WLCG JWT profile - group OR scope authorization

• brief discussion related to the long email thread "Tokens with groups and explicit AuthZ statements" in project-lcg-authz mailing list
• the whole email thread covers an edge case that most VOs should never face - combining scopes with wlcg.groups in one token
  • people seems not to be very concerned that e.g. dCache doesn't implement what's required by WLCG JWT profile
  • LHC experiments plans to avoid tokens that combine scopes and wlcg.groups
• we could easily survive even if current "OR" is replaced with "implementation specific behavior"