[Server] add WLCG IAM support: scope export, xrdtoken, and docs.

Normalize JSON-array scope claims for XrdAccToken, add IAM/WLCG
xrdtoken providers, and document CERN SSO vs WLCG IAM configuration.

Assisted-by: Cursor:Opus-4.8 CursorAI

Author: apeters1971

src/XrdOuc/XrdOucOIDC.cc

@@ -217,6 +217,33 @@ bool getStringClaim(const std::string &json, const char *claim, std::string &val
    return getStringClaim(obj, claim, val);
 }
 
+bool getEntityClaimValue(const nlohmann::json &obj, const char *claim,
+                         std::string &val)
+{
+   if (!obj.is_object()) return false;
+   auto it = obj.find(claim);
+   if (it == obj.end()) return false;
+   if (it->is_string())
+      {
+       val = it->get<std::string>();
+       return !val.empty();
+      }
+   if (it->is_array())
+      {
+       val.clear();
+       for (const auto &elem : *it)
+          {
+           if (!elem.is_string()) continue;
+           const std::string one = elem.get<std::string>();
+           if (one.empty()) continue;
+           if (!val.empty()) val.push_back(' ');
+           val += one;
+          }
+       return !val.empty();
+      }
+   return false;
+}
+
 struct EntityClaimMapping {
    std::string jwtClaim;
    std::string attrKey;
@@ -353,7 +380,7 @@ void collectEntityClaims(const std::string &payloadJSON,
    if (!parseJsonObject(payloadJSON, payloadObj)) return;
    for (const auto &mapping : EntityClaimMappings)
       {std::string val;
-       if (getStringClaim(payloadObj, mapping.jwtClaim.c_str(), val)
+       if (getEntityClaimValue(payloadObj, mapping.jwtClaim.c_str(), val)
        &&  isSafeEntityAttrValue(val))
           out[mapping.attrKey] = val;
       }

src/XrdSecoidc/README.md

@@ -162,8 +162,68 @@ sec.protocol oidc \
   -expiry required
 ```
 
+## CERN SSO vs WLCG IAM
+
+CERN operates two related but distinct OIDC ecosystems:
+
+| | CERN SSO (Keycloak) | WLCG IAM (INDIGO IAM) |
+| - | --------------------- | ---------------------- |
+| Role | Login / identity for CERN apps | VO-scoped tokens for WLCG storage/compute |
+| Typical issuer | `https://auth.cern.ch/auth/realms/cern` | VO-specific IAM URL (e.g. `https://wlcg.cloud.cnaf.infn.it/`) |
+| Token for XRootD | `id_token` or SSO `access_token` | WLCG-profile **`access_token` JWT** |
+| Key claims | `sub`, `email`, `preferred_username` | `scope` (`storage.*`), `wlcg.ver`, `sub` |
+| Storage authorization | **No** `storage.*` scopes in SSO tokens | **Yes**, with `XrdAccToken` |
+
+`XrdSecoidc` accepts **both** issuers when configured. Use CERN SSO for
+authentication-only setups. For EOS/XRootD path authorization, clients must
+present an **IAM access token** with WLCG storage scopes — a CERN SSO
+`id_token` from `xrdtoken CERNOIDC` is not sufficient on its own.
+
+### WLCG IAM server configuration
+
+**`xrootd.cf` (authentication + claim export):**
+
+```conf
+xrootd.seclib libXrdSec.so
+xrootd.tls all
+
+sec.protparm oidc -issuer https://wlcg.cloud.cnaf.infn.it/
+sec.protparm oidc -audience <iam-client-id>
+sec.protparm oidc -expiry required
+sec.protparm oidc -entity-claim scope
+sec.protparm oidc -entity-claim wlcg.ver
+sec.protocol oidc
+
+ofs.authorize
+ofs.authlib libXrdAccToken.so
+acctoken.basepath /eos/user
+acctoken.onmissing deny
+```
+
+**INI equivalent:** see `src/XrdSecoidc/configs/wlcg-iam.example.cfg`.
+
+**Client token acquisition:**
+
+```sh
+./utils/xrdtoken WLCG \
+  --client-id <iam-client-id> \
+  --scope "storage.read:/public storage.modify:/alice"
+# or: xrdtoken IAM --issuer https://<vo-iam>/ --client-id ... --scope ...
+```
+
+The stored JWT should contain `wlcg.ver` and a space-separated `scope` claim
+(or a JSON array of scope strings, which is normalized on export).
+
+### Dual-issuer deployments
+
+A single server may configure multiple `[issuer ...]` blocks — for example CERN
+SSO for interactive identity checks and a WLCG IAM issuer for storage tokens.
+Each issuer may define its own `base_path` and `restricted_path` values.
+
 ## Standard CERN SSO configuration
 
+Use this for CERN Keycloak identity only (not WLCG storage scopes):
+
 Inline `xrootd.cf` style:
 
 ```conf
@@ -338,12 +398,13 @@ logs which token source/file the client selected.
 
