The EOSC-hub project has ended. This space is READ ONLY


This page describes the future plans for the EOSC-hub AAI. These include alignment activities across the EOSC-hub AAI services which can be classified into technical and policy-related activities.

Technical alignment activities

The following technical alignment activities have been identified:

  • Alignment of user attributes: The attributes used to express user information should follow the REFEDS R&S attribute bundle, as defined in [REFEDS-R&S]
  • Alignment of VO/group membership and role information: VO/group membership and role information, which is typically used by relying parties for authorisation purposes, should be expressed according to [AARC-G002]
  • Alignment of resource capabilities information: Capabilities, which define the resources or child-resources a user is allowed to access, should be expressed according to [AARC-G027]
  • Alignment of affiliation information: Affiliation information, including (i) the user’s affiliation within their Home Organisation, such as a university, research institution or private company, and (ii) affiliation within the Community, such as cross-organisation collaborations, should be expressed according to [AARC-G025]
  • Alignment of assurance information: Assurance information used to express how much relying parties can trust the attribute assertions about the authenticating user should follow:
    • REFEDS Assurance framework (RAF) [RAF-version-1.0]
    • Guideline on the exchange of specific assurance information [AARC-G021]
    • Guideline for evaluating the combined assurance of linked identities [AARC-G031]
    • Guideline on the expression of REFEDS RAF assurance components for identities derived from social media accounts [AARC-G041]
    • Guidelines for expressing the freshness of affiliation information, as defined in [AARC-G025]
  • OAuth2 token validation across multiple domains: OAuth2 Authorisation servers should be able to validate tokens issued by other trusted Authorisation servers. Extending existing flows, such as the OAuth2 Token Exchange flow [OAuth2-Token-Exchange-draft], will need to be considered for enabling the validation of such externally issued tokens.

The table below lists the identified technical alignment activities and their status. A green checkmark indicates a complete activity; otherwise, the expected time of implementation is provided.

Activity | B2ACCESS | Check-in | eduTEAMS | INDIGO-IAM
Alignment of user attributes | M21 (one service only; column not preserved)
Alignment of VO/group membership and role information | M21 (one service only; column not preserved)
Alignment of resource capabilities information | M18, M18, M21 (three services; columns not preserved)
Alignment of affiliation information | M21 | M21 | M21 | M21
Alignment of assurance information (including freshness of affiliation information) | PY3 | PY3 | PY3 | PY3
OAuth2 token validation across multiple domains (proof-of-concept implementation) | M24 | M21 | M21 | M24
OAuth2 token validation across multiple domains | PY3 | PY3 | PY3 | PY3

