WLCG AuthZ Call
Proposed agenda:
- Scope and token exchange in IAM
- November pre-GDB planning
- Upcoming discussions
- Merging SciTokens and WLCG profiles
- AOB:
  - Status of security analysis of OAuth on the grid
Zoom meeting:
Please ensure you are signed up to project-lcg-authz@cern.ch to receive the meeting password!
Join Zoom Meeting
https://cern.zoom.us/j/94718857994
Meeting ID: 947 1885 7994
Password: <see email>
One tap mobile
+41432107042,,94718857994# Switzerland
+41432107108,,94718857994# Switzerland
Dial by your location
+41 43 210 70 42 Switzerland
+41 43 210 71 08 Switzerland
+41 31 528 09 88 Switzerland
+33 1 7037 9729 France
+33 7 5678 4048 France
+33 1 7037 2246 France
Meeting ID: 947 1885 7994
Find your local number: https://cern.zoom.us/u/abjrVtLBu4
Join by SIP
94718857994@188.184.85.92
94718857994@188.184.89.188
Join by H.323
188.184.85.92
188.184.89.188
Meeting ID: 947 1885 7994
Password: <see email>
Attendees list
Andrea, Maarten, Petr, Mine, Jeny, DaveD, Brian, Enrico, Marcelo,
Federica, Roberta, DavidC, TomD, Oxana, John De Stefano, Mischa
Scope and token exchange in IAM
Two topics covered in Andrea's presentation. Token exchange postponed to a later call.
OAuth refresh token flow
To refresh an access token, a client application must present a valid refresh token (RT) and valid client credentials to the token issuer.
The scope of the new access token can be reduced (never extended) with the scope parameter of the refresh request.
The audience of the new access token can be suggested with the 'audience' parameter; the issuer decides whether to honour it.
Q: How do you get the RT in the first place?
A: By including the offline_access scope in the OAuth/OIDC authorization request.
Q: Can RTs be time limited?
A: Yes, in both IAM and CILogon.
Q: What's the difference from MyProxy?
A: A similar mechanism, but OAuth uses a dedicated credential (the RT) that is only useful for renewal at the token issuer.
JWT-based client authentication
Standard mechanism (JWT client assertions, RFC 7523) to provide time-limited client credentials under the control of the client application: the client signs a short-lived JWT and presents it instead of a long-lived client secret.
Use cases for this?
- Limiting client credentials exposure risks
- Supporting time-limited token renewal scenarios (Rucio, VO job frameworks)
To be further discussed.
Support in IAM coming in 1.8.0.
Access Token lifetime in OSG (Mine)
FNAL is proposing to use 6 hours as the default access token lifetime.
This is in line with WLCG JWT recommendations.
Concern that a shorter token lifetime (1h) would generate too much load on token issuers.
Brian: more than load (issuing tokens is quite cheap), it is token issuer availability that is of concern.
The WLCG WG has always recommended shorter token lifetimes to avoid needing a distributed token revocation mechanism (6h is anyway in line with the recommendations).
Content of the sub claim (Mine)
IAM uses an opaque UUID.
CILogon uses the user's email address.
Harmonization is likely needed.
Discussion postponed to future call.
November pre-GDB planning (Tom)
Plan is to have two half-day pre-GDB sessions at a US-friendly time (Nov. 8 and 9 afternoons).
Agenda to be defined
https://indico.cern.ch/event/876810/
Please send interesting topics for discussion to Tom, Hannah or Andrea.
Andrea: we could have a session to discuss token renewal in more detail.
Upcoming discussions
- Merging SciTokens and WLCG profiles
- Status of security analysis of OAuth on the grid
Next meeting
Oct 28th, 15:00 CEST