JWT Profile Meeting




  • Go through actions
  • Specific discussion points:
    • AARC Syntax
    • AOB?? 

Outstanding Actions:

  • @Hannah rename Identity Schema to Attribute Schema in JWT Doc

  • @Andrea improve description of claims request flow, equivalent to role selection

  • @Hannah work out whether HR identity vetting and affiliation end date information is in SSO tokens (or can be in future)

  • @WG add LoA aspects into JWT schema


Attendees: Miguel, Andrea, Linda, Hannah, Nicolas, Brian, Maarten, Michel, David
Apologies: Romain


  • HR DB Integration & Privacy notice
    • DB connection rather than SSO - pilots agree this is not problematic
    • Must be hosted at CERN
    • HR must approve Privacy Statement
      • CERN template to be used - collect information from pilots
      • Provisioning needs to be included
        • In IAM this functionality is more restricted than in VOMS Admin
        • Check-in provisions VOMS, so the VOMS privacy statement should then be valid
  • JWT Catalogue updates
    • Miguel/ALICE contributed
  • LoA (Level of Assurance) in schema
    • OIDC and OAuth have specific claims for this
    • There are several profiles in the sector - RAF uses the eduPersonAssurance claim rather than the standard
    • If we only need assurance of authentication then maybe OIDC is OK
    • Q: where is our assurance coming from? This should help us answer what is needed
      • Identity Vetting is covered by HR DB
      • Affiliation is covered by HR DB
      • Authentication method varies - would need to propagate LoA from authentication point (even behind CERN SSO)
    • Suggestion to use labels and vocabulary from RAF and claims from OIDC
    • Decision to put a placeholder in the schema already, with the expectation that things will change
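As an added illustration of the two vocabularies discussed above (not code from the meeting or the WLCG profile itself): the standard OIDC `acr`/`amr` claims cover the authentication step, while REFEDS Assurance Framework (RAF) values carried in an eduPersonAssurance-style claim cover identity vetting and affiliation freshness. The claim name `eduperson_assurance`, the policy thresholds and the sample claims are assumptions made for this example.

```python
# Added example (not from the meeting notes): evaluating assurance from
# OIDC acr/amr claims (authentication) and RAF values in an
# eduPersonAssurance-style claim (identity vetting, affiliation freshness).
# The claim name "eduperson_assurance" and the sample values are assumptions.

RAF = "https://refeds.org/assurance/"

# RAF Identity Assurance Proofing (IAP) levels, lowest to highest
IAP_RANK = {"low": 1, "medium": 2, "high": 3}


def raf_values(claims, claim_name="eduperson_assurance"):
    """Return the RAF URIs from the assurance claim (empty list if absent)."""
    values = claims.get(claim_name) or []
    return [v for v in values if isinstance(v, str) and v.startswith(RAF)]


def identity_proofing_level(claims):
    """Highest RAF IAP level asserted, or None if no IAP value is present."""
    best = None
    for v in raf_values(claims):
        if v.startswith(RAF + "IAP/"):
            level = v[len(RAF + "IAP/"):]
            if level in IAP_RANK and (best is None or IAP_RANK[level] > IAP_RANK[best]):
                best = level
    return best


def affiliation_freshness(claims):
    """RAF attribute-freshness (ATP) component, e.g. 'ePA-1m', or None."""
    for v in raf_values(claims):
        if v.startswith(RAF + "ATP/"):
            return v[len(RAF + "ATP/"):]
    return None


def used_mfa(claims):
    """Authentication assurance from OIDC claims.

    'amr' (RFC 8176) lists the methods used: an explicit 'mfa' entry or two
    distinct methods counts as multi-factor here.  'acr' may instead name
    the REFEDS MFA profile, which is also accepted.
    """
    amr = claims.get("amr") or []
    if "mfa" in amr or len(set(amr)) >= 2:
        return True
    return claims.get("acr") == "https://refeds.org/profile/mfa"


def evaluate_assurance(claims):
    """Summarise the three components identified in the discussion."""
    return {
        "identity_vetting": identity_proofing_level(claims),
        "affiliation_freshness": affiliation_freshness(claims),
        "mfa": used_mfa(claims),
    }


def meets_policy(claims, min_iap="medium", require_mfa=False):
    """Relying-party check: enough identity proofing and, optionally, MFA."""
    summary = evaluate_assurance(claims)
    level = summary["identity_vetting"]
    if level is None or IAP_RANK[level] < IAP_RANK[min_iap]:
        return False
    return summary["mfa"] or not require_mfa


# Constructed sample claims (a decoded JWT payload, not a real token)
SAMPLE_CLAIMS = {
    "sub": "constructed-user-id",
    "acr": "https://refeds.org/profile/mfa",
    "amr": ["pwd", "otp"],
    "eduperson_assurance": [
        RAF + "ID/eppn-unique-no-reassign",
        RAF + "IAP/medium",
        RAF + "ATP/ePA-1m",
    ],
}

if __name__ == "__main__":
    print(evaluate_assurance(SAMPLE_CLAIMS))
    print("medium + MFA ok:", meets_policy(SAMPLE_CLAIMS, "medium", require_mfa=True))
    print("high ok:", meets_policy(SAMPLE_CLAIMS, "high"))
```

The split mirrors the question raised in the meeting: identity vetting and affiliation come from the HR DB and surface as RAF values, while the authentication method varies per login and has to be propagated in `acr`/`amr` from wherever the user actually authenticated.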
  • Versioning
    • Should reflect that it's a WLCG version
    • Not necessarily numerically consecutive but might be helpful for namespace and comparison
    • Could add profile name (e.g. "WLCG") for namespacing, could also contain URI
    • Brian believes there will not be so many versions and that string comparison might not be too difficult; however, there is still interest in numeric versioning plus a profile string
    • Could also embed the version in the profile
    • Need to be sensitive to length of token
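One way to carry a profile name and a numeric version together, and to compare versions numerically rather than as strings, as an added example that is not part of the meeting notes or the WLCG profile. The claim name `wlcg.ver`, the `PROFILE:major.minor` form and the URI form are assumptions made for this illustration.

```python
# Added example (not from the meeting notes): profile name plus numeric
# version in one claim, numeric comparison, and the token-length cost of
# the longer URI form.  The claim name "wlcg.ver" and the URI layout are
# assumptions made for this illustration.
import base64
import json

VERSION_CLAIM = "wlcg.ver"  # assumed claim name


def parse_profile_version(value):
    """Parse 'WLCG:1.2' or a URI ending in '/v1.2' into ('WLCG', (1, 2)).

    Raises ValueError for anything else so a consumer can reject the token.
    """
    if not isinstance(value, str):
        raise ValueError("version claim must be a string")
    if value.startswith(("http://", "https://")):
        # assumed URI form: https://<host>/<profile>/jwt/v<major>.<minor>
        parts = value.rstrip("/").split("/")
        if len(parts) < 5 or not parts[-1].startswith("v"):
            raise ValueError("unrecognised profile URI: %r" % value)
        profile, version = parts[3].upper(), parts[-1][1:]
    elif ":" in value:
        profile, version = value.split(":", 1)
    else:
        raise ValueError("unrecognised version claim: %r" % value)
    major, minor = version.split(".", 1)  # ValueError if no '.'
    if not (major.isdigit() and minor.isdigit()):
        raise ValueError("non-numeric version in %r" % value)
    return profile, (int(major), int(minor))


def is_supported(claims, supported):
    """True if the token's (profile, version) is one the consumer accepts.

    `supported` maps profile name -> minimum (major, minor); any later minor
    version within the same major is accepted, a different major is not.
    """
    try:
        profile, (major, minor) = parse_profile_version(claims[VERSION_CLAIM])
    except (KeyError, ValueError):
        return False
    if profile not in supported:
        return False
    min_major, min_minor = supported[profile]
    return major == min_major and minor >= min_minor


def payload_bytes(claims):
    """Size of the base64url-encoded payload: what a claim costs in token length."""
    raw = json.dumps(claims, separators=(",", ":")).encode()
    return len(base64.urlsafe_b64encode(raw).rstrip(b"="))


# Constructed samples (decoded payloads, not real tokens)
SHORT = {"sub": "u1", VERSION_CLAIM: "WLCG:1.0"}
URI_FORM = {"sub": "u1", VERSION_CLAIM: "https://example.org/wlcg/jwt/v1.0"}

if __name__ == "__main__":
    print(parse_profile_version("WLCG:1.10"))
    # string comparison misorders minor versions; numeric tuples do not
    print('"1.10" > "1.2":', "1.10" > "1.2", "  (1, 10) > (1, 2):", (1, 10) > (1, 2))
    print("payload bytes:", payload_bytes(SHORT), "vs", payload_bytes(URI_FORM))
```

The `payload_bytes` comparison is the concrete form of the token-length concern: the URI form namespaces the profile unambiguously but costs tens of extra bytes in every token, whereas a short profile string with a numeric version keeps both namespacing and a cheap comparison.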
  • Suggestion to have another pre-GDB in December
    • Complete schema
    • Assess pilots (should be running at CERN)
    • Pilots deployed within CERN and HR DB Connection
    • Proof of concept workflows for command line
    • NB: IAM lost a person, may be delays
  • An HR DB library does not exist yet and the DB structure is changing. Andrea has legacy code in VOMS Admin that he will extract; this can potentially be done in a way that is usable by e.g. Check-in
  • WLCG AAI Privacy Notice: https://docs.google.com/document/d/1E35DEuptjz0CSWvmegECRjCvCMtCb2UFhtUXPeGA2To/edit?usp=sharing 
  • Request from Dave K to present at HEPiX (to Andrea) - could potentially go (clashes with DI4R)
    • Andrea willing to attend
    • 20 minutes
    • Should make sure to coordinate with Paolo's talk
    • CHEP talk could be largely reused

Actions:
  • @Nicolas/@Andrea both pilots to let Hannah know what kind of VM/Container required for deployment
  • @Hannah to collect privacy statement data from pilots and combine with existing VOMS admin data
  • @Maarten to put Hannah in loop for VOMS admin privacy notice work
  • @Maarten to get CERN accounts for Nicolas & colleagues
  • @Hannah to remind people to update JWT Token Catalogue
  • @Nicolas to add schema placeholder for LoA
  • @Brian to propose versioning methodology on the mailing list
  • @Hannah to ask Ian C if we can take December pre-GDB 11th
  • @Maarten to check clashing meetings in December
  • @Andrea to send email to list to say that willing to present at HEPiX, just check no clashing proposal. Adapt CHEP talk for HEPiX 