Hi all,
Eve sent me an email off-list last night asking "Are we going to be sorry
we don't have a named object for a single permission?" With clarification
this morning, it turns out she was talking about the token introspection
endpoint :)
You'll remember the response currently looks like:
{
"active":true,
"exp":1256953732,
"iat":1256912345,
"permissions":[
{
"resource_id":"112210f47de98100",
"resource_scopes":[
"view",
"http://photoz.example.com/dev/actions/print"
],
"exp":1256953732
}
]
}
With a bit more discussion, the only thing I could see as potentially
useful was to have permissions as an object (instead of array), and use the
resource_id as the key in the object. To do this, we'd have to then make
its value an array so that if you have multiple different scopes with
different expiry times, they could be expressed effectively, so:
{
"active":true,
"exp":1256953732,
"iat":1256912345,
"permissions":{
"112210f47de98100":[
{
"resource_scopes":[
"view",
"http://photoz.example.com/dev/actions/print"
],
"exp":1256953732
},
{
"resource_scopes":[
"edit"
],
"exp":1256953750
}
]
}
}
I'm by no means convinced that this is very much more useful than the
current version, and is thoroughly backwards-incompatible, but the object
structure could be useful if RPT permission arrays were to get very big.
Thoughts?
Cheers
James
http://kantarainitiative.org/confluence/display/uma/UMA+legal+subgroup+note…
2017-07-21
Attending: Eve, Kathleen, Tim
We started looking at chart 6 (not sent in email). Tim would like to ensure
that we get the pairwise (or more) relationships, legal devices, and
artifacts locked down so that he can revise the definitions. The column
mentioning "pairwise" should probably take that word out because some of
the artifacts definitely represent more than two of the roles.
A *license*, versus a *contract* specifically, gives flexibility around
number of parties and promises. It's about tracking permissions. Some
permissions are given with some conditions. The license gets revoked if the
conditions aren't kept. A license scales better than a contract as a legal
mechanism. (Kathleen refers to the licensing model as essentially an
authorization model.)
A DURSA (data use reciprocal service agreement), from healthcare, is an
example of a surrounding contract that could be used to encompass the kind
of license we're talking about. Many of the use cases we've collected – a
nanny collecting kids from daycare, giving someone access to a connected
car – show that there's a desire to ensure a contractual apportionment of
liability across to a requesting party in addition to licensing.
If this were a contract, the RO Alice would be the offeror, the resource
access permissions would be the consideration, and the RqP Bob would
theoretically be the offeree – but where is the acceptance part? In the
technical layer of UMA, Bob might not have acted positively at all to get
access. His client software might have "pushed" claims about him without
any action on his part, Alice's AS might issue a PCT to his client that
represents claims previously collected and the client subsequently "pushes"
that PCT back, but that happens silently. Does that constitute acceptance?
Do we have to build that into our model clauses? Using a licensing model,
RqP Bob *doesn't* have to accept, and any overarching contract layers could
build that in only if they want to. Developing contractual-level tools is
out of scope for us.
The term "access contract" came from UCITA law. Do we want to use it? It
appears in the role definitions, but should we step back from it? Actually,
this is between the RO and ASO. So it appears on the wrong line; it should
be on the RS-ASO line, not RO-RSO. Or was it correct after all? Are the RSO
and ASO both parties to the access contract? The RO becomes *the* licensor,
and do the ASO and RSO both become the sub-licensors? It would be helpful,
in the "Legal Relationship" column, to always state "*so-and-so* is the
*role* for *whom-downstream* of *what* on behalf of *whom-upstream*". E.g.,
"RSO is sub-licensor on behalf of RO". Maybe we can even construct the
columns so that each variable gets filled in, in order, to form a
"sentence"?
The RO is at the "head" of the relationships. The RO owns the access
rights. (In US healthcare, under federal law, a patient owns right of
access.)
The ASO-CO artifact of OAuth client credentials is only related to that
pairwise relationship (not to RqP BoB or to the PCT; this should be
relegated to a separate row). It could be related to a contract, say, ToS.
It's a *potential place* where conditions that are protective of Alice
*could* go, e.g. to ensure that the client (later interacting with Bob,
e.g. sharing Alice's data, storing Alice's data, etc.) acts in a way that
is aligned with Alice's interests.
At the end of the day, the legal aspects have to match the UMA flows and
artifacts exactly.
*AI:* Eve: Try to do an edited matrix in GSlides form for the group.
