Attendees: Hannah, Andrea, Maarten, Brian, Irwin, Jeny, Julie, Tom, Mine
Notes:
- Bearer token doc done
- Client Tools
- Demo not quite ready, the oidc-agent part is pending
- Prototype developed by Andrea, using Device Code Flow with browser (no need to authenticate twice since session established in browser)
- Do need to go to browser twice, particularly for consent part
- How can we remove the need to do the action (authenticate/consent/other) twice?
- Doesn’t seem right to silently allow people through, we also don’t want people to be exposed to additional risk
- Suggestion to add logic to consent, e.g. if they are the owner of the client then no consent needed (not supported by Keycloak)
- We need some kind of balance between different legalities (e.g. under GDPR consent is invalid in a work context)
- The VO terms of use and privacy policy already cover consent at a higher level
- This workflow is really Inform rather than Consent
- Summary: we need some kind of information screen as people go to a new client for the first time (not called consent) but this shouldn’t be shown if you are the client owner (this is not supported in Keycloak)
- Can we think of a way that oidc-agent is used by multiple people? i.e. client credentials are shared
- Vault already planned to be used, sounds likely that can combine oidc-agent and Vault (add to list)
- Centrally run oidc-agent with Vault - there may be a gap for places (e.g. labs) that cannot deploy Vault (though backup flow is the individual oidc-agent registration). Unclear whether Vault would need to be deployed locally by each lab (linked directly to an LDAP)
- Q from Mine: HTCondor cannot process WLCG Groups, are we going to use groups to submit jobs or just capabilities?
- Since pilot jobs, capabilities seems relevant. Wait until there is a use case before developing.
- Problem with CMS IAM instance, letsencrypt certificate was not refreshed and expired
- Need to get a Sectigo certificate for VOMS compatibility?
- CMS people have had a look at IAM, a bit of feedback
- People working on new services are quite happy
- Several things have only gone as far as prototypes due to lack of users (assumed green light)
- VOMS admin requests to cut out as many manual things as possible for the user (i.e. not have a VO admin click OK)
- Some feedback from GDB said that we need to have a manual step
- Why should they use this rather than the CERN OIDC endpoint?
- Could move everything to the CERN IdP
- There should be some documentation somewhere (in IT?)
Actions:
- Hannah publish bearer doc
- Hannah set up dedicated meetings on big topics (Andrea away next meeting)
- Hannah to follow up with CERN OpenShift about letsencrypt issue
- Hannah to follow up about getting grid certificates for OpenShift applications