We have gradually phased in OpenID Connect authentication support in the migrid stack and will continue in that direction. There are some rough corners and missing pieces in relation to completing the move away from OpenID 2.0 completely. This milestone tries to sum up and work as an umbrella for the associated tasks.

• The built-in external user account auth handling implemented in grid_openid is OpenID 2.0 - we need a corresponding grid_openidc service
• Jupyter sessions fail ("Protected Location") on OpenID Connect (e.g. Start DAG) unless also logged in on OpenID 2.0.
• OpenID Connect login currently does not auto-renew local user accounts like OpenID 2.0 logins does.
• Explicit sign up should no longer be necessary for local users with OpenID Connect
• Log out may or may not be completely supported - in particular with WAYF OpenID Connect
• Further testing of local user OpenID Connect sign up and handling of affiliation+role values is needed