dCache behavior with tokens without storage.* scope
- ATLAS & CMS would like to use exclusively tokens
- this seems to be trickier than expected, especially when combined with the X.509 access that we still need during the transition to tokens
- Long discussion about the union of group- and scope-based authorization defined in the WLCG JWT profile
- we still have not updated the profile according to the discussion that was held in the past (email thread)
- it seems the current dCache implementation can indeed be configured to satisfy ATLAS & CMS expectations
- prefer storage.* scope
- reject access for tokens without storage.* scope
- this configuration is technically not compatible with WLCG JWT profile v1.0
- WLCG JWT profile needs to be updated / improved
- Fermilab is going to provide a configuration example for dCache
- it is possible to distinguish clients that come with tokens including a storage.* scope
- the gplazma.oidc.provider -authz-id configuration option is used only when a storage.* scope is present in the token
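The decision discussed above (prefer storage.* scope, reject tokens without it), written out as an added Python sketch. It is not dCache code or configuration and not part of the original notes. It assumes the token's signature, issuer and expiry were already validated, and the paths and group names are constructed; the strict=False branch is only a stand-in for handing a group-only token to group-based authorization, not an implementation of the profile's rules.

```python
# Added illustration (not dCache code): scope-first decision for a token whose
# signature, issuer and expiry have ALREADY been validated elsewhere.
STORAGE_OPS = {"read", "create", "modify", "stage"}  # WLCG profile storage.* scopes

def storage_scopes(claims):
    """Return [(op, path)] for well-formed storage.* entries in the 'scope' claim."""
    found = []
    for item in claims.get("scope", "").split():
        name, _, path = item.partition(":")
        prefix, _, op = name.partition(".")
        if prefix != "storage" or op not in STORAGE_OPS:
            continue
        # Entries without an absolute path, or with '..', are skipped as malformed.
        if path.startswith("/") and ".." not in path.split("/"):
            found.append((op, path))
    return found

def covers(scope_path, requested):
    """True if requested equals scope_path or lies below it, by whole segments."""
    base = scope_path.rstrip("/")
    return requested == base or requested.startswith(base + "/")

def decide(claims, op, path, strict=True):
    """Return 'scope', 'group' or 'reject'.
    strict=True  -> tokens without a storage.* scope are rejected.
    strict=False -> such tokens are handed to group-based authorization."""
    if not path.startswith("/") or ".." in path.split("/"):
        return "reject"
    scopes = storage_scopes(claims)
    if scopes:
        # storage.* present: it is preferred, groups are not consulted.
        granted = any(o == op and covers(p, path) for o, p in scopes)
        return "scope" if granted else "reject"
    if not strict and claims.get("wlcg.groups"):
        return "group"
    return "reject"

# Constructed sample claims (hypothetical paths and groups).
SCOPED = {"scope": "openid storage.read:/atlas", "wlcg.groups": ["/atlas"]}
GROUP_ONLY = {"scope": "openid", "wlcg.groups": ["/cms"]}

if __name__ == "__main__":
    print(decide(SCOPED, "read", "/atlas/data/f1"))          # scope
    print(decide(SCOPED, "read", "/atlasfoo/f1"))            # reject
    print(decide(GROUP_ONLY, "read", "/cms/f1"))             # reject
    print(decide(GROUP_ONLY, "read", "/cms/f1", False))      # group
```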
DC24 Transfer with tokens proposal
- as presented e.g. during the last DOMA General, it is necessary to write a proposal for what we would like to test during DC24
- these proposals must be finalized before the next DOMA General, which will be held on August 30
- support for tokens is not yet available (or even implemented) for TAPE REST
- tapes are out of the scope of this proposal
- generally, tapes are not part of DC24
- sites/T1s can still make their own proposal if they would like to test with tapes during DC24 (e.g. some sites are moving to dCache+CTA)
- started work on a draft of the transfers with tokens document