CMS Token Transition

¹ Morgridge Institute for Research, 330 N Orchard Street, Madison WI, USA
² CERN, European Organization for Nuclear Research, Espl. des Particules 1, 1217 Geneve, Switzerland
³ INFN, Perugia, Umbria, Italy
⁴ Fermilab National Accelerator Laboratory, Wilson Road, Batavia, IL 60510, USA
⁵ University of California at San Diego, San Diego, CA, USA
⁶ University of Notre Dame, Notre Dame, IN, USA
⁷ University of Wisconsin, Madison, WI, USA

¹ Corresponding author: bbockelman@morgridge.org
² Corresponding author: lammel@cern.ch

Published online: 7 October 2025

Abstract

Within the LHC community, a momentous transition has been occurring in authorization. For nearly 20 years, services within the Worldwide LHC Computing Grid (WLCG) have been authorized based on mapping an identity, derived from an X.509 credential, or a group/role, derived from a VOMS extension issued by the experiment. A fundamental shift is occurring to capabilities: the credential, a bearer token, asserts the authorizations of the bearer, not the identity. By the HL-LHC era, the CMS experiment plans for the transition to tokens, based on the WLCG Common JSON Web Token profile, to be complete. Services in the technology architecture include the INDIGO Identity and Access Management server to issue tokens; a HashiCorp Vault server to store and refresh access tokens for users and jobs; a managed token bastion server to push credentials to the HTCondor CredMon service; and HTCondor to maintain valid tokens in long-running batch jobs. We will describe the transition plans of the experiment, current status, configuration of the central authorization server, lessons learned in commissioning token-based access with sites, and operational experience using tokens for both job submissions and file transfers.