Need for community or namespace like information in tokens #3
Comments
This issue as raised is somewhat dense, and might be easier to parse with added examples of what a namespace might look like, even if completely fabricated at this point. It may also cross realms with the concepts of "audience" and "scope" at some level. But I would be for it: I don't see how it could hurt, and I think it might explicitly make tokens easier to parse per VO or group.
If we need a JSON substructure, we could look at https://www.rfc-editor.org/rfc/rfc9396.html#name-enriched-authorization-deta (OAuth 2.0 Rich Authorization Requests).
The WLCG common JWT profile has a wlcg.groups claim requested through scopes which allows multiple levels of groupings. That approach works well for the purpose of having "subVOs" as are used for example in the "fermilab" token issuer while still allowing other subgroups within them.
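As an added illustration (not part of the comment above and not code from any of the token projects), the sketch below shows how a relying party could derive a community or sub-VO namespace from the multi-level `wlcg.groups` claim. The group names, the `namespaces` helper, the allowed character set and the `depth` parameter are assumptions made for the example, and the claims are assumed to come from a token whose signature, issuer and audience were already verified.

```python
import re

# Assumed syntax for this example: slash-separated path, one or more levels.
_GROUP_RE = re.compile(r"^(/[A-Za-z0-9][A-Za-z0-9._-]*)+$")

# Constructed sample claims; the group names are made up for illustration.
SAMPLE_CLAIMS = {
    "iss": "https://issuer.example/fermilab",
    "wlcg.groups": [
        "/fermilab/exp-a",
        "/fermilab/exp-a/production",
        "/fermilab/exp-b",
    ],
}


def namespaces(claims, depth):
    """Return the sorted, de-duplicated group prefixes of `depth` levels.

    depth=1 yields the top-level community (VO); depth=2 yields the
    "subVO" level described in the comment. Groups shallower than
    `depth` are returned unchanged. Malformed input raises ValueError
    so a caller never attributes work to a guessed namespace.
    """
    if depth < 1:
        raise ValueError("depth must be >= 1")
    groups = claims.get("wlcg.groups", [])
    if not isinstance(groups, list):
        raise ValueError("wlcg.groups must be a JSON array of strings")
    found = set()
    for group in groups:
        if not isinstance(group, str) or not _GROUP_RE.match(group):
            raise ValueError(f"malformed group: {group!r}")
        parts = group.split("/")[1:]  # drop the empty element before the leading "/"
        found.add("/" + "/".join(parts[:depth]))
    return sorted(found)


if __name__ == "__main__":
    print(namespaces(SAMPLE_CLAIMS, 1))
    print(namespaces(SAMPLE_CLAIMS, 2))
```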
Google doc to document proposal: https://docs.google.com/document/d/1TUxmaHVWJqHdVgQ3aBlfZ58jMW7ghyut6xLSHqJ1FLA/edit
SciTokens doesn't support groups. SciTokens is about capability-based authorization, not group-based authorization. In SciTokens, accounting would be expressed as "authorization to charge to an account". For example:
All 3 profiles need information about the community/VO/etc. inside the token.
For WLCG so far the issuer more or less corresponded with the VO.
Does SciTokens also need a VO/accounting group?
Which features do we need to add: