[Server] add XrdSecoidc OIDC plugin, shared validation, and HTTPS bearer auth.

Introduce sec.protocol oidc for mandatory-TLS JWT authentication: RS256
signature checks against per-issuer JWKS, issuer and audience policy, expiry
handling, ordered or forced identity claims, email-map username mapping, INI
configuration with issuer/email-map hot reload, and a bounded validated-token
cache.

Extract shared logic into libXrdOucOIDC for XrdHttp http.oidc bearer
authentication on HTTPS, including configurable entity-claim mapping into
XrdSecEntity attributes, per-issuer base_path and repeatable restricted_path
export, and keep-alive detection when the Authorization token changes
(re-validate JWT and re-login the xrootd Bridge). Move common string parsing
helpers to XrdOucUtils, build XrdSecoidc in client-only trees, and replace
the xrdsso shell helpers with a Python xrdtoken CLI for CERN, CERNOIDC,
Google, and GitHub token acquisition.

Adds unit tests, CMake/packaging wiring, and README documentation.

Assisted-by: Cursor:Opus-4.8 CursorAI
Assisted-by: Cursor:Composer-2.5 CursorAI

[Server] add WLCG IAM support: scope export, xrdtoken, and docs.

Normalize JSON-array scope claims for XrdAccToken, add IAM/WLCG
xrdtoken providers, and document CERN SSO vs WLCG IAM configuration.

Assisted-by: Cursor:Opus-4.8 CursorAI

Author: apeters1971

debian/xrootd-plugins.install

@@ -10,3 +10,4 @@
 /usr/lib/*/libXrdSecsss-6.so
 /usr/lib/*/libXrdSecunix-6.so
 /usr/lib/*/libXrdSecztn-6.so
+/usr/lib/*/libXrdSecoidc-6.so

src/CMakeLists.txt

@@ -62,6 +62,7 @@ add_subdirectory( XrdPosix )
 add_subdirectory( XrdSec )
 add_subdirectory( XrdSecgsi )
 add_subdirectory( XrdSeckrb5 )
+add_subdirectory( XrdSecoidc )
 add_subdirectory( XrdSecpwd )
 add_subdirectory( XrdSecsss )
 add_subdirectory( XrdSecunix )

src/XrdHttp/CMakeLists.txt

@@ -28,11 +28,14 @@ set_target_properties(XrdHttpUtils
     VERSION ${XRootD_LIBVERSION}
 )
 
+set(XrdOucOIDC XrdOucOIDC-${PLUGIN_VERSION})
+
 target_link_libraries(XrdHttpUtils
   PRIVATE
     XrdServer
     XrdUtils
     XrdCrypto
+    ${XrdOucOIDC}
   PUBLIC
     OpenSSL::SSL
     OpenSSL::Crypto

src/XrdHttp/XrdHttpProtocol.cc

@@ -46,6 +46,7 @@
 #include "XrdTls/XrdTlsContext.hh"
 #include "XrdOuc/XrdOucUtils.hh"
 #include "XrdOuc/XrdOucPrivateUtils.hh"
+#include "XrdOuc/XrdOucOIDC.hh"
 #include "XrdHttpCors/XrdHttpCors.hh"
 
 #include <charconv>
@@ -155,6 +156,8 @@ bool xrdctxVer = false;
 
 using namespace XrdHttpProtoInfo;
 
+int XrdHttpProtocol::oidcHttpMode = 0;
+
 /******************************************************************************/
 /*            P r o t o c o l   M a n a g e m e n t   S t a c k s             */
 /******************************************************************************/
@@ -806,6 +809,11 @@ int XrdHttpProtocol::Process(XrdLink *lp) // We ignore the argument here
 
 
 
