggle="drawer" type="checkbox" id="__drawer" autocomplete="off"> <input class="md-toggle" data-md-toggle="search" type="checkbox" id="__search" autocomplete="off"> <label class="md-overlay" for="__drawer"></label> <div data-md-component="skip"> <a href="#command-line-tools" class="md-skip"> Skip to content </a> </div> <div data-md-component="announce"> </div> <header class="md-header" data-md-component="header"> <nav class="md-header__inner md-grid" aria-label="Header"> <a href="../.." 
title="Authentication and Authorization Service" class="md-header__button md-logo" aria-label="Authentication and Authorization Service" data-md-component="logo"> <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M12 8a3 3 0 0 0 3-3 3 3 0 0 0-3-3 3 3 0 0 0-3 3 3 3 0 0 0 3 3m0 3.54C9.64 9.35 6.5 8 3 8v11c3.5 0 6.64 1.35 9 3.54 2.36-2.19 5.5-3.54 9-3.54V8c-3.5 0-6.64 1.35-9 3.54Z"/></svg> </a> <label class="md-header__button md-icon" for="__drawer"> <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M3 6h18v2H3V6m0 5h18v2H3v-2m0 5h18v2H3v-2Z"/></svg> </label> <div class="md-header__title" data-md-component="header-title"> <div class="md-header__ellipsis"> <div class="md-header__topic"> <span class="md-ellipsis"> Authentication and Authorization Service </span> </div> <div class="md-header__topic" data-md-component="header-topic"> <span class="md-ellipsis"> Command line tools </span> </div> </div> </div> <label class="md-header__button md-icon" for="__search"> <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M9.5 3A6.5 6.5 0 0 1 16 9.5c0 1.61-.59 3.09-1.56 4.23l.27.27h.79l5 5-1.5 1.5-5-5v-.79l-.27-.27A6.516 6.516 0 0 1 9.5 16 6.5 6.5 0 0 1 3 9.5 6.5 6.5 0 0 1 9.5 3m0 2C7 5 5 7 5 9.5S7 14 9.5 14 14 12 14 9.5 12 5 9.5 5Z"/></svg> </label> <div class="md-search" data-md-component="search" role="dialog"> <label class="md-search__overlay" for="__search"></label> <div class="md-search__inner" role="search"> <form class="md-search__form" name="search"> <input type="text" class="md-search__input" name="query" aria-label="Search" placeholder="Search" autocapitalize="off" autocorrect="off" autocomplete="off" spellcheck="false" data-md-component="search-query" required> <label class="md-search__icon md-icon" for="__search"> <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M9.5 3A6.5 6.5 0 0 1 16 9.5c0 1.61-.59 3.09-1.56 4.23l.27.27h.79l5 5-1.5 1.5-5-5v-.79l-.27-.27A6.516 6.516 0 0 1 9.5 16 6.5 6.5 0 0 1 
3 9.5 6.5 6.5 0 0 1 9.5 3m0 2C7 5 5 7 5 9.5S7 14 9.5 14 14 12 14 9.5 12 5 9.5 5Z"/></svg> <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M20 11v2H8l5.5 5.5-1.42 1.42L4.16 12l7.92-7.92L13.5 5.5 8 11h12Z"/></svg> </label> <nav class="md-search__options" aria-label="Search"> <button type="reset" class="md-search__icon md-icon" title="Clear" aria-label="Clear" tabindex="-1"> <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M19 6.41 17.59 5 12 10.59 6.41 5 5 6.41 10.59 12 5 17.59 6.41 19 12 13.41 17.59 19 19 17.59 13.41 12 19 6.41Z"/></svg> </button> </nav> </form> <div class="md-search__output"> <div class="md-search__scrollwrap" data-md-scrollfix> <div class="md-search-result" data-md-component="search-result"> <div class="md-search-result__meta"> Initializing search </div> <ol class="md-search-result__list"></ol> </div> </div> </div> </div> </div> <div class="md-header__source"> <a href="https://gitlab.cern.ch/authzsvc/docs/authzsvc-docs" title="Go to repository" class="md-source" data-md-component="source"> <div class="md-source__icon md-icon"> <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 448 512"><!--! 
