Attendees: Hannah, Andrea, Ian, David C, Dave D, Irwin, Jeny, Julie, Maarten, Mischa, Paul, Tom, Brian

Notes:

• Hackathon
  • Doodle circulated in June, hackathon scheduled for 16/17/18 of September https://doodle.com/poll/sa7ewgwuw4zcn7pf 
  • Andrea to create an Indico page :) and define agenda with DOMA TPC group, e.g.
    • audience restriction
    • group based authZ
  • Define objectives for each day
  • Need directory structure with permissions set up
  • User forum suggestion from Tom, parallel activity

Topics:
- WLCG JWT profile compliance
- Audience restrictions and token exchange
- Group-based authorization
- Local user mapping

Pre-requisites:
- All developers registered in WLCG VO
- oidc-agent client configuration in shape to get tokens
- List of endpoints for RUCIO/FTS/SEs
- Directory structure with permissions 

Shared google doc to collect this info: https://docs.google.com/document/d/1Qgg1fM5_KpGL5QwMSQ59FOYWEo-YNxvSBkbK7bis4so/edit#

• Audience Restriction
  • Proposal for selecting audiences from Brian. What is an audience, what kind of string can be used.
  • Protocol to select audiences from issuer
    • Token exchange (standard, supported by oidc-agent) vs scopes (non standard, although scopes are supported in general in most places)
    • OAuth go library doesn't support adding parameters to refresh token flows, or scopes
    • Hoping that heavy load of token exchange will not materialise
      • Alice requires a sizeable infrastructure for a similar use case (tokens per file)
    • Depends significantly on breadth of audience (e.g. per host, per service, per client)
    • Have initial problem that each client needs to honour the audience
      • Some do not take audience into consideration (particularly pure OAuth libraries)
      • JWT libraries do specify MUSTs to do with audience
      • Tokens without audience should be accepted by all clients
      • Since tokens are shared over the network we should use limited audiences to mitigate risk
      • We think this is a non issue
    • We may have put logic into scopes that should really be in audience (not sure this has happened, they are orthogonal concepts)
    • Audience can be requested in the initial token request (this is supported by oidc-agent), which limits need for token exchange
    • Possible hackathon topic to extend Go library
    • Might need to take care if using multiple audiences, how do scopes map onto audiences?

Actions:

• Andrea to create Indico agenda for hackathon and share with DOMA TPC and us
• Ian C to create Zoom room for hackathon
• No meeting in 2 weeks due to hackathon, but will try to squeeze in some discussions during hackathon
• Brian/Paul to add clarifying information on services running on multiple hosts to audience guidelines