Attendees: Hannah, Andrea, Dave, Alex, Ian, Tom, Jeffrey, Jeny, Jim, Joel, Laurence, Maarten, Mine, Mischa

Notes: 

• Group scope request -> capability use case
  • Requesting a group scope can provision a capability - this was not included in the original spec
  • IAM Implements scope policy. I.e. only users in this group can access these scopes (not linked to how they are requested)
  • In this particular case, Vault will be requesting specific scopes to get tokens with different capabilities for users (and service accounts). 
  • The problem is that Vault does not necessarily know which capabilities are required for a given user. They would know the group because that's part of the role selection. 
  • The problem to solve is how to allow someone to request capabilities for a particular role. Can be solved in multiple ways
    • Scope requests, e.g. "production", "admin" that the token issuer interprets to capabilities
    • Optional group that is also requested in scopes and results in capabilities in tokens and doesn't necessarily return the group (the proposal)
• Scope based capability reduction
  • If a client requests a scope for e.g. path "/" and isn't allowed to get capabilities for "/" but only for "/test/" then the claim for "/test/" should be returned
  • Requires knowledge of hierarchy and knowledge of what clients are able to request
  • This breaks assumption of extract string matching between scopes and claims
  • Page 13 of spec "For all ​storage.*​ scopes (requests), ​$PATH​ MUST be specified (but may be ​/​ to authorize the entire resource associated with the issuer); if not specified for these scopes, the token MUST be rejected."
  • "If an entity is not entitled to a capability, the scope requested may be ignored by the server and the corresponding token may not have the corresponding claims; in this case, section 3.3 of RFC 6749 requires the token issuer to inform the client. A server may also return an error during the authorization request."
• VOMS Admin Deprecation
  • As soon as IAM has the same features as VOMS Admin we should start deprecating VOMS Admin
  • Maarten to contribute to mkgridmap replacement 
  • Issue (Bug) today when user changes institute it is not propagated to VOMS Admin

Actions:

• Dave/Jim/Mine to write summary of use case for groups -> capability scope request
• Everyone to comment on https://github.com/WLCG-AuthZ-WG/common-jwt-profile/pull/6/files?short_path=a71a09b#diff-a71a09bf4c9ab18347bdf04955980f856ec2a397cd247f8bbc99628b3c9b365f
• Andrea to schedule ad hoc meeting to show how scope selection works (in under 2 weeks)
• Dave/Jim/Mine to write summary of use case for scope based capability reduction
• Everyone to comment on https://github.com/WLCG-AuthZ-WG/common-jwt-profile/pull/5/files?short_path=a71a09b#diff-a71a09bf4c9ab18347bdf04955980f856ec2a397cd247f8bbc99628b3c9b365f
• Maarten to contribute to mkgridmap replacement 
• Andrea to define dates
• Hannah remind mailing list about TAGPMA submission, particularly Brian (cannot be combined with Fermilab session)
• Hannah find out deadline for VCHEP submission and schedule