Identifying VO membership from the issuer
Opened this issue · 3 comments
Although not explicit stated (see #28), an issuer will only issue tokens to a single VO.
Therefore, it seems logical (at least, to me) that a service might be able to deduce the VO membership of the the agent (person or software) bearing the token, using only information from the iss
claim. This would be true even if the token contains no information on group membership: the service may still identify the corresponding VO even if the wlcg.groups
claim is either missing or empty.
In that sense, the iss
claim identifies the VO.
If this approach seems reasonable, the document should be updated to make it clear that a service MAY (RFC 2119) identify the VO from the issuer (iss
) claim.
If this approach is not reasonable, then the document should be updated to make it clear that a service MUST NOT (RFC 2119) identify the VO from the issuer (iss
) claim.
Note This issue is very specifically only about identifying the VO. If identifying the VO from the iss
claim is acceptable, this issue deliberately makes no comment on how the service might use that VO-membership information.
Again, it depends on exactly what you mean by "VO".
Please check #47 that tries to address the aforementioned concerns to some extent.