This text is intended as a starting point for the discussion.
We will edit the text together during the session and then transfer the final version back to the IVOA wiki afterwards.

GWS Session

Brian Major introduction on GMS and Authorization (authz).
Difference between auth and authz: who am I, what I can do.
GMS based on groups.
An example is the use of an authenticated TAP service.
GMS is based on the isMember request: is a user a member of a group?
There are two API functions in GMS:
isMemberof
getMembership (get all memberships for a user and cache them for a while) can work only on a single GMS, maybe we can remove it (?)
Why should I need the "getMembership"?
TOM: is that a protective call? How does the security work? Only the user themself can do the call.
Steve Groom: asking about having authentication on datasets rather than the entire endpoint. Flow is similar to what is shown, with the service determining what group(s) are needed to check, instead of the group being explicitly supplied by the user in the URI.
James Tocknell: GMS and token expiration. What is the status of the group {I miss the description of the use case} the OAuth token can expire.
GMS works in the scenario where the group information is very private. The CDP approach avoids having a trust network between organizations; it is the user who decides the level of privacy.
Question: (GT) can we proceed with the RFC even if we do not have the token CDP?
Sonia is presenting a GMS based on tokens (RAP based), based on JWT token relay, using JSON web tokens (self-contained and signed). The use case is based on file server access. The protocol is OAuth token exchange (RFC 8693).
Groups of groups (parent.children): need to standardize the separator (now it is a "."). Groups are stored in a DB.
Brian Questions: groups of groups. Why do we need to see the hierarchy from outside? There are use cases where users should download files from all the sub groups. Groups are associated to observatory programs.
Pat Question: the way we implement GMS is a just a questions. If we
Dave: is the token restricted to some specific operation? Yes, because in the token we use the scope, and that token is valid only for a specific service. It is an improvement from X509. But this restriction implies the client should know all the services to contact.
When a user delegates the credential, she would know to which extent her token is used. Could be implemented at the CDP level.
Pat: when a user delegates to a site she is trusting the site and everyone the site trusts. Chain of trust.
Users should be able to revoke scope.
Proxy certificates are not working properly for Kubernetes.
IA2 developed a web page where users can connect to download tokens for CLI usage.
SUMMARY:
keep the list of all groups
we have two implementations, one based on tokens
ACTIONS:
Are we willing to work on the new CDP document
Participants:
  • DaveMorris @ Edinburgh interested in implementing GMS and CDP
  • INAF IA2 CDP
  • Sara Bertocco
Sonia: in our use case the list of groups makes sense because we would like to show the list of groups in our portal
Will Sonia's slides (OAuth2 implementation of GMS) be posted somewhere? don't see them yet
Topic revision: r1 - 2020-05-20 - GiulianoTaffoni