Possible algorithm for determining the set of scopes to be issued with a permissions ticket.
- [#1] The universe of scopes the RS has registered for the resource set
- [#2] The scopes the client has registered for at the AS (if it has done this at all)
- Note that I would add to this that this list of scopes should rather be the list of scopes the AS has determined the client is allowed to request
- [#3] What the RO has attached to the policy for the resource set
- [#4] What the RS requests at the permission endpoint (in order to get a ticket)
- [#5] The scopes the client requests at the token endpoint
- The maximum set of scopes that could be returned from the /token endpoint when requesting a token is the "universe of scopes the RS has registered for the resource set" [#1] identified by the permission ticket
- The set of scopes the UMA AS is allowed to issue is the INTERSECTION of the universe of scopes [#1] and the scopes allowed by the RO policy for that resource set [#3]. Call this resulting set [#6] (allowed scopes for the resource set)
- The list of scopes requested by the client is the INTERSECTION of [#2] and [#5]. Call this resulting set [#7] (scopes the client is allowed to request)
- The set of requested scopes is the UNION of set [#7] and set [#4]. Call this resulting set [#8]
- The maximum scopes that can be allowed for this access_token request is the INTERSECTION of set [#6] and set [#8]
Mapping this to pseudo-code:
Set PossibleScopes = RegisteredResourceSetScopes INTERSECTION ROAllowedScopes   // [#6] = [#1] ∩ [#3]
Set ClientScopes = ASAllowedClientScopes INTERSECTION ClientRequestedScopes     // [#7] = [#2] ∩ [#5]
Set RequestedScopes = ClientScopes UNION PermissionTicketScopes                 // [#8] = [#7] ∪ [#4]
Set AllowedScopes = PossibleScopes INTERSECTION RequestedScopes                 // [#6] ∩ [#8], never a UNION: a union would let the ticket or client scopes exceed the RO policy
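As an added worked example (not code from the original post), the same four steps over Python sets, with constructed sample scopes and a second function showing what goes wrong if the last step is a UNION instead of an INTERSECTION; the type and function names are assumptions of this example:

```python
# Added example: UMA scope narrowing as described above. Inputs are labelled
# with the set numbers from the text; all sample values are constructed.
from dataclasses import dataclass

@dataclass(frozen=True)
class ScopeInputs:
    rs_registered: frozenset      # [#1] scopes the RS registered for the resource set
    ro_policy: frozenset          # [#3] scopes the RO policy allows for that resource set
    as_client_allowed: frozenset  # [#2] scopes the AS lets this client request (empty if none)
    client_requested: frozenset   # [#5] scopes the client asks for at the /token endpoint
    ticket_scopes: frozenset      # [#4] scopes the RS requested when it obtained the ticket

def allowed_scopes(i: ScopeInputs) -> frozenset:
    """Scopes the AS may issue for this access_token request."""
    possible = i.rs_registered & i.ro_policy            # [#6]: RO policy bounds the universe
    client = i.as_client_allowed & i.client_requested   # [#7]: client cannot request beyond AS allowance
    requested = client | i.ticket_scopes                # [#8]: client request plus ticket scopes
    return possible & requested                         # final: intersection keeps RO policy in force

def union_variant(i: ScopeInputs) -> frozenset:
    """The buggy final step (UNION) shown only to illustrate the escalation it causes."""
    possible = i.rs_registered & i.ro_policy
    requested = (i.as_client_allowed & i.client_requested) | i.ticket_scopes
    return possible | requested

def scopes_beyond_policy(issued: frozenset, i: ScopeInputs) -> frozenset:
    """Check an issued scope set: anything outside [#6] violates the RO policy."""
    return issued - (i.rs_registered & i.ro_policy)

# Constructed sample: the RO allows read/write only, but the client asks for
# delete and the AS would let it, and the ticket carries write.
SAMPLE = ScopeInputs(
    rs_registered=frozenset({"read", "write", "delete", "share"}),
    ro_policy=frozenset({"read", "write"}),
    as_client_allowed=frozenset({"read", "write", "delete"}),
    client_requested=frozenset({"read", "delete"}),
    ticket_scopes=frozenset({"write"}),
)

if __name__ == "__main__":
    print("allowed:", sorted(allowed_scopes(SAMPLE)))          # ['read', 'write']
    bad = union_variant(SAMPLE)
    print("union variant:", sorted(bad))                        # ['delete', 'read', 'write']
    print("beyond policy:", sorted(scopes_beyond_policy(bad, SAMPLE)))  # ['delete']
```

With the intersection, `delete` is dropped even though both the client and the AS wanted it, because the RO policy never granted it; the union variant hands it out anyway.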