*Eve Maler*Cell +1 425.345.6756 | Skype: xmlgrrl | Twitter: @xmlgrrl
8am PT/11am ET
http://join.me/findthomas
We'll have fresh role definitions, mappings, and diagrams. Good times!
*Eve Maler*Cell +1 425.345.6756 | Skype: xmlgrrl | Twitter: @xmlgrrl
http://kantarainitiative.org/confluence/display/uma/UMA+telecon+2017-07-20
MinutesRoll call
Quorum was reached.
Approve minutes
Approve minutes of UMA telecon 2017-06-29
<http://kantarainitiative.org/confluence/display/uma/UMA+telecon+2017-06-29>
and
UMA telecon 2017-07-13
<http://kantarainitiative.org/confluence/display/uma/UMA+telecon+2017-07-13>:
APPROVED by unanimous consent.
UMA 2.0 work
Is the right distinction in the Disposition of Comments document
<http://kantarainitiative.org/confluence/display/uma/UMA+V2.0+Disposition+of…>
"Would
the change potentially cause anyone to raise a new IPR issue or not?",
rather than "Is it 'editorial' or 'technical'?" So if something goes from,
say, MUST to something weaker (SHOULD or MAY), that would (could?) raise
IPR issues. But just clarifying something that was unclear in the Draft
Recommendation would presumably be editorial. Andrew asks: If no one makes
a necessary claim, does it matter? "The tree has already fallen in the
forest." [image: (smile)] The WG will make its case in the comment log
where anything seems marginal.
Finalizing the specs
Sample motion when the time comes: "Approve UMA 2.0 Grant and FedAuthz revs
06 as amended by the instructions of UMA telecon 2017-xx-xx as Draft
Recommendations and forward them to the Kantara Leadership Council to
request certification for an All-Member Ballot as Recommendations."
#332 <https://github.com/KantaraInitiative/wg-uma/issues/332>: If the AS is
"basically" expiring a previous PCT when it goes to a new authorization
process, should we say it MUST? It's more like any previous PCT from a
previous assessment has be superseded/overcome by events (namely, "one
process/one ticket lifecycle"). How explicit do we need to be about this,
for implementers to understand this clearly? We're inclined not to add more
refresh token-like text, despite the suggestion, because it's a little too
prescriptive, and we agree with the commenter's interpretation that *"I
would say, that according to the current version, the AS can really choose,
whether to expire PCT when issuing a fresh one and the client is not forced
to discard the old one."* Using this behavior, the AS and client would each
simply have old PCTs from previous authorization processes and could
issue/use them for any future authorization processes they want. The
wording throughout Grant doesn't prevent this; we checked. Do we now need
to consider *clarifying* that this "multiplicity" of uses is okay? Is it
ambiguous the way things stand? That is, Eve's reading, in the issue, of
"basically" expiring is not required. Justin, James, and Mike (Yuriy) all
interpret the current text to be okay with more than one-time use.
Optimization of future experience is basically the rationale for PCTs, so
this makes sense.
Andi brings up the security and privacy considerations; we do cover these,
and revocation is also covered, so we're good there. And the AS can always
expire at will.
No change in the wording.
#337 <https://github.com/KantaraInitiative/wg-uma/issues/337>:
- exp/iat/nbf: There was an original reason for the "split" logic of
talking about what happens when exp is absent vs the others. "If the
parameter is absent, the permission does not expire." We tried to mean that
the permission could live on past the token lifetime, but this is
nonsense. [image:
(smile)] What if we delete this sentence, keep the three other sentences
allowing the token-level value(s) to take precedence (or refactor that
sentence out to the token level), and live with the fact that we don't say
anything about the absence of the OPTIONAL values? What is our intent about
implementers' behavior? The RS's behavior is about cache control. The AS is
likely not to hand back something already expired. Everything beyond
active=true is a hint. So the RS could just try again if it didn't get what
it wanted.
- Did a quick tour through the other items. Most should be easy for
disposition.
UMA logo ideas
AI: Eve: Email out Domenico's first logo idea. Let's send thoughts his way.
Attendees
As of 7 Mar 2017, quorum is 4 of 7. (Domenico, Sal, Andi, Maciej, Eve,
Mike, Cigdem)
1. Domenico
2. Sal
3. Andi
4. Maciej
5. Eve
6. Mike
Non-voting participants:
- James
- Justin
- Andrew
*Eve Maler*Cell +1 425.345.6756 | Skype: xmlgrrl | Twitter: @xmlgrrl
http://kantarainitiative.org/confluence/display/uma/UMA+telecon+2017-07-13
MinutesRoll call
Quorum was not reached.
