WLCG AuthZ Call
Proposed agenda:
- Token-based AuthN/Z Hackathon, scheduled for mid-September
- Restricting the audience/Audience guidance from profile doc https://github.com/WLCG-AuthZ-WG/CommonJWTProfile/pull/3
- Guidance on service owners choosing between WLCG IAMs or CERN IdP
- Personal data in UserInfo endpoint
Zoom meeting:
Please ensure you are signed up to project-lcg-authz@cern.ch to receive the meeting password!
Join Zoom Meeting
https://cern.zoom.us/j/94718857994
Meeting ID: 947 1885 7994
Password: <see email>
One tap mobile
+41432107042,,94718857994# Switzerland
+41432107108,,94718857994# Switzerland
Dial by your location
+41 43 210 70 42 Switzerland
+41 43 210 71 08 Switzerland
+41 31 528 09 88 Switzerland
+33 1 7037 9729 France
+33 7 5678 4048 France
+33 1 7037 2246 France
Find your local number: https://cern.zoom.us/u/abjrVtLBu4
Join by SIP
94718857994@188.184.85.92
94718857994@188.184.89.188
Join by H.323
188.184.85.92
188.184.89.188
Attendees: Hannah, Andrea, Ian, David C, Dave D, Irwin, Jeny, Julie, Maarten, Mischa, Paul, Tom, Brian
Notes:
- Hackathon
- Doodle circulated in June; hackathon scheduled for 16, 17 and 18 September https://doodle.com/poll/sa7ewgwuw4zcn7pf
- Andrea to create an Indico page :) and define agenda with DOMA TPC group, e.g.
- audience restriction
- group based authZ
- Define objectives for each day
- Need directory structure with permissions set up
- Tom suggested a user forum as a parallel activity
Topics:
- WLCG JWT profile compliance
- Audience restrictions and token exchange
- Group-based authorization
- Local user mapping
Pre-requisites:
- All developers registered in WLCG VO
- oidc-agent client configuration in shape to get tokens
- List of endpoints for Rucio, FTS and the SEs
- Directory structure with permissions
Shared google doc to collect this info: https://docs.google.com/document/d/1Qgg1fM5_KpGL5QwMSQ59FOYWEo-YNxvSBkbK7bis4so/edit#
- Audience Restriction
- Brian has a proposal for selecting audiences: what an audience is and what kind of string can be used
- Protocol for a client to select the audience when requesting a token from the issuer
- Token exchange (standard, RFC 8693, supported by oidc-agent) vs. encoding the audience in scopes (non-standard, although scopes in general are supported in most places)
- The Go OAuth library doesn't support adding extra parameters, or scopes, to the refresh token flow
- Hoping that heavy load of token exchange will not materialise
- ALICE requires a sizeable infrastructure for a similar use case (tokens per file)
- Depends significantly on breadth of audience (e.g. per host, per service, per client)
- Initial problem: each client (i.e. each service that consumes the token) needs to honour the audience
- Some do not take the audience into consideration (particularly pure OAuth libraries)
- The JWT spec (RFC 7519) does specify MUSTs for the audience claim, and JWT libraries implement them
- Tokens without an audience should be accepted by all clients
- Since tokens are passed around over the network, we should use limited audiences so that a leaked token cannot be replayed against other services
- We think this is a non-issue
- We may have put logic into scopes that should really be in audience (not sure this has happened, they are orthogonal concepts)
- Audience can be requested in the initial token request (this is supported by oidc-agent), which limits need for token exchange
- Possible hackathon topic to extend Go library
- Might need to take care if using multiple audiences: how do scopes map onto audiences?
Actions:
- Andrea to create Indico agenda for hackathon and share with DOMA TPC and us
- Ian C to create Zoom room for hackathon
- No meeting in 2 weeks due to hackathon, but will try to squeeze in some discussions during hackathon
- Brian/Paul to add clarifying information on services running on multiple hosts to audience guidelines