Subgroup membership implies group membership

[jjensenral]

This issue applies to

1. attribute authorities (AAs) - how group membership is communicated for users who are members of subgroups of groups - and
2. relying parties (RPs) - how the same group information is parsed.

For a user who is member of a subgroup of a group, the implication is that they are also member of the parent group. Thus, it should not be necessary to assert

{
  "groups":["urn:example:foo:group:snap","urn:example:foo:group:snap:yup","urn:example:foo:group:snap:yup:flap"]
}

Instead, the statement

{
  "groups":"urn:example:foo:group:snap:yup:flap"
}

asserts the same information. The implication is that implementations MUST NOT use full string comparison alone to check whether the user is a member of snap (additionally, this example makes use of the rule that allows a list of one element to be replaced with that element)

The corollary is that RPs MUST do a prefix string match. E.g. in C,

#include <stdio.h>
#include <string.h>
int main()
{
    char const *authorised_group = "urn:group:foo", *user_group = "urn:group:foo:bar";
    if(strncmp(authorised_group, user_group, strlen(authorised_group))==0)
        printf("user is authorised\n");
    return 0;
}

or in python 3.11,

authorised_group="urn:group:foo"
user_group="urn:group:foo:baz"
if user_group.startswith(authorised_group):
    print("user is authorised\n")

In contrast, we would not suggest requiring regexp matching, as the configuration then becomes more complicated.

See also #10 and #24

[NicolasLiampotis]

See also https://github.com/WLCG-AuthZ-WG/common-jwt-profile/blob/master/profile.md#group-based-authorization-wlcggroups