JWT Profile Meeting




  • Discuss versioning
  • Resolve comments


Actions from last time:

  • @All read through the doc before pre-GDB
  • @Hannah try a first draft of the glossary (some text already in flows document)
  • @Andrea to continue "Flow document" and link to doc, add a little summary saying that we will follow the standard
  • @Hannah add appendices (discovery)
  • @Hannah ask Brian whether verification is standard
  • @Mischa and Andrea to add Trust aspects to Verification, include Brian in discussions
  • @Andrea normalise URLs and examples to WLCG jargon
  • @Hannah make sure to talk about versioning in the next call
  • @All to read through Operational Impacts Section and comment


  • Off the wall question from Paul: in x509 certificates / OIDC Access Tokens we have an expiry time because we think they may be compromised, what happens when we convert between types? When converting a SciToken to a Macaroon they both have expiry times but it's not clear whether the expiry times should be identical. If not, there's a possibility to extend the lifetime of a token.
    • This scenario happens frequently in proxies
    • More complicated with refresh tokens included, maybe need an upstream check
    • Need to consider separate logic for access tokens and refresh tokens
    • Macaroons don't have the concept of a refresh token, makes converting a short OAuth2 token to a Macaroon not very useful for long running activities (e.g. jobs)
    • Is there anything enforcing this in MyProxy? No. Only on a credential basis, e.g. proxy cannot outlive certificate
  • We need more input on Distribution of Trust, lack of agreement on use of OIDC Fed. 


  • @Hannah to see whether we can have a BoF at CHEP - we would need a specific topic
  • @Hannah extend glossary
  • @Mischa to look at "Discovery" (now renamed, "Metadata Lookup")
  • @Andrea add WLCG specific URLs
  • @Andrea ask Brian whether aud has been restricted in SciTokens to a single value
  • @Hannah to ping key people about pre-GDB
  • @Hannah ask IanC about visitor cards and get back to the list, "If you plan to attend in person and require a visitor pass, please contact lcg.office AT cern.ch in advance of travel (please don't arrive at CERN without having arranged your pass in advance)."
There are minutes attached to this event. Show them.
The agenda of this meeting is empty