Need for community or namespace like information in tokens

[msalle]

All 3 profiles need information about the community/VO/etc. inside the token.
For WLCG so far the issuer more or less corresponded with the VO.
Does SciTokens also need a VO/accounting group.

Which features do we need to add:

• add extra claim to convey namespace or VO? Should the (scoped) values be combined in a JSON substructure ?
• should we restrict to only 1 VO/accounting group/… per token? Also if we decide to go for a namespace?

[deesto]

This issue as raised is somewhat dense, and might be easier to parse with added examples of what a namespace might look like, even if completely fabricated at this point. It may also cross realms with the concepts of "audience" and "scope" at some level. But I would be for it: I don't see how it could hurt, and I think it might explicitly make tokens easier to parse per VO or group.

[jbasney]

If we need a JSON substructure, we could look at https://www.rfc-editor.org/rfc/rfc9396.html#name-enriched-authorization-deta (OAuth 2.0 Rich Authorization Requests).

[DrDaveD]

The WLCG common JWT profile has a wlcg.groups claim requested through scopes which allows multiple levels of groupings. That approach works well for the purpose of having "subVOs" as are used for example in the "fermilab" token issuer while still allowing other subgoups within them.

[hestem]

Google doc to document proposal: https://docs.google.com/document/d/1TUxmaHVWJqHdVgQ3aBlfZ58jMW7ghyut6xLSHqJ1FLA/edit