Michael Shapiro reminds me that in the X.509 grid-mapfile world, we have some filters in place to meet IGTF policies. Specifically:
- There are no "Community User" mappings created by default.
- Only mappings for "vetted" users on active allocations are included.
These filters are in place because IGTF does not allow us to issue user certificates to non-persons like "Community Users" and does not allow us to issue certificates to unvetted users.
I think in the OAuth world, we can free ourselves from these constraints, and we should deliver a tool that includes all the username mappings for the resource. Let the resource provider decide when to disable accounts when allocations end, and let the OAuth tokens specify the level of identity vetting via standard OAuth methods like authentication context reference (acr).
The design document needs to be more explicit on this topic.