Introduction

The shift towards federated identities and the adoption of new authorization standards by industry is a strong signal for WLCG to adapt its authorization infrastructure. It is necessary to continue to connect with users globally as well as peer organisation, infrastructures and cloud services.

Although it is clear that WLCG has to evolve away from X.509 at least for end users, there has been no community wide strategy. Several independent efforts to provide an authorization infrastructure supporting federated identity and authorization without certificates have been started and it is essential that a common vision be agreed upon. Different solutions are being implemented in the Research & Education sector and a number of translation services will be required to allow interoperable services.

The objective of this working group is to understand & meet the requirements of an AuthZ service for WLCG experiments – focused on serving the 99% of our researchers.

There are two main activities

1. Design and testing of a WLCG Membership Management and Token Translation service, facilitated by pilot projects with the support of AARC (AAI Pilot Projects)
2. Definition of a token based authorization schema for downstream WLCG services and token issuers (JWT)

Contact

e-group and mailing list, project-lcg-authz@cernNOSPAMPLEASE.ch

Face-to-Face Meetings

• July 26 2017 https://indico.cern.ch/event/656027/ Kickoff meeting, GDB
• November 2017 https://indico.cern.ch/event/578976/ pre-GDB, Requirements Gathering
• March 28 2018 WLCG Workshop https://indico.cern.ch/event/658060/
• July 17 2018 pre-GDB https://indico.cern.ch/event/651343/
• July 18 2018 Summary in GDB https://indico.cern.ch/event/651355/
• December 11 2018 pre-GDB https://indico.cern.ch/event/651348/
• March 13 2019 Summary in GDB https://indico.cern.ch/event/739876/
• March 19 2019 HOW Workshop Session https://indico.cern.ch/event/759388/contributions/3324311/
• September 10th 2019 pre-GDB at Fermilab https://indico.cern.ch/event/739896/
• January 16-17 2020 Token Hackathon https://indico.cern.ch/event/870616/

Video-Conference Meetings

• September 2017 https://indico.cern.ch/event/669715/
• October 2017 https://indico.cern.ch/event/670330/
• December 6th 2017 JWT https://indico.cern.ch/event/684620/
• December 14th 2017 AAI Pilot Projects https://indico.cern.ch/event/680452/ Indigo IAM and EGI Checkin demos
• January 26th 2018 AAI Pilot Projects https://indico.cern.ch/event/696286/ Demo assessments
• February 15th 2018 JWT https://indico.cern.ch/event/704478/
• February 21st 2018 AAI Pilot Projects https://indico.cern.ch/event/706302/ CRIC Authorization Workflow & AARC Pilots plan
• March 15th 2018 JWT https://indico.cern.ch/event/710409/
• March 19th 2018 AAI Pilot Projects https://indico.cern.ch/event/712343/
• April 10th 2018 JWT https://indico.cern.ch/event/719148/
• April 26th 2018 AAI Pilot Projects https://indico.cern.ch/event/719155/
• May 7th 2018 JWT https://indico.cern.ch/event/725955/
• May 28th 2018 AAI Pilot Projects https://indico.cern.ch/event/731164/ SciTokens and Condor
• June 6th 2018 JWT https://indico.cern.ch/event/734316/
• June 20th 2018 WLCG AuthZ https://indico.cern.ch/event/737125/
• July 4th 2018 JWT https://indico.cern.ch/event/739090/
• September 14th 2018 JWT https://indico.cern.ch/event/752366/
• September 20th 2018 VO Interviews https://indico.cern.ch/event/752370/
• October 12th 2018 https://indico.cern.ch/event/762965/
• October 24th 2018 https://indico.cern.ch/event/766771/
• November 7th 2018 https://indico.cern.ch/event/769147/
• November 29th 2018 https://indico.cern.ch/event/769148/
• December 13th 2018 https://indico.cern.ch/event/779671/ (VO Meetings, ALICE and LHCb)
• January 16th 2019 https://indico.cern.ch/event/784179/ (VO Meetings, CMS and ATLAS) (CANCELLED)
• January 29th 2019 https://indico.cern.ch/event/787893/
• February 1st 2019 https://indico.cern.ch/event/792989/ (VO Meetings, CMS and ATLAS)
• March 5th 2019 https://indico.cern.ch/event/791175/ DEMOS
• March 14th 2019 https://indico.cern.ch/event/804338/
• March 26th 2019 https://indico.cern.ch/event/802097/
• April 8th 2019 https://indico.cern.ch/event/812344/ (with OpenID Foundation R&E Working Group)
• April 11th 2019 https://indico.cern.ch/event/804340/ (with ARC expert)
• (CANCELLED, HOLIDAYS) April 25th 2019 https://indico.cern.ch/event/804342/
• (CANCELLED, NOT ENOUGH PEOPLE) May 2nd 2019 https://indico.cern.ch/event/813902/
• May 14th 2019 https://indico.cern.ch/event/813903/
• May 23rd 2019 https://indico.cern.ch/event/813904/
• June 6th 2019 https://indico.cern.ch/event/813905/
• July 5th 2019 https://indico.cern.ch/event/828016/
• August 5th 2019 https://indico.cern.ch/event/834835/
• October 16th 2019 https://indico.cern.ch/event/854205/
• January 28th 2020 https://indico.cern.ch/event/881002/ (Fermilab Questions)
• March 19th 2020 https://indico.cern.ch/event/899152/
• April 2nd 2020 https://indico.cern.ch/event/899155/
• April 16th 2020 https://indico.cern.ch/event/899156/
• April 30th 2020 https://indico.cern.ch/event/899157/
• May 14th 2020 https://indico.cern.ch/event/915109/
• May 28th 2020 https://indico.cern.ch/event/920007/
• June 11th 2020 https://indico.cern.ch/event/925980/
• June 25th 2020 https://indico.cern.ch/event/930063/
• July 9th 2020 https://indico.cern.ch/event/933362/
• September 3rd 2020 https://indico.cern.ch/event/941901/
• October 1st 2020 https://indico.cern.ch/event/959444/
• October 15th 2020 https://indico.cern.ch/event/961865/
• ... and every two weeks. Please see the Indico Category https://indico.cern.ch/category/68/

