WLCG AuthZ Call
Europe/Zurich
Description
Proposed agenda:
- Token Content: Schema at https://docs.google.com/document/d/1cNm4nBl9ELhExwLxswpxLLNTuz8pT38-b_DewEyEWug/edit?usp=sharing
Outstanding Actions:
Participants
Attendees: Andrea, Maarten, Romain, Hannah, Nicolas, Mischa
Notes:
- There is significant overlap between profiles
- Suggestion to create a single WLCG Profile where groups/capabilities/PII can be requested via scope requests
- Slight hiccup over nbf (required by SciTokens but wouldn't make sense in certain flows)
- In OIDC there are two tokens, semantically different. To trigger this you would include the OIDC scope and get the tokens returned with claims according to your scope request
- Basic claims should be limited and opaque
- To request specific claims (e.g. capability scopes, groups, personally identifying information) clients should use scope requests
- We will need to define how claims can be requested
- The token issuer will be able to restrict scope requests for clients
- Concern that tokens may inflate with large numbers of groups; discussion on whether more fine-grained control can be
- Even if a client only has an access token, they can still request PII by calling a second endpoint
- Discussion whether there are security implications of being able to include the data in either token
- Updates
- Romain asked the Management Board about data retention: they want 1 month; this is not the source of truth
- Privacy Statements need to be updated and discussed with HR
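As an added example (not from the minutes or the WLCG schema document), the following Python sketches the issuer-side behaviour discussed above: basic claims stay minimal and opaque, groups and personal data are only added when the client requests the matching scope, the issuer filters requested scopes against what the client is allowed to ask for, nbf is optional per flow, and a second (userinfo-style) endpoint returns identity claims for a client that only holds an access token. The scope names, the sample user record and the issuer/audience URLs are assumptions for illustration, not the WLCG schema's final values.

```python
import time
import uuid

# Constructed sample user record (assumption for this example only).
SAMPLE_USER = {
    "sub": "subject-id-placeholder",
    "name": "Example User",
    "email": "user@example.org",
    "groups": ["/atlas", "/atlas/production"],
}

# Scope -> claims it unlocks. Scope names are assumed for illustration;
# anything not listed here (e.g. a capability scope) is passed through in
# the "scope" claim without adding identity data to the token.
CLAIM_SCOPES = {
    "wlcg.groups": lambda u: {"wlcg.groups": list(u["groups"])},
    "profile": lambda u: {"name": u["name"]},
    "email": lambda u: {"email": u["email"]},
}


def split_scopes(requested, allowed):
    """Issuer-side restriction: keep only scopes this client may request,
    and report the ones that were refused so the client can see the down-scoping."""
    requested, allowed = set(requested), set(allowed)
    return sorted(requested & allowed), sorted(requested - allowed)


def build_access_token_claims(user, requested, allowed, *, issuer, audience,
                              lifetime=3600, include_nbf=True, now=None):
    """Assemble the claim set for an access token.

    Basic claims are limited to identifiers and lifetimes; groups and PII are
    added only for scopes that were both requested and allowed. nbf is
    controlled per flow because some flows have no sensible not-before time.
    """
    now = int(time.time()) if now is None else int(now)
    granted, denied = split_scopes(requested, allowed)
    claims = {
        "iss": issuer,
        "sub": user["sub"],          # opaque subject identifier, no PII
        "aud": audience,
        "iat": now,
        "exp": now + lifetime,
        "jti": str(uuid.uuid4()),   # unique token id for revocation/audit
        "scope": " ".join(granted),
    }
    if include_nbf:
        claims["nbf"] = now
    for scope in granted:
        if scope in CLAIM_SCOPES:
            claims.update(CLAIM_SCOPES[scope](user))
    return claims, denied


def userinfo(user, granted_scopes):
    """Second endpoint: a client that only holds an access token can still
    retrieve the identity claims covered by the scopes it was granted."""
    info = {"sub": user["sub"]}
    for scope in granted_scopes:
        if scope in CLAIM_SCOPES:
            info.update(CLAIM_SCOPES[scope](user))
    return info


if __name__ == "__main__":
    claims, denied = build_access_token_claims(
        SAMPLE_USER,
        requested=["email", "wlcg.groups", "storage.read:/data", "profile"],
        allowed=["email", "wlcg.groups", "storage.read:/data"],
        issuer="https://issuer.example.org",
        audience="https://storage.example.org",
    )
    print("token claims:", claims)
    print("denied scopes:", denied)
    print("userinfo:", userinfo(SAMPLE_USER, claims["scope"].split()))
```

The same scope-to-claim table drives both the token and the userinfo endpoint, so the data a client can obtain is identical either way; whether it is embedded in the token or fetched separately is then a question of token size and transport exposure rather than of access control.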
TODOs:
- Define the scopes that will be used to request claims
Actions:
- Andrea to start a thread with a summary of discussion