WLCG AuthZ WG, JWT Profile Discussion


Kick start discussion for an interoperable JWT profile to be used by infrastructures participating in WLCG.

Attendees to include EGI, OSG, AARC, and anyone else interested.

The objective of this activity is to publish an agreed schema for use by interoperating research and e-infrastructures in the context of WLCG (but it may be more widely applicable).

Videoconference room: WLCG_AuthZ_Meeting (extension 10669715, owner: Hannah Short)

Attendees: Andrea, David C, Kyle, Hannah, Liviu, Linda, Marina, Mischa, Michel, Brian, Paul

  • JWT is a specific type of OAuth Token
  • AARC is looking into interoperable OAuth profiles, JRA1, and can help push this activity
  • Scope: we are looking to define a JWT access token
    • Only structure of claims? Minimum set?
    • Or also beyond authorisation? OIDC authentication?
    • Is JWT sent around or at an introspection endpoint? Do we need to specify?
  • Do we need to think about whether we deal with non-opaque tokens?
    • JWT tokens should be self-contained, but consumers will still need to know where to go to resolve (for example) the identity
  • Minimum set?
    • Registered claims are well understood
    • You are free to define whatever you need
    • Efforts by the REFEDS OIDC Working Group to map SAML eduPerson attributes to claims; often an equivalent claim doesn't exist, e.g. for group membership and affiliation
      • We potentially want to move away from sending these attributes
  • Existing profiles?
    • EGI is using its own mappings (from SURFnet OIDC) and seems to be following its earlier group-based authorisation models
    • SciTokens? OSG? Pure authorisation tokens: "this person can do that"
    • Do we need to accommodate both?
  • Pure scope-based authorisation has not existed in WLCG; sites don't have a decision-making process for it
  • Concern that we may not converge easily
  • Let's start a document
    • Scope
    • What are infrastructures doing now? Need to separate identity from authorisation
    • What are the tokens used for?
    • Eventually try and converge on a profile
  • Other infrastructures?
    • ALICE? They have been doing this for a while (Miguel?)
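As an added example (not part of the minutes, nor code from any of the infrastructures named), the following Python sketch shows what the "minimum set" and "accommodate both?" questions above look like in practice: a verifier that resolves the issuer named in a self-contained token, checks the registered claims, and then decides authorisation either from a pure scope claim (the "this person can do that" model) or from a group claim that the site maps to rights itself (the group-based model). The issuer URL, the HS256 shared secret and the group-to-rights table are constructed assumptions so that it runs offline.

```python
import base64, hashlib, hmac, json

# Constructed demo key table: the token's "iss" claim tells the verifier where to
# fetch the key. HS256 with a shared secret is assumed so the example runs offline.
ISSUER_KEYS = {"https://iam.example.org/": b"constructed-demo-secret"}
# Constructed site-side mapping for the group/affiliation model (model B below).
GROUP_RIGHTS = {"/cms/prod": [("write", "/store/cms")]}

# base64url without padding, as the JWT compact serialisation requires
_b64 = lambda raw: base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
_unb64 = lambda txt: base64.urlsafe_b64decode(txt + "=" * (-len(txt) % 4))

def mint(claims: dict, key: bytes) -> str:
    """Issue an HS256 JWT carrying the given claims (issuer side)."""
    head = _b64(b'{"alg":"HS256","typ":"JWT"}')
    body = _b64(json.dumps(claims).encode())
    sig = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64(sig)}"

def verify(token: str, audience: str, now: int) -> dict:
    """Resolve the issuer, check the signature, then the registered claims."""
    head, body, sig = token.split(".")
    if json.loads(_unb64(head)).get("alg") != "HS256":
        raise ValueError("unsupported alg")  # never accept "none" or a surprise alg
    claims = json.loads(_unb64(body))
    key = ISSUER_KEYS.get(claims.get("iss"))
    if key is None:
        raise ValueError("unknown issuer")
    good = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(good, _unb64(sig)):
        raise ValueError("bad signature")
    missing = {"iss", "sub", "aud", "exp", "iat"} - set(claims)
    if missing:
        raise ValueError(f"missing registered claims {sorted(missing)}")
    if claims["aud"] != audience or not claims.get("nbf", 0) <= now < claims["exp"]:
        raise ValueError("wrong audience or outside validity window")
    return claims

def authorized(claims: dict, action: str, path: str) -> bool:
    """Model A: pure scope-based authorisation, e.g. scope "write:/store/cms"."""
    for scope in claims.get("scope", "").split():
        op, _, prefix = scope.partition(":")
        if op == action and path.startswith(prefix):
            return True
    # Model B: identity/group claims mapped to rights by the site itself.
    for group in claims.get("groups", []):
        for op, prefix in GROUP_RIGHTS.get(group, []):
            if op == action and path.startswith(prefix):
                return True
    return False
```

Whichever model an infrastructure settles on, the registered-claim checks in `verify` are the part every consumer must share; only `authorized` differs between the two.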

Actions:

  • Hannah, put in place a Google document (maybe move to GitHub later)
  • OSG, Brian, add text
  • EGI, Nicolas, add text
  • INDIGO, Andrea, add text
  • ALICE, Miguel(?), add text
  • dCache, Paul, add text
  • XACML, Mischa, add text