WLCG Authorization WG


The shift towards federated identities and the adoption of new authorization standards by industry constitute a strong signal for WLCG to adapt its authorization infrastructure. It is necessary to continue to connect with users globally as well as peer organisations, infrastructures and cloud services.

Although it is clear that WLCG has to evolve away from X.509 at least for end users, there has been no community wide strategy. Several independent efforts to provide an authorization infrastructure supporting federated identity and authorization without certificates have been started and it is essential that a common vision be agreed upon. Different solutions are being implemented in the Research & Education sector and a number of translation services will be required to allow interoperable services.

The objective of this working group is to understand & meet the requirements of an AuthZ service for WLCG experiments focused on serving the 99% of our researchers.

There are several main activities

  1. Design and testing of a WLCG Membership Management and Token Translation service, facilitated by pilot projects with the support of AARC (AAI Pilot Projects)
  2. Definition of a token based authorization schema for downstream WLCG services and token issuers (JWT)
  3. Definition of token based workflows


e-group and mailing list, project-lcg-authz@cernNOSPAMPLEASE.ch

Development tips

CE token configuration

Current Work

Token based bulk data transfer workflows

Many workflows for WLCG rely on one service calling another, for example Rucio & FTS. Each service in these workflows may expect different tokens with specific groups/capabilities for authorization. The mechanisms to provision the correct tokens to the correct services must be defined, taking into account operational impact. Please see the Slides for an overview.

Leader: Andrea/Francesco

Output: Specification/Documentation

Design and test command line workflow tools

Physics workflows typically start on the command line. The WLCG community will need a user friendly mechanism to provision tokens locally, and that these tokens be correctly scoped for the workflow in question. There are several options under consideration such as OIDC-agent, myToken and htgettoken with Vault. Requirements include:

  • Users should not need to manage additional passwords
  • Browser interaction should be limited (i.e. once per 10 days)
  • Users should not need to manage client credentials
  • The use of public clients (i.e. clients that do not require a client secret) should be well controlled

A next step is to install htgettoken with Vault for the WLCG IAMs to allow for user feedback.


Output: Report with recommendations following user feedback

Update the WLCG Profile

The WLCG JWT Profile was published in September 2019 on Zenodo. Since then practical experience and feedback has been gathered. The Profile will be updated to incorporate points such as:

  • Leverage RFC 9068 wherever possible
  • Make the profile more inclusive and open for use by other communities, i.e. not call it "WLCG"
  • Specify fine grained compute scopes

Leader: Brian B

Output: New version of the JWT Profile

Analyse the impact of Tokens on the WLCG Security Model

A thorough study of the security impact of Tokens and their use in WLCG will be made. This may be via direct comparison with the risks of X.509.


Output: Report with recommendations

Traceability & Suspension

Work is needed to ensure traceability requirements (from the traceability working group) are respected. Additionally, mechanisms to suspend users and revoke tokens must be defined and tested.

Leader: David C

Output: Report with recommendations

Provide backwards compatibility tools

Certain tools, e.g. grid mapfile generation, must be replicated for the new infrastructure.

Leader: Maarten L

Output: Tools

Guidance on capability vs group usage

Guidance is needed to help services understand whether groups or capabilities are more suitable for their use case, and to clarify some aspects of when groups and capabilities may be used in parallel.


Output: Documentation

Recommendations on client registration

The topic of usability of client registration has been raised several times. Registering clients is a manual process and requires generating a clientID and secret from a WLCG IAM instance - this is significantly different from the previous certificate based authorisation model. Discussion is needed to understand what is acceptable for our community and provide recommendations.


Output: Report with recommendations


This is a rough timeline of priorities for the coming months

Work item Oct 21 Nov 21 Dec 21 Jan 22 Feb 22 Mar 22 Apr 22 May 22 Jun 22
Token based bulk data transfer X X X - - - - - -
Command Line Tools X X X X X X X X X
Update WLCG Profile - - X X X X - - -
Security Analysis - - - - - X X X
Suspension mechanisms
Backwards Compatibility Tools
Capability vs group usage
Client Registration

Face-to-Face Meetings

Video-Conference Meetings

See the Indico Category https://indico.cern.ch/category/68/

Particular meetings to note:

Presentations have been recorded where possible and are available at https://videos.cern.ch/deposit/project/aefb5d6eab4747008b54f305a9d721c5

Public Facing Documents

WG Documents

Internal / Draft documents

Related Presentations

Reference Documents

Topic attachments
I Attachment History Action Size Date Who Comment
PDFpdf 20191105_CHEP_WLCG_AuthZ.pdf r1 manage 16690.8 K 2020-02-03 - 11:47 HannahShort CHEP2019 Slides
PDFpdf AARC-AARC2SA1PilotIntakeWLCG-070318-1102-2218.pdf r1 manage 62.2 K 2018-03-07 - 11:02 HannahShort AARC Pilot Intake Form
PDFpdf AuthZ-WG-180328.pdf r1 manage 947.4 K 2018-04-05 - 12:03 HannahShort Slides from WLCG Workshop March 2018
PDFpdf AuthZ_pre-GDB_Requirements.pdf r1 manage 80.2 K 2018-03-07 - 10:56 HannahShort AuthZ Requirements (snapshot)
PDFpdf JWT_Shared_Profile_for_WLCG.pdf r1 manage 526.9 K 2018-04-05 - 11:52 HannahShort  
PDFpdf JWT_use_within_the_Community_v1.0.pdf r1 manage 538.0 K 2018-11-12 - 09:18 HannahShort JWT Catalogue v1.0
PNGpng Screen_Shot_2018-09-20_at_12.36.42.png r1 manage 130.4 K 2018-09-20 - 12:38 HannahShort lifetime of grid jobs from CERN Batch (2 week sample)
PDFpdf WLCGAAIPrivacyPolicy2.pdf r1 manage 59.8 K 2020-08-11 - 12:24 HannahShort WLCG Privacy Policy
PDFpdf WLCG_AuthZ_WG_CHEP2019_Abstract.pdf r1 manage 47.3 K 2019-04-12 - 10:28 HannahShort CHEP 2019 Abstract
PDFpdf WLCG_Authorisation_Requirements.pdf r1 manage 110.6 K 2018-09-28 - 16:10 HannahShort WLCG Requirements, frozen September 2018
PDFpdf WLCG_Authorisation_from_X_509_to_Tokens-Submitted.pdf r1 manage 328.6 K 2020-03-27 - 09:00 HannahShort CHEP2019 Proceedings
Unknown file formatdocx WLCG_Common_JWT_Profiles.docx r1 manage 77.9 K 2018-08-15 - 11:00 HannahShort JWT Schema Snapshot August 2018
PDFpdf WLCG_Token_based_Authentication__Authorisation_-_CodiMD.pdf r1 manage 37.6 K 2020-02-03 - 11:45 HannahShort Supporting material for VO Interviews
Edit | Attach | Watch | Print version | History: r56 < r55 < r54 < r53 < r52 | Backlinks | Raw View | WYSIWYG | More topic actions
Topic revision: r56 - 2022-11-10 - MaartenLitmaath
    • Cern Search Icon Cern Search
    • TWiki Search Icon TWiki Search
    • Google Search Icon Google Search

    LCG All webs login

This site is powered by the TWiki collaboration platform Powered by PerlCopyright & 2008-2023 by the contributing authors. All material on this collaboration platform is the property of the contributing authors.
or Ideas, requests, problems regarding TWiki? use Discourse or Send feedback