Francesco Giacomini
Francesco Giacomini
Thanks, Sam, for your nice work and all the best for your next challenge.
Me neither :-) but I'll try. Give me a few days.
Do we ignore backwards compatibility? G069 says "To retain compatibility with [AARC-G002], implementations MAY additionally send the same information using the eduperson_entitlement claim."
Remove comments from the yml file. Remember to update documentation about the environment variables.
There is already discussion along these lines in the context of the WLCG JWT profile (see e.g. https://github.com/WLCG-AuthZ-WG/common-jwt-profile/pull/46). Ignoring for a moment the technical feasibility, I personally have some reservations...
> I'm not sure I understand the issue around denying access, do you have a specific example @giacomini? People belonging to a certain country (something that unfortunately has happened). >...
There is no plan to base (which would mean rewrite) IAM on top of KC; KC has proved not to be an easy platform to extend. About naked impersonation, we...
We probably need to have an anonymous `/stats` endpoint (name to be decided) that we populate with some basic information. Based on your experience, can you give some indication on...
> Could it be possible to add an option to _prevent_ the automatic linking through the browser? > > That is, configure IAM _not_ to offer that functionality? Yes, but...
> Hi all, a user could still present the wrong IGTF certificate, or one from a problematic CA (e.g. based on a SHA-1 root that is not supported everywhere). So...