Dear experts,
I needed to debug why an HTCondor CE in Thailand suddenly was no longer accepting WLCG tokens from the ALICE experiment at CERN and found it was due to hitting the 4-second timeout for getting the JWKS of the issuer, as demonstrated here:
```
$ date; curl -s https://alice-auth.cern.ch/.well-known/openid-configuration | wc -c; date
Sat Mar 7 10:05:12 PM +07 2026
3232
Sat Mar 7 10:05:18 PM +07 2026
```
There you have it: 6 seconds! And therefore no way to make this succeed, except for a short time, by copying a valid SciTokens cache file from another CE...
We would be perfectly happy with increasing their timeout, for example to 10 seconds, but there is no way to do so.
It would be great if there were an environment variable to override the default value, e.g. SCITOKENS_JWKS_TIMEOUT. That should not be tricky to add, I would say?
In #114 it was suggested that:
> increasing the default timeout is reasonable
That never got implemented, but could be worth reconsidering, possibly in addition.
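
An added diagnostic, not part of the original post and not code from the SciTokens project: it times the discovery fetch and the follow-up `jwks_uri` fetch separately and flags whichever exceeds the limit. `SCITOKENS_JWKS_TIMEOUT` is only the name proposed in the post, not an existing setting; `MAX_TIMEOUT`, the function names, and comparing each fetch against the limit on its own are assumptions made for this sketch.

```python
import json
import os
import sys
import time
import urllib.request

DEFAULT_TIMEOUT = 4.0   # seconds: the limit quoted in the post
MAX_TIMEOUT = 60.0      # assumed upper bound so a slow issuer cannot stall the CE

def timeout_from_env(env=os.environ):
    """Parse the override name proposed in the post (hypothetical, not a real setting)."""
    try:
        value = float(env.get("SCITOKENS_JWKS_TIMEOUT", ""))
    except ValueError:
        return DEFAULT_TIMEOUT
    # Rejects zero, negatives, NaN and inf, which would disable or unbound the limit.
    return value if 0 < value <= MAX_TIMEOUT else DEFAULT_TIMEOUT

def timed_get(url, ceiling):
    """Fetch url and return (body, seconds elapsed)."""
    if not url.startswith(("https://", "http://")):
        raise ValueError("refusing non-HTTP URL: %r" % url)  # e.g. file:// in jwks_uri
    start = time.monotonic()
    with urllib.request.urlopen(url, timeout=ceiling) as resp:
        body = resp.read()
    return body, time.monotonic() - start

def probe_issuer(issuer, timeout, ceiling=30.0):
    """Time the discovery fetch and the jwks_uri fetch; flag steps slower than timeout."""
    url = issuer.rstrip("/") + "/.well-known/openid-configuration"
    body, t_disc = timed_get(url, ceiling)
    jwks_uri = json.loads(body)["jwks_uri"]   # untrusted input: scheme checked in timed_get
    body, t_jwks = timed_get(jwks_uri, ceiling)
    steps = {"discovery": t_disc, "jwks": t_jwks}
    return {
        "timeout": timeout,
        "steps": steps,
        "keys": len(json.loads(body).get("keys", [])),
        "over_limit": [name for name, took in steps.items() if took > timeout],
    }

if __name__ == "__main__" and len(sys.argv) > 1:
    report = probe_issuer(sys.argv[1], timeout_from_env())
    for name, took in report["steps"].items():
        flag = "OVER" if name in report["over_limit"] else "ok"
        print("%-10s %6.2fs  (limit %.1fs)  %s" % (name, took, report["timeout"], flag))
```

Run it on the affected CE with the issuer URL as the only argument; the per-step timings show whether the delay is in the discovery document, the key set, or both.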