Versions Compared

Old Version 6

changes.mady.by.user Nicolas Liampotis

Saved on

compared with

New Version 7

changes.mady.by.user Nicolas Liampotis

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: Added list of known issues and workaround for OAuth2 token validation

...

  • Alignment of user attributes: The attributes used to express user information should follow the REFEDS R&S attribute bundle, as defined in [REFEDS-R&S]
  • Alignment of VO/group membership and role information: VO/group membership and role information, which is typically used by relying parties for authorisation purposes, should be expressed according to [AARC-G002]
  • Alignment of resource capabilities information: Capabilities, which define the resources or child-resources a user is allowed to access, should be expressed according to [AARC-G027]
  • Alignment of affiliation information: Affiliation information, including (i) the user’s affiliation within their Home Organisation, such as a university, research institution or private company, and (ii) affiliation within the Community, such as cross-organisation collaborations, should be expressed according to [AARC-G025]
  • Alignment of assurance information: Assurance information used to express how much relying partins can trust the attribute assertions about the authenticating user should follow:
    • REFEDS Assurance framework (RAF) [RAF-version-1.0]
    • Guideline on the exchange of specific assurance information [AARC-G021]
    • Guideline for evaluating the combined assurance of linked identities [AARC-G031]
    • Guideline Expression of REFEDS RAF assurance components for identities derived from social media accounts [AARC-GO41]
    • Guidelines for expressing the freshness of affiliation information, as defined in [AARC-G025]
  • Oauth2 token validation across multiple domains: OAuth2 Authorisation servers Servers (AS) should be able to validate tokens issued by other trusted Authorisaton serversAS. Extending existing flows, such as the OAuth2 Token Exchange flow [OAuth2-Token-Exchange-draft], will need to be considered are being investigated for enabling the validation of such externally issued tokens. 
    • Workaround: Services need to connect to all AS that issue tokens, instead of relying on a single proxy/AS. However, this integration should only be considered a short-term solution, given that connecting all end-services with all proxies/AS cannot scale.

The table below lists the identified technical alignment activities and their status. A green checkmark indicates a complete activity, otherwise the expected time of implementation is provided.

ActivityB2ACCESSCheck-ineduTEAMSINDIGO-IAM
Alignment of user attributesM21
Alignment of VO/group membership and role informationM21
Alignment of resource capabilities informationM18M18M21
Alignment of affiliation informationM21M21M21M21
Alignment of assurance information (including freshness of affiliation information)PY3PY3PY3PY3
Oauth2 token validation across multiple domains (multi-proxy connection workaround)
Oauth2 token validation across multiple domains (initial proof-of-concept implementation)M24M21M21M24
Oauth2 token validation across multiple domainsPY3PY3PY3PY3

...

ActivityB2ACCESSCheck-ineduTEAMSINDIGO-IAM
Alignment of privacy statementsM18M21
Alignment of operational security and incident response policies
Alignment of Acceptable Use Policies (AUPs)M21M21M21

...

This section presents the integration roadmap of the EOSC-hub AAI services. The status of each of the required integrations or the expected time of implementation is described in the table below. Integrations which have already been established are marked with a check mark. Note that where integration is not considered complete, an amber checkmark is used to indicate the status. The currently identified integration gaps are included in the known issues list.


EUDATEGIGEANTINDIGO-IAM
B2ACCESS


Check-in

eduTEAMSM18M18
PY3
INDIGO-IAMPY3PY3PY3

Known issues

  • Multiple user registrations: Users are asked to register with different AAI services as they access services behind different infrastructure proxies. The identified technical (e.g. alignment of user attributes) and policy (e.g. alignment of AUPs) harmonisation activities will enable seamless access across different domains .
  • Multiple IdP discovery steps: The EOSC-hub AAI is based on the AARC BPA “community-first” approach, whereby users often need to go through multiple IdP discovery steps: (a) to select their Community AAI and (b) to select their Home Organisation. During this process, users don’t need to re-enter their login credentials as long as their Single Sign-On session is active, however the IdP selection can be frustrating in some cases. The discovery process needs to be simplified by either narrowing down the number of possible IdPs to choose from or by making the actual selection process fully transparent (see also “IdP hinting” protocol proposed in AARC-G049).
  • OAuth2 token validation: Existing implementations of OAuth2 Authorisation Servers do not support the validation of tokens issued by a different Authorisation server. As a consequence, a token cannot be used across services connected to different proxies/OAuth2 Authorisation Servers. One workaround is to connect a given service to the different Authorisation Servers that issue tokens, instead of relying on a single proxy. As a long-term solution, we’re investigating the extension of the OAuth2 Token Exchange flow for allowing OAuth2 Authorisation Servers to handle tokens issued by other trusted Authorisation Servers (see also technical activity "Oauth2 token validation across multiple domains").