Access Token source
You’ll need an OIDC Access Token to authenticate to the SSH server.
You might want to check out the oidc-agent for that. It is a daemon that can provide valid access tokens from any number of configured OIDC Providers (OPs).
Once you get the oidc-agent running, configure an account for your preferred OP. For example, you can generate an account configuration for the EGI AAI named egi as follows:
oidc-gen --pub --iss https://aai.egi.eu/oidc --scope "openid profile email offline_access eduperson_entitlement eduperson_scoped_affiliation eduperson_unique_id" egi
To use your EGI identity for SSH login, you can set the oidc-agent account in an environment variable:
export OIDC_AGENT_ACCOUNT=egi
If you have another way to retrieve OIDC access tokens, don’t worry. You can pass the token directly to the SSH command through an environment variable:
export ACCESS_TOKEN=<paste your token here>
Configuration options
mccli supports multiple ways of retrieving an Access Token.
They are shown below, in the order they are checked. The first source that is found will be used. If no source is specified, it will try to retrieve the supported token issuer from the service.
Options
- --token <TOKEN>
  Pass token directly.
- --oa-account, --oidc <SHORTNAME>
  Name of configured account in oidc-agent.
- --iss, --issuer <URL>
  URL of token issuer. Configured account in oidc-agent for this issuer will be used.
Environment variables
Instead of the options above, environment variables can provide default values for the different sources.
- [ACCESS_TOKEN, OIDC, OS_ACCESS_TOKEN, OIDC_ACCESS_TOKEN, WATTS_TOKEN, WATTSON_TOKEN]
  provide a default for --token
- [OIDC_AGENT_ACCOUNT]
  provide a default for --oa-account
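Because a directly passed token is checked before the oidc-agent account, a token left over in one of the variables above is picked up ahead of OIDC_AGENT_ACCOUNT. The following pre-flight check is an added example, not part of mccli: the function names are hypothetical, it assumes the variables are consulted in the order listed, and it assumes the access token is a JWT whose `exp` claim can be read (opaque tokens are reported as such).

```shell
#!/bin/sh
# Added example, not part of mccli: reports the token source that the lookup
# order documented above would select, without printing any token value.

# Variables that default --token (assumption: consulted in the listed order).
TOKEN_VARS="ACCESS_TOKEN OIDC OS_ACCESS_TOKEN OIDC_ACCESS_TOKEN WATTS_TOKEN WATTSON_TOKEN"

token_source() {
    for name in $TOKEN_VARS; do
        eval "value=\${$name:-}"    # name comes only from the fixed list above
        if [ -n "$value" ]; then
            echo "token:$name"
            return 0
        fi
    done
    if [ -n "${OIDC_AGENT_ACCOUNT:-}" ]; then
        echo "oidc-agent:$OIDC_AGENT_ACCOUNT"
        return 0
    fi
    echo "none"
    return 1
}

# Seconds until the "exp" claim of a JWT-shaped token; "opaque" if not a JWT.
# Reads the claim only; it does not verify the signature.
jwt_seconds_left() {
    payload=$(printf '%s' "$1" | cut -s -d. -f2 | tr '_-' '/+')
    case $(( ${#payload} % 4 )) in      # restore base64 padding
        2) payload="$payload==" ;;
        3) payload="$payload=" ;;
    esac
    exp=$(printf '%s' "$payload" | base64 -d 2>/dev/null | tr -d ' \n' |
          sed -n 's/.*"exp":\([0-9][0-9]*\).*/\1/p')
    if [ -z "$exp" ]; then echo "opaque"; return 0; fi
    echo $(( $exp - $(date +%s) ))
}

# Constructed demo: an expired token left in ACCESS_TOKEN shadows the agent account.
(
    claims=$(printf '{"exp":%s}' "$(( $(date +%s) - 60 ))" | base64 | tr -d '=\n' | tr '/+' '_-')
    ACCESS_TOKEN="eyJhbGciOiJub25lIn0.$claims.sig"
    OIDC_AGENT_ACCOUNT=egi
    token_source                        # token:ACCESS_TOKEN
    jwt_seconds_left "$ACCESS_TOKEN"    # negative: already expired
)
```

If the reported source is a token variable with no time left, unset that variable so the oidc-agent account is used instead.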