Attendees: Andrea, David C, Kyle, Hannah, Liviu, Linda, Marina, Mischa, Michel, Brian, Paul
- JWT is a specific type of OAuth Token
- AARC is looking into interoperable OAuth profiles, JRA1, and can help push this activity
- Scope - we are looking to define a JWT access token
- Only structure of claims? Minimum set?
- Or also beyond authorisation? OIDC authentication?
- Is JWT sent around or at an introspection endpoint? Do we need to specify?
- Do we need to think about whether we deal with non-opaque tokens?
- JWT Tokens should be self contained but they will need to know where to go to resolve (for example) the identity
- Minimum set?
- Registered claims are well understood
- You are free to define whatever you need
- Efforts by REFEDS OIDC Working Group to map SAML eduPerson attributes to claims. Often they don't exist e.g. group membership and affiliation
- We potentially want to move away from sending these attributes
- Existing profiles?
- EGI using its own mappings, from SURFnet OIDC, seems to be following group authorisation models from before
- SciTokens? OSG? Pure authorisation tokens "this person can do that"
- Do we need to accommodate both?
- Pure scope based authorisation has not existed in WLCG, sites don't have decision making process
- Concern that we may not converge easily
- Let's start a document
- Scope
- What are infrastructures doing now? Need to separate Identity from Authorisation
- What are the tokens used for?
- Eventually try and converge on a profile
- Other infrastructures?
- ALICE? They have been doing this for a while (Miguel?)
Actions:
- Hannah put in place a google document (maybe move to github later)
- OSG, Brian, add text
- EGI, Nicolas, add text
- INDIGO, Andrea, add text
- ALICE, Miguel(?), add text
- DCache, Paul, add text
- XACML, Mischa, add text
There are minutes attached to this event.
Show them.
