GUT-profile-WG / GUT-profile

Repository for the G(rand) U(nified) T(oken) profile

Need for community or namespace like information in tokens #3

Open msalle opened 7 months ago

msalle commented 7 months ago

All 3 profiles need information about the community/VO/etc. inside the token. For WLCG so far the issuer more or less corresponded with the VO. Does SciTokens also need a VO/accounting group?

Which features do we need to add:

deesto commented 4 months ago

This issue as raised is somewhat dense, and might be easier to parse with added examples of what a namespace might look like, even if completely fabricated at this point. It may also cross realms with the concepts of "audience" and "scope" at some level. But I would be for it: I don't see how it could hurt, and I think it might explicitly make tokens easier to parse per VO or group.

jbasney commented 4 months ago

If we need a JSON substructure, we could look at https://www.rfc-editor.org/rfc/rfc9396.html#name-enriched-authorization-deta (OAuth 2.0 Rich Authorization Requests).

DrDaveD commented 4 months ago

The WLCG common JWT profile has a wlcg.groups claim requested through scopes which allows multiple levels of groupings. That approach works well for the purpose of having "subVOs" as are used for example in the "fermilab" token issuer while still allowing other subgroups within them.
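An added illustration, not part of the thread and not code from the GUT or WLCG projects: how a resource server might read a multi-level `wlcg.groups` claim from an already-validated token and make per-VO and per-subVO decisions. It assumes the claim is a JSON array of slash-separated group paths and that membership in a subgroup implies membership in its parents; the issuer URL, group names and function names are constructed.

```python
# Constructed claims, as they would look after signature/issuer/audience checks.
SAMPLE_CLAIMS = {
    "iss": "https://issuer.example.org/fermilab",   # made-up issuer
    "sub": "constructed-subject",
    "wlcg.groups": ["/fermilab/dune/production", "/fermilab/nova"],
}


def parse_group(path):
    """Split '/vo/subvo/...' into segments, rejecting malformed paths."""
    if not isinstance(path, str) or not path.startswith("/"):
        raise ValueError(f"group must be an absolute path: {path!r}")
    segments = path[1:].split("/")
    if any(s in ("", ".", "..") for s in segments):
        raise ValueError(f"empty or relative segment in group: {path!r}")
    return tuple(segments)


def token_groups(claims):
    """Return the token's groups as segment tuples (empty if claim absent)."""
    raw = claims.get("wlcg.groups", [])
    if not isinstance(raw, list):
        raise ValueError("wlcg.groups must be an array")
    return [parse_group(g) for g in raw]


def is_member(claims, required):
    """True if any token group equals `required` or lies beneath it.

    Comparison is per path segment, so '/fermilab/dun' does not match
    '/fermilab/dune' the way a plain string-prefix test would.
    """
    need = parse_group(required)
    return any(g[:len(need)] == need for g in token_groups(claims))


def sub_vos(claims, vo):
    """Second-level groupings ("subVOs") the token carries under one VO."""
    return sorted({g[1] for g in token_groups(claims)
                   if g[0] == vo and len(g) > 1})


if __name__ == "__main__":
    print(is_member(SAMPLE_CLAIMS, "/fermilab/dune"))
    print(sub_vos(SAMPLE_CLAIMS, "fermilab"))
```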

hestem commented 3 months ago

Google doc to document proposal: https://docs.google.com/document/d/1TUxmaHVWJqHdVgQ3aBlfZ58jMW7ghyut6xLSHqJ1FLA/edit