 For quick manual testing, helper scripts are available in `utils/`:
 
-- `utils/xrdtoken create [tokenfile] [CERN|CERNOIDC|GOOGLE|GITHUB]`: creates token
-(`CERN` uses OAuth2 access token flow, `CERNOIDC` requests OIDC scopes and
-requires/stores `id_token`, `GOOGLE` defaults to device flow, `GITHUB` stores
-an opaque OAuth `access_token`).
-- Shortcut: `utils/xrdtoken CERNOIDC [tokenfile]` is equivalent to
-`utils/xrdtoken create [tokenfile] CERNOIDC`.
+- `utils/xrdtoken create [tokenfile] [CERN|CERNOIDC|GOOGLE|GITHUB|IAM|WLCG]`:
+creates token (`CERN` uses OAuth2 access token flow, `CERNOIDC` requests OIDC
+scopes and requires/stores `id_token`, `GOOGLE` defaults to device flow, `GITHUB`
+stores an opaque OAuth `access_token`, `IAM`/`WLCG` request WLCG storage
+scopes and store the IAM `access_token` JWT).
+- Shortcuts: `utils/xrdtoken CERNOIDC [tokenfile]`, `utils/xrdtoken WLCG ...`,
+`utils/xrdtoken IAM ...` (IAM and WLCG are aliases).
 - `utils/xrdtoken show [tokenfile]`: decodes and prints JWT header/payload.
 - If `<tokenfile>` is omitted, default is `${XDG_RUNTIME_DIR}/bt_u<uid>`
 (or `/tmp/bt_u<uid>` when `XDG_RUNTIME_DIR` is unset).
@@ -361,12 +422,22 @@ settings. `GITHUB` supports `--flow device|pkce` (`device` default); PKCE
 requires `--client-secret` (or `GITHUB_OAUTH_CLIENT_SECRET`).
 - Device flow prints a prefilled verification URL when possible; GitHub prints
 the verification page URL and a separate user code to enter manually.
+- For `IAM`/`WLCG`, provide `--client-id` (or `WLCG_IAM_CLIENT_ID`) and a
+required `--scope` with WLCG storage scopes. Override the IAM issuer with
+`--issuer` (or `WLCG_IAM_ISSUER`; default CNAF test instance).
 
