| ID | Title | Summary | Links | Status |
|---|
| AARC-G052 | OAuth 2.0 Proxied Token Introspection | This specification extends the OAuth 2.0 Token Introspection (RFC7662) method to allow conveying meta-information about a token from an Authorization Server (AS) to the protected resource even when there is no direct trust relationship between the protected resource and the token issuer. The method defined in this specification, termed "proxied" token introspection, requires access tokens to be presented in JWT format containing the iss claim for identifying the issuer of the token. Proxied token introspection assumes that the AS which is trusted by the protected resource has established a trust relationship with the AS which has issued the token that needs to be validated. | Google doc | | Status |
|---|
| colour | Yellow |
|---|
| title | FINAL CALL |
|---|
|
|
| AARC-G056 | AARC profile for expressing community identity attributes | This document defines a profile for expressing the attributes of a researcher’s digital identity. The profile contains a common list of attributes and definitions based on existing standards and best practises in research & education. The attributes include identifiers, profile information, and community attributes such as group membership and role information. | Google doc | | Status |
|---|
| colour | GreenYellow |
|---|
| title | IN PROGRESSFINAL CALL |
|---|
|
|
| AARC-I058 | Methods for establishing trust between OAuth 2.0 Authorization Servers | This document explores different approaches for establishing trust among entities such as OAuth 2.0 Authorization Servers (AS) and Resource Servers (RS) residing in distinct domains. These interactions are facilitated through trusted third parties referred to as Trust Anchors, which are entities issuing authoritative statements about entities that participate in an identity federation. | Google doc | | Status |
|---|
| colour | Green |
|---|
| title | IN PROGRESS |
|---|
|
| OAuth 2.0 Proxied Token Introspection | This specification extends the OAuth 2.0 Token Introspection (RFC7662) method to allow conveying meta-information about a token from an Authorization Server (AS) to the protected resource even when there is no direct trust relationship between the protected resource and the token issuer. The method defined in this specification, termed "proxied" token introspection, requires access tokens to be presented in JWT format containing the iss claim for identifying the issuer of the token. Proxied token introspection assumes that the AS which is trusted by the protected resource has established a trust relationship with the AS which has issued the token that needs to be validated. | Google doc | | Status |
|---|
| colour | Yellow |
|---|
| title | FINAL CALL |
|---|
|
|
| N/AAARC-G073 | Guidelines for refreshing tokens between proxies | This document explores the refresh token flow in a scenario where client applications interact with resource servers through interconnected OpenID Providers (OIDC). Specifically, it focuses on the case where an AARC-compliant Infrastructure Proxy [AARC-G045] acts as an intermediary between the client and a Community AAI. To address challenges related to refresh token handling in this configuration, the document specifies a secure refresh token flow that leverages introspection to ensure the validity of refresh tokens before issuing new access tokens. The document describes the flows for both obtaining and using refresh tokens. | Google doc | |
AARC-G080
| AARC Blueprint Architecture 2025
| The AARC Blueprint Architecture (BPA) provides a set of building blocks for software architects and technical decision makers who are designing and implementing access management solutions for international research collaborations. This document describes the evolution of the AARC Blueprint Architecture, starting with a summary of the changes since AARC-BPA-2019. | Google doc (Initial Revision) | |
AARC-G081
| Recommendations for Token Lifetimes | This document provides an overview over various types of tokens, or more generally, about assertions used to identify and authorise users. We analyse the different properties of tokens and categorise available authorisation patterns to give recommendations about the life times of tokens associated with specific properties and authorisation levels. The document is between policy and architecture working group
| Google doc | |