+  // Bearer OIDC authentication over HTTPS (shared with sec.protocol oidc).
+  if (ishttps && ssldone && oidcHttpMode && HandleOidcAuthentication()) {
+    return -1;
+  }
+
   // Now we have everything that is needed to try the login
   // Remember that if there is an exthandler then it has the responsibility
   // for authorization in the paths that it manages
@@ -1005,6 +1013,7 @@ int XrdHttpProtocol::Config(const char *ConfigFN, XrdOucEnv *myEnv) {
       else if TS_Xeq("tlsreuse", xtlsreuse);
       else if TS_Xeq("auth", xauth);
       else if TS_Xeq("tlsclientauth", xtlsclientauth);
+      else if TS_Xeq("oidc", xoidc);
       else if TS_Xeq("maxdelay", xmaxdelay);
       else {
         eDest.Say("Config warning: ignoring unknown directive '", var, "'.");
@@ -1990,6 +1999,7 @@ void XrdHttpProtocol::Reset() {
   ishttps = false;
   ssldone = false;
 
+  oidcBearerTokKey.clear();
   Bridge = 0;
   ssl = 0;
   sbio = 0;
@@ -3001,6 +3011,51 @@ int XrdHttpProtocol::xtlsclientauth(XrdOucStream &Config) {
   return 1;
 }
 
+int XrdHttpProtocol::xoidc(XrdOucStream &Config) {
+  char *val = Config.GetWord();
+  if (!val || !val[0])
+     {eDest.Emsg("Config", "http.oidc argument not specified"); return 1;}
+
+  std::string parms;
+  bool needInit = false;
+
+  if (!strcmp(val, "on") || !strcmp(val, "optional"))
+     {oidcHttpMode = 1;
+      needInit = !XrdOucOIDC::IsConfigured();
+     }
+  else if (!strcmp(val, "require"))
+     {oidcHttpMode = 2;
+      needInit = !XrdOucOIDC::IsConfigured();
+     }
+  else if (val[0] == '-')
+     {oidcHttpMode = 1;
+      parms = val;
+      char *w = nullptr;
+      while ((w = Config.GetWord()))
+           {parms.push_back(' ');
+            parms += w;
+           }
+      needInit = true;
+     }
+  else
+     {eDest.Emsg("Config", "invalid http.oidc parameter -", val); return 1;}
+
+  if (needInit)
+     {std::string emsg;
+      const char *initParms = parms.empty() ? nullptr : parms.c_str();
+      if (!XrdOucOIDC::Init(eDest.logger(), initParms, emsg))
+         {eDest.Emsg("Config", "http.oidc initialization failed:", emsg.c_str());
+          return 1;
+         }
+     }
+  else if (!XrdOucOIDC::IsConfigured())
+     {eDest.Emsg("Config", "http.oidc requires OIDC configuration via sec.protocol oidc or inline parameters");
+      return 1;
+     }
+
+  return 0;
+}
+
 int XrdHttpProtocol::xauth(XrdOucStream &Config) {
   char *val = Config.GetWord();
   if(val) {

src/XrdHttp/XrdHttpProtocol.hh

@@ -170,6 +170,10 @@ private:
   /// @return 0 if successful, otherwise error
   int HandleAuthentication(XrdLink* lp);
 
+  /// Validate a Bearer OIDC token and populate SecEntity.
+  /// @return 0 if successful or not applicable, otherwise error
+  int HandleOidcAuthentication();
+
   /// After the SSL handshake, retrieve the VOMS info and the various stuff
   /// that is needed for autorization
   int GetVOMSData(XrdLink *lp);
@@ -229,8 +233,12 @@ private:
   static int xtlsreuse(XrdOucStream &Config);
   static int xauth(XrdOucStream &Config);
   static int xtlsclientauth(XrdOucStream &Config);
+  static int xoidc(XrdOucStream &Config);
   static int xmaxdelay(XrdOucStream &Config);
 
+  /// 0=disabled, 1=optional bearer OIDC, 2=require bearer OIDC
+  static int oidcHttpMode;
+
   static bool isRequiredXtractor; // If true treat secxtractor errors as fatal
   static XrdHttpSecXtractor *secxtractor;
 
