WLCG AuthZ Call


Proposed agenda: 

  • Presentation: myToken 
  • AOB: 
    • WoTBAn&Az 2021
    • Upcoming meetings (which weeks?)
      • Continue token flows for Rucio
      • Traceability and suspension
      • Scope and token exchange in IAM
    • Status of security analysis of OAuth on the grid

Zoom meeting:

Please ensure you are signed up to project-lcg-authz@cern.ch to receive the meeting password!

Join Zoom Meeting

Meeting ID: 947 1885 7994
Password: <see email>

Participants: Uros, Hannah, Marcus, Andrea, Andrii, Linda, DaveD, Enrico, Federica, Gabriel, Irwin, Jim, Julie, DaveK, Maarten, Masood, Mine, Mischa, Petr, Roberta, John, Brian, Marcelo, Mihai, Jeffrey, James


  • MyToken presentation from Uros
    • Alternative to the HashiCorp Vault solution for a central exchangeable token manager
    • Questions
      • Does AT generation always involve a trip to the token issuer?
        • Uros: Currently yes
        • Gabriel: Actually, as it currently is, creation of a mytoken from an existing mytoken does not require interaction with the OP
      • How are AT requests authenticated?
        • We use Refresh Tokens from the mytoken server
      • How are audiences/scopes for tokens requested? 
        • A mytoken can be downscoped by specifying only specific scopes
      • Do Bearer Mytokens use the JWT format or are they opaque? Do they follow the WLCG JWT profiles?
        • They are JWTs but don't have to be
      • How is token restriction implemented? Is it something done on the server side, or can be done on the client side? What is the protocol used to restrict the token?
        • You can ask the client to give you a restricted token, but it can also be done on the server
        • Done server side
      • What is the protocol on the MT server used to register mytoken clients?
        • There is no client authentication between the mytoken CLI and the mytoken server
        • Only authentication against IAM
        • Users do not need to manage any client credentials 
        • Can specify a password for token encryption, or use gpg, or not use encryption at all. Integration with gpg is good for long term security 
      • Why is a trip to IAM needed for every mytoken?
        • For each mytoken request (which can specify scopes), mytoken does a full authentication with IAM
      • Does Mytoken use OAuth 2.0 Token Exchange (RFC 8693)?
        • Gabriel: currently mytoken works completely without token exchange
      • What is the difference between mytoken and the Vault approach?
        • It is very similar. However, one difference that has come out in the discussion is that the mytoken server can itself downscope to create new mytokens that can only get more restricted access tokens, without having to contact the token issuer
        • Jim: I think the use of JWTs by mytoken is a benefit versus Vault opaque tokens.
        • mytoken doesn't support Kerberos auth
      • How can a new WLCG AT (e.g. for a new scope list or different audience) be provisioned without token exchange? Which grant is used?
        • Once the initial refresh token is obtained for the subject, it is then used in the authorization code flow for new requests for specific scopes or audiences
        • Any restrictions for audience or scopes would be defined in IAM
        • Could also use token exchange
      • Have you done any load testing? How many mytokens can be issued per second?
        • Not yet
        • May be more expensive to generate and sign mytokens
        • Andrea: believes it could be done in a way that is as fast as a macaroon
      • Currently working on high availability 
      • Does it support the device code flow?
        • Currently only using authorization code flow 
        • Device code flow doesn't seem to be necessary atm 
      • https://mytoken.data.kit.edu/.well-known/mytoken-configuration
      • Does it support audience specification?
        • Yes, supports specifying scopes, claims audience etc. 
      • Currently being used in EOSC Synergy for long running infrastructure monitoring
  • Workshop on Token-Based Authentication and Authorization, https://sciauth.org/workshop/ : "We are inviting presentation/panel proposals of 40 minutes or less for the workshop. Would you and/or others on your team be interested in presenting an update of token-based authentication and authorization work for WLCG?"
    • Fermilab also did one last year; not sure we have enough content for a full 40 minutes
    • Could do IAM development roadmap 
    • Do a joint WLCG session that includes
      • Lightning talks: Fermilab update, CERN, OSG
      • IAM development roadmap
  • OSG workshop also in October (https://indico.fnal.gov/event/50597/): opportunity for stakeholders to give feedback
    • Not looking for contributions
    • Sign up for discussion :)
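A toy model of the behaviour discussed in the mytoken questions above: server-side downscoping of a mytoken into a child with fewer scopes and audiences without contacting the OP, and the access-token request the server builds from a refresh token it holds itself. This is an added illustration, not mytoken's own code; the claim names, HS256 signing with a single server key and the REFRESH_TOKENS store are assumptions.

```python
import base64, hashlib, hmac, json

# Constructed demo key and refresh-token store for the mytoken server; the real
# service's key management, claim names and storage are not in the minutes.
SERVER_KEY = b"constructed-demo-signing-key"
REFRESH_TOKENS = {"alice": "constructed-refresh-token-for-alice"}

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_mytoken(claims: dict) -> str:
    """Mint a mytoken as a minimal HS256 JWT (header.payload.signature)."""
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64(json.dumps(claims, sort_keys=True).encode())
    mac = hmac.new(SERVER_KEY, f"{header}.{payload}".encode(), hashlib.sha256)
    return f"{header}.{payload}.{_b64(mac.digest())}"

def verify_mytoken(token: str) -> dict:
    """Check the server's signature and return the claims, else ValueError."""
    header, payload, sig = token.split(".")
    mac = hmac.new(SERVER_KEY, f"{header}.{payload}".encode(), hashlib.sha256)
    if not hmac.compare_digest(mac.digest(), _unb64(sig)):
        raise ValueError("mytoken signature invalid")
    return json.loads(_unb64(payload))

def derive_restricted(parent: str, scopes: set, audiences: set) -> str:
    """Server-side downscoping: the child may only narrow the parent's
    scopes/audiences. Only the server key is used, so no trip to the OP."""
    claims = verify_mytoken(parent)
    if not (scopes <= set(claims["scope"]) and audiences <= set(claims["aud"])):
        raise PermissionError("a child mytoken may only narrow its parent")
    return sign_mytoken(dict(claims, scope=sorted(scopes), aud=sorted(audiences)))

def access_token_request(mytoken: str) -> dict:
    """Refresh-token grant the server would send to the OP's token endpoint to
    get an AT bounded by the mytoken's restrictions (the client holds no RT)."""
    claims = verify_mytoken(mytoken)
    return {
        "grant_type": "refresh_token",
        "refresh_token": REFRESH_TOKENS[claims["sub"]],
        "scope": " ".join(claims["scope"]),
        "audience": " ".join(claims["aud"]),
    }
```

A client that edits the payload of a child token to regain a scope fails verification, and a child cannot derive a grandchild with scopes its own claims lack, which is the property that lets the server hand out restricted mytokens without a new IAM round trip.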