Although not explicitly stated (see #28), an issuer will only issue tokens to a single VO.
Therefore, it seems logical (at least, to me) that a service might be able to deduce the VO membership of the agent (person or software) bearing the token, using only information from the iss claim. This would be true even if the token contains no information on group membership: the service may still identify the corresponding VO even if the wlcg.groups claim is either missing or empty.
In that sense, the iss claim identifies the VO.
If this approach seems reasonable, the document should be updated to make it clear that a service MAY (RFC 2119) identify the VO from the issuer (iss) claim.
If this approach is not reasonable, then the document should be updated to make it clear that a service MUST NOT (RFC 2119) identify the VO from the issuer (iss) claim.
Note: This issue is very specifically only about identifying the VO. If identifying the VO from the iss claim is acceptable, this issue deliberately makes no comment on how the service might use that VO-membership information.