Finish Token Components section

matyasselmeci · matyasselmeci · commit 5fcc534e3124 · 2022-03-14T00:12:04.000-05:00
diff --git a/docs/security/tokens/overview.md b/docs/security/tokens/overview.md
@@ -8,14 +8,6 @@ that is intended as the replacement for X.509 for accessing compute and storage
 This document will describe "bearer tokens," which are one of the components of Token AAI;
 bearer tokens are the type of token that server software such as HTCondor and XRootD will primarily interact with.
 
-Bearer tokens are credential strings in the [JSON Web Token (JWT)](https://jwt.io) format.
-A JWT consists of a JSON header, a JSON payload, and a signature that can be verified.
-The payload contains a number of fields, called "claims", that describe the token and what it can access.
-
-There are two JWT-based token standards that can be used with OSG software: [SciTokens](https://scitokens.org)
-and [WLCG Tokens](https://github.com/WLCG-AuthZ-WG/common-jwt-profile/blob/master/profile.md).
-These standards describe the claims that are used in the payload of the JWT.
-
 A bearer token (sometimes called an "access token") is a short-lived credential,
 performing a similar role as a grid proxy did in X.509.
 X.509 proxies established identity (the DN in your subject) and group membership (VOMS FQANs).
@@ -29,21 +21,114 @@ it could have a token for read access to an input dataset, and a token for write
 
 Token Components
 ----------------
-SciTokens and WLCG Tokens are similar standards and have some common fields (known as "claims"):
 
--   Each token must have an issuer ("iss") claim.
-    This identifies the organization that issued the token.
-    An issuer looks like an HTTPS URL;
-    this URL must be valid and publicly accessible because it is used by services to validate the token.
+Bearer tokens are credential strings in the [JSON Web Token (JWT)](https://jwt.io) format.
+A JWT consists of a JSON header, a JSON payload, and a signature that can be verified.
+The payload contains a number of fields, called "claims", that describe the token and what it can access.
+
+There are two JWT-based token standards that can be used with OSG software: [SciTokens](https://scitokens.org)
+and [WLCG Tokens](https://github.com/WLCG-AuthZ-WG/common-jwt-profile/blob/master/profile.md).
+These standards describe the claims that are used in the payload of the JWT.
+
+SciTokens and WLCG Tokens are similar standards and have some common claims:
+
+**Issuer ("iss")**
+
+The issuer identifies the organization that issued the token.
+An issuer looks like an HTTPS URL;
+this URL must be valid and publicly accessible because it is used by services to validate the token.
+Token issuers will be described below.
+
+**Subject ("sub")**
+
+The subject identifies an entity (which could be a human or a robot) that owns the token.
+Unlike the subject of an X.509 certificate, a token subject does not need to be globally unique,
+only unique to the issuer.
+Subjects will be elaborated on below.
+
+**Issued-at ("iat"), not-before ("nbf"), expiration ("exp")**
+
+These claims are Unix timestamps that specify when the token was issued, and its lifespan.
+
+**Audience ("aud")**
+
+The audience is a server (or a JSON list of servers) that the token may be used on;
+it is typically a hostname, host:port, or URI.
+For example a token used for submitting a job to a CE would have
+`<CE FQDN>:<CE PORT>` in the `aud` claim.
+The special values `ANY` (SciTokens) or `https://wlcg.cern.ch/jwt/v1/any` (WLCG Tokens) allow the token to be
+used on any server.
+
+**Scope ("scope")**
+
+The scope limits the actions that can be made using the token.
+The format of the scope claim differs between SciTokens and WLCG Tokens;
+scopes in use by OSG services will be listed below.
+    
+
+### Issuer ###
+
+To generate bearer tokens, a collaboration must adminster at least one "token issuer" to issue tokens to their users.
+In addition to generating and signing tokens, token issuers provide a public endpoint that can be used to validate an
+issued token,
+e.g. an OSG Compute Entrypoint (CE) will contact the token issuer to authorize a bearer token used for pilot job
+submission.
+
+The issuer is listed in the `iss` claim; this should be an HTTPS URL of a web server.
+This server must have the public key that can be used to validate the token in a well-known location,
+as described by the [OpenID Connect Discovery standard](https://openid.net/specs/openid-connect-discovery-1_0.html).
+If the issuer is down, or the the public key cannot be downloaded, the token cannot be verified
+and will be rejected.
+
+A collaboration may have more than one token issuer,
+but a single token issuer should never serve more than one collaboration.
+The issuer claim should be able to uniquely identify the collaboration that identifies the token.
+
+
+### Subject ###
+
+The subject is listed in the `sub` claim and should be unique, stable identifier that corresponds to a user (human)
+or a service (robot or pilot job submission).
+A subject does not need to be globally unique but it must be unique to the issuer.
+The subject, when combined with the issuer, will give a globally unique identity
+that can be used for mapping, banning, accounting, monitoring, auditing, or tracing.
+
+!!! note
+    Due to privacy concerns, the subject may be a randomly generated string, hash, UUID, etc.,
+    that does not contain any personally identifying information.
+    Tracing a token to a user or service may require contacting the issuer.
+
+
+### Scopes and WLCG Groups ###
+
+The `scope` claim is a space-separated list of authorizations that should be granted to the bearer.
+Scopes utilized by OSG services include the following:
+
+| **Capability**   | **SciTokens scope** | **WLCG scope**                                 |
+|------------------|---------------------|------------------------------------------------|
+| HTCondor `READ`  | `condor:/READ`      | `compute.read`                                 |
+| HTCondor `WRITE` | `condor:/WRITE`     | `compute.modify compute.cancel compute.create` |
+| XRootD read      | `read:<PATH>`       | `storage.read:<PATH>`                          |
+| XRootD write     | `write:<PATH>`      | `storage.modify:<PATH>`                        |
+
+Replacing `<PATH>` with a path to the storage location that the bearer should be authorized to access.
+
+A SciToken must have a non-empty scope, or it cannot be used to do anything.
+
+A WLCG Token may have a `wlcg.groups` claim instead of a scope.
+This is a comma and space separated list of collaboration groups.
+The format of these groups are similar to VOMS FQANs: `/<collaboration>[/<group>][/Role=<role>]`,
+replacing `<collaboration>`, `<group>`, and `<role>` with the collaboration, group, and role, respectively, where the
+group and role are optional.
+For example, the following groups and roles have been used by the ATLAS and CMS collaborations:
 
--   Tokens should have a limited lifespan.
-    This is described by the issued-at ("iat"), not-before ("nbf"), and expiration ("exp") claims,
-    all of which are Unix timestamps.
+```
+/atlas/
+/atlas/usatlas
+/cms/Role=pilot
+/cms/local/Role=pilot
+```
 
--   Tokens must have a subject ("sub") claim.
-    The subject identifies an entity (which could be a human or a robot) that owns the token.
-    Unlike the subject of an X.509 certificate, a token subject does not need to be globally unique,
-    only unique to the issuer.
 
 Validating Tokens in Pilot Jobs
 -------------------------------
