Still no WG call tomorrow, but it's been suggested to have a BOF -- so for those of us here at CIS, let's plan to meet at 7:30am over breakfast.

We could take the opportunity to discuss an item that's coming up in a few conversations: While scopes in OAuth are universal to their protected resources, scopes in UMA are bound to a particular RO context.

Thus, in the flow being proposed where clients make scope requests, are the clients:
The way APIs are generally designed, the first option seems the most likely/reasonable/privacy-protecting. If that's the case, what other design considerations would there (have to) be for scope sets? E.g., our notes from last week had this list in it:

  1. The universe of scopes the RS has registered for the resource set
  2. The scopes the client has registered for at the AS (if it has done this at all)
  3. What the RO has attached to the policy for the resource set
  4. What the RS requests for at the permission endpoint (in order to get a ticket)
  5. The scopes the client requests at the token endpoint
There would need to be some insertions and questions answered for at least #1, #2, and #5.

Eve Maler
Cell +1 425.345.6756 | Skype: xmlgrrl | Twitter: @xmlgrrl