JWT Profile Meeting

Europe/Zurich
Description

Documents:

Agenda:

  • Go through document(s) and close out comments
  • DOMA impact for us

Outstanding discussion points:

  • Versioning
  • Token lifetime
  • Standardised list of Audiences

Actions from last week:

  • @Hannah follow up on outstanding actions
    • @Mischa @DavidG trust brokerage
    • @Maarten operational impact of token verification and validation (in https://docs.google.com/document/d/1xt6NYQSpImrZkrNCE2LvtwM-0HbqcXD8f9eb7Dl6fgo/edit)
  • @Hannah make org optional
  • @Brian check that we are consistent with saying token issuer is VO
  • @Hannah send notes and schedule next call
  • @Andrea to include discovery information in main document
  • @Hannah add notion of revocation into requirements doc (if not there already)
  • @Hannah ask Andrea and Condor people to present in the next call 
Videoconference room: WLCG_AuthZ_Meeting (extension 10669715, owner Hannah Short)

Attendees: Andrea, DavidC, Hannah, Maarten, Mischa, Romain, Nicolas, Paul

Notes:

  • DODAS is a CMS distributed framework, not as specific as HTCondor, but could make a good talk on how these things are integrated in practice; could be included in the call at the end of June (TBC)
  • Schema document
    • The term "resource provider" is not OAuth terminology; do we mind? We can either go for readability or try to be in keeping with the spec. DECISION: add a glossary that defines the OAuth terms and maps them to understandable ones
    • Revocation flow and discovery content has been included in the main document
    • We need to consider trust in verification (which OPs and RPs etc. are trusted by the group). Full technical detail might be too much for now, but we should say something. For SciTokens the environment is more homogeneous than ours will be; we need something more flexible than the current proposal.
    • Operational impact of checking keys: if we shorten the token lifetime, do we increase load on the issuer? Presumably yes. The OP can advertise multiple keys. The key retention period must exceed the lifetime of the last access token signed with that key (refresh tokens do not need to be signed). We don't want to flood the token issuer with key requests; this will need tuning. HTTP GET optimisation is well documented; leverage caching headers. We should come up with some reasonable guidance.
    • Revocation is needed if we want refresh. 
    • We need to specify how refresh and delegation works.
  • In the end we will have
    • Catalogue of JWT
    • Schema & appendices
    • Possibly some additional docs... e.g. extended Flows
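The key-retention and caching points in the notes above (the OP advertising several keys, keeping a key published for longer than the last access token it signed, and verifiers caching the key set so they do not flood the issuer) as an added, stand-alone illustration. This is not the working group's code or the SciTokens implementation: it uses the Python standard library only, HS256 with a constructed shared secret stands in for the asymmetric keys a real OP would publish, and the key ids, secrets, `max_age` value and timestamps are all made up.

```python
# Added example (not WLCG working-group code): stdlib-only sketch of key
# rotation, key retention and JWKS caching for short-lived JWTs. HS256 with
# a constructed shared secret stands in for the asymmetric keys a real OP
# would publish; key ids, secrets and timestamps below are all made up.
import base64
import hashlib
import hmac
import json


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class TokenIssuer:
    """Constructed OP: advertises several keys, refuses to retire one too early."""

    def __init__(self, lifetime: int):
        self.lifetime = lifetime      # access-token lifetime (seconds)
        self.keys = {}                # kid -> secret
        self.last_exp = {}            # kid -> exp of newest token signed with it
        self.jwks_requests = 0        # how often verifiers fetched the key set

    def add_key(self, kid: str, secret: bytes) -> None:
        self.keys[kid] = secret

    def retire_key(self, kid: str, now: int) -> bool:
        """Retention rule: keep a key published until its last token has expired."""
        if now < self.last_exp.get(kid, 0):
            return False
        del self.keys[kid]
        return True

    def sign(self, kid: str, claims: dict, now: int) -> str:
        header = {"alg": "HS256", "typ": "JWT", "kid": kid}
        body = dict(claims, iat=now, exp=now + self.lifetime)
        self.last_exp[kid] = max(self.last_exp.get(kid, 0), body["exp"])
        signing_input = b64url(json.dumps(header).encode()) + "." + b64url(json.dumps(body).encode())
        sig = hmac.new(self.keys[kid], signing_input.encode(), hashlib.sha256).digest()
        return signing_input + "." + b64url(sig)

    def jwks(self) -> dict:
        """Key set plus the max-age a Cache-Control header on the JWKS URL would carry."""
        self.jwks_requests += 1
        return {"max_age": 300,
                "keys": [{"kid": k, "kty": "oct", "k": b64url(s)} for k, s in self.keys.items()]}


class RelyingParty:
    """Verifier that caches the key set and rate-limits refetches on an unknown kid."""

    def __init__(self, issuer: TokenIssuer, min_refetch: int = 60):
        self.issuer, self.min_refetch = issuer, min_refetch
        self.cache, self.fetched_at, self.max_age = {}, None, 0

    def _refresh(self, now: int) -> None:
        doc = self.issuer.jwks()
        self.cache = {k["kid"]: b64url_decode(k["k"]) for k in doc["keys"]}
        self.fetched_at, self.max_age = now, doc["max_age"]

    def verify(self, token: str, now: int) -> dict:
        head_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(head_b64))
        if header.get("alg") != "HS256":
            raise ValueError("unexpected alg")          # never let the token choose the algorithm
        if self.fetched_at is None or now - self.fetched_at > self.max_age:
            self._refresh(now)                          # ordinary cache expiry
        kid = header.get("kid")
        if kid not in self.cache:
            if now - self.fetched_at < self.min_refetch:
                raise ValueError("unknown kid, refetch throttled")  # do not flood the issuer
            self._refresh(now)                          # a key may have been added since
            if kid not in self.cache:
                raise ValueError("unknown kid")
        expected = hmac.new(self.cache[kid], (head_b64 + "." + body_b64).encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
            raise ValueError("bad signature")
        claims = json.loads(b64url_decode(body_b64))
        if now >= claims["exp"]:
            raise ValueError("token expired")
        return claims


def rotation_scenario() -> dict:
    """Rotate k1 -> k2 with 20-minute tokens; returns the observable outcomes."""
    t0 = 1_000_000
    op = TokenIssuer(lifetime=1200)
    op.add_key("k1", b"constructed-secret-one")
    rp = RelyingParty(op)
    tok1 = op.sign("k1", {"sub": "alice", "aud": "https://storage.example.org"}, t0)
    out = {"first": rp.verify(tok1, t0 + 1)["sub"]}           # 1st JWKS fetch
    op.add_key("k2", b"constructed-secret-two")               # rotation: both keys advertised
    tok2 = op.sign("k2", {"sub": "bob", "aud": "https://storage.example.org"}, t0 + 10)
    try:
        rp.verify(tok2, t0 + 10)                              # unknown kid too soon after a fetch
        out["throttled"] = False
    except ValueError:
        out["throttled"] = True
    out["second"] = rp.verify(tok2, t0 + 70)["sub"]           # 2nd fetch picks up k2
    out["early_retire"] = op.retire_key("k1", t0 + 600)       # tok1 still valid -> refused
    out["late_retire"] = op.retire_key("k1", t0 + 1201)       # all k1 tokens expired -> ok
    out["jwks_requests"] = op.jwks_requests
    return out
```

The scenario shows the trade-off the notes raise: a verifier that honours the advertised cache lifetime and only refetches on an unknown `kid` after a minimum interval makes two key-set requests for the whole rotation, at the cost of briefly rejecting tokens signed with a brand-new key. In a real deployment the JWKS URL comes from the issuer's discovery document, the keys are asymmetric, and the `max_age` field here would be the `Cache-Control` (or `ETag`/conditional GET) handling of the HTTP client.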

Actions:

  • @All read through the doc before pre-GDB
  • @Hannah try a first draft of the glossary (some text already in flows document)
  • @Andrea to continue "Flow document" and link to doc, add a little summary saying that we will follow the standard
  • @Hannah add appendices (discovery)
  • @Hannah ask Brian whether verification is standard
  • @Mischa and Andrea to add Trust aspects to Verification, include Brian in discussions
  • @Andrea normalise URLs and examples to WLCG jargon
  • @Hannah make sure to talk about versioning in the next call
  • @All to read through Operational Impacts Section and comment