Font Awesome Free 6.2.0 by @fontawesome - https://fontawesome.com License - https://fontawesome.com/license/free (Icons: CC BY 4.0, Fonts: SIL OFL 1.1, Code: MIT License) Copyright 2022 Fonticons, Inc.--><path d="M439.55 236.05 244 40.45a28.87 28.87 0 0 0-40.81 0l-40.66 40.63 51.52 51.52c27.06-9.14 52.68 16.77 43.39 43.68l49.66 49.66c34.23-11.8 61.18 31 35.47 56.69-26.49 26.49-70.21-2.87-56-37.34L240.22 199v121.85c25.3 12.54 22.26 41.85 9.08 55a34.34 34.34 0 0 1-48.55 0c-17.57-17.6-11.07-46.91 11.25-56v-123c-20.8-8.51-24.6-30.74-18.64-45L142.57 101 8.45 235.14a28.86 28.86 0 0 0 0 40.81l195.61 195.6a28.86 28.86 0 0 0 40.8 0l194.69-194.69a28.86 28.86 0 0 0 0-40.81z"/></svg> </div> <div class="md-source__repository"> authzsvc-docs </div> </a> </div> </nav> </header> <div class="md-container" data-md-component="container"> <main class="md-main" data-md-component="main"> <div class="md-main__inner md-grid"> <div class="md-sidebar md-sidebar--primary" data-md-component="sidebar" data-md-type="navigation" > <div class="md-sidebar__scrollwrap"> <div class="md-sidebar__inner"> <nav class="md-nav md-nav--primary" aria-label="Navigation" data-md-level="0"> <label class="md-nav__title" for="__drawer"> <a href="../.." title="Authentication and Authorization Service" class="md-nav__button md-logo" aria-label="Authentication and Authorization Service" data-md-component="logo"> <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M12 8a3 3 0 0 0 3-3 3 3 0 0 0-3-3 3 3 0 0 0-3 3 3 3 0 0 0 3 3m0 3.54C9.64 9.35 6.5 8 3 8v11c3.5 0 6.64 1.35 9 3.54 2.36-2.19 5.5-3.54 9-3.54V8c-3.5 0-6.64 1.35-9 3.54Z"/></svg> </a> Authentication and Authorization Service </label> <div class="md-nav__source"> <a href="https://gitlab.cern.ch/authzsvc/docs/authzsvc-docs" title="Go to repository" class="md-source" data-md-component="source"> <div class="md-source__icon md-icon"> <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 448 512"><!--! 
Font Awesome Free 6.2.0 by @fontawesome - https://fontawesome.com License - https://fontawesome.com/license/free (Icons: CC BY 4.0, Fonts: SIL OFL 1.1, Code: MIT License) Copyright 2022 Fonticons, Inc.--><path d="M439.55 236.05 244 40.45a28.87 28.87 0 0 0-40.81 0l-40.66 40.63 51.52 51.52c27.06-9.14 52.68 16.77 43.39 43.68l49.66 49.66c34.23-11.8 61.18 31 35.47 56.69-26.49 26.49-70.21-2.87-56-37.34L240.22 199v121.85c25.3 12.54 22.26 41.85 9.08 55a34.34 34.34 0 0 1-48.55 0c-17.57-17.6-11.07-46.91 11.25-56v-123c-20.8-8.51-24.6-30.74-18.64-45L142.57 101 8.45 235.14a28.86 28.86 0 0 0 0 40.81l195.61 195.6a28.86 28.86 0 0 0 40.8 0l194.69-194.69a28.86 28.86 0 0 0 0-40.81z"/></svg> </div> <div class="md-source__repository"> authzsvc-docs </div> </a> </div> <ul class="md-nav__list" data-md-scrollfix> <li class="md-nav__item"> <a href="../.." class="md-nav__link"> CERN Authentication and Authorization Services </a> </li> <li class="md-nav__item md-nav__item--nested"> <input class="md-nav__toggle md-toggle" data-md-toggle="__nav_2" type="checkbox" id="__nav_2" > <label class="md-nav__link" for="__nav_2"> User authentication <span class="md-nav__icon md-icon"></span> </label> <nav class="md-nav" aria-label="User authentication" data-md-level="1"> <label class="md-nav__title" for="__nav_2"> <span class="md-nav__icon md-icon"></span> User authentication </label> <ul class="md-nav__list" data-md-scrollfix> <li class="md-nav__item"> <a href="../../user-documentation/authentication-options/" class="md-nav__link"> Authentication options </a> </li> <li class="md-nav__item"> <a href="../../user-documentation/two-factor-authentication/" class="md-nav__link"> Two factor authentication </a> </li> <li class="md-nav__item"> <a href="../../user-documentation/kerberos-authentication/" class="md-nav__link"> Kerberos </a> </li> <li class="md-nav__item"> <a href="../../user-documentation/time-limits/" class="md-nav__link"> Time limits </a> </li> <li class="md-nav__item"> <a 
