Open paulmillar opened 1 month ago
Would it be an idea to implement the same for macaroons? Or is that already possible?
Macaroons don't pass through gPlazma, the door handles them directly. Therefore adding support for them with `explain login` doesn't make sense (at least, not to me). Minting a macaroon is like "freezing" the result of some (successful) login. Using the macaroon is like unfreezing that login result.
You can find out more about this frozen login result by calling dCache's user introspection endpoint with a macaroon; e.g.,
curl -H "Authorization: Bearer $MACAROON" https://frontend-door.dcache.example.org/api/v1/user
The `explain login` command currently accepts a list of principals. Based on an idea from @onnozweers, it would be much easier (and more closely reflects reality) if the `explain login` command accepted an OIDC access token as a command-line argument. It would then generate a login report, based on that input.