Beyond X.509: token-based authentication and authorization for HEP

X.509 certificates and VOMS have proved to be a secure and reliable solution for authentication and authorization on the Grid, but also showed usability issues and required the development of ad-hoc services and libraries to support VO-based authorization schemes in Grid middleware and experiment co...


Bibliographic Details
Main Authors: Ceccanti Andrea, Vianello Enrico, Caberletti Marco, Giacomini Francesco
Format: Article
Language: English
Published: EDP Sciences 2019-01-01
Series: EPJ Web of Conferences
Online Access: https://www.epj-conferences.org/articles/epjconf/pdf/2019/19/epjconf_chep2018_09002.pdf
Description: X.509 certificates and VOMS have proved to be a secure and reliable solution for authentication and authorization on the Grid, but also showed usability issues and required the development of ad-hoc services and libraries to support VO-based authorization schemes in Grid middleware and experiment computing frameworks. The need to move beyond X.509 certificates is recognized as an important objective in the HEP R&D roadmap for software and computing, to overcome the usability issues of the current AAI and embrace recent advancement in web technologies widely adopted in industry, but also to enable the secure composition of computing and storage resources provisioned across heterogeneous providers in order to meet the computing needs of HL-LHC. A flexible and usable AAI based on modern web technologies is a key enabler of such secure composition and has been a major topic of research of the recently concluded INDIGO-DataCloud project. In this contribution, we present an integrated solution, based on the INDIGO-DataCloud Identity and Access Management service that demonstrates how a next generation, token-based VO-aware AAI can be built in support of HEP computing use cases, while maintaining compatibility with the existing, VOMS-based AAI used by the Grid.
Institution: Directory Open Access Journal
ISSN: 2100-014X
Volume: 214
Article number: 09002
DOI: 10.1051/epjconf/201921409002