Meeting Notes 2025

SESSION #5, Breakout #3

Session Title: OIDFed and Research Requirements

Session Convener: Niels van Dijk

Session Notes Taker(s): Hannah, Phil, Gyongyi

Tags / links to resources / technology discussed, related to this session:

Discussion notes, key understandings, outstanding questions, observations, and, if appropriate to this discussion, action items, next steps:

Q from Scott: what progress is there in development to support OIDFed? 

Neils:

• • • Two OP products that are getting support for OID Fed: Shibboleth OP and Simplsamlphp.
    • ○ Work is progressing; interop event in Finland. 
    • ○ For certain federations, promote OpenID Fed by upgrading their software to support it
    • ○ Other federations, hub and spoke, use a proxy
    • ○ For mesh like federations, provide a proxy or hub to support OPs that are not Fed-aware. Need RPs
  • • RP OpenID Fed is looking bleak.
    • ○ Maybe we need to create an adaptor that adds some OpenID Fed support to existing RPs
    • ○ (Lots of people, including Henri) Author of mod_auth apache module openID (mod_auth_openidc)  is adamant that doesn’t want to implement it at the moment. Not a cash issue, just doing too well.
    • ○ Davide had the idea not to fork something like mod_auth_openidc but to add an adapter to it to support the federation functions needed.
    • ○ Satosa has good support for OpenID Federation. Is what Roland used with his Python software stack to test OpenID Federation.
    •  

Christos: the research aspects. 

• • • Very clear that we will all be going towards OIDFed
  • • Also clear that it won’t be available very soon (e.g. this year)
  • • Expectation that the proxies will implement OIDFed but not the RPs
  • • Eventual aim is that we can remove the proxy all together but eventually they may be removed when wallets are up and running and containing community attributes
  • • Implementation within eduGAIN ongoing
  • • EOSC Federation does not fully refer to authentication, it is also e.g. storage. However there is an urgent need for some identity federation with OIDC now. There will be multiple federations in the future.
  • • The way forward in an ideal way forward would have one trust fabric layer.

Leif: can’t we use an existing infrastructure such as eduGAIN and use Key exchange in eduGAIN to bootstrap this?

Nieils: first place we want to do this is in the identity layer?

Christos:

• • • We are creating a fractal (PS?). Multiple things can be abstracted so the identity layer can be common to implementations.
  • • The other nodes are national infras or thematic infras. Requirement is that they have AArC BPA implementations. Common identity layer brings together all the IdPs and communities
  •  

Leif: the EOSC impelmentation so far seems much more low-budget. NextCloud or OwnCloud (it looks like)

Leif: Infrastructure proxy to connect single services. Mostly they are OwnCloud or one of the Dutch cloud service. 

Christos: in April each node candidate has to provide an infra proxy that will connect. 

Leif: but everyone just seems to want to offer Openstack (ie..a single SP behind their proxy)

Christos: Dutch connecting a few services for SSO, other countries are doing more complex things (PS, not exact). 

Leif: No evidence to support a notion of connecting many services. More likely to see AAI work inside the next cloud instance.

Hannah: Each node is doing different things. Political push to integrate.

Leif: What is the actual usage / use cases: data sharing and sharing resources across borders. It effects: difference between building a thing 30 instances in a file sync share service and between different things.

Christos: Sees and shares Leif’s concern, but right now the requirements are to connect hundreds of services, and they need infrastructure to do that. Finalised on Friday and published this week. 30 nodes, connected via the hub and spoke model, our role is to provide openID federation to remove the hub and gain full trust between the nodes. OpenID Fed spec is not enough to support that, they also need token introspection, so we know what the token can do in their environment. Needs to split tokens across nodes, how do we do that (requirement comes from the research space).

Niels: Where do those requirements come  from (to Christos)

Use case: research comes from a Spanish Node and want to access Jupyter service. Via the spanish node and fetch the date from the Dutch node. The Jupyter notebook already received an access token from the Spanish node and share it with the DUtch node. The Dutch node should be able to go back to the Spanish node to have the issued token validated.  Token introspection is required. OpenID Fed is only the trust part. 