 Example:
 
 ```sh
 ./utils/xrdtoken create
 ./utils/xrdtoken CERNOIDC
+./utils/xrdtoken WLCG \
+  --client-id "<iam-client-id>" \
+  --scope "storage.read:/public storage.modify:/alice"
+./utils/xrdtoken IAM \
+  --issuer https://wlcg.cloud.cnaf.infn.it/ \
+  --client-id "<iam-client-id>" \
+  --scope "storage.read:/"
 ./utils/xrdtoken create GOOGLE \
   --client-id "<google-oauth-client-id>" \
   --client-secret "<google-oauth-client-secret>"

src/XrdSecoidc/configs/wlcg-iam.example.cfg

@@ -0,0 +1,25 @@
+# Example OIDC configuration for a WLCG IAM issuer (CERN/WLCG token profile).
+#
+# Replace <iam-client-id> with the OAuth client ID registered at your IAM
+# instance. Production VO deployments use VO-specific issuer URLs; the CNAF
+# test instance is shown below.
+#
+# Use together with XrdAccToken (ofs.authlib libXrdAccToken.so) so storage.*
+# scopes and wlcg.ver from the access token are enforced.
+
+[global]
+expiry = required
+entity-claim = scope
+entity-claim = wlcg.ver
+
+[issuer "https://wlcg.cloud.cnaf.infn.it/"]
+audience = <iam-client-id>
+base_path = /eos
+restricted_path = /public/
+restricted_path = /shared/
+
+# Production VO issuers differ, for example:
+# [issuer "https://atlas-wlcg.cern.ch/"]
+# audience = <vo-iam-client-id>
+# base_path = /eos/atlas
+# restricted_path = /public/

tests/XrdSec/XrdSecOIDC.cc

@@ -915,6 +915,33 @@ TEST(XrdSecOIDCTest, PreferredUsernameWinsOverSub)
   freeKeys(IssuerPolicies[0]->jwksKeys);
 }
 
+TEST(XrdSecOIDCTest, EntityClaimsExportScopeJsonArray)
+{
+  ResetGlobalsForTest();
+  std::string emsg;
+  ASSERT_TRUE(storeEntityClaimEntry("scope", emsg)) << emsg;
+
+  KeyMaterial km = MakeKeyAndJWKS();
+  ASSERT_NE(km.pkey, nullptr);
+  InstallTestKey(km);
+
+  const std::string hdr = R"({"alg":"RS256","kid":"k1","typ":"JWT"})";
+  const std::string payload = "{" + IssuerClaim() +
+      R"(,"aud":"xrootd","exp":)" +
+      std::to_string(static_cast<long long>(NowSeconds() + 600)) +
+      R"(,"sub":"alice","scope":["storage.read:/public","storage.modify:/alice"],"wlcg.ver":"1.0"})";
+  const std::string token = MakeJWT(km.pkey, hdr, payload);
+
+  std::string identity;
+  std::map<std::string, std::string> entityAttrs;
+  ASSERT_TRUE(validateToken(token.c_str(), identity, emsg, nullptr, &entityAttrs)) << emsg;
+  EXPECT_EQ(entityAttrs["token.scope"],
+            "storage.read:/public storage.modify:/alice");
+
+  EVP_PKEY_free(km.pkey);
+  freeKeys(IssuerPolicies[0]->jwksKeys);
+}
+
 TEST(XrdSecOIDCTest, EntityClaimsPopulateMappedAttributes)
 {
   ResetGlobalsForTest();

utils/xrdtoken

@@ -22,7 +22,7 @@ from http.server import BaseHTTPRequestHandler, HTTPServer
 from pathlib import Path
 from typing import Any, Optional
 
-PROVIDERS = frozenset({"CERN", "CERNOIDC", "GOOGLE", "GITHUB"})
+PROVIDERS = frozenset({"CERN", "CERNOIDC", "GOOGLE", "GITHUB", "IAM", "WLCG"})
 
 
 @dataclass
@@ -38,7 +38,7 @@ class ProviderSettings:
 
 def usage() -> str:
     return """Usage:
-  xrdtoken create [tokenfile] [CERN|CERNOIDC|GOOGLE|GITHUB] [--provider CERN|CERNOIDC|GOOGLE|GITHUB] [--flow device|pkce] [--client-id ID] [--client-secret SECRET] [--scope SCOPE] [--auth-ep URL] [--device-ep URL] [--token-ep URL]
+  xrdtoken create [tokenfile] [CERN|CERNOIDC|GOOGLE|GITHUB|IAM|WLCG] [--provider CERN|CERNOIDC|GOOGLE|GITHUB|IAM|WLCG] [--flow device|pkce] [--issuer URL] [--client-id ID] [--client-secret SECRET] [--scope SCOPE] [--auth-ep URL] [--device-ep URL] [--token-ep URL]
   xrdtoken show   [tokenfile]
 
 Defaults:
@@ -71,6 +71,14 @@ Defaults:
     client-id : must be provided (enable Device flow in the OAuth app settings)
     client-secret : not required for device flow; required for --flow pkce
     stored token : access_token (opaque GitHub OAuth token, not a JWT)
+  IAM / WLCG (aliases):
+    flow      : device
+    issuer    : https://wlcg.cloud.cnaf.infn.it/ (override with --issuer or WLCG_IAM_ISSUER)
+    device-ep : <issuer>/devicecode
+    token-ep  : <issuer>/token
+    scope     : required WLCG storage scopes (e.g. storage.read:/public storage.modify:/alice)
+    client-id : must be provided (or WLCG_IAM_CLIENT_ID / OIDC_CLIENT_ID)
+    stored token : access_token (WLCG-profile JWT for XrdSecoidc + XrdAccToken)
   tokenfile : ${XDG_RUNTIME_DIR}/bt_u<uid> (fallback: /tmp/bt_u<uid>)"""
 
 
@@ -87,8 +95,39 @@ def default_tokenfile() -> Path:
     return Path(f"/tmp/bt_u{uid}")
 
 
+def iam_issuer_base(issuer: Optional[str] = None) -> str:
+    base = (
+        issuer
+        or os.environ.get("WLCG_IAM_ISSUER")
+        or os.environ.get("OIDC_ISSUER")
+        or "https://wlcg.cloud.cnaf.infn.it/"
+    )
+    return base.rstrip("/")
+
+
+def endpoints_from_issuer(issuer: str) -> tuple[str, str, str]:
+    base = iam_issuer_base(issuer)
+    return (
+        f"{base}/devicecode",
+        f"{base}/token",
+        f"{base}/authorize",
+    )
+
+
 def provider_defaults(provider: str) -> ProviderSettings:
     provider = provider.upper()
+    if provider in {"IAM", "WLCG"}:
+        device_ep, token_ep, auth_ep = endpoints_from_issuer("")
+        return ProviderSettings(
+            client_id=os.environ.get("WLCG_IAM_CLIENT_ID")
+            or os.environ.get("OIDC_CLIENT_ID")
+            or "",
+            flow="device",
+            scope="",
+            auth_ep=auth_ep,
+            device_ep=device_ep,
+            token_ep=token_ep,
+        )
     if provider == "CERN":
         return ProviderSettings(
             client_id="public-client",
@@ -120,7 +159,7 @@ def provider_defaults(provider: str) -> ProviderSettings:
             token_ep="https://github.com/login/oauth/access_token",
             scope="read:user",
         )
-    die(f"unsupported provider '{provider}' (expected CERN, CERNOIDC, GOOGLE, or GITHUB)")
+    die(f"unsupported provider '{provider}' (expected CERN, CERNOIDC, GOOGLE, GITHUB, IAM, or WLCG)")
 
 
 def parse_oauth_response(body: str) -> dict[str, Any]:
@@ -194,6 +233,8 @@ def chosen_token(provider: str, token_resp: dict[str, Any]) -> str:
     id_token = token_resp.get("id_token") or ""
     if provider == "CERNOIDC":
         return id_token
+    if provider in {"IAM", "WLCG"}:
+        return access_token
     if provider == "GOOGLE" and id_token:
         return id_token
     return access_token
@@ -224,6 +265,7 @@ def parse_create_options(argv: list[str], provider: str) -> tuple[ProviderSettin
     parser = argparse.ArgumentParser(add_help=False)
     parser.add_argument("--provider")
     parser.add_argument("--flow")
+    parser.add_argument("--issuer")
     parser.add_argument("--client-id")
     parser.add_argument("--client-secret")
     parser.add_argument("--scope")
@@ -239,6 +281,11 @@ def parse_create_options(argv: list[str], provider: str) -> tuple[ProviderSettin
         provider = args.provider.upper()
     if args.flow:
         settings.flow = args.flow.lower()
+    if args.issuer:
+        device_ep, token_ep, auth_ep = endpoints_from_issuer(args.issuer)
+        settings.device_ep = device_ep
+        settings.token_ep = token_ep
+        settings.auth_ep = auth_ep
     if args.client_id is not None:
         settings.client_id = args.client_id
     if args.client_secret is not None:
@@ -442,9 +489,24 @@ def cmd_create(argv: list[str]) -> None:
         if settings.flow == "pkce" and not settings.client_secret:
             die("GITHUB pkce flow requires --client-secret (or GITHUB_OAUTH_CLIENT_SECRET)")
 
-    if provider in {"CERN", "CERNOIDC"} and settings.flow != "device":
+    if provider in {"CERN", "CERNOIDC", "IAM", "WLCG"} and settings.flow != "device":
         die(f"{provider} provider currently supports only --flow device")
 
+    if provider in {"IAM", "WLCG"}:
+        if not settings.client_id:
+            settings.client_id = (
+                os.environ.get("WLCG_IAM_CLIENT_ID")
+                or os.environ.get("OIDC_CLIENT_ID")
+                or ""
+            )
+        if not settings.client_id:
+            die("IAM/WLCG provider requires --client-id (or WLCG_IAM_CLIENT_ID)")
+        if not settings.scope:
+            die(
+                "IAM/WLCG provider requires --scope with WLCG storage scopes "
+                "(e.g. 'storage.read:/public storage.modify:/alice')"
+            )
+
     if provider in {"GOOGLE", "GITHUB"} and settings.flow == "pkce":
         token_resp = pkce_flow(provider, settings)
     else:
@@ -467,6 +529,8 @@ def cmd_create(argv: list[str]) -> None:
             print("Stored token type: access_token (non-JWT possible)")
     if provider == "CERNOIDC":
         print("Stored token type: id_token (JWT)")
+    if provider in {"IAM", "WLCG"}:
+        print("Stored token type: access_token (WLCG-profile JWT)")
     if provider == "GITHUB":
         print("Stored token type: access_token (GitHub OAuth token, not a JWT)")
     expires_in = token_resp.get("expires_in")