
UMA-tarians,

We've been talking about interop / conformance testing for a long time, and I think we need to get this to the starting line. There are a lot of UMA use cases that we need to prove out. I think we all agree that in order to move forward, we should start small, and in each iteration, cover more cases.

This past IIW, I broached the idea of forming a new volunteer organization called "SecurityLoft". I have been inspired by OWASP. To start, SecurityLoft would just be a website, and a cloud server somewhere. I spoke with Kelly Grizzle at Sailpoint about hosting SCIM conformance tests at SecurityLoft. Perhaps SecurityLoft could also host UMA tests.

The specific use case I think we should start with is (drum roll please...):

Client calls API on Resource Server

To get this done, we'll need to make a policy that any client can call to test positive and negative results. To make it easy to start with, I suggest using a policy based on time. In order to get a successful request, the permission ticket must be registered in the first 15 seconds of the minute. Just an idea... I was also thinking perhaps the UMA client could send claims as a json payload.

Modest start? Yes! But at least a start that shows something tangible!

- Mike