Command line tools

We provide some command line tools in order to get a valid SSO session token without using a web browser.

Warning

These tools are not recommended for securing or calling web APIs. Only migrations from cern-get-sso-cookie to auth-get-sso-cookie will be supported, and this support will stop in the long term. We will request API owners to stop accepting cookies and migrate them to better alternatives, such as JWT tokens from the CERN SSO. API clients will be able to get credentials using API Access tokens.

Installing the package

The command line tools package is available in the authz7-stable internal repository (Koji tag).

  • CentOS 7: http://linuxsoft.cern.ch/internal/repos/authz7-stable/x86_64/os/Packages/

  • CentOS 8: http://linuxsoft.cern.ch/internal/repos/authz8-stable/x86_64/os/Packages/

  • CentOS Stream 8: http://linuxsoft.cern.ch/internal/repos/authz8s-stable/x86_64/os/Packages/

After adding the rpm source, you will be able to install the package:

yum install auth-get-sso-cookie

This utility is a replacement for cern-get-sso-cookie for the new SSO.

auth-get-sso-cookie acquires a CERN Single Sign-On cookie using Kerberos credentials, allowing automated access to CERN SSO protected pages with tools such as wget or curl.

Usage

You will need a valid Kerberos TGT to run the utility: run kinit <user> before the script.

Use this tool to get a valid SSO and application cookie from a protected URL. This cookie will be valid for 10 hours.

Warning

Every time you get new cookies, this will start a new SSO session but it won't log off any other session. To avoid starting too many sessions, please reuse your cookies as much as possible while they are valid.

$ auth-get-sso-cookie --help
usage: auth-get-sso-cookie [-h] [-u URL] [-o OUTFILE] [--nocertverify]
                              [--verbose] [--debug]

Acquires the CERN Single Sign-On cookie using Kerberos credentials

optional arguments:
  -h, --help            show this help message and exit
  -u URL, --url URL     CERN SSO protected site URL to get cookie for.
  -o OUTFILE, --outfile OUTFILE
                        File to store the cookie for further usage
  --nocertverify        Disables peer certificate verification. Useful for
                        debugging/tests when peer host does have a self-signed
                        certificate for example.
  --verbose, -v         Provide more information on authentication process
  --debug, -vv          Provide detailed debugging information

auth-get-sso-cookie -u <url> -o <cookies_file>

Example:

$ auth-get-sso-cookie -u https://openstack.cern.ch -o cookies.txt
$ curl -L -b cookies.txt https://openstack.cern.ch
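
One way to follow the cookie-reuse advice above in a script, as an added example that is not part of the auth-get-sso-cookie package: it reuses the cookie file while it is still valid and only then starts a new SSO session. The names get_sso_cookie, cookie_is_fresh, SSO_COOKIE_CMD and SSO_COOKIE_MAX_AGE_MIN, and the 9-hour refresh margin, are assumptions of this example; find -mmin and mktemp as shipped with CentOS are assumed.

```shell
#!/bin/sh
# Added example, not part of the auth-get-sso-cookie package.
# Assumed names: SSO_COOKIE_CMD, SSO_COOKIE_MAX_AGE_MIN, get_sso_cookie.
SSO_COOKIE_CMD="${SSO_COOKIE_CMD:-auth-get-sso-cookie}"
# Refresh after 9 hours (540 min), a margin under the 10-hour validity.
SSO_COOKIE_MAX_AGE_MIN="${SSO_COOKIE_MAX_AGE_MIN:-540}"

# cookie_is_fresh FILE: true if FILE is non-empty and newer than the limit.
cookie_is_fresh() {
    [ -s "$1" ] || return 1
    # find prints the path only when the file is older than the limit
    [ -z "$(find "$1" -mmin +"$SSO_COOKIE_MAX_AGE_MIN" 2>/dev/null)" ]
}

# get_sso_cookie URL FILE: prints "reused" or "refreshed"; non-zero on failure.
get_sso_cookie() {
    url=$1
    file=$2
    if cookie_is_fresh "$file"; then
        echo reused
        return 0
    fi
    # Write to a temp file in the same directory so the rename is atomic and
    # a failed run never truncates a cookie file that other jobs still use.
    # The cookie is a bearer credential, so keep it readable by the owner only.
    tmp=$(umask 077 && mktemp "${file}.XXXXXX") || return 1
    if "$SSO_COOKIE_CMD" -u "$url" -o "$tmp" >/dev/null && [ -s "$tmp" ]; then
        chmod 600 "$tmp" && mv -f "$tmp" "$file" && echo refreshed
    else
        rm -f "$tmp"
        echo "get_sso_cookie: no cookie for $url (valid Kerberos TGT?)" >&2
        return 1
    fi
}
```

Call it as get_sso_cookie https://openstack.cern.ch cookies.txt before the curl command; a new SSO session is started only when the file is missing, empty or older than the limit.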

It is possible to migrate from cern-get-sso-cookie to auth-get-sso-cookie and, using Kerberos credentials, make your integrations compatible with the old and the new SSO at the same time (this compatibility will be limited to a transition period until the old SSO is decommissioned). Certificate credentials are not supported by the new tool, nor in the old SSO.

Steps to migrate to the new tool:

  1. Install the RPM package: yum install auth-get-sso-cookie

  2. Replace all your calls to cern-get-sso-cookie with auth-get-sso-cookie, or create a symlink as described below.

If you have too many calls to replace in your code or you prefer not to change it, it can be easier to uninstall cern-get-sso-cookie and add a symbolic link to auth-get-sso-cookie.

  1. yum remove cern-get-sso-cookie
  2. ln -s /usr/bin/auth-get-sso-cookie /usr/bin/cern-get-sso-cookie

auth-get-sso-token

Use this tool to get a valid SSO token for a protected URL. The obtained token will be valid for 20 minutes.

Info

The scope of this tool is to have an easy way for debugging/testing authentication for APIs and web applications from the command line. It can also work for securing APIs as an alternative to cern-get-sso-cookie, but it is not supported for production services. We recommend using API Access for most integrations.

$ auth-get-sso-token --help
usage: auth-get-sso-token [-h] [--url URL] [--clientid CLIENTID] [--nocertverify] [--verbose] [--debug]

Acquires a user token for a public client using Kerberos credentials

optional arguments:
  -h, --help            show this help message and exit
  --url URL, -u URL     Application or Redirect URL. Required for the OAuth request.
  --clientid CLIENTID, -c CLIENTID
                        Client ID of a public client
  --nocertverify        Disables peer certificate verification. Useful for debugging/tests when peer host does have a self-signed certificate for example.
  --verbose, -v         Provide more information on authentication process
  --debug, -vv          Provide detailed debugging information

Example:

$ TOKEN=$(./auth-get-sso-token -u http://localhost:5000 -c get-sso-token-test)
$ curl -X PUT "https://localhost:5000/api/foobar" -H  "authorization: Bearer $TOKEN" -d "{\"foo\": \"bar\"}"