href="../../user-documentation/autologon/" class="md-nav__link"> Autologon </a> </li> <li class="md-nav__item"> <a href="../../user-documentation/account-lifecycle/" class="md-nav__link"> Account Lifecycle </a> </li> <li class="md-nav__item"> <a href="../../user-documentation/unconfirmed-identities/" class="md-nav__link"> Unconfirmed identities </a> </li> </ul> </nav> </li> <li class="md-nav__item md-nav__item--active md-nav__item--nested"> <input class="md-nav__toggle md-toggle" data-md-toggle="__nav_3" type="checkbox" id="__nav_3" checked> <label class="md-nav__link" for="__nav_3"> Securing applications <span class="md-nav__icon md-icon"></span> </label> <nav class="md-nav" aria-label="Securing applications" data-md-level="1"> <label class="md-nav__title" for="__nav_3"> <span class="md-nav__icon md-icon"></span> Securing applications </label> <ul class="md-nav__list" data-md-scrollfix> <li class="md-nav__item"> <a href="../application-configuration/" class="md-nav__link"> Configuring your application </a> </li> <li class="md-nav__item"> <a href="../adding-application/" class="md-nav__link"> Adding your application to the service </a> </li> <li class="md-nav__item"> <a href="../permission-scheme/" class="md-nav__link"> Defining the permissions scheme </a> </li> <li class="md-nav__item"> <a href="../role-based-permissions/" class="md-nav__link"> Role based permissions (recommended) </a> </li> <li class="md-nav__item"> <a href="../group-based-permissions/" class="md-nav__link"> Group based permissions </a> </li> <li class="md-nav__item"> <a href="../sso-registration/" class="md-nav__link"> Registering your application to SSO </a> </li> <li class="md-nav__item md-nav__item--nested"> <input class="md-nav__toggle md-toggle" data-md-toggle="__nav_3_7" type="checkbox" id="__nav_3_7" > <label class="md-nav__link" for="__nav_3_7"> SAML <span class="md-nav__icon md-icon"></span> </label> <nav class="md-nav" aria-label="SAML" data-md-level="2"> <label class="md-nav__title" 
for="__nav_3_7"> <span class="md-nav__icon md-icon"></span> SAML </label> <ul class="md-nav__list" data-md-scrollfix> <li class="md-nav__item"> <a href="../../user-documentation/saml/saml/" class="md-nav__link"> About </a> </li> <li class="md-nav__item"> <a href="../../user-documentation/saml/config/" class="md-nav__link"> Configuration </a> </li> <li class="md-nav__item"> <a href="../../user-documentation/saml/shibboleth-integration/" class="md-nav__link"> Shibboleth integration </a> </li> <li class="md-nav__item"> <a href="../../user-documentation/saml/shibboleth-migration/" class="md-nav__link"> Shibboleth migration from the old SSO </a> </li> </ul> </nav> </li> <li class="md-nav__item md-nav__item--nested"> <input class="md-nav__toggle md-toggle" data-md-toggle="__nav_3_8" type="checkbox" id="__nav_3_8" > <label class="md-nav__link" for="__nav_3_8"> OIDC <span class="md-nav__icon md-icon"></span> </label> <nav class="md-nav" aria-label="OIDC" data-md-level="2"> <label class="md-nav__title" for="__nav_3_8"> <span class="md-nav__icon md-icon"></span> OIDC </label> <ul class="md-nav__list" data-md-scrollfix> <li class="md-nav__item"> <a href="../../user-documentation/oidc/oidc/" class="md-nav__link"> About </a> </li> <li class="md-nav__item"> <a href="../../user-documentation/oidc/token-requests/" class="md-nav__link"> Token Requests </a> </li> <li class="md-nav__item"> <a href="../../user-documentation/oidc/scopes/" class="md-nav__link"> Scopes </a> </li> <li class="md-nav__item"> <a href="../../user-documentation/oidc/config/" class="md-nav__link"> OIDC configuration and usage </a> </li> <li class="md-nav__item"> <a href="../../user-documentation/oidc/apache/" class="md-nav__link"> Apache configuration </a> </li> <li class="md-nav__item"> <a href="../../user-documentation/oidc/securing-apis/" class="md-nav__link"> Securing APIs </a> </li> <li class="md-nav__item"> <a href="../../user-documentation/oidc/api-access/" class="md-nav__link"> API Access </a> </li> <li 
class="md-nav__item"> <a href="../../user-documentation/oidc/exchange-for-api/" class="md-nav__link"> Token Exchange </a> </li> <li class="md-nav__item"> <a href="../../user-documentation/oidc/device-code/" class="md-nav__link"> Device Code </a> </li> <li class="md-nav__item"> <a href="../../user-documentation/oidc/libraries/" class="md-nav__link"> Suggested libraries </a> </li> </ul> </nav> </li> <li class="md-nav__item"> <a href="../examples/" class="md-nav__link"> Examples </a> </li> <li class="md-nav__item"> <a href="../qa-environment/" class="md-nav__link"> QA Environment </a> </li> <li class="md-nav__item md-nav__item--active"> <input class="md-nav__toggle md-toggle" data-md-toggle="toc" type="checkbox" id="__toc"> <label class="md-nav__link md-nav__link--active" for="__toc"> Command line tools <span class="md-nav__icon md-icon"></span> </label> <a href="./" class="md-nav__link md-nav__link--active"> Command line tools </a> <nav class="md-nav md-nav--secondary" aria-label="Table