The AARC (Authentication and Authorization for Research Collaboration) \[1\] framework defines requirements and best practices for configuring OIDC relying parties. OpenProject is lacking some of the required features:

* Requesting additional custom claims
* Authorization and mapping through OIDC claims
* Begin of the insertionLogical operations on claims
* End of the insertion Association of OIDC group identifiers to OpenProject groups
* Begin of the insertionExtending / GeneralizingEnd of the insertion UI for configuring OIDC Begin of the insertion

End of the insertion Begin of the deletion



End of the deletion ## Begin of the insertionRequesting additional custom claims

The default OpenID Connect configuration does not allow for requesting/requiring additional claims through the UI.

##End of the insertion Extended authorization through OIDC claims

Currently, OpenProject OIDC integration provides only Begin of the insertionbasic authorizationEnd of the insertion Begin of the deletion authenticationEnd of the deletion of users based on Begin of the insertionclaims, effectively rejecting the authentication based on presence or absence of certain claim values.End of the insertion Begin of the deletion claims.End of the deletion It is not possible to define roles, group or project memberships through existence of Begin of the insertionclaims.End of the insertion Begin of the deletion claimsEnd of the deletion

Open question: Begin of the insertionIs it sufficientEnd of the insertion Begin of the deletion How would associationsEnd of the deletion to Begin of the insertionrestrict authorization to the memberships of groups,End of the insertion Begin of the deletion resources other than groups be performed,End of the deletion as Begin of the insertionthrough that follows the authorization on global roles and project memberships.

## Logical operations on claims

The authorization result should allow logical operations on the existance or presence of claim values. For example, authorize the user ifEnd of the insertion a Begin of the deletion mapping fromEnd of the deletion claim Begin of the insertioncontainsEnd of the insertion values Begin of the insertionA (AND) B, A (OR) B, or A (AND NOT) B. 

Open question: What is an example of such a combinationEnd of the insertion to Begin of the insertionderive a membership?End of the insertion Begin of the deletion roles/projects would be necessary.End of the deletion

## Association of OIDC group identifiers to OpenProject groups

Similar to the LDAP group synchronization, internal OpenProject groups need to be associated with a respective OIDC counterpart through a unique identifier, e.g., a URN.

This allows the OpenProject group to be arbitrarily (re)named without losing the connection to the OIDC claim. Begin of the insertion

End of the insertion Begin of the deletion



End of the deletion ## Begin of the insertionExtending / Generalizing UI for configuring OIDC

An admin interface exists for creating or managing common OIDC identity providers such as Azure, Google, etc. They are however not configurable or generalizable for other OIDC integrations. This UI needs to be extended to be able to properly specify and encode logic operations on claims.

##End of the insertion Distinction from OIDC + LDAP group synchronization

Currently, OpenProject supports authentication through OIDC in combination with an LDAPv3-compatible directory service to derive groups and their memberships.
This has the advantage of immediately adding users to the respective authorized groups when the synchronization is performed. In contrast to SSO-based authorization, where users are only synchronized upon retreiving their claims during a login phase.

How will this lifecycle be implemented for AARC? Begin of the insertion

End of the insertion Begin of the deletion



End of the deletion \[1\] [https://aarc-project.eu/](https://aarc-project.eu/)