WLCG AuthZ Call

Previous Actions:

  • Action, Maarten: Start a discussion on the mailing list in late August about VO information in tokens (for accounting purposes), to revisit and converge on a plan once the summer holidays are over
    • No need to follow up yet - just for tracking
  • Action, all: comments and contributions for CHEP paper before 22/09
    • Completed - thank you!
  • Action, Tom: submit CHEP paper
    • Completed


Proposed agenda:

  • Follow up on token profile discussions


Zoom meeting:

Link below, in the videoconference section. Please ensure you are signed in to Indico to see the meeting password!

Next Meeting: 

  • October 12th
Zoom Meeting ID: 61554826915 (Zoom room for WLCG AuthZ Call)
Host: Tom Dack
Alternative hosts: Hannah Short, Maarten Litmaath

Present: Tom D (Minutes), Angela CB, Francesco G, JG, Dimitrios C, Maarten L, Dave D, Mischa S, Federica A, Mine AC, Roberta M, Linda C, Berk B

Apologies: John SdS. Jr

Actions:

CHEP paper submitted

Token Profile Recap

Three main profiles relevant:

  • WLCG (already a mixture of profiles)
  • SciTokens
  • EGI Tokens (based on AARC Profile)

Mischa has had many conversations, and all so far are strongly in favor of working towards a unified token profile, but the process will need discussion.

It is likely that we will not have identical tokens, but a format for compatibility should be agreed, covering such things as versioning, groups, etc.

Two main decisions likely to be needed:

  • Where to discuss this - too many large groups to engage, needs a smaller focused group
  • Will need unanimous agreement on topics and decisions, with full engagement from involved parties

OpenID R&E working group may be a good place to discuss - place to centralize claim names.
Maybe an issue with the IPR statement.
Will need to have people who can work on this, and who can identify the differences and requirements from different groups.

No clear answer yet - the first step is to identify where to start the conversation.
Mischa suggests Nikhef list, to remain "neutral". Maarten agrees - the first step is to get the conversation going and collecting people's thoughts and input on the matter.
After this initial conversation phase, we could then look to move to a platform like AEGIS and review and discuss more widely.
An initial step which has a useful common basis agreed between WLCG, EGI and SciTokens would be a big step forward.

Many profiles originated at a time when there was less experience, so formats have since changed to reflect the experience gained and the problems encountered, such as tokens that are too large.

Other issues include the no-callbacks requirement: callbacks to UserInfo endpoints cannot work within the WLCG infrastructure. This is where optional components need to be included in the profile, so that methods such as introspection can still be supported by the same profile.

The initial complaints actually came from sysadmins who are not happy about supporting multiple token types.
Keeping profile knowledge out of the main codebase would make development easier and means fewer changes are needed to support new profiles etc.
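The point about keeping profile knowledge out of the main codebase, and the earlier one about agreeing a compatible format for versioning and groups, can be shown with a small adapter layer. This is an added example, not code from the WLCG AuthZ group or from any of the projects discussed: each adapter understands one profile and maps its claims onto a common internal structure, so the rest of the code only ever sees that structure and a new profile means adding one adapter. The claim names follow the published profiles (wlcg.ver and wlcg.groups for WLCG tokens, ver = "scitokens:2.0" for SciTokens, eduperson_entitlement for AARC-based EGI tokens); the sample claim sets, the example issuer URLs and the "/vo/subgroup" path convention are constructed for this example, and signature and expiry validation is assumed to have happened before this layer runs.

```python
"""Hypothetical profile-adapter layer for multi-profile tokens (added example)."""
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple


@dataclass(frozen=True)
class NormalizedToken:
    profile: str       # which adapter produced this token
    version: str       # profile version as carried in the token ("" if none)
    issuer: str
    subject: str
    groups: frozenset  # group paths in a common "/vo/subgroup" form
    scopes: frozenset  # the space-separated "scope" claim, split


def _scopes(claims: dict) -> frozenset:
    return frozenset(claims.get("scope", "").split())


def _from_wlcg(claims: dict) -> NormalizedToken:
    # WLCG profile: groups already arrive as "/vo/subgroup" paths.
    return NormalizedToken("wlcg", str(claims["wlcg.ver"]), claims["iss"],
                           claims["sub"], frozenset(claims.get("wlcg.groups", [])),
                           _scopes(claims))


def _from_scitokens(claims: dict) -> NormalizedToken:
    # SciTokens express authorization through scopes only; no group claim.
    return NormalizedToken("scitokens", claims["ver"], claims["iss"],
                           claims["sub"], frozenset(), _scopes(claims))


def _entitlement_to_group(entitlement: str) -> Optional[str]:
    """Map an AARC-G002 entitlement such as
    urn:mace:egi.eu:group:dteam:role=member#aai.egi.eu onto "/dteam"
    (this adapter's own convention). Non-group entitlements yield None."""
    urn = entitlement.split("#", 1)[0]          # drop the authority suffix
    parts = urn.split(":")
    if "group" not in parts:
        return None
    after = parts[parts.index("group") + 1:]
    components = [p for p in after if not p.startswith("role=")]
    return "/" + "/".join(components) if components else None


def _from_aarc(claims: dict) -> NormalizedToken:
    groups = {g for g in map(_entitlement_to_group,
                             claims.get("eduperson_entitlement", [])) if g}
    # No version claim is assumed for this profile; keep "" unless present.
    return NormalizedToken("aarc", str(claims.get("ver", "")), claims["iss"],
                           claims["sub"], frozenset(groups), _scopes(claims))


# Detector/adapter pairs, checked in order. Adding a profile = adding a pair.
ADAPTERS: List[Tuple[str, Callable[[dict], bool], Callable[[dict], NormalizedToken]]] = [
    ("wlcg", lambda c: "wlcg.ver" in c, _from_wlcg),
    ("scitokens", lambda c: str(c.get("ver", "")).startswith("scitokens:"), _from_scitokens),
    ("aarc", lambda c: "eduperson_entitlement" in c, _from_aarc),
]


def detect_profile(claims: dict) -> Optional[str]:
    for name, matches, _ in ADAPTERS:
        if matches(claims):
            return name
    return None


def normalize(claims: dict) -> NormalizedToken:
    """The only entry point the main codebase needs to call."""
    for _, matches, adapt in ADAPTERS:
        if matches(claims):
            return adapt(claims)
    raise ValueError("unrecognized token profile")


def is_member(token: NormalizedToken, group: str) -> bool:
    """Profile-agnostic authorization check used by the main codebase."""
    return group in token.groups


# Constructed sample claim sets (already signature-checked, by assumption).
WLCG_SAMPLE = {"iss": "https://iam.example.org/", "sub": "u1", "wlcg.ver": "1.0",
               "wlcg.groups": ["/cms", "/cms/production"], "scope": "openid storage.read:/"}
SCITOKENS_SAMPLE = {"iss": "https://scitokens.example.org", "sub": "u2",
                    "ver": "scitokens:2.0", "scope": "read:/data write:/data/user"}
AARC_SAMPLE = {"iss": "https://aai.example.eu/oidc/", "sub": "u3",
               "eduperson_entitlement": [
                   "urn:mace:egi.eu:group:dteam:role=member#aai.egi.eu",
                   "urn:mace:egi.eu:group:dteam:test:role=member#aai.egi.eu",
                   "urn:mace:egi.eu:res:some-service#aai.egi.eu"]}

if __name__ == "__main__":
    for sample in (WLCG_SAMPLE, SCITOKENS_SAMPLE, AARC_SAMPLE):
        print(normalize(sample))
```

The main codebase calls normalize() and is_member() only; the profile-specific claim names live entirely in the adapters, which is the separation the minutes argue for.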

Agree a direction and requirements between the communities to get the momentum going and identify what a shared profile will look like.
It is important to identify which communities should be involved, beyond the obvious ones.

AARC-Tree Project starting in January
This is planning to include a "best practice token policy" document, which we should ensure we are engaged with.
We need to understand how WLCG requirements (lifetime, rates) will need to be reflected and considered in this.
DC24 is the next big step in moving forward and learning with this.
The considerations for WLCG lifetimes etc. will need to be documented in the token profile and policy document.

Things will be reflected upon and learnt over the coming years, but it is clear that the current 1.0 profile will not be the one implemented for everyone.
The aim is for a newer, updated version this Autumn.

First iteration would be an update to the WLCG profile, then look towards how to make things more compatible in the future.

The TTT (Token Trust and Traceability) Working Group will be looking to update documents and policy concerns around token implementation. This group is aimed at WLCG and EGI at least, and tries to avoid WLCG looking different from EGI and OSG.
Currently meeting approximately monthly, scheduled via Doodle. Hopefully a first admin guide by winter this year.
Anyone is welcome (you must subscribe explicitly) and can join as an observer.

The goal is to understand the risks from the security perspective, so that information can be shared with site admins and procedures are understood and clear.
Documents and policies need to be updated for the new technologies; they are all still proxy-centered.

IAM Security Update

Security patch update: the 1.8.1 update was deployed smoothly. It fixed a notable vulnerability that allowed any scope to be requested (including admin scopes).
Unfortunate discovery of shrinking lifetimes for ALICE and ATLAS tokens: token renewal was not working.
IAM had been violating a rule that would normally have been enforced from the start by MitreID, the third-party product used by IAM under the hood.
The options were either to define new clients or to update the existing clients. However, creating a new client is only a first step: the new client information must be propagated throughout the various configurations to reflect the change.
Some usability improvements are desired, for example concerning anonymous clients with OIDCAgent.
The full impact of the security fix was missed, otherwise it would have been documented in the release notes.
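The class of problem behind the 1.8.1 fix, an authorization server granting whatever scopes a client asks for instead of restricting them to the scopes registered for that client, is shown below in its missing-check and hardened forms, together with a detection helper that flags over-reaching token requests in logs. This is an added example, hypothetical and not INDIGO IAM or MitreID code: the client registry, the scope names (admin:read, admin:write, storage.read:/) and the log lines are all constructed for this example.

```python
"""Scope enforcement at token issuance: the missing check and its fix (added example)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple


class InvalidScopeError(Exception):
    """Maps onto the RFC 6749 'invalid_scope' error response."""


@dataclass(frozen=True)
class Client:
    client_id: str
    allowed_scopes: frozenset   # scopes granted at registration time


# Constructed registry: a storage client and a separate admin console client.
CLIENTS: Dict[str, Client] = {
    "storage-client": Client("storage-client",
                             frozenset({"openid", "profile", "storage.read:/"})),
    "admin-console": Client("admin-console",
                            frozenset({"openid", "admin:read", "admin:write"})),
}


def issue_scopes_unchecked(client_id: str, requested: str) -> frozenset:
    """The vulnerable shape: the client's existence is checked, but its
    registration is never consulted, so a storage-only client can obtain
    admin:write simply by asking for it."""
    if client_id not in CLIENTS:
        raise KeyError(client_id)
    return frozenset(requested.split())


def issue_scopes(client_id: str, requested: str, strict: bool = True) -> frozenset:
    """Hardened: only scopes the client is registered for are ever granted.
    strict=True rejects the whole request (invalid_scope) if it asks for
    anything outside the registration; strict=False narrows silently, which
    RFC 6749 section 3.3 also permits, but then the client must read the
    'scope' parameter in the response to learn what it actually received."""
    client = CLIENTS[client_id]
    wanted = frozenset(requested.split())
    excess = wanted - client.allowed_scopes
    if excess and strict:
        raise InvalidScopeError(f"{client_id} may not request {sorted(excess)}")
    return wanted & client.allowed_scopes


# Detection side: constructed token-request log lines in a simple key=value form.
_LOG_RE = re.compile(r"client_id=(\S+) scope=(.*)$")

SAMPLE_LOG = [
    "2023-09-28T10:00:01Z token_request client_id=storage-client scope=openid storage.read:/",
    "2023-09-28T10:00:07Z token_request client_id=storage-client scope=openid admin:write",
    "2023-09-28T10:00:12Z token_request client_id=admin-console scope=openid admin:read",
    "2023-09-28T10:00:20Z token_request client_id=unknown-client scope=openid",
]


def find_overreaching_requests(lines: List[str]) -> List[Tuple[str, List[str]]]:
    """Return (client_id, excess scopes) for every request asking for scopes
    beyond the client's registration. An unregistered client has no
    registered scopes, so everything it asks for is reported as excess."""
    findings = []
    for line in lines:
        m = _LOG_RE.search(line)
        if not m:
            continue
        client_id, scope = m.group(1), m.group(2)
        client = CLIENTS.get(client_id)
        allowed = client.allowed_scopes if client else frozenset()
        excess = sorted(frozenset(scope.split()) - allowed)
        if excess:
            findings.append((client_id, excess))
    return findings


if __name__ == "__main__":
    print("unchecked:", sorted(issue_scopes_unchecked("storage-client", "openid admin:write")))
    print("narrowed: ", sorted(issue_scopes("storage-client", "openid admin:write", strict=False)))
    for client_id, excess in find_overreaching_requests(SAMPLE_LOG):
        print(f"over-reaching request from {client_id}: {excess}")
```

Running the same over-reaching log lines through the detection helper is also a cheap way to check, after an upgrade, whether any deployed client was relying on the old behaviour before it starts failing with invalid_scope.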
Related issue: https://indico.cern.ch/event/1325762/
