@atsareg atsareg commented Jul 18, 2025

This PR adds the possibility to define IdP client credentials per user group, to allow using the same IdProvider for several VOs without the need to define a separate IdProvider per VO. If no setting is added for a group, generic client credentials will be taken. So, existing IdP configurations will still be valid. Example IdP configuration:

  Resources
  {
    IdProviders
    {
      <IdProvider name>
      {
        client_id = <client_id>
        client_secret = <client_secret>
        dirac_pilot
        {
          client_id = <client_id_for_dirac_VO>
          client_secret = <client_secret_for_dirac_VO>
        }
        biomed_pilot
        {
          client_id = <client_id_for_biomed_VO>
          client_secret = <client_secret_for_biomed_VO>
        }
      }
    }
  }

BEGINRELEASENOTES

*Framework
NEW: Possibility to define several OAuth2 clients for a given IdP for different DIRAC groups

ENDRELEASENOTES

@DIRACGridBot added the alsoTargeting:integration label (Cherry pick this PR to integration after merge) on Jul 18, 2025
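The per-group lookup with generic fallback described in the PR text, as an added sketch that is not DIRAC's code: `parse_cfg`, `client_credentials`, `ExampleIdP` and all values are hypothetical. Rejecting a group section that sets only one of the two options is an assumption of this example, made so that a group `client_id` is never paired with the generic `client_secret`; the PR text does not say how that case is handled.

```python
# Constructed sample in the layout from the PR description; every value is a placeholder.
SAMPLE_CFG = """
Resources
{
  IdProviders
  {
    ExampleIdP
    {
      client_id = generic-id
      client_secret = generic-secret
      dirac_pilot
      {
        client_id = dirac-id
        client_secret = dirac-secret
      }
      biomed_pilot
      {
        client_id = biomed-id
      }
    }
  }
}
"""

def parse_cfg(text):
    """Minimal parser for the brace layout above (hypothetical helper)."""
    stack, name = [{}], None
    for line in filter(None, map(str.strip, text.splitlines())):
        if line == "{":
            stack.append(stack[-1].setdefault(name, {}))
        elif line == "}":
            stack.pop()
        elif "=" in line:
            key, _, value = line.partition("=")
            stack[-1][key.strip()] = value.strip()
        else:
            name = line  # section name; its "{" follows on the next line
    return stack[0]

def client_credentials(cfg, idp, group):
    """Group-specific (client_id, client_secret), else the IdP's generic pair."""
    idp_cfg = cfg["Resources"]["IdProviders"][idp]
    override = idp_cfg.get(group)
    if not isinstance(override, dict):
        return idp_cfg["client_id"], idp_cfg["client_secret"]
    if not (override.get("client_id") and override.get("client_secret")):
        # Assumption of this example: refuse to mix group and generic values.
        raise ValueError(f"incomplete client credentials for group {group!r}")
    return override["client_id"], override["client_secret"]
```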
@aldbr aldbr left a comment

LGTM

chaen commented Aug 4, 2025

For my education, what is the gain of doing it like this instead of using one IdP per VO?
Also, given the examples you write, it is aimed at the pilot submission. But how does it work when you need tokens for other purposes which use a different group (VOMS2CS, FTS3, etc.)?
