January 2017 - WG-UMA - mailman.kantarainitiative.org

Agenda for UMA telecon 2016-01-05
by Eve Maler 05 Jan '17

05 Jan '17

Date and Time - *Thursdays,* 9-10am PT - Skype: +99051000000481 / US +1-805-309-2350 / international lines <https://www.turbobridge.com/join.html> / web calling interface <https://panel.turbobridge.com/webcall/> / code 1782540 - Screen sharing: http://join.me/findthomas - NOTE: do not use the join.me dial-in line - UMA calendar: http://kantarainitiative.org/confluence/display/uma/Calendar Agenda - Roll call - Approve minutes of UMA telecon 2016-12-01 <http://kantarainitiative.org/confluence/display/uma/UMA+telecon+2016-12-01> - Logistics - Hold WG votes on specs this month (as often as we like?), and add publicity - WG vote on proceeding to Public Review no later than Feb 9 (Feb 16 is RSAC; no meeting) - Refer to telecon 2016-12-01 <http://kantarainitiative.org/confluence/display/uma/UMA+telecon+2016-12-01> minutes to see how voting/balloting process goes - UMA V2.0 work - 2016 roadmap <http://kantarainitiative.org/confluence/display/uma/UMA+Roadmap+for+2016> / GitHub issues for V2.0 <https://github.com/KantaraInitiative/wg-uma/issues?q=is%3Aopen+is%3Aissue+l…> (all issues to be kept here for the duration!) / dynamic swimlane <http://www.websequencediagrams.com/files/render?link=Pu0sP0Oe2kjKc2WgdKZd> - Core is up to 10 <https://docs.kantarainitiative.org/uma/ed/uma-core-2.0-10.html> and RReg is up to 03 <http://docs.kantarainitiative.org/uma/ed/oauth-resource-reg-2.0-03.html> - Issues to *discuss in the telecon*: - 266 <https://github.com/KantaraInitiative/wg-uma/issues/266>: Set math - 264 <https://github.com/KantaraInitiative/wg-uma/issues/264>: Authentication-related error details - 254 <https://github.com/KantaraInitiative/wg-uma/issues/254>: Hashed claims discovery - 263 <https://github.com/KantaraInitiative/wg-uma/issues/263>: Claim token profiling / 119 <https://github.com/KantaraInitiative/wg-uma/issues/119>: Create an IANA registry for URIs that stand for claim token formats - Shoebox (stretch goal; let's *make assignments for proposals for next week*): - 246 <https://github.com/KantaraInitiative/wg-uma/issues/246>: Endpoint for collection of "receipts" and notifications of RS action in case of extraordinary behavior / 245 <https://github.com/KantaraInitiative/wg-uma/issues/245>: Location Constraints / 224 <https://github.com/KantaraInitiative/wg-uma/issues/224>: RS Notifies AS or RO of Access / 63 <https://github.com/KantaraInitiative/wg-uma/issues/63>: Audit logs to support legal enforceability / 24 <https://github.com/KantaraInitiative/wg-uma/issues/24>: Possible to audit host's compliance in giving access based on a legitimate active permission from the AM? - 260 <https://github.com/KantaraInitiative/wg-uma/issues/260>: Cascading authorization servers (stretch goal; let's plan to study this and decide whether it's in the WG's scope by *next week*) - Issues that will *close with no action* if no one brings them up for discussion by *next week*: - 261 <https://github.com/KantaraInitiative/wg-uma/issues/261>: Caching token inspection results - 249 <https://github.com/KantaraInitiative/wg-uma/issues/249>: Is there a way to elevate trust in Client Operators further, with a claims-like mechanism? - 108 <https://github.com/KantaraInitiative/wg-uma/issues/108>: Protection and authorization scopes implicit/recommended vs. MUST? - AOB - *Eve Maler*Cell +1 425.345.6756 | Skype: xmlgrrl | Twitter: @xmlgrrl

