WLCG-AuthZ-WG / common-jwt-profile

A repo for the WLCG Common JWT profile document

Investigate convergence with AARC representation of groups #44

Open paulmillar opened 11 months ago

paulmillar commented 11 months ago

Background

The AARC project (and successors) introduced a standard way to represent group-membership. This was codified as AARC guideline G002, which has been recently updated as guideline G069.

The WLCG JWT profile also supports asserting group membership within the token, but uses an incompatible format. Different claims are used and the claim values are also formatted differently.

The AARC group representation supports more use-cases and is (in some sense) more advanced; however, that comes at a cost of significant inflation of the token size. Token size is significant because the places where tokens are used (typically HTTP headers) have a maximum size. Although HTTP places no restriction, implementations typically reject requests with a header larger than 8 KiB. Other software may start rejecting tokens at a lower threshold.

The AARC profile is (from my perspective) being adopted in different communities, and is becoming a widely deployed standard.

The issue

This issue is the incompatibility between the WLCG JWT group-membership claim and AARC's claim, as this places an additional burden on OPs and RPs when adopting this profile.

Also, some of the AARC more advanced use-cases may prove useful in the WLCG context.

Much of the inflated size of the AARC group representation is (for our use-cases) redundant information. Therefore, it may be possible (in collaboration with AARC) to define an updated group representation that supports the power of the existing AARC G002/G069 guidelines but with representations that are more compatible with including group-membership information within the token.
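As an added illustration of the size concern raised above (not code from the issue, the WLCG profile or AARC), this Python snippet encodes the same constructed group list as a WLCG `wlcg.groups` claim and as AARC G002-style `eduperson_entitlement` URNs, then checks how many groups each representation can carry before the encoded payload exceeds an 8 KiB header budget. The claim names and URN layout follow the two profiles; the namespace, authority and group names are constructed sample values.

```python
import base64
import json

HEADER_LIMIT = 8 * 1024  # typical per-request header size limit cited in the issue

# Constructed sample values (not taken from any real deployment).
SAMPLE_GROUPS = ["/cms", "/cms/uscms", "/atlas/production"]
SAMPLE_NAMESPACE = "example.org"
SAMPLE_AUTHORITY = "example.org"


def b64url(data: bytes) -> str:
    """Base64url without padding, as used for JWT segments."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def wlcg_groups_claim(groups):
    """WLCG profile: 'wlcg.groups' is a list of slash-separated group paths."""
    return {"wlcg.groups": list(groups)}


def aarc_entitlement_claim(groups, namespace=SAMPLE_NAMESPACE, authority=SAMPLE_AUTHORITY):
    """AARC G002-style entitlement URNs, one per group:
    urn:geant:<namespace>:group:<group>[:<subgroup>...]:role=<role>#<authority>
    Role is fixed to 'member' here to keep the comparison like-for-like."""
    urns = []
    for path in groups:
        parts = path.strip("/").split("/")
        urns.append(f"urn:geant:{namespace}:group:{':'.join(parts)}:role=member#{authority}")
    return {"eduperson_entitlement": urns}


def encoded_payload_size(claims):
    """Bytes occupied by the base64url-encoded JWT payload segment for these claims."""
    body = json.dumps(claims, separators=(",", ":")).encode("utf-8")
    return len(b64url(body))


def fits_in_header(claims, budget=HEADER_LIMIT):
    """True if the encoded payload alone stays within the header budget."""
    return encoded_payload_size(claims) <= budget


def max_groups_within_budget(make_claim, template="/experiment/subgroup{}", budget=HEADER_LIMIT):
    """Largest n such that a token carrying n constructed groups still fits the budget."""
    n = 0
    while fits_in_header(make_claim([template.format(i) for i in range(n + 1)]), budget):
        n += 1
    return n


if __name__ == "__main__":
    print("wlcg.groups bytes:", encoded_payload_size(wlcg_groups_claim(SAMPLE_GROUPS)))
    print("AARC entitlement bytes:", encoded_payload_size(aarc_entitlement_claim(SAMPLE_GROUPS)))
    print("max groups (WLCG):", max_groups_within_budget(wlcg_groups_claim))
    print("max groups (AARC):", max_groups_within_budget(aarc_entitlement_claim))
```

The payload size here excludes the JOSE header and signature segments, so the real budget available for group claims is smaller still.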

maarten-litmaath commented 6 months ago

For the record, the Grand Unified Token Profile WG has been set up to try and address these concerns.

hshort commented 1 week ago

Btw, at the latest AEGIS call there was some discussion that the token inflation problem has been seen in the wild and more effort is needed to find a slimline version for group expression.