WLCG AuthZ Call


Proposed agenda:

  1. Feedback from ARC (see pdf attached)
  2. WLCG Claim Names (using ver and groups doesn't seem the way to go) 
  3. Schema document comments https://docs.google.com/document/d/1cNm4nBl9ELhExwLxswpxLLNTuz8pT38-b_DewEyEWug/edit?usp=sharing 

Attendees: Maarten, Balazs, Brian, Hannah, Jeny, Linda, Mischa, Romain

Apologies: Nicolas



  • ARC feedback
    • one main suggestion to mirror data scopes in compute scopes
    • Important to keep number of scopes small
    • Maybe we need a namespace to differentiate between data and compute scopes
    • suggested “modify” is for modifying job metadata rather than launching or cancelling a job
    • aiming for symmetry would be nice, let’s not give up yet
    • need to be aware of implementation cost and token size (above 2k is difficult)
      • GA4GH restricts tokens to 2k and adds flag if token is larger
    • this will be difficult to change after the fact
    • maybe a power user might be able to kill all jobs for a VO
    • we need to be careful not to accidentally allow anyone to upload a pilot job
      • need namespace or separate tokens per function
  • OIDF Feedback
    • Agree that adding WLCG to ver and groups claim seems reasonable
  • How do we inform the version endpoint that we want a version 43 token rather than a version 42 token?
    • Must use scopes since that’s the only thing available
    • Or in client registration?
    • Or better a mix
      • version specified in client registration 
      • plus override in scopes request (would also allow OP to advertise which versions it supports)



  • @Hannah add suggestion on token size (2k recommendation)
  • @Hannah to make some demo tokens and check their size https://demo.scitokens.org 
  • @Hannah to add wlcg. in front of ver and group throughout the doc
  • @Hannah send a message to ask who can meet on the 25th
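
An added example, not part of the minutes or of any WLCG code, for the token-size points above: it measures the compact JWT size as the group list grows and finds how many groups still fit under 2k. All claim values and group names are constructed, and reading 2k as 2048 bytes and spelling the prefixed claims wlcg.ver and wlcg.groups are assumptions.

```python
import base64
import json

LIMIT = 2048  # the "2k" from the minutes, read here as 2048 bytes (assumption)

def b64url_len(n_bytes):
    """Length of unpadded base64url text for n_bytes of input."""
    return (n_bytes * 4 + 2) // 3

def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=")

def compact_size(claims, alg="RS256", sig_bytes=256):
    """Size in bytes of header.payload.signature for a compact JWS.

    No key is needed: the signature length depends only on the algorithm
    (256 bytes for RS256 with a 2048-bit key, 64 bytes for ES256).
    """
    header = json.dumps({"alg": alg, "typ": "JWT"}, separators=(",", ":")).encode()
    payload = json.dumps(claims, separators=(",", ":")).encode()
    return len(b64url(header)) + 1 + len(b64url(payload)) + 1 + b64url_len(sig_bytes)

def demo_claims(n_groups):
    """Constructed claim set; every value is made up for the measurement."""
    return {
        "iss": "https://issuer.example.org/",
        "sub": "a1b2c3d4-0000-4000-8000-000000000000",
        "aud": "https://wlcg.example.org/any",
        "iat": 1700000000, "nbf": 1700000000, "exp": 1700003600,
        "jti": "00000000-0000-4000-8000-000000000001",
        "scope": "openid offline_access",
        "wlcg.ver": "1.0",  # constructed version value
        "wlcg.groups": [f"/examplevo/group{i:03d}" for i in range(n_groups)],
    }

def max_groups_under_limit(limit=LIMIT, **kw):
    """Largest group count whose token still fits in `limit` bytes."""
    n = 0
    while compact_size(demo_claims(n + 1), **kw) <= limit:
        n += 1
    return n

if __name__ == "__main__":
    for alg, sig in (("RS256", 256), ("ES256", 64)):
        n = max_groups_under_limit(alg=alg, sig_bytes=sig)
        print(alg, "base", compact_size(demo_claims(0), alg, sig), "bytes;",
              n, "groups fit in", LIMIT)
```

The signature alone costs 342 characters with RS256 against 86 with ES256, so the choice of algorithm changes how many groups fit before the limit is reached.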