Approve minutes
Approve minutes of UMA telecon 2017-06-29
<http://kantarainitiative.org/confluence/display/uma/UMA+telecon+2017-06-29>:
Deferred.
UMA 2.0 work
*#328 <https://github.com/KantaraInitiative/wg-uma/issues/328>:* how
client-contributed scopes are mapped to resources during authorization
assessment: Eve's first iteration was "Treat each scope in (
*ClientRequested* ∩ *ClientRegistered*) as applying to all
matching resource-bound scopes in *PermissionTicket*." She's thinking that
it would be more accurate to say something like "...all scopes associated
with resources appearing in *PermissionTicket*", and then we could add ",
with the scope matching performed as described in Section 6.2.1 of
[RFC3986] (Simple String Comparison)."
Let's give this wording a try in context (published draft) and see if it
makes sense there.
#334 <https://github.com/KantaraInitiative/wg-uma/issues/334>: the IANA
registration request for the JWT permissions claim and its constituent
parts: Justin suggests that we need to have a paragraph talking about the
security and privacy considerations of putting this information into the
token vs. an introspection response, because the token is exposed to the
client. The permissions claim and its sub-claims give tools directly usable
by those who want to use the "local validation of self-contained tokens"
path.
Furthermore, the sentence in the Introduction is too modest: "Further*,
with the use of token introspection,* authorization grants can increase and
decrease at the level of individual resources and scopes." We can get rid
of the italicized stuff.
We have the following options:
1. Remove our registration request.
2. Specify how to "validate a self-contained token locally" in a
separate document, with security and privacy considerations.
Do we have enough real-world implementation experience to know what the
considerations are? What is the sensitive information in the token? In a
typical OAuth access token, there are typically scopes. In our permissions
structure, there are resource IDs, scopes, expirations, etc. Also, there
may be permissions that cross RS's. Is this sensitive wrt an individual RS
too? Maybe it's trivial for an RPT that doesn't cross RS's, but not
otherwise. Maybe it requires encryption per array object or something. Any
considerations section would have to explicitly push responsibility onto
the implementer.
Eve speaks in favor of option 2. Kathleen notes that it's good to keep
solving this properly on the roadmap. Sal agrees. James agrees. We have
consensus.
Editorial actions: Remove the IANA request for JWT claims, and edit the
Intro sentence.
Finalizing the specs
Sample motion when the time comes: "Approve UMA 2.0 Grant and FedAuthz revs
06 as amended by the instructions of UMA telecon 2017-xx-xx as Draft
Recommendations and forward them to the Kantara Leadership Council to
request certification for an All-Member Ballot as Recommendations."
UMA logo ideas
tbs
Attendees
As of 7 Mar 2017, quorum is 4 of 7. (Domenico, Sal, Andi, Maciej, Eve,
Mike, Cigdem)
1. Sal
2. Maciej
3. Eve
Non-voting participants:
- Justin
- Kathleen
- Bjorn
- Scott F
- John W
- Jin
- James
- Robert
Regrets:
- Domenico
*Eve Maler*Cell +1 425.345.6756 | Skype: xmlgrrl | Twitter: @xmlgrrl
Hi all,
During the implementation of the standard, I came across several points I think needs to be cleared (at least to me, and I hope the reason is not my stupidity). I know the public comment period ends tomorrow, so I rather use this method of communication, so as, if there is something useful in the list, it is not missed.
I wrote some of these remarks down during reading of the older versions, and now I tried to look whether it has already been changed, so excuse me, if I miss something, that was already added.
https://docs.kantarainitiative.org/uma/wg/oauth-uma-federated-authz-2.0-05.…:
1) 5.1.1: For exp, the behavior for absent value is defined. iat and nbf are missing definition for this state. Although it is quite intuitive (“if absent, the token-level value takes precedence”), might be worth include it to prevent possible misunderstandings.
https://docs.kantarainitiative.org/uma/wg/oauth-uma-grant-2.0-05.html:
1) 3.3: “The client has obtained OAuth client credentials from the authorization server, …, and is prepared to authenticate itself to the token endpoint if appropriate.”
RFC6749 – 3.2.1: “Confidential clients or other clients issued client credentials MUST authenticate with the authorization server as described in Section 2.3 when making requests to the token endpoint.”
