WLCG AuthZ Call

Europe/Zurich
513/R-068 (CERN)

Description

Notes:

Previous Actions:

  • Action: Maarten to tidy up and review open issues and pull requests for the token profile, and then circulate a potential 2.0 draft
  • Action: Maarten to look at reviving the RTE Task Force


Proposed agenda:

  • CHEP 2026 talk?

 

Zoom meeting:

Link below, in the videoconference section. Please ensure you are signed in to Indico to see the meeting password!

Next Meeting: 

  • Oct 23
Zoom Meeting ID: 61554826915
Description: Zoom room for WLCG AuthZ Call
Host: Tom Dack
Alternative hosts: Hannah Short, Maarten Litmaath

Present: Tom Dack (1st 1/2 hour, notes for this time), Adrian Coveney, Maarten L, Linda C, Dave D, Stephan L, Berk B, Enrico V, Roberta M
Apologies: John SdS JR

 

Previous Meetings:

  • Focus has been on 1.1 of profile document, and this is now behind us (congrats!)
  • Over the coming months (likely early 2026) we will look towards v1.2, identifying changes we feel are needed
  • The aim is to roll these changes out faster than previously
  • Remaining open issues will need to be reviewed, with the intention to update and publish a 1.2 version once a "critical mass" of changes has been reached
  • Now have a direction of flight for future topics

 

Accounting:

  • v1.1 and other activities have taken priority for Maarten over September/early October.
  • He intends to work on this over the coming weeks, and will open communications directly with Adrian as issues and solutions are identified
  • Maarten hopes to complete the work this month, and then plan delivery from there.
    • Hopefully minimal code changes will be needed, with a deployment campaign to bring CEs up to pace.

 

IAM Autumn Timeline:

  • Enrico to email about new version release (1.12.3) imminently
    • This includes various fixes
    • No issues with upgrading from any 1.12 versions
  • 1.13 is nearing completion
    • Last touches being added, targeting release in 2 weeks
    • Will not yet offer the option of not storing access tokens in the DB
      • That feature is foreseen for 1.14 instead
      • CERN would be interested in a pre-release of the latter to allow ATLAS to keep increasing the token fraction of their FTS traffic without risking a potential collapse of their IAM service
    • Fix for FTS from last hackathon will not be in this release
    • First OIDC Federation experimental testbed to be added in this release. Aiming for a more tested version and concrete answers by the end of this calendar year.
  • Also by the end of this year, aiming to have a proof of concept for a migrated IAM based on the new Spring Framework
    • Notably, not a production release
    • Identify next steps and design internal tasks for developers
  • Other project work also ongoing
  • Ongoing internal selection within INFN, so hoping to maintain development effort - but to be confirmed mid 2026
  • CERN currently running 1.11 - asks about patching fixes for this release
    • Waiting on bug fixes around the new reader role, aiming to upgrade around early November, when a new person has joined the CERN IAM team
    • Enrico and Berk will follow up outside of this meeting to work out next steps, during the regular IAM community meeting
  • Next IAM Hackathon:
    • Sometime in Jan - Mar at Imperial College, UK. Details to be confirmed. 

 

AOB:

  • CHEP 2026? 
    • Tom may be attending, Berk will be looking to do a broader CERN/WLCG Authentication presentation as well. 
    • Berk will draft an abstract, and the WG can comment
    • Potential for a poster to support as well
  • The Proposal for a WLCG standard system JWKS cache is waiting for feedback from Brian
    • We can expect to have a PoC implementation or even a first version in the coming months
    • Once we are happy with the specification, we will make it another official publication and refer to that in v1.2