Help us make Indico better by taking this survey! Aidez-nous à améliorer Indico en répondant à ce sondage !

Login

WLCG AuthZ Call

Europe/Zurich
Description

Proposed agenda:

  1. Schema document comments https://docs.google.com/document/d/1cNm4nBl9ELhExwLxswpxLLNTuz8pT38-b_DewEyEWug/edit?usp=sharing 
Hide

Attendees: Mischa, Andrea, Nicolas, Hannah, Mine, Romain

Notes:

  • Andrea has done a first attempt at seeing a real world example in our schema https://docs.google.com/document/d/1gLDiLu410XPqB1egpiJJiRh3sPTG-KsbpN1p9OQb7rI/edit?usp=sharing 
    • Concern about the security logic of scopes vs path for e.g. copying a file
    • Since scope definition doesn't follow unix logic, might lead to complications
    • We have been following SciTokens path authorisation logic (see https://scitokens.org/technical_docs/Claims)
    • For WLCG typically have a flag that determines whether overwrite is allowed - commonly used
    • Our schema doesn't seem to match well with webdav 
    • We don't have a "metadata" authorisations concept, do we need one?
  • Point made that difficult to follow fragmented discussions between lists
  • 2kb limit
    • We asked on the OIDC R&E WG list about the origin of the apparent issue with tokens above 2kb
    • From Roland Hedberg "It’s a real world problem. And I think where it really hits is when the JWT 
      is part of a URL. Like when you have an id_token_hint in an authorisation request."
    • Including tokens in HTTP Headers seems to be OK
    • public archive http://lists.openid.net/pipermail/openid-specs-rande/Week-of-Mon-20190520/thread.html
  • Not much energy from call participants recently
  • Self imposed deadline to try to have final draft of schema document for September
    • TO-DO list per person perhaps
    • Hannah to liaise with Ian Collier to see whether we can have the pre-GDB 

Actions:

  • Ask Brian and/or Jim Basney via email r.e. path semantics for storage permissions
  • Ask Paul how DCache implements SciTokens in terms of scopes
  • Hannah include summary of R&E mailing list r.e. 2kb limit (and link to public archive http://lists.openid.net/pipermail/openid-specs-rande/)
  • Andrea to start thread to get feedback 
  • Andrea to ask Fabrizio about tokens in URLs
  • Hannah set up next call (first and second week of July)
There are minutes attached to this event. Show them.
The agenda of this meeting is empty
Powered by Indico v3.3.5-pre