Auth: Use the FTS instance domain as audience rucio#6590

The discussion on how the Audience claim should be handled is still on-going. However, the FTS team has expressed their wish to stop supporting the WLCG wildcard audience. For the time being, it was agreed to use the domain of the targeted FTS instance, mimicking how it’s done for tokens destined at storages.
dchristidis · Mar 29, 2024 · 64037ef · 64037ef
1 parent a814398
commit 64037ef
Showing 1 changed file with 1 addition and 3 deletions.
diff --git a/lib/rucio/transfertool/fts3.py b/lib/rucio/transfertool/fts3.py
@@ -832,9 +832,7 @@ def __init__(self, external_host, oidc_account=None, oidc_support: bool = False,
         self.token = None
         if oidc_support:
             fts_hostname = urlparse(external_host).hostname
-            # FIXME: At the time of writing, it is not yet finalised what
-            # audience and/or scope is required by FTS.
-            token = request_token(audience='https://wlcg.cern.ch/jwt/v1/any', scope='fts')
+            token = request_token(audience=fts_hostname, scope='fts')
             if token is not None:
                 self.logger(logging.INFO, 'Using a token to authenticate with FTS instance %s', fts_hostname)
                 self.token = token