1 0

Reminder: WG telecom tomorrow
by Eve Maler 04 Jan '17

04 Jan '17

I'm working on the agenda, which will include a series of concrete issues to work through, mostly not huge and some from email (e.g. the latest from the set math thread). For now, if you haven't yet familiarized yourself with rev 10, please do. https://docs.kantarainitiative.org/uma/ed/uma-core-2.0-10.html Also, please make a note to do your best to attend all meetings through Feb 9. Here's the key part of the newly changed TOC; it could yet be changed further and I've already collected some good feedback: 1. Introduction 1.1 Roles and High-Level Communications 1.2 Notational Conventions 1.3 Federated Authorization 1.3.1 HTTP Usage 1.3.2 Resource and Scope Interpretation 1.4 Protocol Flow Summary 1.4.1 Protection API and Related Resource Owner Actions 1.4.2 Authorization Interface and Related Authorization Server and Requesting Party Actions 1.4.3 Protected Resource Interface and Related Resource Server Actions 1.5 Time-to-Live Considerations 2. Authorization Server Configuration 2.1 Configuration Properties 2.2 Configuration Document 2.3 Requests to Authorization Server for Configuration Document 2.4 Authorization Server Response Containing Configuration Document 3. Protocol Flow Details 3.1 Resource Server Obtains PAT 3.2 Resource Server Registers Resources for Protection 3.3 Client Attempts Access to Protected Resource With No Token 3.4 Resource Server Requests Permissions on Client's Behalf With Authorization Server 3.4.1 Resource Server Request to Permission Endpoint 3.4.2 Permission Ticket Creation and Management 3.4.3 Authorization Server Response to Resource Server on Permission Request Success 3.4.4 Authorization Server Response to Resource Server on Permission Request Failure 3.5 Resource Server Responds to Client's Tokenless Access Attempt 3.5.1 Resource Server Response to Client on Permission Request Success 3.5.2 Resource Server Response to Client on Permission Request Failure 3.6 Authorization Process: The UMA Grant 3.6.1 Client Request to Authorization Server for RPT 3.6.2 Client Request to Authorization Server for RPT With Pushed Claims 3.6.3 Client Redirect of User Agent to Authorization Server for Interactive Claims-Gathering 3.6.4 Authorization Server Redirect of User Agent Back to Client After Interactive Claims-Gathering 3.6.5 Authorization Assessment 3.6.6 Authorization Server Response to Client on Authorization Success 3.6.7 Authorization Server Response to Client on Authorization Success With PCT 3.6.8 Authorization Server Response to Client on Authorization Failure 3.7 Client Attempts Access to Protected Resource With RPT 3.8 Resource Server Determines RPT Status 3.8.1 Resource Server Request to Token Introspection Endpoint 3.8.2 Authorization Server Response to Resource Server on Token Introspection Success 3.9 Resource Server Responds to Client’s Access Attempt With RPT 3.9.1 Permissions Assessment 3.9.2 Resource Server Response to Client on Sufficiency of Authorization 3.9.3 Resource Server Response to Client on Insufficiency of Authorization Eve Maler (sent from my iPad) | cell +1 425 345 6756

1 0

AS flexibility around access token management: simplify?
by Eve Maler 02 Jan '17

02 Jan '17

Cigdem asked some good questions in a series of comments she sent me: Core Section 3.5.3 <https://docs.kantarainitiative.org/uma/ed/uma-core-2.0-09.html#give-rpt> (rev 09) has a Note that explains: "The authorization server is free to choose to return either the same RPT that appeared in the request or a new RPT, and it is also free to choose to *invalidate or retain the validity* of the original RPT or any permission that was previously added to that RPT." Cigdem's questions were (slightly edited): *If the original RPT was valid, wouldn't the client have gotten access to the resource at the resource server? Would the client ever ask for another RPT with a valid original RPT? Does it describe the case where the RPT was for one resource/scope and not expired, but the client tried to use it to access another resource/scope and failed?* What we were trying to say was that: 1. *(Client can bring no RPT and ask for one -- not a concern)* 1. *(AS can issue a new RPT A -- not a concern)* 2. Client can bring RPT A that doesn't have a permission for what it wants to do and ask for an RPT that works for what it wants to do 1. AS is allowed to reissue the existing RPT A (same RPT string), having added the relevant permissions to it 2. AS can issue a new RPT B (different RPT string), having added the relevant permissions to it 1. AS can invalidate the old RPT A that the client brought it upon this action 2. AS can retain the validity of the old RPT A that the client brought it and any of its permission(s) -- presumably ones that are still good and that the client didn't just try to exercise but found wanting The question is, do all these options truly make sense? Is it, for example, such a common pattern for an AS to invalidate all previous tokens and stuff all current permissions into the latest and greatest access token (which equates to list item 2.2.1 above) that doing anything else is insanity? Any other option would leave the client juggling multiple tokens, and having to guess which ones unlock which resources. *Eve Maler*Cell +1 425.345.6756 | Skype: xmlgrrl | Twitter: @xmlgrrl

2 1

New drafts, finally: Core rev 10 and RReg rev 03
by Eve Maler 02 Jan '17

02 Jan '17

So, uh, happy new year. :-) https://docs.kantarainitiative.org/uma/ed/uma-core-2.0-10.html https://docs.kantarainitiative.org/uma/ed/oauth-resource-reg-2.0-03.html I've been working on great detailed comments from Cigdem and Mike (thanks!) and other mostly editorial stuff, and managed to implement 98% of the big section refactoring I've been talking about for a while (flatten-consolidate-shorten). Please try and give these a read-through. Questions: - I'm starting to believe that the "*authorization interface*" is actually properly the "*UMA grant*", tip to toe. In one place I actually did call it that. True? - I added a precondition/assumption that the client needs to use the *client credentials grant* to get an access token to use in the header when it makes a call to the token endpoint to get an RPT. Is my understanding correct? We didn't say anything about this before. - We have "five definitive errors" that *end the authorization process*. But is there anything that should happen to make this truly definitive? Should permission tickets expire, or what? - I've got a couple of other *Table of Contents nerd questions* that I'd love to pore over with others similarly inclined in a quick session before our Thursday session. Self-identify and I'll find you. *Eve Maler*Cell +1 425.345.6756 | Skype: xmlgrrl | Twitter: @xmlgrrl

1 0