of contents"> <label class="md-nav__title" for="__toc"> <span class="md-nav__icon md-icon"></span> Table of contents </label> <ul class="md-nav__list" data-md-component="toc" data-md-scrollfix> <li class="md-nav__item"> <a href="#overview" class="md-nav__link"> Overview </a> </li> <li class="md-nav__item"> <a href="#installing-the-package" class="md-nav__link"> Installing the package </a> </li> <li class="md-nav__item"> <a href="#auth-get-sso-cookie" class="md-nav__link"> auth-get-sso-cookie </a> <nav class="md-nav" aria-label="auth-get-sso-cookie"> <ul class="md-nav__list"> <li class="md-nav__item"> <a href="#usage" class="md-nav__link"> Usage </a> </li> <li class="md-nav__item"> <a href="#migration-from-cern-get-sso-cookie" class="md-nav__link"> Migration from cern-get-sso-cookie </a> </li> </ul> </nav> </li> <li class="md-nav__item"> <a href="#auth-get-sso-token" class="md-nav__link"> auth-get-sso-token </a> </li> <li class="md-nav__item"> <a href="#auth-get-user-token" 
class="md-nav__link"> auth-get-user-token </a> </li> </ul> </nav> </li> <li class="md-nav__item"> <a href="../../user-documentation/faqs/" class="md-nav__link"> FAQs </a> </li> </ul> </nav> </li> <li class="md-nav__item md-nav__item--nested"> <input class="md-nav__toggle md-toggle" data-md-toggle="__nav_4" type="checkbox" id="__nav_4" > <label class="md-nav__link" for="__nav_4"> Group Management System <span class="md-nav__icon md-icon"></span> </label> <nav class="md-nav" aria-label="Group Management System" data-md-level="1"> <label class="md-nav__title" for="__nav_4"> <span class="md-nav__icon md-icon"></span> Group Management System </label> <ul class="md-nav__list" data-md-scrollfix> <li class="md-nav__item"> <a href="../../roadmap/group-missing-features/" class="md-nav__link"> Missing features </a> </li> <li class="md-nav__item"> <a href="../../groups/special-groups/" class="md-nav__link"> Special groups </a> </li> <li class="md-nav__item"> <a href="../../groups/dynamic-guidance/" class="md-nav__link"> Dynamic groups </a> </li> <li class="md-nav__item"> <a href="../../groups/csv/" class="md-nav__link"> CSV </a> </li> <li class="md-nav__item"> <a href="../../groups/e-groups-to-gms-sync-scenario/" class="md-nav__link"> E-Groups to GMS transition </a> </li> </ul> </nav> </li> <li class="md-nav__item md-nav__item--nested"> <input class="md-nav__toggle md-toggle" data-md-toggle="__nav_5" type="checkbox" id="__nav_5" > <label class="md-nav__link" for="__nav_5"> Resources lifecycle and eligibility <span class="md-nav__icon md-icon"></span> </label> <nav class="md-nav" aria-label="Resources lifecycle and eligibility" data-md-level="1"> <label class="md-nav__title" for="__nav_5"> <span class="md-nav__icon md-icon"></span> Resources lifecycle and eligibility </label> <ul class="md-nav__list" data-md-scrollfix> <li class="md-nav__item"> <a href="../../resources/resources/" class="md-nav__link"> Introduction </a> </li> <li class="md-nav__item"> <a 
href="../../resources/resource-lifecycle-integration/" class="md-nav__link"> Integration </a> </li> <li class="md-nav__item"> <a href="../../resources/resource-states/" class="md-nav__link"> Resource States </a> </li> <li class="md-nav__item"> <a href="../../resources/push-rest-api/" class="md-nav__link"> Resources REST API (push) </a> </li> <li class="md-nav__item"> <a href="../../resources/policies/" class="md-nav__link"> Custom Resource Policies </a> </li> </ul> </nav> </li> <li class="md-nav__item md-nav__item--nested"> <input class="md-nav__toggle md-toggle" data-md-toggle="__nav_6" type="checkbox" id="__nav_6" > <label class="md-nav__link" for="__nav_6"> Documents <span class="md-nav__icon md-icon"></span> </label> <nav class="md-nav" aria-label="Documents" data-md-level="1"> <label class="md-nav__title" for="__nav_6"> <span class="md-nav__icon md-icon"></span> Documents </label> <ul class="md-nav__list" data-md-scrollfix> <li class="md-nav__item"> <a href="../../documents/why-keycloak/" class="md-nav__link"> Why Keycloak </a> </li> <li class="md-nav__item"> <a href="../../documents/presentations/" class="md-nav__link"> Presentations </a> </li> <li class="md-nav__item"> <a href="../../documents/our-contributions/" class="md-nav__link"> Our contributions to Keycloak </a> </li> </ul> </nav> </li> <li class="md-nav__item md-nav__item--nested"> <input class="md-nav__toggle md-toggle" data-md-toggle="__nav_7" type="checkbox" id="__nav_7" > <label class="md-nav__link" for="__nav_7"> Services <span class="md-nav__icon md-icon"></span> </label> <nav class="md-nav" aria-label="Services" data-md-level="1"> <label class="md-nav__title" for="__nav_7"> <span class="md-nav__icon md-icon"></span> Services </label> <ul class="md-nav__list" data-md-scrollfix> <li class="md-nav__item"> <a href="../../services/" class="md-nav__link"> Overview </a> </li> <li class="md-nav__item"> <a href="../../services/instances/" class="md-nav__link"> Links to instances </a> </li> <li 
