Worldwide LHC Computing Grid
Published September 23, 2025 | Version 1.1
Technical note Open

WLCG Common JWT Profiles

Creators

  • 1. Fermilab
  • 2. Morgridge Institute for Research
  • 3. INFN
  • 4. STFC-RAL
  • 5. Nikhef
  • 6. GRNET
  • 7. CERN
  • 8. DESY
  • 9. ROR icon National Institute for Subatomic Physics
  • 10. ROR icon European Organization for Nuclear Research
  • 11. ROR icon Istituto Nazionale di Fisica Nucleare
  • 12. INFN-CNAF
  • 13. ROR icon Brookhaven National Laboratory

Description

This document describes how WLCG users may use the available geographically distributed resources without X.509 credentials.  In this model, clients are issued with bearer tokens; these tokens are subsequently used to interact with resources.  The tokens may contain authorization groups and/or capabilities, according to the preference of the Virtual Organisation (VO), applications and relying parties. 

Wherever possible, this document builds on existing standards when describing profiles to support current and anticipated WLCG usage.  In particular, three major technologies are identified as providing the basis for this system: OAuth2 (RFC 6749 & RFC 6750), OpenID Connect  and JSON Web Tokens (RFC 7519). Additionally, trust roots are established via OpenID Discovery or OAuth2 Authorization Server Metadata (RFC 8414). This document provides a profile for OAuth2 Access Tokens and OIDC ID Tokens. 

Files

WLCG_Common_JWT_Profiles_1.1.pdf

Files (234.6 kB)

Name Size Download all
md5:a3bc2f7da5e97fab8079e2eb35d8765a
234.6 kB Preview Download

Additional details

Software

Repository URL
https://github.com/WLCG-AuthZ-WG/common-jwt-profile/
Programming language
Markdown
Development Status
Active