@@ -376,7 +384,9 @@ protected:
   /// The Bridge that we use to exercise the xrootd internals
   XrdXrootd::Bridge *Bridge;
 
-  
+  /// SHA-256 fingerprint of the validated OIDC bearer token on this connection.
+  std::string oidcBearerTokKey;
+
   /// Area for coordinating request and responses to/from the bridge
   /// This also can process HTTP/DAV stuff
   XrdHttpReq CurrentReq;

src/XrdHttp/XrdHttpSecurity.cc

@@ -19,9 +19,17 @@
 // along with XRootD.  If not, see <http://www.gnu.org/licenses/>.
 //------------------------------------------------------------------------------
 
+#include <cstdio>
+#include <cstring>
+#include <map>
+#include <string>
+
+#include <openssl/evp.h>
+
 #include "XrdHttpProtocol.hh"
 #include "XrdHttpTrace.hh"
 #include "XrdHttpSecXtractor.hh"
+#include "XrdOuc/XrdOucOIDC.hh"
 #include "Xrd/XrdLink.hh"
 #include "XrdCrypto/XrdCryptoX509Chain.hh"
 #include "XrdCrypto/XrdCryptosslAux.hh"
@@ -49,6 +57,46 @@ const char *TraceID = "Security";
 
 using namespace XrdHttpProtoInfo;
 
+namespace
+{
+
+std::string bearerTokenKey(const char *tok, int tlen)
+{
+   unsigned char md[EVP_MAX_MD_SIZE];
+   unsigned int mdLen = 0;
+   if (!tok || tlen <= 0
+   ||  !EVP_Digest(tok, static_cast<size_t>(tlen), md, &mdLen, EVP_sha256(), nullptr))
+      return {};
+   char hex[EVP_MAX_MD_SIZE * 2 + 1];
+   for (unsigned int i = 0; i < mdLen; ++i)
+      snprintf(hex + i * 2, sizeof(hex) - i * 2, "%02x", md[i]);
+   return std::string(hex, mdLen * 2);
+}
+
+bool extractBearerToken(const XrdHttpReq &req, std::string &token)
+{
+   const std::string &cgi = req.hdr2cgistr;
+   const char *key = "authz=";
+   size_t pos = cgi.find(key);
+   if (pos != std::string::npos)
+      {size_t start = pos + strlen(key);
+       size_t end = cgi.find('&', start);
+       token = (end == std::string::npos ? cgi.substr(start)
+                                         : cgi.substr(start, end - start));
+       return !token.empty();
+      }
+
+   for (const auto &hdr : req.allheaders)
+      {if (!strcasecmp(hdr.first.c_str(), "authorization"))
+          {token = hdr.second;
+           return !token.empty();
+          }
+      }
+   return false;
+}
+
+} // namespace
+
 /******************************************************************************/
 /*                          I n i t S e c u r i t y                           */
 /******************************************************************************/
@@ -86,6 +134,81 @@ bool XrdHttpProtocol::InitSecurity() {
    return true;
 }
 
