WLCG AuthZ Call


Proposed agenda:

  1. Token Content: Schema at https://docs.google.com/document/d/1cNm4nBl9ELhExwLxswpxLLNTuz8pT38-b_DewEyEWug/edit?usp=sharing 

Outstanding Actions:


Attendees: Andrea, Maarten, Romain, Hannah, Nicolas, Mischa


  • There is significant overlap between profiles
  • Suggestion to create a single WLCG Profile where groups/capabilities/PPI can be requested via scope requests
    • Slight hiccup over nbf (required by sci-tokens but wouldn't make sense in certain flows)
  • In OIDC there are two tokens, semantically different. To trigger this you would include the OIDC scope and get the tokens returned with claims according to your scope request
  • Basic claims should be limited and opaque 
  • To request specific claims (e.g. capability scopes, groups, personally identifying information) clients should use scope requests
    • We will need to define how claims can be requested
    • The token issuer will be able to restrict scope requests for clients
  • Concern that tokens may inflate with large numbers of groups, discussion on whether more fine grained control can be 
  • Even if a client only has an access token, they can still request PII by calling a second endpoint
  • Discussion whether there are security implications of being able to include the data in either token
  • Updates
    • Romain asked Management Board about data retention = they want 1 month, this is not the source of truth
    • Privacy Statements need to be updated and discussed with HR


  • Define the scopes that will be used to request claims


  • Andrea to start a thread with a summary of discussion
There are minutes attached to this event. Show them.
The agenda of this meeting is empty