class="md-nav__item md-nav__item--nested"> <input class="md-nav__toggle md-toggle" data-md-toggle="__nav_7_3" type="checkbox" id="__nav_7_3" > <label class="md-nav__link" for="__nav_7_3"> Authorization Service API <span class="md-nav__icon md-icon"></span> </label> <nav class="md-nav" aria-label="Authorization Service API" data-md-level="2"> <label class="md-nav__title" for="__nav_7_3"> <span class="md-nav__icon md-icon"></span> Authorization Service API </label> <ul class="md-nav__list" data-md-scrollfix> <li class="md-nav__item"> <a href="../../authzsvc/overview/" class="md-nav__link"> Overview </a> </li> <li class="md-nav__item"> <a href="../../authzsvc/managed-applications/" class="md-nav__link"> Managing applications for other users </a> </li> <li class="md-nav__item"> <a href="../../authzsvc/roles/" class="md-nav__link"> Role definitions </a> </li> <li class="md-nav__item"> <a href="../../authzsvc/model/" class="md-nav__link"> Model (attributes) </a> </li> <li class="md-nav__item"> <a href="../../authzsvc/examples/" class="md-nav__link"> Examples </a> </li> </ul> </nav> </li> </ul> </nav> </li> <li class="md-nav__item md-nav__item--nested"> <input class="md-nav__toggle md-toggle" data-md-toggle="__nav_8" type="checkbox" id="__nav_8" > <label class="md-nav__link" for="__nav_8"> Help <span class="md-nav__icon md-icon"></span> </label> <nav class="md-nav" aria-label="Help" data-md-level="1"> <label class="md-nav__title" for="__nav_8"> <span class="md-nav__icon md-icon"></span> Help </label> <ul class="md-nav__list" data-md-scrollfix> <li class="md-nav__item"> <a href="../../trouble-shooting/edugain-authentication/" class="md-nav__link"> eduGAIN Authentication </a> </li> <li class="md-nav__item"> <a href="../../trouble-shooting/2fa-tips/" class="md-nav__link"> 2FA Tips </a> </li> </ul> </nav> </li> <li class="md-nav__item"> <a href="../../privacy-notice/" class="md-nav__link"> Privacy notice </a> </li> <li class="md-nav__item md-nav__item--nested"> <input 
class="md-nav__toggle md-toggle" data-md-toggle="__nav_10" type="checkbox" id="__nav_10" > <label class="md-nav__link" for="__nav_10"> Migration notes <span class="md-nav__icon md-icon"></span> </label> <nav class="md-nav" aria-label="Migration notes" data-md-level="1"> <label class="md-nav__title" for="__nav_10"> <span class="md-nav__icon md-icon"></span> Migration notes </label> <ul class="md-nav__list" data-md-scrollfix> <li class="md-nav__item"> <a href="../../migrations/keycloak24/" class="md-nav__link"> Keycloak 24 </a> </li> </ul> </nav> </li> <li class="md-nav__item"> <a href="../../contact/" class="md-nav__link"> Contact </a> </li> </ul> </nav> </div> </div> </div> <div class="md-sidebar md-sidebar--secondary" data-md-component="sidebar" data-md-type="toc" > <div class="md-sidebar__scrollwrap"> <div class="md-sidebar__inner"> <nav class="md-nav md-nav--secondary" aria-label="Table of contents"> <label class="md-nav__title" for="__toc"> <span class="md-nav__icon md-icon"></span> Table of contents </label> <ul class="md-nav__list" data-md-component="toc" data-md-scrollfix> <li class="md-nav__item"> <a href="#overview" class="md-nav__link"> Overview </a> </li> <li class="md-nav__item"> <a href="#installing-the-package" class="md-nav__link"> Installing the package </a> </li> <li class="md-nav__item"> <a href="#auth-get-sso-cookie" class="md-nav__link"> auth-get-sso-cookie </a> <nav class="md-nav" aria-label="auth-get-sso-cookie"> <ul class="md-nav__list"> <li class="md-nav__item"> <a href="#usage" class="md-nav__link"> Usage </a> </li> <li class="md-nav__item"> <a href="#migration-from-cern-get-sso-cookie" class="md-nav__link"> Migration from cern-get-sso-cookie </a> </li> </ul> </nav> </li> <li class="md-nav__item"> <a href="#auth-get-sso-token" class="md-nav__link"> auth-get-sso-token </a> </li> <li class="md-nav__item"> <a href="#auth-get-user-token" class="md-nav__link"> auth-get-user-token </a> </li> </ul> </nav> </div> </div> </div> <div 
