WLCG AuthZ Call
Proposed agenda:
- Q from Fermilab, which optional claims should be populated? https://zenodo.org/record/3460258#.XqrLQi-w0UE
- Discuss a common way to locate JWTs (From Dave D: I'm thinking of something analogous to $X509_USER_PROXY and the /tmp/x509up_u`id -u` file for proxy certificates.) https://docs.google.com/document/d/1kRA8IY5K7FtPPstv4YSq_Ai3NNwiU4WNNmSi7dNhjrA/edit?usp=sharing
- Is there a better time for this recurring call?
- AOB
- CMS Auth instance https://cms-auth.web.cern.ch
- GDB next week
Zoom meeting:
Topic: WLCG AuthZ Call
Time: Apr 30, 2020 03:00 PM Zurich
Attendees: Dave D, Andrea, Brian, Burt, Ian C, Tom D, Will F, Irwin G, Jason, Jeny, Linda, Mischa, Liz, Mine, Jeffrey, Hannah
Notes:
- OIDC claims are standardised
- Should be requested via scopes
- Which bits of data should the attribute authority collect? https://openid.net/specs/openid-connect-core-1_0.html#StandardClaims
- sub, name, family name, given name, email (similar to Research and Scholarship Attribute Bundle REFEDS)
- These would be requested via the "profile" scope; if the scope is not requested then you don't get the data
- eduperson_assurance: why optional? If it is known it should be populated.
- In general only need to be prepared for required claims
- Can always use token introspection endpoint to get e.g. mail and name for traceability
- This time is OK for the recurring call, i.e. 15:00 Geneva
Actions:
- Brian to tidy Location Doc
- Hannah to organise next call
- Hannah and Andrea to share slides for GDB update next week