Presentations have been recorded where possible and are available at https://videos.cern.ch/deposit/project/aefb5d6eab4747008b54f305a9d721c5

Public Facing Documents

• WLCG JWT Schema v1.0 on Zenodo
• Software supporting the WLCG JWT Schema on Github
• CHEP2019 Proceedings on EPJ Web of Conferences
• Bearer Token Discovery specification on Zenodo

WG Documents

• (PUBLISHED) WLCG Authorisation Requirements Version 1.0, September 2018, Version 0.1, Working Doc
• (PUBLISHED) Catalogue of JWT usage in Infrastructures Version 1.0, November 2018, Google Doc
• (FINAL) VO Interview Qs Google Doc
• (FINAL) Supporting Information for VOs Hackmd page
• VO Interviews
  • LHCB
  • ATLAS
  • ALICE
  • CMS
• CHEP2019 Abstract pdf, Google Doc
• CHEP2019 Proceedings pdf

Internal / Draft documents

• Client Tools Google Doc
• Timeline
• Github Repository
• Token Issuer Deployment

Related Presentations

• Beyond X.509: Token-based Authentication and Authorization for HEP (Plenary) https://indico.cern.ch/event/587955/contributions/3012583/
• Federated Identity Management for Research https://indico.cern.ch/event/587955/contributions/2936916/
• EOSC-hub AAI: A federated authentication and authorisation infrastructure for international scientific collaboration at scale https://indico.cern.ch/event/587955/contributions/2936245/
• Capability-Based Authorization for HEP (SciTokens) https://indico.cern.ch/event/587955/contributions/2936866/
• WLCG Authorisation; from X.509 to Tokens, CHEP 2019 https://indico.cern.ch/event/773049/contributions/3473383/
• Beyond X.509: token-based authentication and authorization in practice, CHEP 2019 https://indico.cern.ch/event/773049/contributions/3473393/

Reference Documents

• VOMS Admin key features from Maria Dimou
• CERN Authorisation Service Plan from Paolo Tedesco
• Requirements matching to solutions exercise Google Doc
• AARC Pilot Intake Form
• The Road to the New CERN Authentication System, IT CDA
• lifetime of grid jobs from CERN Batch (2 week sample) PRELIMINARY DATA: