Use bearer token discovery protocol to find SciToken


The WLCG has published a bearer token discovery protocol:

which describes how a given process should find a bearer token in its environment if it's not explicitly given one.

I'd like to have HTCondor use this protocol if the corresponding parameter (SCITOKENS_FILE) is not set. This will allow condor to find tokens in a similar manner to other tools under development.


Mark Coatsworth
March 19, 2021, 8:11 PM

Code review was written up in ToddM’s original comment, but not flagged as such.

Brian Bockelman
December 19, 2020, 10:29 PM

- latest commit in the branch should have addressed the review concerns. Fatal errors now stop processing and we do a better job of logging the failure reasons.

Todd L Miller
December 15, 2020, 8:01 PM
  • Ah, somehow I hadn’t connected the variable name noheader_whitespace to HTTP headers. That makes a lot of sense now; thanks for the explanation.

  • OK, that makes a lot of sense. It might be worthwhile to record that reason in the source.

Brian Bockelman
December 15, 2020, 7:45 PM
  • For prohibiting \r and \n, this would cause an invalid string for a HTTP header (covered in RFC 6750). You’re right that the protocol recommends (i.e., SHOULD) to stop and error out on an invalid token and this carries on happily. That’s probably worthwhile to follow.

  • There’s not a maximum size limit but a practical one - a number of web servers start rejecting the request around 16KB. The error handling around this could be better - looks like it simply truncates currently.

  • Agreed. I have no clue if the rest of the code is ifdef’d out on Windows already but the env var seems harmless.

Thanks for the input, will work on an update.

Todd L Miller
December 14, 2020, 10:34 PM

PR-142 does not entirely conform to the protocol.

  • I didn’t see anything in the protocol about \rand/or \n being special. If their presence inside the purported token renders it invalid, it is the protocol’s recommendation that the implementation stop and return an error; this implementation instead proceeds to check the next possible token location. This occurs if the invalid token is found in the environment or in a file.

  • The protocol does not specify a maximum size for the token file. Does SciTokens itself specify a maximum size for a file containing a token?

  • The entire protocol is undefined for Windows, although it’s probably harmless to execute the steps based on environment variables on that platform.

Time remaining



Todd L Miller