JWT Profile Meeting

Wednesday 4 Jul 2018, 16:00 → 17:30 Europe/Zurich

Documents:

• Schemas at https://docs.google.com/document/d/1cNm4nBl9ELhExwLxswpxLLNTuz8pT38-b_DewEyEWug/edit?usp=sharing 

Agenda:

• Discuss versioning
• Resolve comments

 

Actions from last time:

• @All read through the doc before pre-GDB
• @Hannah try a first draft of the glossary (some text already in flows document)
• @Andrea to continue "Flow document" and link to doc, add a little summary saying that we will follow the standard
• @Hannah add appendices (discovery)
• @Hannah ask Brian whether verification is standard
• @Mischa and Andrea to add Trust aspects to Verification, include Brian in discussions
• @Andrea normalise URLs and examples to WLCG jargon
• @Hannah make sure to talk about versioning in the next call
• @All to read through Operational Impacts Section and comment

Notes

• Off the wall question from Paul: in x509 certificates / OIDC Access Tokens we have an expiry time because we think they may be compromised, what happens when we convert between types? When converting a SciToken to a Macaroon they both have expiry times but it's not clear whether the expiry times should be identical. If not, there's a possibility to extend the lifetime of a token.
  • This scenario happens frequently in proxies
  • More complicated with refresh tokens included, maybe need an upstream check
  • Need to consider separate logic for access tokens and refresh tokens
  • Macaroons don't have the concept of a refresh token, makes converting a short OAuth2 token to a Macaroon not very useful for long running activities (e.g. jobs)
  • Is there anything enforcing this in MyProxy? No. Only on a credential basis, e.g. proxy cannot outlive certificate
    • http://grid.ncsa.illinois.edu/myproxy/authorization.html
• We need more input on Distribution of Trust, lack of agreement on use of OIDC Fed. 

Actions

• @Hannah to see whether we can have a BoF at CHEP - we would need a specific topic
• @Hannah extend glossary
• @Mischa to look at "Discovery" (now renamed, "Metadata Lookup")
• @Andrea add WLCG specific URLs
• @Andrea ask Brian whether aud has been restricted in SciTokens to a single value
• @Hannah to ping key people about pre-GDB
• @Hannah ask IanC about visitor cards and get back to the list, "If you plan to attend in person and require a visitor pass, please contact lcg.office AT cern.ch in advance of travel (please don't arrive at CERN without having arranged your pass in advance)."