+/******************************************************************************/
+/*               H a n d l e O I D C A u t h e n t i c a t i o n              */
+/******************************************************************************/
+
+int
+XrdHttpProtocol::HandleOidcAuthentication()
+{
+#undef  TRACELINK
+#define TRACELINK Link
+
+  if (!oidcHttpMode || !XrdOucOIDC::IsConfigured()) return 0;
+
+  // Client-certificate identity is fixed for the TLS connection.
+  if (SecEntity.name && strncmp(SecEntity.prot, "oidc", 4) != 0) return 0;
+
+  std::string bearer;
+  if (!extractBearerToken(CurrentReq, bearer))
+     {if (oidcHttpMode == 2 && oidcBearerTokKey.empty())
+         {TRACEI(REQ, " OIDC bearer token required but not provided.");
+          SendSimpleResp(401, nullptr, nullptr, "Authentication required", 0, false);
+          return 1;
+         }
+      return 0;
+     }
+
+  int tlen = 0;
+  const char *tok = XrdOucOIDC::StripToken(bearer.c_str(), tlen);
+  if (!tok || tlen <= 0)
+     {TRACEI(REQ, " OIDC bearer token malformed.");
+      SendSimpleResp(401, nullptr, nullptr, "Authentication failed", 0, false);
+      return 1;
+     }
+
+  const std::string tokKey = bearerTokenKey(tok, tlen);
+  if (tokKey.empty())
+     {TRACEI(REQ, " OIDC bearer token fingerprint failed.");
+      SendSimpleResp(500, nullptr, nullptr, "Authentication failed", 0, false);
+      return 1;
+     }
+
+  if (!oidcBearerTokKey.empty() && tokKey == oidcBearerTokKey) return 0;
+
+  std::string tokStr(tok, static_cast<size_t>(tlen));
+  std::string identity, emsg;
+  std::map<std::string, std::string> entityAttrs;
+  if (!XrdOucOIDC::ValidateToken(tokStr.c_str(), identity, emsg, nullptr,
+                                 &entityAttrs))
+     {TRACEI(REQ, " OIDC token validation failed: " << emsg);
+      SendSimpleResp(401, nullptr, nullptr, "Authentication failed", 0, false);
+      return 1;
+     }
+
+  if (!oidcBearerTokKey.empty() || Bridge)
+     {if (Bridge && !Bridge->Disc())
+         {TRACEI(REQ, " OIDC token changed but bridge is busy.");
+          SendSimpleResp(503, nullptr, nullptr, "Authentication busy", 0, false);
+          return 1;
+         }
+      Bridge = nullptr;
+      DoingLogin = false;
+      DoneSetInfo = false;
+      if (!oidcBearerTokKey.empty())
+         TRACEI(REQ, " OIDC bearer token changed; re-authenticating.");
+     }
+
+  if (SecEntity.name) free(SecEntity.name);
+  SecEntity.name = strdup(identity.c_str());
+  strncpy(SecEntity.prot, "oidc", sizeof(SecEntity.prot));
+  for (const auto &attr : entityAttrs)
+     SecEntity.eaAPI->Add(attr.first, attr.second, true);
+  oidcBearerTokKey = tokKey;
+  TRACEI(REQ, " OIDC authenticated as: " << SecEntity.name);
+  return 0;
+}
+
 /******************************************************************************/
 /*                 H a n d l e A u t h e n t i c a t i o n                    */
 /******************************************************************************/

src/XrdOuc/CMakeLists.txt

@@ -1,3 +1,4 @@
+find_package(CURL REQUIRED)
 find_package(nlohmann_json 3.10.2 QUIET)
 
 if(nlohmann_json_FOUND)
@@ -81,3 +82,16 @@ add_library(${XrdN2No2p} MODULE XrdOucN2No2p.cc)
 target_link_libraries(${XrdN2No2p} PRIVATE XrdUtils)
 
 install(TARGETS ${XrdN2No2p} LIBRARY DESTINATION ${CMAKE_INSTALL_LIBDIR})
+
+#-------------------------------------------------------------------------------
+# Shared OIDC JWT validation library
+#-------------------------------------------------------------------------------
+set(XrdOucOIDC XrdOucOIDC-${PLUGIN_VERSION})
+add_library(${XrdOucOIDC} SHARED XrdOucOIDC.cc)
+target_link_libraries(${XrdOucOIDC} PRIVATE XrdUtils OpenSSL::Crypto CURL::libcurl)
+set_target_properties(${XrdOucOIDC}
+  PROPERTIES
+    SOVERSION ${XRootD_VERSION_MAJOR}
+    VERSION ${XRootD_LIBVERSION}
+)
+install(TARGETS ${XrdOucOIDC} LIBRARY DESTINATION ${CMAKE_INSTALL_LIBDIR})