Add cilogonScopes

dashboard/justin-wsgi-dashboard

@@ -716,11 +716,11 @@ your user name.
   output += '''
 <input type="hidden" name="redirect_uri" 
  value="https://%s/login/cilogon/login">
-<input type="hidden" name="scope" 
- value="openid profile org.cilogon.userinfo wlcg.capabilityset:/duneana wlcg.groups:/dune wlcg.groups:/dune/production">
+<input type="hidden" name="scope" value="%s">
 <button type="submit" 
  style="background: #E1703D; border-radius: 5px; padding: 5px; color: white; font-weight: bold; font-size: 1em; border: 0; cursor: pointer">%s</button>
-</form></p>''' % (environ['SERVER_NAME'], 'Authorize' if authorize else 'Login')
+</form></p>''' % (environ['SERVER_NAME'], justin.cilogonScopes,
+                  'Authorize' if authorize else 'Login')
 
   output += '</td>'
 
@@ -3494,6 +3494,9 @@ def showUser(environ, user, cgiValues):
     if userRow['access_token_len'] > 0:
       output += ('<h2>Your access token</h2>\n<table>')
 
+      output += ('<tr><td>Scopes requested</td><td>%s</td></tr>' 
+               % justin.cilogonScopes)
+
       output += ('<tr><td>Created</td><td>%s UTC</td></tr>' 
                % userRow['access_token_created'])
 
@@ -3503,9 +3506,14 @@ def showUser(environ, user, cgiValues):
       accessTokenDict = json.loads(base64.urlsafe_b64decode(
                             userRow['access_token'].split('.')[1] + '=='))
 
-      output += ('<tr><td colspan=2><pre>%s</pre></td></tr>' %
-                  html.escape(pprint.pformat(accessTokenDict))
-                )
+      for k in accessTokenDict:
+        output += ('<tr><td>%s</td><td>%s</td></tr>' %
+                   (k, insertWBR(str(accessTokenDict[k])).replace(' ','<br>'))
+                  )
+
+#      output += ('<tr><td colspan=2><pre>%s</pre></td></tr>' %
+#                  html.escape(pprint.pformat(accessTokenDict, width=30))
+#                )
 
       if userRow['refresh_token_len'] == 0:
         output += '<tr><td colspan="2">No refresh token!</td></tr>'

docs/security_model.md

@@ -21,12 +21,18 @@ call to CILogon to check the validity of the authentication and obtain a WLCG
 access token, identity token, and refresh token for that user, and extracts
 the users's eduPersonPrincipalName and DUNE wlcg.groups. 
 
+The OAuth scopes requested from CILogon are currently: openid profile 
+org.cilogon.userinfo wlcg.capabilityset:/duneana 
+wlcg.groups:/dune wlcg.groups:/dune/production 
+
 The access token and refresh token are saved in the justIN database, and the
 [justIN finder agent](agents.finder.md) refreshes the access token with
 OIDC calls to CILogon so it is immediately available to the 
 [justIN allocator](services.allocator.md) without any latency.
 Refreshing continues as long as the user has an unexpired web or
-command line session.
+command line session. Users may view their current access token after
+logging in by clicking on the orange button with their username at the top 
+right of any page and looking at the Your Access Token table.
 
 ## DUNE groups and Rucio scopes
 

modules/__init__.py

@@ -100,6 +100,10 @@
 htcondorTRANSFERRING_OUTPUT = 6
 htcondorSUSPENDED           = 7
 
+cilogonScopes       = ('openid profile org.cilogon.userinfo '
+                       'wlcg.capabilityset:/duneana wlcg.groups:/dune '
+                       'wlcg.groups:/dune/production')
+
 # Note that this assumes we are using UTC since we assume elsewhere this
 # will convert from this MySQL date to 0 in Unix seconds
 # Also Unicode date strings coming out of MySQL may not match plain strings