Notes

• Off the wall question from Paul: in x509 certificates / OIDC Access Tokens we have an expiry time because we think they may be compromised, what happens when we convert between types? When converting a SciToken to a Macaroon they both have expiry times but it's not clear whether the expiry times should be identical. If not, there's a possibility to extend the lifetime of a token.
  • This scenario happens frequently in proxies
  • More complicated with refresh tokens included, maybe need an upstream check
  • Need to consider separate logic for access tokens and refresh tokens
  • Macaroons don't have the concept of a refresh token, makes converting a short OAuth2 token to a Macaroon not very useful for long running activities (e.g. jobs)
  • Is there anything enforcing this in MyProxy? No. Only on a credential basis, e.g. proxy cannot outlive certificate
    • http://grid.ncsa.illinois.edu/myproxy/authorization.html
• We need more input on Distribution of Trust, lack of agreement on use of OIDC Fed. 

Actions

• @Hannah to see whether we can have a BoF at CHEP - we would need a specific topic
• @Hannah extend glossary
• @Mischa to look at "Discovery" (now renamed, "Metadata Lookup")
• @Andrea add WLCG specific URLs
• @Andrea ask Brian whether aud has been restricted in SciTokens to a single value
• @Hannah to ping key people about pre-GDB
• @Hannah ask IanC about visitor cards and get back to the list, "If you plan to attend in person and require a visitor pass, please contact lcg.office AT cern.ch in advance of travel (please don't arrive at CERN without having arranged your pass in advance)."