Trying to authorize a client with oauth-ssh-token through Globus with the command (where client-id is the uuid of the "client secrets" generated from an app registration):
oauth-ssh-token authorize hostnaname.foo.com --identity user@globusid.org --client-id 1234567-12334-1234-1234-123456789
Please go to this URL and login: https://auth.globus.org/v2/oauth2/authorize?redirect_uri=https%3A%2F%2Fauth.globus.org%2Fv2%2Fweb%2Fauth-code&client_id=48b0122345-11234-1234-1234-12345677&access_type=offline&state=_default&code_challenge=M4MUeWXiSz11uxkVKOQGQhn9d98zW9A0IQKsdfmcg7g&code_challenge_method=S256&response_type=code&scope=https%3A%2F%2Fauth.globus.org%2Fscopes%2F1234567-12334-1234-1234-123456789%2Fssh&session_message=The+SSH+service+requires+that+you+authenticate+using+this+identity%3A&session_required_identities=789876544-12345677-4318-876e-08f3d2f7138d
Please enter the code you get after login here:
I copy/paste the url into a browser, but Globus returns an error about an unknown scope:
Unknown scope(s)
Sorry, but we encountered a problem while servicing your request.
client_id=48b0122345-11234-1234-1234-12345677 requested unknown scopes: ['https://auth.globus.org/scopes/1234567-12334-1234-1234-123456789']
Occurred at time:
2023-09-22T20:56:59.557105+00:00
Error ID:
f5b5939495dc4c6cbfe585ef48b2f1fb
Error code:
UNKNOWN_SCOPE_ERROR
Looking at how scope is set in globus_auth.py,
scope = SCOPE_FORMAT.format(fqdn=fqdn)
It looks like the scope is just the fqdn passed to the command, which I think correlates to the app registration of SSH@fqdn as instructed in the server setup.
Has the scope requirements changed? Or am I now registering an app incorrectly and not creating the correct scope?
Trying to authorize a client with oauth-ssh-token through Globus with the command (where client-id is the uuid of the "client secrets" generated from an app registration):
I copy/paste the url into a browser, but Globus returns an error about an unknown scope:
Looking at how scope is set in globus_auth.py,
It looks like the scope is just the fqdn passed to the command, which I think correlates to the app registration of SSH@fqdn as instructed in the server setup.
Has the scope requirements changed? Or am I now registering an app incorrectly and not creating the correct scope?
Jeff