Attendees list

Andrea, Maarten, Petr, Mine, Jeny, DaveD, Brian, Enrico, Marcelo,
Federica, Roberta, DavidC, TomD, Oxana, John De Stefano, Mischa

Scope and token exchange in IAM

Two topics covered in Andrea's presentation. Token exchange postponed to a later call.

OAuth refresh token flow

To refresh an access token, a client application must present a valid RT and valid client credentials to the token issuer.

Token scope can be reduced using the scope parameter.
Token audience can be suggested using the 'audience' parameter.

Q: How do you get the RT in the first place?
A: By including the offline_access scope in an OAuth/OIDC authorization request

Q: Can RTs be time limited?
A: Yes, both in IAM and CILogon

Q: What's the difference with myproxy?
A: similar mechanism, but OAuth use a dedicated credential (the RT) that is only useful for renewal at the token issuer

JWT-based client authentication

Standard mechanism to provide time-limited client credentials under the control of the client application.

Use cases for this?

- Limiting client credentials exposure risks
- Support time-limited token renewal scenarios (RUCIO, VO job framework)

To be further discussed.

Support in IAM coming in 1.8.0

Access Token lifetime in OSG (Mine)

FNAL is proposing to use 6 hours as the default access token lifetime.
This is in line with WLCG JWT recommendations.

Concern that shorter token lifetime (1h) would generate too much load on token issuers.

Brian: more than load (issuing tokens is quite cheap), is token issuer availability that is of concern.

The WLCG WG has always recommended shorter token lifetimes to avoid having a distributed

token revocation mechanism in place (6h is anyway in line with recommendations).

Content of the sub claim (Mine)

IAM uses an opaque UUID.
CILogon uses email.

Harmonization is likely needed.
Discussion postponed to future call.

November pre-GDB planning (Tom)

Plan is to have two half-days pre-GDB in US-friendly time
(Nov. 8 and 9 afternoons)

Agenda to be defined

https://indico.cern.ch/event/876810/

Please send interesting topics for discussion to Tom, Hannah or Andrea.

Andrea: we could have a session to discuss token renewal in more detail

Upcoming discussions

    - Merging SciTokens and WLCG profiles
    - Status of security analysis of OAuth on the grid

Next meeting

Oct, 28th, 1500 CEST