Hi,

I had a look at the discussion about personal discovery service within UMA. In fact we have a similar challenge in the IDoT discussion group. We are about to describe a "smart" discovery service that can find objects by using relationships and context. The problem is: if someone asks the right questions he can gain a lot of personal or critical information. So we need a kind of authorization mechanism that controls "who is entitled to see/find which devices".

Ingo

From: wg-uma-bounces@kantarainitiative.org [mailto:wg-uma-bounces@kantarainitiative.org] On Behalf Of Justin Richer
Sent: Thursday, 16 April 2015 05:42
To: George Fletcher
Cc: wg-uma@kantarainitiative.org UMA
Subject: Re: [WG-UMA] Personal Discovery Service

I like that response for webfinger, but I think it's going to be something that UMA in general is going to have to deal with. UMA makes a lot of assumptions about how the API is set up, including that the initial call with no access token always returns an error. I think we can do better than that.

Another bullet for UMA 2.0. :) (I'm trying to compile a list.)

- Justin

On Apr 14, 2015, at 9:34 AM, George Fletcher <george.fletcher@teamaol.com> wrote:

Great thought, Justin. You're right that it's difficult to return public data and a pointer to how to get more data. However, in the unauthenticated webfinger case, you could return a link relation to the user's AS as this is pretty much public anyway and possibly a property that indicates that the discovery service is UMA protected.

Thanks,
George

On 4/14/15 10:01 AM, Justin Richer wrote:

I almost really like this. The one thing that I'd want out of a flow like this is public discovery information returned from the unauthenticated webfinger call in addition to the pointer to the AS. That way if a client is able to act on the public information it doesn't need to go through the authorization steps, but if it needs more access then it can step up.

This is a common enough API pattern and it's something that I think UMA doesn't do very well at, currently.

- Justin

On Apr 13, 2015, at 1:18 PM, George Fletcher <george.fletcher@teamaol.com> wrote:

So I have a sequence diagram for combining webfinger and UMA. I'll embed and attach the image to this email and I can share the web sequence diagram text if anyone is interested. I'd really appreciate it if someone could validate this flow and make sure I didn't miss anything obvious. It doesn't cover every possible case of UMA but it should cover the default/normal flow.

That said, there are still lots of things to consider, such as: should there be a relation based taxonomy within a vertical to make discovering different kinds of endpoints easier? How to represent a discoverable endpoint as a resource set? If the UMA AS and Discovery endpoint are the same server, should there be a way for the discovery flow to return an RPT to simplify things for callers?

[attachment: webfinger+uma.png]

Thanks,
George

-- 
Chief Architect                 AIM: gffletch
Identity Services Engineering   Work: george.fletcher@teamaol.com
AOL Inc.                        Home: gffletch@aol.com
Mobile: +1-703-462-3494         Blog: http://practicalid.blogspot.com
Office: +1-703-265-2544         Twitter: http://twitter.com/gffletch
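The step-up pattern the thread is circling (an unauthenticated webfinger call that either fails with a bare UMA error, or returns public JRD data plus a pointer to the user's AS so the client only steps up when it needs more), written out as client-side logic in Python. This is an added example and not code from any participant, nor from the UMA or WebFinger specifications. The `WWW-Authenticate: UMA ... as_uri="..."` challenge shape follows UMA 1.0; reusing the OpenID Connect issuer link relation as the AS pointer is a design choice, and the property name that flags the discovery service as UMA-protected is an assumption, since no such property is defined. All responses are constructed samples.

```python
"""Client handling for webfinger in front of an UMA-protected discovery service.

Two response shapes are handled:
  1. Error-first (the behaviour Justin criticises): 401 with a
     `WWW-Authenticate: UMA ...` challenge naming the AS (as_uri) and,
     optionally, a permission ticket in a JSON body.
  2. Public-data-first (George's proposal): 200 with a JRD carrying public
     links, a link relation to the user's AS, and a property flagging the
     service as UMA-protected; the client steps up only if it needs more.
"""
import json
import re
from dataclasses import dataclass, field
from typing import Optional

# Real OpenID Connect rel used in webfinger; reused here as the AS pointer.
AS_REL = "http://openid.net/specs/connect/1.0/issuer"
# Assumed (hypothetical) property name; nothing like it is registered.
UMA_PROTECTED_PROP = "urn:example:uma:protected"

# auth-param grammar: key=token or key="quoted-string" (RFC 7235 style).
_AUTH_PARAM = re.compile(r'(\w+)\s*=\s*(?:"((?:[^"\\]|\\.)*)"|([^\s,]+))')


def parse_uma_challenge(header: str) -> Optional[dict]:
    """Return the auth-params of a `UMA` challenge, or None for other schemes."""
    scheme, _, params = header.strip().partition(" ")
    if scheme.lower() != "uma":
        return None
    out = {}
    for key, quoted, bare in _AUTH_PARAM.findall(params):
        # Minimal unescaping of \" inside quoted-string values.
        out[key.lower()] = quoted.replace('\\"', '"') if quoted else bare
    return out


@dataclass
class Response:
    status: int
    headers: dict
    body: str


@dataclass
class NextStep:
    action: str                    # "use_public", "step_up" or "error"
    as_uri: Optional[str] = None
    ticket: Optional[str] = None
    public_links: list = field(default_factory=list)


def decide(resp: Response, need_protected: bool) -> NextStep:
    """Decide what the client does next, given the webfinger response and
    whether it needs more than public data."""
    headers = {k.lower(): v for k, v in resp.headers.items()}
    if resp.status == 401:
        challenge = parse_uma_challenge(headers.get("www-authenticate", ""))
        if not challenge or "as_uri" not in challenge:
            return NextStep("error")          # 401 but no usable UMA pointer
        ticket = None
        if resp.body:
            try:
                ticket = json.loads(resp.body).get("ticket")
            except ValueError:
                ticket = None                 # body was not the JSON ticket form
        return NextStep("step_up", as_uri=challenge["as_uri"], ticket=ticket)
    if resp.status == 200:
        jrd = json.loads(resp.body)
        links = jrd.get("links", [])
        as_links = [l["href"] for l in links if l.get("rel") == AS_REL]
        public = [l for l in links if l.get("rel") != AS_REL]
        protected = jrd.get("properties", {}).get(UMA_PROTECTED_PROP) == "true"
        as_uri = as_links[0] if as_links else None
        if need_protected and protected:
            if as_uri is None:
                return NextStep("error", public_links=public)
            return NextStep("step_up", as_uri=as_uri, public_links=public)
        # Public data suffices; AS pointer is kept in case the client later needs it.
        return NextStep("use_public", as_uri=as_uri, public_links=public)
    return NextStep("error")


# Constructed sample: error-first response, UMA 1.0 challenge plus ticket.
LEGACY_401 = Response(
    401,
    {"WWW-Authenticate": 'UMA realm="discovery", host_id="discovery.example.com", '
                         'as_uri="https://as.example.com"'},
    '{"ticket": "constructed-ticket-123"}',
)

# Constructed sample: public JRD plus AS pointer and protection flag.
PUBLIC_200 = Response(
    200,
    {"Content-Type": "application/jrd+json"},
    json.dumps({
        "subject": "acct:alice@example.com",
        "links": [
            {"rel": "http://webfinger.net/rel/profile-page", "href": "https://example.com/alice"},
            {"rel": AS_REL, "href": "https://as.example.com"},
        ],
        "properties": {UMA_PROTECTED_PROP: "true"},
    }),
)

if __name__ == "__main__":
    print(decide(LEGACY_401, need_protected=False))
    print(decide(PUBLIC_200, need_protected=False))
    print(decide(PUBLIC_200, need_protected=True))
```

With the public-data-first shape a client that only needs the profile link never contacts the AS at all, which is the round trip Justin wants to avoid; the error-first shape forces every caller through the AS even for data the service would happily publish.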