| ID | Title | Summary | Links | Status |
|---|
| AARC- |
JRA1.4AGuidelines on expressing group membership and role information | Information about the groups a user is a member of is commonly used by SPs to authorise user access to protected resources. Apart from the group information that is managed by the user’s home IdP, research communities usually operate their own group managing services. Such services often act as Attribute Authorities, maintaining additional information about the users, including VO membership, group membership within VOs, as well as user roles. It is therefore necessary that all involved SPs and IdPs/AAs can interpret this information in a uniform way. Specifically, the following challenges are addressed by this document: - Standardising the way group membership information is expressed, both syntactically and semantically
- Indicating the entity that is authoritative for each piece of group membership information
- Expressing VO membership and role information
- Supporting group hierarchies in group membership information
| AARC-JRA1.4A (201710) [PDF] Older versions AARC-JRA1.4A (1.0) [PDF] | AARC-JRA1.4B | Guidelines on attribute aggregation | PDF | AARC-JRA1.4C | Guidelines on token translation services | PDF | AARC-JRA1.4D | Guidelines on credential delegation | PDF | AARC-JRA1.4E | Best practices for managing authorisation | PDF | AARC-JRA1.4F | Guidelines on non-browser access | PDF | AARC-JRA1.4G | Guidelines for implementing SAML authentication proxies for social media identity providers | PDF | AARC-JRA1.4H | Account linking and LoA elevation use cases and common practices for international research collaboration | PDF | AARC-JRA1.4I | Best practices and recommendations for attribute translation from federated authentication to X.509 credentials | PDF | | AARC2-JRA1.1A | Guideline on the exchange of specific assurance information between Infrastructures | Increasingly Research Infrastructures and generic e-Infrastructures compose an 'effective' assurance profile derived from several sources. The assurance elements may come from an institutional identity provider (IdP), from community-provided information sources, from step-up authentication services, and from controls placed upon the user, the community, or the Infrastructure Proxy through either policy or technical enforcement. Knowledge about the upstream source of either identity or authenticator can also influence the risk perception of the Infrastructure and result in a modification of the assurance level, e.g. because it has involved a social identity provider or perhaps a government e-ID. The granularity of this composite assurance profile is attuned to the risk assessment specific to the Infrastructure or Infrastructures, and is often both more fine-grained and more specific than what can reasonably be expressed by generic IdPs or consumed by generic service providers. Yet it is desirable to exchange as complete as possible the assurance assertion obtained between Infrastructures, so that assurance elements need not be re-asserted or re-computed by a recipient Infrastructure or Infrastructure service provider. This document describes the assurance profiles that are recommended to be used by the e-Infrastructures and research infrastructures AAI platforms to exchange user authentication information between infrastructures. | Wiki |
| G052 | OAuth 2.0 Proxied Token Introspection | This specification extends the OAuth 2.0 Token Introspection (RFC7662) method to allow conveying meta-information about a token from an Authorization Server (AS) to the protected resource even when there is no direct trust relationship between the protected resource and the token issuer. The method defined in this specification, termed "proxied" token introspection, requires access tokens to be presented in JWT format containing the iss claim for identifying the issuer of the token. Proxied token introspection assumes that the AS which is trusted by the protected resource has established a trust relationship with the AS which has issued the token that needs to be validated. | Google doc | | Status |
|---|
| colour | Yellow |
|---|
| title | FINAL CALL |
|---|
|
|
| AARC-G056 | AARC profile for expressing community identity attributes | This document defines a profile for expressing the attributes of a researcher’s digital identity. The profile contains a common list of attributes and definitions based on existing standards and best practises in research & education. The attributes include identifiers, profile information, and community attributes such as group membership and role information. | Google doc | | Status |
|---|
| colour | Yellow |
|---|
| title | FINAL CALL |
|---|
|
|
| AARC-I058 | Methods for establishing trust between OAuth 2.0 Authorization Servers | This document explores different approaches for establishing trust among entities such as OAuth 2.0 Authorization Servers (AS) and Resource Servers (RS) residing in distinct domains. These interactions are facilitated through trusted third parties referred to as Trust Anchors, which are entities issuing authoritative statements about entities that participate in an identity federation. | Google doc | | Status |
|---|
| colour | Yellow |
|---|
| title | FINAL CALL |
|---|
|
|
| AARC-G073 | Guidelines for refreshing tokens between proxies | This document explores the refresh token flow in a scenario where client applications interact with resource servers through interconnected OpenID Providers (OIDC). Specifically, it focuses on the case where an AARC-compliant Infrastructure Proxy [AARC-G045] acts as an intermediary between the client and a Community AAI. To address challenges related to refresh token handling in this configuration, the document specifies a secure refresh token flow that leverages introspection to ensure the validity of refresh tokens before issuing new access tokens. The document describes the flows for both obtaining and using refresh tokens. | Google doc | |
AARC-G080
| AARC Blueprint Architecture 2025
| The AARC Blueprint Architecture (BPA) provides a set of building blocks for software architects and technical decision makers who are designing and implementing access management solutions for international research collaborations. This document describes the evolution of the AARC Blueprint Architecture, starting with a summary of the changes since AARC-BPA-2019. | Google doc (Initial Revision) | |
AARC-G081
| Recommendations for Token Lifetimes | This document provides an overview over various types of tokens, or more generally, about assertions used to identify and authorise users. We analyse the different properties of tokens and categorise available authorisation patterns to give recommendations about the life times of tokens associated with specific properties and authorisation levels. The document is between policy and architecture working group
| Google doc | |
