WLCG AuthZ Call


Proposed agenda: 

  • Pre-GDB summary
  • Group Workplan
  • Discussion updating the WLCG Profile, e.g.
    • Incorporating RFC 9068 (JWT Profile for OAuth 2.0 Access Tokens) in our schema: https://www.rfc-editor.org/rfc/rfc9068
    • Merging with SciTokens
    • Defining compute scopes
    • Producing a more inclusive profile/name
  • AOB: 
    • Status of security analysis of OAuth on the grid
    • Continue IAM Token Exchange discussion from October 14th

Zoom meeting:

Please ensure you are signed up to project-lcg-authz@cern.ch to receive the meeting password!

Join Zoom Meeting

Meeting ID: 947 1885 7994
Password: <see email>
One tap mobile
+41432107042,,94718857994# Switzerland
+41432107108,,94718857994# Switzerland

Dial by your location
        +41 43 210 70 42 Switzerland
        +41 43 210 71 08 Switzerland
        +41 31 528 09 88 Switzerland
        +33 1 7037 9729 France
        +33 7 5678 4048 France
        +33 1 7037 2246 France
Meeting ID: 947 1885 7994
Find your local number: https://cern.zoom.us/u/abjrVtLBu4

Join by SIP

Join by H.323
Meeting ID: 947 1885 7994
Password: <see email>

Notes WLCG AuthZ

Participants: Andrea, Andrii, Dave, Enrico, Jim, Julie, Linda, Mischa, Elvin, DaveK, Mihai, Roberta, Maarten, Jeffrey, Francesco, Brian, Mine, Petr, DavidC, Raul


  • Pre-GDB summary
    • Policy
      • We seem to be missing docs on who makes authorization decisions etc. Maybe good to start with a risk assessment
      • Discussion needs to happen within IGTF as well (raised at TAGPMA)
      • IGTF has idea of self assessment, how would this process look for a token issuer? Who are the peers and what are the criteria?
      • US labs only allowed to do some things because DoE trusts IGTF processes
      • Note, we never accredited VOMS which is a bit more parallel to the token issuer
      • Possible actions
        • Add to workplan short document on how “it” all works, what is the token issuer and who authorizes what
        • Do a trial peer review of a self assessment of a token issuer (this would be a good test)
        • We should have a compliance test suite for the WLCG JWT profile (there is already something basic)
      • Which projects could we use to fund policy work?
        • Some existing projects e.g. EC ones
        • Should keep an eye out for good opportunities
    • ARC etc
      • Need to define the division of work
    • Dedicated meetings for token based workflows (or hackathon)
    • Rucio has a conflicting meeting on Thursday afternoons
  • “Token based bulk data transfer”
  • Also forward compatibility with mapping (not just backwards)
  • Try and spin up broader discussion with FIM4R and OIDF group and AEGIS r.e. next WLCG profile
    • Need to decide whether want to align with recent RFC
    • Moving towards a more general profile (possibly longer term)
      • Could use RFC as an excuse to get things going
    • Brian suggests starting email sending now before real work begins
    • What are we asking for from FIM4R etc? Find a way to make more broadly adoptable. Will merge WLCG and Sci-Tokens
  • FIM4R Signup https://fim4r.org/contact/
  • Petr: Could we have similar workflows for job submission as we have for download/upload? Yes, that’s next
  • CE scopes presentation from Brian


  • Schedule next meeting (not Nov 25) for FTS & Rucio (include right people, Mihai, Petr)
  • Brian/Hannah to kick off activity for joint profile
  • Hannah update grid map activities in workplan to “Mapping”
  • Hannah clarify who will volunteer whilst on leave (until June 2022)
  • DaveD to help Hannah/CERN deploy htgettoken instance for testing
There are minutes attached to this event. Show them.
The agenda of this meeting is empty