WLCG AuthZ Call


Attendees: Mischa, Andrea, Nicolas, Hannah, Mine, Romain


  • Andrea has made a first attempt at working through a real-world example in our schema: https://docs.google.com/document/d/1gLDiLu410XPqB1egpiJJiRh3sPTG-KsbpN1p9OQb7rI/edit?usp=sharing
    • Concern about the security logic of scopes vs. paths, e.g. for copying a file
    • Since the scope definition doesn't follow Unix logic, this might lead to complications
    • We have been following the SciTokens path authorisation logic (see https://scitokens.org/technical_docs/Claims)
    • In WLCG there is typically a flag that determines whether overwrite is allowed; this is commonly used
    • Our schema doesn't seem to match WebDAV well
    • We don't have a "metadata" authorisation concept; do we need one?
  • Point made that it is difficult to follow discussions fragmented across the mailing lists
  • 2kb limit
    • We asked on the OIDC R&E WG list about the origin of the apparent issue with tokens above 2kb
    • From Roland Hedberg: "It’s a real world problem. And I think where it really hits is when the JWT is part of a URL. Like when you have an id_token_hint in an authorisation request."
    • Including tokens in HTTP headers seems to be OK
    • Public archive: http://lists.openid.net/pipermail/openid-specs-rande/Week-of-Mon-20190520/thread.html
  • Not much energy from call participants recently
  • Self-imposed deadline: try to have a final draft of the schema document for September
    • Perhaps a to-do list per person
    • Hannah to liaise with Ian Collier to see whether we can have the pre-GDB
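As an added illustration of the scopes-vs-paths concern raised above (this is example code written for these minutes, not the schema document's or SciTokens' own implementation), a minimal SciTokens-style checker that matches `read:`/`write:` scopes by path component rather than by raw string prefix, and evaluates a copy as read on the source plus write on the destination. The `overwrite_flag` parameter and the `dst_exists` input are assumptions standing in for the WLCG overwrite flag mentioned in the discussion.

```python
import posixpath

# Constructed example of SciTokens-style scopes ("<authz>:<path>", see
# https://scitokens.org/technical_docs/Claims). Assumption: only "read" and
# "write" authorizations, matched on the directory hierarchy of the path.


def parse_scopes(scope_claim):
    """Split a space-separated scope claim into (authz, path) pairs."""
    pairs = []
    for item in scope_claim.split():
        authz, sep, path = item.partition(":")
        # A scope with no path applies to the whole namespace.
        pairs.append((authz, posixpath.normpath(path) if sep else "/"))
    return pairs


def path_covered(granted, requested):
    """True if `requested` equals `granted` or lies beneath it.

    normpath collapses ".." so /data/user1/../user2 cannot sneak past the
    check; comparison is per path component, so read:/data covers /data/x
    but not /database (a plain string-prefix test would get this wrong).
    """
    requested = posixpath.normpath(requested)
    if granted == "/":
        return True
    return requested == granted or requested.startswith(granted + "/")


def authorized(scope_claim, authz, path):
    """Does any scope in the claim grant `authz` on `path`?"""
    return any(a == authz and path_covered(p, path)
               for a, p in parse_scopes(scope_claim))


def copy_allowed(scope_claim, src, dst, dst_exists, overwrite_flag):
    """A copy needs read on the source and write on the destination.

    Assumption: the storage's overwrite flag decides whether writing onto
    an existing destination is permitted at all.
    """
    if not authorized(scope_claim, "read", src):
        return False
    if not authorized(scope_claim, "write", dst):
        return False
    if dst_exists and not overwrite_flag:
        return False
    return True
```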


  • Ask Brian and/or Jim Basney via email re path semantics for storage permissions
  • Ask Paul how dCache implements SciTokens in terms of scopes
  • Hannah to include a summary of the R&E mailing list discussion re the 2kb limit (and link to the public archive http://lists.openid.net/pipermail/openid-specs-rande/)
  • Andrea to start a thread to get feedback
  • Andrea to ask Fabrizio about tokens in URLs
  • Hannah to set up the next call (first or second week of July)