Choose timezone
Your profile timezone:
WLCG AuthZ Call
→
Europe/Zurich
Description
Previous Actions:
Proposed agenda:
- Refresh Token Expiration/Rotation:
https://github.com/WLCG-AuthZ-WG/common-jwt-profile/issues/18 - IAM Support @ CERN
- AOB:
Zoom meeting:
Link below, in the videoconference section. Please ensure you are signed in to Indico to see the meeting password!
Next Meeting:
- May 5th
Videoconference
WLCG AuthZ Call
- Zoom Meeting ID
- 61554826915
- Description
- Zoom room for WLCG AuthZ Call
- Host
- Tom Dack
- Alternative hosts
- Maarten Litmaath, Hannah Short
- Useful links
- Join via phone
- Zoom URL
-
Present: Tom Dack, Dave D, Douglas B, Federica A, Francesco G, Irwin G, Jim B, John S, Julie M, Maarten L, Maiken P, Mary H, Petr V, Roberta M, Stefano DP, Thomas H
Refresh Tokens:
- IAM does not enforce lifetimes
- Opens scope for abuse with unending refresh tokens
- Increases storage, and requires keeping them secure indefinitely - nightmare of management
- Francesco - potential for tokens expiring once they stop being used
- Difference between issuing a new token and an updated one
- Need a solution for handling replaced token should one be revoked
- Francesco to investigate implementing tokens updating, and changing default token lifetime
- To be investigated and updated with the group later
- Not urgent - jobs aren't failing, it is just an increased risk
- Related issue of how many tokens to keep active
- Is maximum lifetime 30 days full stop, or 30 days since last use
- Assuming max lifetime is 30 days full stop, you will need token rotation
- What happens to the old one when a new one is issued
- CILogon stops accepting the old one immediately once a new one is
- If there are multiple copies of a token in use, all of them must have been updated by that time
- Better allow the old one still to be used during a grace period of N hours, possibly up to 1 day
- Recording which refresh token was used to get a JWT - useful for incident handling
- Tune based on operational experience
- CILogin includes ClientID but not Refresh Token ID
- https://www.rfc-editor.org/rfc/rfc6819.html#section-5.2.2.3
- Need sensible blocking criteria/lists - need tools for fine grained approach
Synchronisation scripts
- Being investigated for changes required
Production in May
- Confusion around Hannah returning to work - early June
- She will likely need to coordinate the support effort
- Reorganisation of CERN IT 1st May. Should not affect IAM, but may do
- No significant availability/reliability issues reported, so seems promising to continue as is for now
- Service has been stable
There are minutes attached to this event.
Show them.
The agenda of this meeting is empty
