Notes
- Off-the-wall question from Paul: in X.509 certificates / OIDC Access Tokens we have an expiry time because we think they may be compromised; what happens when we convert between types? When converting a SciToken to a Macaroon, both have expiry times, but it's not clear whether the expiry times should be identical. If not, there's a possibility to extend the lifetime of a token.
- This scenario happens frequently in proxies
- More complicated with refresh tokens included; maybe need an upstream check
- Need to consider separate logic for access tokens and refresh tokens
- Macaroons don't have the concept of a refresh token, which makes converting a short OAuth2 token to a Macaroon not very useful for long-running activities (e.g. jobs)
- Is there anything enforcing this in MyProxy? No. Only on a credential basis, e.g. a proxy cannot outlive its certificate
- We need more input on Distribution of Trust; lack of agreement on use of OIDC Fed.
Actions
- @Hannah to see whether we can have a BoF at CHEP - we would need a specific topic
- @Hannah extend glossary
- @Mischa to look at "Discovery" (now renamed "Metadata Lookup")
- @Andrea add WLCG specific URLs
- @Andrea ask Brian whether aud has been restricted in SciTokens to a single value
- @Hannah to ping key people about pre-GDB
- @Hannah ask IanC about visitor cards and get back to the list, "If you plan to attend in person and require a visitor pass, please contact lcg.office AT cern.ch in advance of travel (please don't arrive at CERN without having arranged your pass in advance)."