Neils: Is aware of this user case. OpenID Fed is not just about OpenID Connect. You need an authorization federation

Neils: OpenID Federation can be used to establish trust between authorization servers. 

Proxied token introspection and OPenID Fed are both required long term. Eventually we may be able to remove the proxies.

Mads: what is required by researchers: not only the access to the infrastructure but to get access to the data. To be able to have access to data controllers… Is it inside the scope that we are asking in this session?

Leif: data will not move, the workload will move. Than it is in scope in WIMSIE standard.

Licia: the EC asked all the different country nodes (30) for requirements they are filtering down.

Christos: reporting on what we’ve been asked to report. 

Neils: are you saying the EU are giving you detailed requirements on token introspection?

Christos: EuroHPC case they move data. EuroHPC platform: the researchers should be able to go to the portal and select resources. 

Mads: The real problem is that almost all HPC site has no preparation for data protection. The problem is how to get access to the data? And the trust relationship between the HPC infrastructures which still needs to be built.

Leif: Is this being done today, is that CILogon.

Scott: OSG and Pelican and some others are doing this today. Use case is getting data to the GPUs and they use a lot of tokens to do it. (Maybe this is solved by some)

Mads: moving the data not important, how we move the data and how we track that is important. Moving data is the HPC problem, so here we need to decide on access granting and trust relationships.

Neils: there is a more generic scenario about how you manage authorization

Christos: practical side, in the next few years what can we implement. 

GO69 (group syntax) will be used for EOSC cases.

Can I publish my URLs so that other people can trust it? 

Leif: what about REIF?

Neils: you need a trustworthy way to publish that (PS, the namespace identifier?). You want to stick that identifier on institutions to help make authorization decisions (bit like trust_marks). 

Christos: yes that is interesting, but right now: you want to create a project, text box to add URN namespaces. 

Neils: thinking about something similar in eduGAIN PoC. Have trust mark issuer (TMI), trust anchor will trust the TMI, but it is up to the TMI to issue whatever they want (trust anchor, eduGAIN for instance, just trusts them to do that correctly). Trust the onboarding process by these federations is of sufficient quality, then you can use this…for trust (PS, did not catch that specific example University Alliances, ELIXIR, Erasmus+ entities). 

Christos: if we have the trust fabric we can label them that I want this.

Niels: the mechanism would remain the same.

Hannah: two other research user cases which are easier: each middleware has a list of trusted issuers (static list) and OpenID Federation can help with that (we missed EU Grid PMA serving a list of trusted issuers – need to add this back in), each middleware has done that themselves). OpenID Fed will help, do not see blockers. 

People are really hesitant that AAI is a blocker because of the proxies..Having a redundant set of tokens maybe a way forward

Christos: local authorisation scalability problem. ATLAS project will have 10 authorization servers set around the world, it is within the ATLAS domain. If between trust domains then it is OIDF makes sense as it is between trust domains. Then you need a trust fabric where OIDF can help.

Neils: Then your black to your problem, a number of sites are making statements and you need to know who to trust in those cases (not all in the same domain). OpenID Fed can help with this trust, bit you will need a profile to make that happen.

Christos: But you can use a local fed to manage trust, and then have redundancy by using more than one issuer (or auth server etc). 

Leif: if you have 10 issuers, treat them as an internal federation.

Neils: Christos use case, and mine in the eduGAIN space have some overlap, but trying to understand what overlap. Christos is building an authorization federation eduGAIN is building an identity federation. Some things are the same, using trust_marks to identify OPS and RPs (in different ways). Your authorization use case needs to be encoded in the spec in some way.

Christos: building a trust federation and on top of that build an authorization federation. 

Niels: we need a trust fabric which is the ecosystem where both trust federation and authorization federation are.

Organization onboarding – they need a technical… couldn’t catch more.

Leif: gets a 6th sense that there is a 2 part validation here. Key validation, only care about a bag of keys. Then validation of the token contents itself – which is so application specific. Maybe we should solve the roots of trust issue. We tend to end up needing a list of trusted roots.

(PS, brain exploded). Lorem ipsum dolor sit amet, consectetur adipiscing elit. Ut elit tellus, luctus nec ullamcorper mattis, pulvinar dapibus leo.