17:00 15th March
Attendees: Romain, Maarten, Brian, Paul, Mischa, Hannah
- Token Verification
  - Largely standard.
  - Discussion over whether the certificate should be IGTF. Must bear in mind that the trust built through IGTF is an important factor.
  - Which role should IGTF play? Could be a key signer (parallel to the future OIDC Federation role).
  - OIDC discovery endpoint recommended for token validation; this is not necessarily part of the OAuth standard but is generally supported (pre-RFC draft: https://tools.ietf.org/html/draft-ietf-oauth-discovery-10).
  - We should future-proof our decisions to consider federation between infrastructures.
  - SciTokens may need to check compliance with the RFC.
- Token Validation
  - Which claims should the clients understand?
  - Suggestion to have optional and required claims.
  - Clients MUST support the minimum set but can ignore everything else.
  - There is a generally accepted minimum set of JWT claims.
- Authorisation schema
  - Suggestion to use an scp claim.
  - Perhaps need sanity checks to avoid unsafe authorisations.
  - Should still be flexible.
  - Need a shared vocabulary, e.g. does write also cover delete? Is queue just write?
  - We need to define claims (mandatory & optional) and scopes (where relevant).
  - How do we get parties to agree to adopt the schema?
    - Needs a period of consultation.
    - Need continuous input from the working group during adoption and transition.
    - Must involve the wider community.
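As an added illustration of the two points above (a MUST-support minimum claim set with everything else ignored, and sanity checks on scp entries), not taken from the minutes or any WG document: a stdlib-only Python validator. The mandatory claim set, the action vocabulary, the `action:/path` scp format, the issuer and audience values and the HS256 demo key are all assumptions made for the example; the write-versus-delete question is left open, as the minutes leave it.

```python
import base64, hashlib, hmac, json, time

# Constructed demo values (assumptions for this example, not decisions of the WG).
KEY = b"demo-shared-secret"            # HS256 key; real issuers sign with asymmetric keys
REQUIRED = {"iss", "sub", "aud", "exp", "iat", "jti"}   # assumed mandatory claim set
ALLOWED_ACTIONS = {"read", "write", "queue"}            # assumed action vocabulary
EXPECTED_ISS, EXPECTED_AUD = "https://issuer.example", "https://storage.example"

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint(claims: dict) -> str:
    """Issue a constructed HS256 JWT so the validator has something to check."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(KEY, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"

def validate(token: str, now=None) -> dict:
    """Check signature, mandatory claims, issuer, audience and expiry; ignore the rest."""
    header, body, sig = token.split(".")
    expected = hmac.new(KEY, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64url(sig)):
        raise ValueError("signature mismatch")
    claims = json.loads(_unb64url(body))
    missing = REQUIRED - set(claims)          # MUST-support set; other claims are ignored
    if missing:
        raise ValueError(f"missing required claims: {sorted(missing)}")
    aud = claims["aud"] if isinstance(claims["aud"], list) else [claims["aud"]]
    if claims["iss"] != EXPECTED_ISS or EXPECTED_AUD not in aud:
        raise ValueError("wrong issuer or audience")
    if claims["exp"] <= (time.time() if now is None else now):
        raise ValueError("token expired")
    return claims

def authorised_actions(claims: dict) -> dict:
    """Parse an assumed 'scp' format (space-separated 'action:/path') into {path: {actions}}."""
    scp = claims.get("scp", "")
    granted = {}
    for entry in (scp if isinstance(scp, list) else scp.split()):
        action, sep, path = entry.partition(":")
        # Sanity check: unknown actions, wildcards and relative paths are refused, not guessed at.
        if not sep or action not in ALLOWED_ACTIONS or not path.startswith("/") or "*" in path:
            raise ValueError(f"unsafe or unrecognised scope: {entry!r}")
        granted.setdefault(path, set()).add(action)
    return granted
```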
- Next Call Topics
  - Identify roadmap, potential blockers
  - IGTF role
Actions:
@Hannah set up a call with IGTF people (Jim, David) & this WG to talk about certificate usage
@Brian to add recommended minimum claims set to document
@Andrea to add Identity Schema
@All to contribute to the list of “actions” for authorisation
@All to review the doc and add comments
@Hannah to set up the next call