Hi,


I had a look at the discussion about the personal discovery service within UMA. In fact we have a similar challenge in the IDoT discussion group.


We are about to describe a “smart” discovery service that can find objects by using relationships and context.

The problem is: if someone asks the right questions he can gain a lot of personal or critical information. So we need a kind of authorization mechanism that controls “who is entitled to see/find which devices”.


Ingo


From: wg-uma-bounces@kantarainitiative.org [mailto:wg-uma-bounces@kantarainitiative.org] On Behalf Of Justin Richer
Sent: Thursday, 16 April 2015 05:42
To: George Fletcher
Cc: wg-uma@kantarainitiative.org UMA
Subject: Re: [WG-UMA] Personal Discovery Service


I like that response for webfinger, but I think it’s going to be something that UMA in general is going to have to deal with. UMA makes a lot of assumptions about how the API is set up, including that the initial call with no access token always returns an error. I think we can do better than that.


Another bullet for UMA 2.0. :)


(I’m trying to compile a list.)


 — Justin


On Apr 14, 2015, at 9:34 AM, George Fletcher <george.fletcher@teamaol.com> wrote:


Great thought, Justin. You're right that it's difficult to return public data and a pointer to how to get more data. However, in the unauthenticated webfinger case, you could return a link relation to the user's AS as this is pretty much public anyway and possibly a property that indicates that the discovery service is UMA protected.

Thanks,
George

On 4/14/15 10:01 AM, Justin Richer wrote:

I almost really like this. The one thing that I’d want out of a flow like this is public discovery information returned from the unauthenticated webfinger call in addition to the pointer to the AS. That way if a client is able to act on the public information it doesn’t need to go through the authorization steps, but if it needs more access then it can step up.


This is a common enough API pattern and it’s something that I think UMA doesn’t do very well at, currently.


 — Justin


On Apr 13, 2015, at 1:18 PM, George Fletcher <george.fletcher@teamaol.com> wrote:


So I have a sequence diagram for combining webfinger and UMA. I'll embed and attach the image to this email and I can share the web sequence diagram text if anyone is interested. I'd really appreciate it if someone could validate this flow and make sure I didn't miss anything obvious. It doesn't cover every possible case of UMA but it should cover the default/normal flow.

That said, there are still lots of things to consider such as should there be a relation based taxonomy within a vertical to make discovering different kinds of endpoints easier? How to represent a discoverable endpoint as a resource set? If the UMA AS and Discovery endpoint are the same server, should there be a way for the discovery flow to return an RPT to simplify things for callers?

<webfinger+uma.png>

Thanks,
George

-- 
Chief Architect                   AIM:  gffletch
Identity Services Engineering     Work: george.fletcher@teamaol.com
AOL Inc.                          Home: gffletch@aol.com
Mobile: +1-703-462-3494           Blog: http://practicalid.blogspot.com
Office: +1-703-265-2544           Twitter: http://twitter.com/gffletch

<webfinger+uma.png>




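The step-up pattern George and Justin discuss above (an unauthenticated webfinger call that returns public data plus a pointer to the user's AS and a "UMA protected" marker, with protected data only after the client obtains an RPT) sketched as an added Python example; this is not code from the thread or from any UMA implementation, and the link relation names, property name, URLs and token value are constructed assumptions.

```python
# Constructed sample data (assumptions, not from the thread): one user's discovery records.
SUBJECT = "acct:alice@example.com"
AS_URI = "https://as.example.com"                       # Alice's UMA authorization server
UMA_AS_REL = "http://example.com/rel/uma-as"            # assumed link relation pointing at the AS
PROTECTED_PROP = "http://example.com/ns/uma-protected"  # assumed property: more data behind UMA
PUBLIC_LINKS = [{"rel": "http://openid.net/specs/connect/1.0/issuer", "href": "https://idp.example.com"}]
PROTECTED_LINKS = [{"rel": "http://example.com/rel/thermostat", "href": "https://home.example.com/t1"}]
VALID_RPT = "rpt-constructed-token"                     # stands in for an RPT issued by the AS

def webfinger(resource, authorization=None):
    """Discovery endpoint. Returns (status, headers, jrd). Public data is always returned;
    protected links require a valid RPT, otherwise a UMA challenge names the AS."""
    if resource != SUBJECT:
        return 404, {}, None
    as_link = [{"rel": UMA_AS_REL, "href": AS_URI}]
    if authorization is None:
        # Unauthenticated call: public data plus the AS pointer, instead of a bare error.
        return 200, {}, {"subject": SUBJECT, "properties": {PROTECTED_PROP: "true"},
                         "links": as_link + PUBLIC_LINKS}
    token = authorization.removeprefix("Bearer ").strip()
    if token != VALID_RPT:
        # UMA 1.0 style challenge telling the client where to obtain an RPT.
        return 401, {"WWW-Authenticate": f'UMA realm="discovery", as_uri="{AS_URI}"'}, None
    return 200, {}, {"subject": SUBJECT, "properties": {},
                     "links": as_link + PUBLIC_LINKS + PROTECTED_LINKS}

def client_find(rel, rpt=None):
    """Client: use the public answer if it satisfies the request; otherwise step up via the AS.
    rpt is the token the client would have obtained from the AS (constructed here)."""
    status, headers, jrd = webfinger(SUBJECT)
    if status != 200:
        return ("error", status)
    hit = next((l["href"] for l in jrd["links"] if l["rel"] == rel), None)
    if hit:
        return ("public", hit)                 # public data was enough, no authorization round trip
    if PROTECTED_PROP not in jrd["properties"]:
        return ("not_found", None)             # nothing more to find, even with a token
    as_uri = next(l["href"] for l in jrd["links"] if l["rel"] == UMA_AS_REL)
    if rpt is None:
        return ("step_up", as_uri)             # caller must obtain an RPT from as_uri first
    status, headers, jrd = webfinger(SUBJECT, f"Bearer {rpt}")
    if status == 401:
        return ("step_up", headers["WWW-Authenticate"])
    hit = next((l["href"] for l in jrd["links"] if l["rel"] == rel), None)
    return ("protected", hit) if hit else ("not_found", None)
```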