class="md-content" data-md-component="content"> <article class="md-content__inner md-typeset"> <a href="https://gitlab.cern.ch/authzsvc/docs/authzsvc-docs/-/blob/master/docs/applications/command-line-tools.md" title="Edit this page" class="md-content__button md-icon"> <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M20.71 7.04c.39-.39.39-1.04 0-1.41l-2.34-2.34c-.37-.39-1.02-.39-1.41 0l-1.84 1.83 3.75 3.75M3 17.25V21h3.75L17.81 9.93l-3.75-3.75L3 17.25Z"/></svg> </a> <h1 id="command-line-tools">Command line tools</h1> <p>We provide some command line tools in order to get a valid SSO session token without using a web browser.</p> <div class="admonition warning"> <p class="admonition-title">Warning</p> <p>We generally don't recommend Kerberos or cookie-based tools to secure or call web APIs. The only supported cases are migrations from <code>cern-get-sso-cookie</code> to <code>auth-get-sso-cookie</code>, and this support will stop in the long term. We will request API owners to stop accepting cookies and migrate them to better alternatives, such as JWT tokens from the CERN SSO. API clients will be able to get credentials using <a href="../../user-documentation/oidc/api-access/">API Access tokens</a>.</p> </div> <h2 id="overview">Overview</h2> <table> <thead> <tr> <th>Tool</th> <th>Input credentials</th> <th>Output credentials</th> <th>2FA supported</th> <th>Works for interactive sessions <br> (user in front of a computer)</th> <th>Works for automated flows <br> (e.g. 
acronjobs)</th> </tr> </thead> <tbody> <tr> <td><a href="#auth-get-sso-cookie"><code>auth-get-sso-cookie</code></a></td> <td>⚠️ Kerberos ticket</td> <td>⚠️ SSO cookies</td> <td>🚫 no</td> <td>✅ yes</td> <td>✅ yes</td> </tr> <tr> <td><a href="#auth-get-sso-token"><code>auth-get-sso-token</code></a></td> <td>⚠️ Kerberos ticket</td> <td>OIDC token</td> <td>🚫 no</td> <td>✅ yes</td> <td>✅ yes</td> </tr> <tr> <td><a href="https://gitlab.cern.ch/authzsvc/tools/auth-get-sso-cookie#auth-get-user-token"><code>auth-get-user-token</code></a></td> <td>browser-based SSO login with any usual credentials (password, Kerberos, 2FA)</td> <td>OIDC token</td> <td>✅ yes</td> <td>✅ yes</td> <td>🚫 no</td> </tr> <tr> <td><a href="https://github.com/indigo-dc/oidc-agent"><code>oidc-agent</code></a>*</td> <td>different SSO login flows supported, with locally managed refresh tokens for persistent sessions</td> <td>OIDC token</td> <td>✅ yes</td> <td>✅ yes</td> <td>✅ yes</td> </tr> </tbody> </table> <p>(*) This tool is not part of the CERN package, but it is also available on LXPLUS.</p> <h2 id="installing-the-package">Installing the package</h2> <p>These command line tools are already installed on <code>lxplus.cern.ch</code> clusters.</p> <p>If you want to install them on other machines, the RPM packages are available in the <code>authz[OS]-stable</code> internal repository (Koji tag) - for example:</p> <ul> <li>RHEL 9: <a href="https://linuxsoft.cern.ch/internal/repos/authz9el-stable/x86_64/os/Packages/">https://linuxsoft.cern.ch/internal/repos/authz9el-stable/x86_64/os/Packages/</a></li> <li>AlmaLinux 9: <a href="https://linuxsoft.cern.ch/internal/repos/authz9al-stable/x86_64/os/Packages/">https://linuxsoft.cern.ch/internal/repos/authz9al-stable/x86_64/os/Packages/</a></li> <li>CentOS 8: <a href="http://linuxsoft.cern.ch/internal/repos/authz8-stable/x86_64/os/Packages/">http://linuxsoft.cern.ch/internal/repos/authz8-stable/x86_64/os/Packages/</a></li> <li>CentOS Stream 8: <a 
href="http://linuxsoft.cern.ch/internal/repos/authz8s-stable/x86_64/os/Packages/">http://linuxsoft.cern.ch/internal/repos/authz8s-stable/x86_64/os/Packages/</a></li> <li>etc.</li> </ul> <p>The CentOS 8 and CentOS Stream 8 links above use plain <code>http://</code>; where the repository is also reachable over <code>https://</code>, as in the RHEL 9 and AlmaLinux 9 links, configure that form and leave yum's package signature checking enabled, so that packages and repository metadata cannot be altered in transit.</p> <p>After adding the RPM source, you will be able to install the package:</p> <div class="highlight"><pre><span></span><code>yum<span class="w"> </span>install<span class="w"> </span>auth-get-sso-cookie </code></pre></div> <h2 id="auth-get-sso-cookie">auth-get-sso-cookie</h2> <p>This utility is a replacement for <code>cern-get-sso-cookie</code> for the new SSO.