Attendees: Andrea, David C, Kyle, Hannah, Liviu, Linda, Marina, Mischa, Michel, Brian, Paul

• JWT is a specific type of OAuth Token
• AARC is looking into interoperable OAuth profiles, JRA1, and can help push this activity
• Scope - we are looking to define a JWT access token 
  • Only structure of claims? Minimum set?
  • Or also beyond authorisation? OIDC authentication?
  • Is JWT sent around or at an introspection endpoint? Do we need to specify?
• Do we need to think about whether we deal with non-opaque tokens?
  • JWT Tokens should be self contained but they will need to know where to go to resolve (for example) the identity
• Minimum set?
  • Registered claims are well understood 
  • You are free to define whatever you need
  • Efforts by REFEDS OIDC Working Group to map SAML eduPerson attributes to claims. Often they don't exist e.g. group membership and affiliation 
    • We potentially want to move away from sending these attributes
• Existing profiles?
  • EGI using its own mappings, from SURFnet OIDC, seems to be following group authorisation models from before
  • SciTokens? OSG? Pure authorisation tokens "this person can do that" 
  • Do we need to accommodate both?
• Pure scope based authorisation has not existed in WLCG, sites don't have decision making process 
• Concern that we may not converge easily
• Let's start a document
  • Scope 
  • What are infrastructures doing now? Need to separate Identity from Authorisation 
  • What are the tokens used for?
  • Eventually try and converge on a profile
• Other infrastructures?
  • ALICE? They have been doing this for a while (Miguel?) 

Actions:

• Hannah put in place a google document (maybe move to github later) 
• OSG, Brian, add text
• EGI, Nicolas, add text
• INDIGO, Andrea, add text
• ALICE, Miguel(?), add text
• DCache, Paul, add text
• XACML, Mischa, add text