| ID | Title | Summary | Links | Status |
|---|
| AARC- |
JRA1.4AGuidelines on expressing group membership and role information | Information about the groups a user is a member of is commonly used by SPs to authorise user access to protected resources. Apart from the group information that is managed by the user’s home IdP, research communities usually operate their own group managing services. Such services often act as Attribute Authorities, maintaining additional information about the users, including VO membership, group membership within VOs, as well as user roles. It is therefore necessary that all involved SPs and IdPs/AAs can interpret this information in a uniform way. Specifically, the following challenges are addressed by this document: - Standardising the way group membership information is expressed, both syntactically and semantically
- Indicating the entity that is authoritative for each piece of group membership information
- Expressing VO membership and role information
- Supporting group hierarchies in group membership information
| AARC-JRA1.4A (201701710) [PDF] Older versions AARC-JRA1.4A (1.0) [PDF] | AARC-JRA1.4B | Guidelines on attribute aggregation | PDF | AARC-JRA1.4C | Guidelines on token translation services | PDF | AARC-JRA1.4D | Guidelines on credential delegation | PDF | AARC-JRA1.4E | Best practices for managing authorisation | PDF | AARC-JRA1.4F | Guidelines on non-browser access | PDF | AARC-JRA1.4G | Guidelines for implementing SAML authentication proxies for social media identity providers | PDF | AARC-JRA1.4H | Account linking and LoA elevation use cases and common practices for international research collaboration | PDF | AARC-JRA1.4I | Best practices and recommendations for attribute translation from federated authentication to X.509 credentials | PDF | AARC2-JRA1.1A | Guidelines for interoperable exchange of user and community information between AAIs | AARC2-JRA1.1B | Guidelines for the discovery of authoritative attribute providers across different operational domains | AARC2-JRA1.1C | Guidelines for handling user registration and user consent for releasing attributes across different operational domains | AARC2-JRA1.1D | Guidelines for federated access to non-web services across different operational domains | AARC2-JRA1.2A | Guidelines for scalable and consistent authorisation across multi-SP environments | Wiki | AARC2-JRA1.2B | Requirements and guidelines for SPs using alternative mechanisms and protocols for federated access → OIDC Based Services in research
| Wiki | AARC2-JRA1.2C | Step-up authentication requirements and guidelines for SPs | Wiki | AARC2-JRA1.3A | Guidelines for account linking & LoA elevation in cross-sector AAIs | Wiki | AARC2-JRA1.3B | Guidelines for registering OIDC Relying Parties in AAIs for international research collaboration | Wiki| G052 | OAuth 2.0 Proxied Token Introspection | This specification extends the OAuth 2.0 Token Introspection (RFC7662) method to allow conveying meta-information about a token from an Authorization Server (AS) to the protected resource even when there is no direct trust relationship between the protected resource and the token issuer. The method defined in this specification, termed "proxied" token introspection, requires access tokens to be presented in JWT format containing the iss claim for identifying the issuer of the token. Proxied token introspection assumes that the AS which is trusted by the protected resource has established a trust relationship with the AS which has issued the token that needs to be validated. | Google doc | | Status |
|---|
| colour | Yellow |
|---|
| title | FINAL CALL |
|---|
|
|
| AARC-G056 | AARC profile for expressing community identity attributes | This document defines a profile for expressing the attributes of a researcher’s digital identity. The profile contains a common list of attributes and definitions based on existing standards and best practises in research & education. The attributes include identifiers, profile information, and community attributes such as group membership and role information. | Google doc | | Status |
|---|
| colour | Yellow |
|---|
| title | FINAL CALL |
|---|
|
|
| AARC-I058 | Methods for establishing trust between OAuth 2.0 Authorization Servers | This document explores different approaches for establishing trust among entities such as OAuth 2.0 Authorization Servers (AS) and Resource Servers (RS) residing in distinct domains. These interactions are facilitated through trusted third parties referred to as Trust Anchors, which are entities issuing authoritative statements about entities that participate in an identity federation. | Google doc | | Status |
|---|
| colour | Yellow |
|---|
| title | FINAL CALL |
|---|
|
|
| AARC-G073 | Guidelines for refreshing tokens between proxies | This document explores the refresh token flow in a scenario where client applications interact with resource servers through interconnected OpenID Providers (OIDC). Specifically, it focuses on the case where an AARC-compliant Infrastructure Proxy [AARC-G045] acts as an intermediary between the client and a Community AAI. To address challenges related to refresh token handling in this configuration, the document specifies a secure refresh token flow that leverages introspection to ensure the validity of refresh tokens before issuing new access tokens. The document describes the flows for both obtaining and using refresh tokens. | Google doc | |
AARC-G080
| AARC Blueprint Architecture 2025
| The AARC Blueprint Architecture (BPA) provides a set of building blocks for software architects and technical decision makers who are designing and implementing access management solutions for international research collaborations. This document describes the evolution of the AARC Blueprint Architecture, starting with a summary of the changes since AARC-BPA-2019. | Google doc (Initial Revision) | |
AARC-G081
| Recommendations for Token Lifetimes | This document provides an overview over various types of tokens, or more generally, about assertions used to identify and authorise users. We analyse the different properties of tokens and categorise available authorisation patterns to give recommendations about the life times of tokens associated with specific properties and authorisation levels. The document is between policy and architecture working group
| Google doc | |