Doesn’t this mean, that in UMA, the client requesting at the token EP MUST always authenticate? The formulation from uma_grant 3.3 may lead to a conclusion there exists a situation in which it is not necessary to authenticate.
2) 3.3.2: If AS supports RFC7591, it MUST allow clients to register claims_redirect_uri (as mentioned in 2.), but it is not defined, how this parameter looks like (array?, space separated?)
Shouldn’t it be better to have “claims_redirect_uris”? (RFC7591 defines redirect_uris also in plural).
In RFC6749, redirection URI (which is similar from the security point of view to the claims redir URI) SHOULD require the use of TLS and MUST be registered for public clients. In addition, an incomplete redirection URI is enabled, and some other features. Wouldn’t it be beneficial to define claims redirection URI with reference to the definition of redirection URI?
3) 3.3.3: I personally would extend the first sentence to “ … of the claims redirection URI resolved according to the algorithm described in previous section using the …”. Otherwise, any preregistered claims redirection URI might be used (I know you would need to be an evil implementer to do this, but hey, who isn’t a bit?).
4) 3.3.3: The example response from AS is actually a request.
5) 3.3.4: This whole section makes the permission concept unclear to me. I suppose, that a request for RPT can contain multiple tuples (resource, scopes), where the scopes for each resource may be different. Section 3.3.4 puts an impression on me, that all these scopes sets are actually identical. Namely: “Let a set called PermissionTicket stand for the scopes associated with the permission ticket” does not distinguish between all the permissions that can be bound to the permission ticket. The example does not help in this either, as it concerns only a single resource.
I’d suggest to add something like: “This authorization assessment holds for any permission bound to the permission ticket received by the AS.” Subsequently, it needs to be made clear, what happens if CandidateGrantedScopes < RequestedScopes for not all of the requested permissions.
6) 3.3.5: Described in https://github.com/KantaraInitiative/wg-uma/issues/332
7) 5.6: Permission ticket is similar in use to authorization code in OAuth (both are single use, may be transferred over plain HTTP), but the latter is influenced by additional security measure – if the same code is observed twice by AS, it should attempt to revoke all access tokens issued based on that code. Shouldn’t this be considered also for the permission ticket and relevant RPTs?
I hope, it was not a loss of time for you to read through these lines.
Kind regards,
Ondrej
Atos IT Solutions and Services, s.r.o. - CEO: Martin Sùra - registered in the Commercial Register of the Municipal Court in Prague, Sec. C, File 8954, Registered office: Doudlebská 1699/5, 140 00 Prague 4, Czech Republic, IÈ: 44851391, DIÈ: CZ44851391, Bank connection: UniCredit Bank Czech Republic a.s., Na Pøíkopì 858/20, 113 80 Praha 1, Acc. Nr. CZK: 1001885001/2700, IBAN CZK - CZ4627000000001001885001; Acc. Nr. EUR: 1001885095/2700, IBAN EUR - CZ3027000000001001885095
Tato zpráva má pouze informativní charakter, který vychází z podkladù, které byly odesílateli pøedány, nebo zaslány. Obsah této zprávy odesílatele nezavazuje, pokud to v ní není výslovnì uvedeno a odesílatel nemá v úmyslu na základì této zprávy uzavøít smlouvu, pøijmout nabídku, potvrdit uzavøení smlouvy ani nezakládá pøedsmluvní odpovìdnost jejího odesílatele, ledaže je odesílatelem ve zprávì uvedeno výslovnì jinak.Tato zpráva je urèena pouze pro osobní a dùvìrné užití osobou (osobami) uvedenou (uvedenými) výše. Nejste-li osobou, které je tato zpráva urèena, upozoròujeme Vás, že jakékoli šíøení, distribuce èi kopírování této zprávy je zakázáno. Jestliže tuto zprávu omylem obdržíte, prosíme, oznamte tuto skuteènost odesílateli a vymažte ji ze svého systému.
The sole purpose of this message is to provide information based on materials that were given or sent to the sender. The content of the message does not place its sender under any obligation, unless expressly stated otherwise, and the sender has no intention to conclude a contract, accept an offer or confirm the conclusion of a contract on the basis of this message nor shall the message give rise to pre-contractual liability of the sender, unless it expressly states otherwise. The message is only intended for private, confidential use by a person (persons) mentioned above. If you are not the intended recipient of this message, you are hereby notified that any dissemination, distribution or copying thereof is prohibited. If you have received the message in error, please, inform the sender of the fact and delete it from your system.
