WLCG AuthZ Call

Europe/Zurich
513/R-068 (CERN)

Description

Previous Actions:

  • Action: Tom to send an email to request topics and issues for discussion, and then we can plan a schedule of upcoming meetings
    • Done - initial plan to focus on Accounting & Tokens
    • Will ping for further requests
  • Action: Maarten to tidy up and review open issues and pull requests for the token profile, and then circulate a potential 2.0 draft
  • Action: Maarten to look at reviving the RTE Task Force


Proposed agenda:

  • Profile updates & Pull requests
  • Token Accounting Cont.

 

Open PRs:

 

Zoom meeting:

Link below, in the videoconference section. Please ensure you are signed in to Indico to see the meeting password!

Next Meeting: 

  • TBC

Zoom Meeting ID: 61554826915
Description: Zoom room for WLCG AuthZ Call
Host: Tom Dack
Alternative hosts: Hannah Short, Maarten Litmaath

Attendees: Maarten, Berk, Patrick, Hannah, Dave K, Tom, Mia, Volodymyr, Stephan L, Mischa, Federica, Roberta, Enrico, Matthew, Donald, Dave D

Notes: 

  • 3 pull requests are active
  • Whilst we tried hard, we did run into some issues with implementing our first ideas
  • Currently tokens are being used in production for compute and data management but we have some way to go
  • The profile should be updated to reflect reality. We would like to publish a newer version in Zenodo. It will have to be v 2.0 as some of the changes are not backwards compatible. 
  • Must be careful that downstream systems are able to accept tokens that signal v 2.0 (e.g. dCache currently does not)
  • There are lots of open issues with good discussion and they are not fully solved but we should try and go ahead with some merges and create extra issues for problems that remain
  • Token lifetimes:
    • Much discussion with wider community. General agreement that WLCG use cases are outside the scope of global efforts e.g. for EOSC/AARC. 
    • Dropping all guidelines in v 2.0 will mean that it will be very hard to enforce guidelines later 
    • On the plus side we have many technical constraints over the token workflows but it is complex for end users and highly flexible
    • Should update default lifetimes to match document from AARC project https://docs.google.com/document/d/1U9vvJfWuE8oO7u0FcGVGr3KySvBqwjnkzKO8TKzgoX4/edit?tab=t.0
    • Issue that clients cannot be in groups
  • Path authorization
    • Minor change requested by Stephan 
  • ACTIONs
    • Maarten to rephrase clock skew section
    • Hannah to raise a GitHub ticket for INDIGO IAM re creating tokens with iat and nbf in the past?
    • Next steps
      • Maarten to send to mailing list with a 1.5 month window for comment (end of Aug)