</p> <p><code>auth-get-sso-cookie</code> acquires a CERN Single Sign-On cookie using Kerberos credentials, allowing automated access to CERN SSO-protected pages with tools such as wget or curl.</p> <div class="admonition info"> <p class="admonition-title">2FA authentication is currently <em>not</em> supported.</p> </div> <h3 id="usage">Usage</h3> <p>You will need a valid Kerberos TGT to run the utility: run <code>kinit &lt;user&gt;</code> before the script.</p> <p>Use this tool to get a valid SSO and application cookie from a protected URL. This cookie will be valid for 10 hours. During that time anyone who can read the cookie file can reuse the session, so write it to a location that only your account can read.</p> <div class="admonition warning"> <p class="admonition-title">Warning</p> <p>Every time you get new cookies, this will start a new SSO session but it won't log off any other session. To avoid starting too many sessions, please reuse your cookies as much as possible while they are valid.</p> </div> <div class="highlight"><pre><span></span><code>$ auth-get-sso-cookie --help usage: auth-get-sso-cookie [-h] [-u URL] [-o OUTFILE] [--nocertverify] [--verbose] [--debug] [--auth-server AUTH_SERVER] Acquires the CERN Single Sign-On cookie using Kerberos credentials. (Note that 2FA authentication is currently not supported.) optional arguments: -h, --help show this help message and exit -u URL, --url URL CERN SSO protected site URL to get cookie for. 
-o OUTFILE, --outfile OUTFILE File to store the cookie for further usage --nocertverify Disables peer certificate verification. Useful for debugging/tests when peer host does have a self-signed certificate for example. --verbose, -v Provide more information on authentication process --debug, -vv Provide detailed debugging information --auth-server AUTH_SERVER, -s AUTH_SERVER Authentication server (default: auth.cern.ch) </code></pre></div> <p><code>--nocertverify</code> is meant for debugging and tests only: with peer certificate verification disabled, the tool cannot confirm which server it is authenticating to, so do not use it when obtaining cookies for real services.</p> <div class="highlight"><pre><span></span><code>auth-get-sso-cookie -u &lt;url&gt; -o &lt;cookies_file&gt; </code></pre></div> <p>Example:</p> <div class="highlight"><pre><span></span><code>auth-get-sso-cookie -u https://openstack.cern.ch -o cookies.txt curl -L -b cookies.txt https://openstack.cern.ch </code></pre></div> <h3 id="migration-from-cern-get-sso-cookie">Migration from cern-get-sso-cookie</h3> <p>It is possible to migrate from <code>cern-get-sso-cookie</code> to <code>auth-get-sso-cookie</code> and make your integrations compatible with the old and the new SSO at the same time using Kerberos credentials (this compatibility will be limited to a transition period until the old SSO is decommissioned). 
Certificate credentials are not supported by the new tool, neither in the old SSO.</p> <p>Steps to migrate to the new tool:</p> <ol> <li> <p>Install the RPM package: <code>yum install auth-get-sso-cookie</code></p> </li> <li> <p>Replace all your calls to <code>cern-get-sso-cookie</code> with <code>auth-get-sso-cookie</code>, or create a symlink as described below.</p> </li> </ol> <p>If you have too many calls to replace in your code or you prefer not to change it, it can be easier to uninstall <code>cern-get-sso-cookie</code> and add a symbolic link to <code>auth-get-sso-cookie</code>.</p> <ol> <li><code>yum remove cern-get-sso-cookie</code></li> <li><code>ln -s /usr/bin/auth-get-sso-cookie /usr/bin/cern-get-sso-cookie</code></li> </ol> <h2 id="auth-get-sso-token">auth-get-sso-token</h2> <p>This is a legacy tool and it will be removed in the future. It is NOT compatible with accounts that have "always-on 2FA". Please use one of the following available alternatives:</p> <ul> <li>When getting access tokens for a user (interactive workflows): auth-get-user-token.</li> <li>For automated workflows: OAuth2 Client Credentials Grant or the API-Access endpoint.</li> </ul> <p>Use this tool to get a valid SSO token for a protected URL. The obtained token will be valid for 20 minutes.</p> <div class="admonition info"> <p class="admonition-title">Info</p> <p>The scope of this tool is to have an easy way for debugging/testing authentication for APIs and web applications from the command line. It can also work for securing APIs as an alternative to <code>cern-get-sso-cookie</code>, but it is not supported for production services. 
