REFEDS has defined a standard set of attributes that works for both SAML and OIDC: voPerson.
The voPersonID attribute identifies the person. In OIDC it is represented by the voperson_id claim.
Using voPersonID has the advantage that it is independent of the authentication scheme: voPersonID is defined for both SAML and OIDC.
Currently, teapot uses the sub claim. While this works, there is no guarantee of how (or whether) the OIDC sub claim is represented in SAML.
Note: EGI CheckIn uses the same value for the sub claim and the voperson_id claim. While this makes sense, there is no guarantee that all OPs will do this.
Note: EGI CheckIn releases the voperson_id claim only if either the aarc scope or the voperson_id scope is requested.
Here is an example JWT payload from EGI CheckIn (demo):

```json
{
  "exp": 1752011947,
  "iat": 1752008347,
  "auth_time": 1752008346,
  "jti": "a66b3ce1-52fd-45e5-95fa-ccf4bbea2c8e",
  "iss": "https://aai-demo.egi.eu/auth/realms/egi",
  "sub": "c3793c231e305fbed59d820dbe472f1edaa7d9fd358f5d62f74de9d2b5f71f28@egi.eu",
  "typ": "Bearer",
  "azp": "oidc-agent",
  "session_state": "481aa3c9-c527-4073-a5c4-e3132449b35c",
  "scope": "openid offline_access aarc",
  "sid": "481aa3c9-c527-4073-a5c4-e3132449b35c",
  "voperson_id": "c3793c231e305fbed59d820dbe472f1edaa7d9fd358f5d62f74de9d2b5f71f28@egi.eu",
  "eduperson_assurance": [
    "https://refeds.org/assurance",
    "https://refeds.org/assurance/ATP/ePA-1m",
    "https://refeds.org/assurance/ID/unique",
    "https://refeds.org/assurance/ID/eppn-unique-reassign-1y",
    "https://refeds.org/assurance/IAP/low",
    "https://refeds.org/assurance/IAP/medium",
    "https://refeds.org/assurance/profile/cappuccino"
  ]
}
```
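To make the proposed claim selection concrete, here is an added example (not teapot's code and not from EGI CheckIn) of the relying-party side: it prefers `voperson_id`, falls back to `sub` only when the OP did not release `voperson_id`, refuses tokens from an unexpected issuer or past `exp`, and flags the case where `sub` and `voperson_id` differ (which the issue notes is possible at OPs other than EGI CheckIn). The claims dict, the expected issuer value and the placeholder signature are constructed fixtures modelled on the payload above; the decoder deliberately does not verify signatures, which a real deployment must do against the OP's JWKS before trusting any claim.

```python
import base64
import json
import logging
import time
from typing import Optional

log = logging.getLogger(__name__)

# Constructed sample claims, modelled on the EGI Check-in demo payload shown
# above. Nothing here is signed with a real key.
SAMPLE_CLAIMS = {
    "exp": 1752011947,
    "iat": 1752008347,
    "iss": "https://aai-demo.egi.eu/auth/realms/egi",
    "sub": "c3793c231e305fbed59d820dbe472f1edaa7d9fd358f5d62f74de9d2b5f71f28@egi.eu",
    "scope": "openid offline_access aarc",
    "voperson_id": "c3793c231e305fbed59d820dbe472f1edaa7d9fd358f5d62f74de9d2b5f71f28@egi.eu",
}

# Assumed: the issuer the relying party was registered with.
EXPECTED_ISSUER = "https://aai-demo.egi.eu/auth/realms/egi"

# Scopes under which EGI Check-in releases voperson_id (per the issue text).
VOPERSON_SCOPES = {"aarc", "voperson_id"}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def build_unsigned_jwt(claims: dict) -> str:
    """Assemble a compact JWS with a placeholder signature (test fixture only)."""
    header = _b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    return f"{header}.{payload}.placeholder-signature"


def decode_payload(token: str) -> dict:
    """Decode the payload segment of a compact JWS.

    This does NOT verify the signature. A relying party must verify the JWS
    against the OP's published JWKS before acting on any of these claims.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    payload = parts[1]
    payload += "=" * (-len(payload) % 4)  # restore base64 padding
    return json.loads(base64.urlsafe_b64decode(payload))


def user_identifier(claims: dict, expected_iss: str = EXPECTED_ISSUER,
                    now: Optional[int] = None) -> str:
    """Pick the identifier the service should key the user on.

    Prefers voperson_id (defined for both SAML and OIDC) and falls back to
    sub only when the OP did not release voperson_id. Tokens from another
    issuer or past exp are refused rather than falling back.
    """
    if claims.get("iss") != expected_iss:
        raise ValueError(f"unexpected issuer {claims.get('iss')!r}")
    now = int(time.time()) if now is None else now
    if now >= int(claims.get("exp", 0)):
        raise ValueError("token expired")

    voperson_id = claims.get("voperson_id")
    if voperson_id:
        return voperson_id

    scopes = set(claims.get("scope", "").split())
    if scopes & VOPERSON_SCOPES:
        # Scope granted but claim missing: log it, because silently keying on
        # sub here can give the same person different identities across
        # SAML and OIDC logins at the same OP.
        log.warning("voPerson scope granted but voperson_id claim absent; using sub")
    sub = claims.get("sub")
    if not sub:
        raise ValueError("token carries neither voperson_id nor sub")
    return sub


def identifiers_agree(claims: dict) -> bool:
    """True when voperson_id and sub are identical (as EGI Check-in does today).

    Neither OIDC nor voPerson guarantees this; a service that already stores
    users by sub can use it to detect accounts that need migrating.
    """
    return claims.get("voperson_id") == claims.get("sub")
```

The `now` parameter exists so the expiry check is testable with the fixed `exp` in the sample; in production leave it unset. Keying on `voperson_id` first means an existing `sub`-based user table needs a one-off migration where `identifiers_agree` is false.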