WLCG AuthZ Call

Thursday 21 Jan 2021, 15:00 → 16:00 Europe/Zurich

Proposed agenda: 

• Announcements/Info
  • ARC collaboration, waiting on data transfer Token Workflow doc - what do we need to do here? 
  • vCHEP Submission
  • IAM Users Meeting
• Discussions:
  • id token claim for use by vault with kerberos (Dave and Andrea)
  • Use cases for Groups vs Capabilities vs Mixed authorisation
    • Decided last time that a new scope was required to select a set of capabilities, possibly e.g. wlcg.capabilityset:production
    •  https://github.com/WLCG-AuthZ-WG/common-jwt-profile/pull/10
• Ongoing points:
  • Plan for VOMS Admin deprecation (Andrea to add Dates) 
  • IAM support migration to CERN IT-CDA (Hannah, in progress)
  • ATLAS IAM progress

Zoom meeting:

Please ensure you are signed up to project-lcg-authz@cern.ch to receive the meeting password!

Join Zoom Meeting
https://cern.zoom.us/j/94718857994

Meeting ID: 947 1885 7994
Password: <see email>
One tap mobile
+41432107042,,94718857994# Switzerland
+41432107108,,94718857994# Switzerland

Dial by your location
        +41 43 210 70 42 Switzerland
        +41 43 210 71 08 Switzerland
        +41 31 528 09 88 Switzerland
        +33 1 7037 9729 France
        +33 7 5678 4048 France
        +33 1 7037 2246 France
Meeting ID: 947 1885 7994
Find your local number: https://cern.zoom.us/u/abjrVtLBu4

Join by SIP
94718857994@188.184.85.92
94718857994@188.184.89.188

Join by H.323
188.184.85.92
188.184.89.188
Meeting ID: 947 1885 7994
Password: <see email>

Participants: Hannah, Andrea, DavidC, DavidK, Brian, Dave, Enrico, Irwin, Jeffrey, Jeny, Jim, Julie, Maarten, Mischa, Petr, Marco

• ARC
  • We already have defined workflows for other software, we probably need to involved them in the DOMA group
  • We should understand whether they need anything non standard, e.g. exchange
  • https://www.nordugrid.org/arc/arc6/misc/oidc_tokens.html
  • Probably similar to e.g. HTCondor work, mostly done in the US
  • Need discussion on which scopes should be required
  • Future Hackathon to focus on token propagation workflow
  • We should have a future meeting where HTCondor etc present
• vCHEP
  • DaveD to submit on command line
  • Andrea to submit contribution on IAM evolution
  • CERN SSO team submitting as well (could include WLCG IAM instances)
  • What’s left?
    • Bearer token discovery
    • Token flows for managed data transfer (DOMA TPC)
• IAM Users Meeting https://indico.cern.ch/event/970568/
• ID Token Claim for Kerberos
  • You need a claim from an OIDC token to map to a kerberos identifier
  • Must be unique and can map
  • For CiLogon have created a new claim called vault.uid (possibly better to rename, easy to change)
  • At Fermilab also want to be able to map to robot principals. uid/something/something 
  • CiLogon token issuer is removing @fnal.gov when token is coming from FNAL IdP (robot support)
  • We need something similar for CERN, CERN SSO must forward an identifier that IAM can forward inside tokens (i.e. hshort@cern.ch)
  • Probably best unique ID is coupling of issuer + subject
  • Suggestion for vault to store a mapping to go from uniqueID to kerberos claim, not rely on the claim being the same as the kerberos principle directly 
  • CERN SSO should release a claim that contains the kerberos principal (only for valid users)
  • preferred_username is not a good choice for a persistent claim (From https://openid.net/specs/openid-connect-core-1_0.html#StandardClaims "The RP MUST NOT rely upon this value being unique, as discussed in Section 5.7.")
  • Current system propagates HR name changes (e.g. middle name removal) which causes bugs down stream with DNs
• Capability Set PR
  • Need a few lines on motivation (i.e. client doesn't know which scopes to request, perhaps scopes are templated for the user)
  • May not be trivial to implement
  • How to remove scopes? Suggest that should not be included as rather complicated
  • Deduplication
  • What happens if issuer doesn't understand the capability set? How can we let the user know that the capability set was not granted fully?
  • Capability set coming back as an aggregate might be a future point to discuss
  • Jim - we also need to define the iss claim (complex in multi VO issuer) 
• Comment from Brian, can we avoid using WLCG in schema? (for next time)

Actions

• Hannah start Google doc to gather thoughts on token propagation workflows (done)
• Hannah to start CE scope requirement discussion on Github (done)
• Brian send URL about how to contribute to Globus retirement
• Hannah set up Overleaf for vCHEP submission (done)
• Andrea forward IAM Users Meeting invitation
• Hannah, DaveD and Andrea set up CERN SSO claim that can contain kerberos principal, and define claim name
• DaveD add examples/motivation for why capability set needed, e.g. production role, multi-VO issuer
• DaveD to add grammar rules for capability set 
• Hannah send update on IAM transition to CERN progress (done)
• Hannah schedule next call