I'm glad your message made it to the list this time. That's really great news that you've got SciTokens SSH working with a Hydra-based token issuer! I'll respond to your questions inline below.
> 1) I tried to use the master of https://github.com/scitokens/scitokens-cpp.git
> and found it links (as a submodule) a December 2018 snapshot
> of jwt-cpp (commit c9b7a6c, apparently not connected to any version tag of
> jwt-cpp). Was this state of jwt-cpp carefully researched ?
> Is there any plan to rebase it, or reason not to ?
> Anyhow, I did tweak scitokens-cpp to build against the current
> master of https://github.com/Thalhammer/jwt-cpp.git and could
> send the changes for review if needed.
Good question! I don't know the answer, so I'll ask Derek to fill in the details. If it's convenient for you to send your changes in a pull request, we could discuss it over on GitHub.
> 2) Not being an Oauth2 priest (just a catholic deacon...), I am a bit
> confused with the relation and meaning of the 'scope' vs. 'scp' claims.
> Did 'scp' replace 'scope'? Can anyone please help me understand?
> Is SciTokens using and planning to keep using 'scope'?
> For now I changed the verify recipe to check 'scp' instead of 'scope'
> (and ignore the "ext" and "client_id" claims).
The "scp" claim came from an early draft of the OAuth 2.0 Token Exchange spec, and it changed to "scope" prior to becoming RFC 8693. Replacing "scp" with "scope" throughout the SciTokens code and docs is a work-in-progress, but it's our intention to be using "scope" everywhere rather than "scp".
> 3) Turning to https://github.com/XSEDE/oauth-ssh.git, I found that (at
> least on my reasonably up-to-date Debian 10 installation) the PAM
> conversation function used to read the auth token returns
> 1023 bytes maximum (shouldn't that be PAM_MAX_RESP_SIZE == 512, btw?).
> The token I get from hydra is instead typically around
> 1100 bytes, so it gets chopped. I worked around this by reading the token
> in chunks via multiple pam_get_item()s, but I'm wondering whether I'm
> missing anything that would give me shorter tokens, or whether you bumped
> into this issue already...
Oh, I think we've just been lucky so far that our tokens have been under 1023 bytes during our testing. For example, the token I get from https://demo.scitokens.org/ is only 691 bytes. I think your fix to read the token in chunks is a good one. If you could put that in a pull request also, that'd be very welcome.
Thanks for being an early adopter and providing detailed feedback!
Regards from Champaign-Urbana,
Jim
>> The "scp" claim came from an early draft of the OAuth 2.0 Token Exchange
>> spec, and it changed to "scope" prior to becoming RFC 8693. Replacing
>> "scp" with "scope" throughout the SciTokens code and docs is a
>> work-in-progress, but it's our intention to be using "scope" everywhere
>> rather than "scp".
> Hmmm: I wonder then whether I'm missing some config knob and/or update of
> hydra. I'm using, as in the published examples, the hydra:v1.4.2 Docker
> image, which is "just" 6 months old. Could a more recent version
> be spitting out 'scope' instead of 'scp'? Assuming I understand correctly
> that that JSON text is composed inside hydra.
I wasn't aware of it until now, but it appears that ORY is also struggling with this "scp" versus "scope" naming issue. Here's a discussion about it from May:
https://github.com/ory/fosite/issues/362#issuecomment-636250680
As far as I can tell, the config knob for hydra isn't implemented yet, so they're still issuing the old "scp" claim, but hopefully they'll come into compliance with the current specifications and support "scope" soon.
Regards,
Jim
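Two points in this thread are worth seeing in code: the "scp" versus "scope" naming split (the pre-RFC "scp" claim that Hydra still emits as a JSON array, versus the RFC 8693 "scope" claim, a space-delimited string), and the 1023-byte truncation of the token on the PAM side. The example below is added here and is not code from the SciTokens, oauth-ssh or Hydra projects. It uses a constructed HS256 secret and constructed claims purely so it runs offline; a real SciTokens verifier checks the issuer's asymmetric key (RS256/ES256) and validates `iss`, `aud` and `exp`, which this demo does not. It shows a verifier that accepts either claim name without guessing at unexpected shapes, and that a token chopped at a fixed buffer size is rejected outright (signature or base64 failure) rather than partially honoured.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo secret; a real verifier uses the issuer's public key (RS256/ES256).
DEMO_SECRET = b"constructed-demo-secret-not-for-real-use"


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    # JWT segments drop '=' padding; restore it before decoding. A segment whose
    # length is 1 mod 4 (what mid-segment truncation can produce) raises here.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_token(claims: dict, secret: bytes = DEMO_SECRET) -> str:
    """Mint a compact HS256 JWT carrying the given claims (demo issuer only)."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}"
    signature = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(signature)}"


def extract_scopes(claims: dict) -> list:
    """Return the token's scopes as a list.

    Prefer the RFC 8693 'scope' claim (space-delimited string); fall back to the
    pre-RFC 'scp' claim, which Hydra emits as a JSON array. Either claim is
    accepted in either shape; any other type is rejected rather than guessed at.
    """
    for name in ("scope", "scp"):
        if name not in claims:
            continue
        value = claims[name]
        if isinstance(value, str):
            return value.split()
        if isinstance(value, list) and all(isinstance(v, str) for v in value):
            return list(value)
        raise ValueError(f"claim {name!r} has an unexpected type: {type(value).__name__}")
    return []


def verify_and_extract(token: str, secret: bytes = DEMO_SECRET):
    """Verify the signature, then return the scope list; None if the token is unusable.

    A token chopped at a fixed buffer size (the 1023-byte PAM limit discussed in
    the thread) fails here in base64 decoding or in the signature check, so a
    truncated credential is never partially accepted.
    """
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        if header.get("alg") != "HS256":
            return None  # never trust the token's own 'alg' beyond what we expect
        signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
        expected = hmac.new(secret, signing_input, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
            return None
        return extract_scopes(json.loads(b64url_decode(payload_b64)))
    except ValueError:
        # Covers binascii.Error, json.JSONDecodeError, unpacking errors and our own raises.
        return None


if __name__ == "__main__":
    # Constructed claims: the same scopes spelled the RFC 8693 way and the Hydra way.
    for claims in ({"sub": "alice", "scope": "read:/home/alice write:/scratch"},
                   {"sub": "alice", "scp": ["read:/home/alice", "write:/scratch"]}):
        print(claims, "->", verify_and_extract(make_token(claims)))
    # A padded token well over 1023 bytes, then the same token cut at 1023 bytes.
    big = make_token({"sub": "alice", "scp": ["read:/home/alice"], "ext": {"pad": "x" * 900}})
    print(len(big), "bytes intact ->", verify_and_extract(big))
    print("cut at 1023 ->", verify_and_extract(big[:1023]))
```

The order in `extract_scopes` matters during the transition the thread describes: once Hydra starts emitting "scope", a verifier that still only reads "scp" silently sees no scopes and denies everything, while one that only reads "scope" accepts nothing from today's Hydra. Reading both, with "scope" first, lets the SSH side keep working across the switch without loosening what is checked.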