WLCG AuthZ Call


Proposed agenda: 

  •  Token-based AuthN/Z Hackathon, scheduled for mid-september
  • Restricting the audience/Audience guidance from profile doc https://github.com/WLCG-AuthZ-WG/CommonJWTProfile/pull/3
  • Guidance on service owners choosing between WLCG IAMs or CERN IdP
  • Personal data in UserInfo endpoint

Zoom meeting:

Please ensure you are signed up to project-lcg-authz@cern.ch to receive the meeting password!

Join Zoom Meeting

Meeting ID: 947 1885 7994
Password: <see email>
One tap mobile
+41432107042,,94718857994# Switzerland
+41432107108,,94718857994# Switzerland

Dial by your location
        +41 43 210 70 42 Switzerland
        +41 43 210 71 08 Switzerland
        +41 31 528 09 88 Switzerland
        +33 1 7037 9729 France
        +33 7 5678 4048 France
        +33 1 7037 2246 France
Meeting ID: 947 1885 7994
Find your local number: https://cern.zoom.us/u/abjrVtLBu4

Join by SIP

Join by H.323
Meeting ID: 947 1885 7994
Password: <see email>

Attendees: Hannah, Andrea, Ian, David C, Dave D, Irwin, Jeny, Julie, Maarten, Mischa, Paul, Tom, Brian


  • Hackathon
    • Doodle circulated in June, hackathon scheduled for 16/17/18 of September https://doodle.com/poll/sa7ewgwuw4zcn7pf 
    • Andrea to create an Indico page :) and define agenda with DOMA TPC group, e.g.
      • audience restriction
      • group based authZ
    • Define objectives for each day
    • Need directory structure with permissions set up
    • User forum suggestion from Tom, parallel activity

- WLCG JWT profile compliance
- Audience restrictions and token exchange
- Group-based authorization
- Local user mapping

- All developers registered in WLCG VO
- oidc-agent client configuration in shape to get tokens
- List of endpoints for RUCIO/FTS/SEs
- Directory structure with permissions 

Shared google doc to collect this info: https://docs.google.com/document/d/1Qgg1fM5_KpGL5QwMSQ59FOYWEo-YNxvSBkbK7bis4so/edit#

  • Audience Restriction
    • Proposal for selecting audiences from Brian. What is an audience, what kind of string can be used.
    • Protocol to select audiences from issuer
      • Token exchange (standard, supported by oidc-agent) vs scopes (non standard, although scopes are supported in general in most places)
      • OAuth go library doesn't support adding parameters to refresh token flows, or scopes
      • Hoping that heavy load of token exchange will not materialise
        • Alice requires a sizeable infrastructure for a similar use case (tokens per file)
      • Depends significantly on breadth of audience (e.g. per host, per service, per client)
      • Have initial problem that each client needs to honour the audience
        • Some do not take audience into consideration (particularly pure OAuth libraries)
        • JWT libraries do specify MUSTs to do with audience
        • Tokens without audience should be accepted by all clients
        • Since tokens are shared over the network we should use limited audiences to mitigate risk
        • We think this is a non issue
      • We may have put logic into scopes that should really be in audience (not sure this has happened, they are orthogonal concepts)
      • Audience can be requested in the initial token request (this is supported by oidc-agent), which limits need for token exchange
      • Possible hackathon topic to extend Go library
      • Might need to take care if using multiple audiences, how do scopes map onto audiences?


  • Andrea to create Indico agenda for hackathon and share with DOMA TPC and us
  • Ian C to create Zoom room for hackathon
  • No meeting in 2 weeks due to hackathon, but will try to squeeze in some discussions during hackathon
  • Brian/Paul to add clarifying information on services running on multiple hosts to audience guidelines 
There are minutes attached to this event. Show them.
The agenda of this meeting is empty