Commit
Auth: Remove support for wildcard audiences #6524
This affects third-party-copy transfers and deletions.

The following configuration options are removed:

    [conveyor] request_oidc_audience = ...
    [reaper] oidc_audience = ...

They were part of the original token implementation and were kept as a contingency option for the Data Challenge 2024. However, they should not be used due to security concerns.

Wildcard audiences can make tokens less secure than X.509 certificates. For one thing, an unintentional token leak is more likely to happen (e.g. debugging logs). For another, the token is fully transferred to the storages; a compromised site could be used as a vector to affect data at other sites.

Moving forward, Rucio communities which use tokens must coordinate with their sites to ensure that the storages properly identify themselves as the intended recipient of a token (using the domains of the RSE protocols in the audience claim).
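The storage-side check the commit message asks sites for, as an added example that is not Rucio's code nor any storage implementation's: a storage endpoint verifies a bearer token and accepts it only if its own hostname appears in the `aud` claim, rejecting wildcard audiences outright. To stay self-contained it signs tokens with HS256 under an assumed shared secret (a real deployment verifies the issuer's asymmetric signature against its published keys); the endpoint URLs, the `WILDCARD_AUDIENCES` set, and the `mint_token`/`verify_token` helpers are all assumptions of this example. The demo shows the point of the commit: a token scoped to storage A is useless if it leaks to storage B, whereas a wildcard token would be valid everywhere.

```python
# Added example (not Rucio's code): audience validation at a storage endpoint.
import base64
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple
from urllib.parse import urlsplit

# Assumed shared secret so the example runs offline with HS256.
# Real storages verify the token issuer's RS256/ES256 signature instead.
SECRET = b"example-shared-secret"

# Audience values that name no specific recipient. "*" is a plain wildcard;
# the URI is the catch-all audience of the WLCG token profile. Treating both
# as rejectable wildcards is this example's assumption.
WILDCARD_AUDIENCES = {"*", "https://wlcg.cern.ch/jwt/v1/any"}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_token(claims: dict) -> str:
    """Issuer side (constructed): compact JWT signed with HS256."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_token(token: str, my_endpoint: str, now: Optional[int] = None) -> Tuple[bool, str]:
    """Storage side: check signature, expiry, and that *this* host is the audience."""
    try:
        h, p, s = token.split(".")
    except ValueError:
        return False, "malformed token"
    expected = hmac.new(SECRET, (h + "." + p).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        return False, "bad signature"
    claims = json.loads(_b64url_decode(p))
    now = int(time.time()) if now is None else now
    if claims.get("exp", 0) <= now:
        return False, "expired"
    aud = claims.get("aud")
    if aud is None:
        return False, "missing aud claim"
    audiences = [aud] if isinstance(aud, str) else list(aud)
    # A token that does not name a specific recipient is refused no matter who presents it.
    if any(a in WILDCARD_AUDIENCES for a in audiences):
        return False, "wildcard audience rejected"
    # Compare on the hostname, i.e. the domain of the RSE protocol, ignoring scheme and port.
    my_host = urlsplit(my_endpoint).hostname
    if any(urlsplit(a).hostname == my_host for a in audiences):
        return True, "ok"
    return False, "token is for %s, not %s" % (audiences, my_host)


def demo() -> dict:
    """Constructed scenario: one token scoped to storage A, one with a wildcard audience."""
    now = 1_700_000_000
    base = {"sub": "rucio-conveyor", "iss": "https://iam.example.org", "exp": now + 600}
    scoped = mint_token({**base, "aud": "https://storage-a.example.org"})
    wildcard = mint_token({**base, "aud": "*"})
    return {
        "scoped_at_a": verify_token(scoped, "https://storage-a.example.org:1094", now)[0],
        "scoped_at_b": verify_token(scoped, "https://storage-b.example.org:1094", now)[0],
        "wildcard_at_a": verify_token(wildcard, "https://storage-a.example.org:1094", now)[0],
        "wildcard_at_b": verify_token(wildcard, "https://storage-b.example.org:1094", now)[0],
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(case, "accepted" if accepted else "rejected")
```

Because `aud` may be a string or a list per the JWT specification, a token intended for several storages can list each host explicitly; that is the supported alternative to a wildcard, and the check above accepts it at any listed host while still refusing it elsewhere.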