WLCG AuthZ Call

Europe/Zurich
Description

Previous Actions:

  • Open tickets from VO Admin training from Andrea in Dec. Petr will try to ping the important ones of these for addressing


Proposed agenda:

Zoom meeting:

Link below, in the videoconference section. Please ensure you are signed in to Indico to see the meeting password!

Next Meeting: 

  • 14th Oct
Videoconference
WLCG AuthZ Call
Zoom Meeting ID
61554826915
Description
Zoom room for WLCG AuthZ Call
Host
Tom Dack
Alternative hosts
Maarten Litmaath, Hannah Short

Apologies:

Present: Tom D (Minutes), Dimitrios C, Maarten L, Petr V, John SdS Jr, Martin B, Linda C, Jim B, Mine A, Stefano DP, Federica A, Julie Marsh, Andrei T, Francesco G, Doug B, Roberta M, Dave D, Liz S-K, Jeffrey G, Xin Z

Notes: (please send corrections)

 


WLCG Workshop - 2 slots of 1 hour each on the Tuesday: https://indico.cern.ch/event/1162261/timetable/#20221108

Discussion topics suggested:

  • status of the IAM services
  • VO readiness & plans for using IAM
  • status of DIRAC, Check-in, HTCondor
  • EGI site readiness
  • data management plans (maybe better in DOMA session)
  • resource trust evolution (CAs, cloud, ...)

Doug: missing section on Storage, and service access using tokens (workflow, job scheduling, etc).

Scheduling has been set up to not fully block remote participation


Do we need any content from Fermilab and DUNE?
Some slides from Fermilab could be added for the overview; a "scene-setting" presentation will be needed.

DIRAC (Andrei), HTCondor (Brian), EGI (relevant parties): we need to be clear about the repercussions if one player runs into a stumbling block.

Ensure that we consider how other communities are taking their steps, as well as how we are doing. The focus is on discussing and informing.
The Rucio workshop following this will have its own token-context session, but some slides within this session would still be appreciated.

 

Maarten: to email WG and start steps to identify speakers and contributors and inform decisions on what sessions we need.

 

Mine: VOMS Admin Service at Fermilab

It is EOL, and senior management would like to turn it off. Is it possible to provide a different solution that satisfies CERN's needs?

Maarten: suggests pursuing what CMS does, which provides a web-service URL with the mapping required. Something similar should be possible in this use-case too. Should be a much easier setup. 

Follow-up with EOS team to make something happen which resembles what CMS does

Maarten can start an email thread with the correct people to start this moving, and then followed by a ticket as needed. Will sort this on Monday, will copy in Steve T & Julie. 

After sorting this, Fermilab will switch VOMS Admin off; please flag if this is an issue.

 

Jim: Guidance on Refresh Token Lifetime, Renewal, Revocation

CILogon is keen to update lifetimes, particularly for robot support, but wants the profile updated before any implementation takes place. This follows on from discussions earlier this year.

Some discussion around this in the issue: https://github.com/WLCG-AuthZ-WG/common-jwt-profile/pull/19

The PR proposes an additional paragraph that allows robots to operate for longer than 30 days. It allows a grace period during which the old refresh token remains valid after the new one is issued, so that if something happens to the new refresh token (e.g. a storage failure) the robot does not get stuck. This allows seamless indefinite operation.

Current IAM behaviour does not conform, as refresh tokens may last longer than 30 days: the default has no expiry, but it should be configurable (Francesco to check).

It is onerous on a client to require a positive action to revoke the old refresh token. Francesco will investigate code options to implement this within IAM.

Refresh tokens are revoked but not deleted, and a flag is raised when an attempt is made to use an old one.

Scalability concerns with many tokens: this could be better viewed as an expiration (no need to keep track of old tokens) rather than a revocation (which requires tracking which tokens have been revoked).

Rather than needing a grace period, request the new token before the expiry of the old one and keep the old one valid until its expiration. This will have the same effect without extra steps. 

Dave: The extra option needed for oidc-agent to be able to replace the refresh token is `oidc-add --pw-store`


Jim: will update the PR to reflect the discussion: the client deletes the old refresh token, and the server keeps the old refresh token until it expires, though it MAY reduce the expiration time.
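As an added illustration of the behaviour converged on above (this is example code, not IAM, CILogon or profile text), a small model of a token server in which the client requests a new refresh token before the old one expires, the old token stays valid until its own expiry (which the server MAY shorten), and a revoked token is kept rather than deleted so that reuse can be flagged. The one-day overlap cap and the `run_robot` helper are assumptions of this example.

```python
from dataclasses import dataclass, field
import secrets

DAY = 86400

@dataclass
class RefreshToken:
    subject: str
    expires_at: int
    revoked: bool = False  # revoked tokens are kept, not deleted, so reuse can be flagged

@dataclass
class TokenServer:
    max_lifetime: int = 30 * DAY  # per-token cap from the profile
    overlap_cap: int = DAY        # assumed: server MAY shorten the old token to this much
    tokens: dict = field(default_factory=dict)
    reuse_alerts: list = field(default_factory=list)

    def issue(self, subject: str, now: int) -> str:
        tid = secrets.token_urlsafe(16)
        self.tokens[tid] = RefreshToken(subject, now + self.max_lifetime)
        return tid

    def refresh(self, old_id: str, now: int):
        """Exchange a valid refresh token for a new one; None means re-authenticate."""
        old = self.tokens.get(old_id)
        if old is None or now >= old.expires_at:
            return None  # unknown or expired; expired rows can simply be purged
        if old.revoked:
            self.reuse_alerts.append((old_id, now))  # old token presented again: flag it
            return None
        new_id = self.issue(old.subject, now)
        # The old token stays valid until its own expiry, so a client that loses the
        # new one (e.g. storage failure) can recover; the server MAY shorten that window.
        old.expires_at = min(old.expires_at, now + self.overlap_cap)
        return new_id

    def revoke(self, tid: str) -> None:
        if tid in self.tokens:
            self.tokens[tid].revoked = True  # marked, not deleted

def run_robot(server: TokenServer, days: int, renew_every: int = 20) -> bool:
    """Robot that renews every `renew_every` days; True if it never lost access."""
    tid = server.issue("robot", 0)
    for day in range(renew_every, days + 1, renew_every):
        tid = server.refresh(tid, day * DAY)
        if tid is None:
            return False
    return True
```

A robot that renews every 20 days runs indefinitely under the 30-day cap, while one that waits 31 days loses access and must re-authenticate.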

 

Brief discussion and overview of mail thread "Tokens with groups and explicit AuthZ statements"

Suggestion to request Paul to submit a PR in order to produce a concrete change to be considered

Tom:  to reply to the mail thread requesting Paul produce a PR for further discussion

 

Actions:

  • Maarten: to email WG about the WLCG Workshop, and start steps to identify speakers and contributors and inform decisions on what sessions we need.
  • Maarten & Mine: Maarten to start an email thread with EOS about Fermilab switching off VOMS Admin.
  • Jim: Update the PR paragraph based on the discussion and circulate once done.
  • Tom: to reply to the mail thread requesting that Paul produce a PR for further discussion

 