We recommend using <a href="../../user-documentation/oidc/api-access/">API Access</a> for most integrations.</p> </div> <div class="highlight"><pre><span></span><code>$ auth-get-sso-token --help usage: auth-get-sso-token [-h] [--url URL] [--clientid CLIENTID] [--nocertverify] [--verbose] [--debug] Acquires a user token for a public client using Kerberos credentials optional arguments: -h, --help show this help message and exit --url URL, -u URL Application or Redirect URL. Required for the OAuth request. --clientid CLIENTID, -c CLIENTID Client ID of a public client --nocertverify Disables peer certificate verification. Useful for debugging/tests when peer host does have a self-signed certificate for example. --verbose, -v Provide more information on authentication process --debug, -vv Provide detailed debugging information </code></pre></div> <p>Example:</p> <div class="highlight"><pre><span></span><code>TOKEN=$(./auth-get-sso-token -u http://localhost:5000 -c public-client) curl -X PUT "https://localhost:5000/api/foobar" -H "authorization: Bearer $TOKEN" -d "{\"foo\": \"bar\"}" </code></pre></div> <h2 id="auth-get-user-token">auth-get-user-token</h2> <p>Use this tool to get a valid SSO token for a client that accepts Device Authorization Grant. 
The obtained token will be valid for 20 minutes.</p> <div class="admonition info"> <p class="admonition-title">Info</p> <p>For confidential clients (OIDC SSO registrations that have a clientId and a secret), you need to use the parameter AUDIENCE.</p> </div> <p>Example:</p> <div class="highlight"><pre><span></span><code>auth-get-user-token -c my-public-client -o token.txt -x token=$(&lt;token.txt) curl -X PUT "https://myapi.cern.ch/api/foobar" -H "authorization: Bearer $token" -d "{\"foo\": \"bar\"}" </code></pre></div> <p>The file <code>token.txt</code> holds a bearer token: anyone who can read it can call the API as you until the token expires, so keep the file readable only by your own account and remove it when you are done.</p> <p>In case the client is confidential:</p> <ol> <li>create a second application <a href="https://application-portal.web.cern.ch/">in the application portal</a>, for example <code>my-new-public-client</code></li> <li>allow token exchange between <code>my-new-public-client</code> and the existing confidential client on the SSO registration tab of <code>my-new-public-client</code> in the application portal</li> <li>run: <code>auth-get-user-token -c my-new-public-client -a my-confidential-client -o token.txt -x</code>, where <code>-a</code> is the audience, i.e. the target client ID that the token is exchanged for</li> </ol> <p>For more details, please see our <a href="https://gitlab.cern.ch/authzsvc/tools/auth-get-sso-cookie#auth-get-user-token">GitLab repository</a>.</p> </article> </div> </div> </main> <footer class="md-footer"> <nav class="md-footer__inner md-grid" aria-label="Footer" > <a href="../qa-environment/" class="md-footer__link md-footer__link--prev" aria-label="Previous: QA Environment" rel="prev"> <div class="md-footer__button md-icon"> <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M20 11v2H8l5.5 5.5-1.42 1.42L4.16 12l7.92-7.92L13.5 5.5 8 11h12Z"/></svg> </div> <div class="md-footer__title"> <div class="md-ellipsis"> <span class="md-footer__direction"> Previous </span> QA Environment </div> </div> </a> <a href="../../user-documentation/faqs/" class="md-footer__link md-footer__link--next" aria-label="Next: FAQs" rel="next"> <div 
class="md-footer__title"> <div class="md-ellipsis"> <span class="md-footer__direction"> Next </span> FAQs </div> </div> <div class="md-footer__button md-icon"> <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M4 11v2h12l-5.5 5.5 1.42 1.42L19.84 12l-7.92-7.92L10.5 5.5 16 11H4Z"/></svg> </div> </a> </nav> <div class="md-footer-meta md-typeset"> <div class="md-footer-meta__inner md-grid"> <div class="md-copyright"> Made with <a href="https://squidfunk.github.io/mkdocs-material/" target="_blank" rel="noopener"> Material for MkDocs </a> </div> </div> </div> </footer> </div> <div class="md-dialog" data-md-component="dialog"> <div class="md-dialog__inner md-typeset"></div> </div> <script id="__config" type="application/json">{"base": "../..", "features": [], "search": "../../assets/javascripts/workers/search.5bf1dace.min.js", "translations": {"clipboard.copied": "Copied to clipboard", "clipboard.copy": "Copy to clipboard", "search.config.lang": "en", "search.config.pipeline": "trimmer, stopWordFilter", "search.config.separator": "[\\s\\-]+", "search.placeholder": "Search", "search.result.more.one": "1 more on this page", "search.result.more.other": "# more on this page", "search.result.none": "No matching documents", "search.result.one": "1 matching document", "search.result.other": "# matching documents", "search.result.placeholder": "Type to start searching", "search.result.term.missing": "Missing", "select.version.title": "Select version"}}</script> <script src="../../assets/javascripts/bundle.37e9125f.min.js"></script> </body> </html>