Apologies for jumping into discussion late, but one thing puzzled me below.

 

In our last discussion that originated #355, you mentioned the "Adrian Clause". This is exactly what we are trying to achieve with this extension to permission endpoint, even if an RPT provides sufficient permissions for a particular case, the resource server can choose to bar access based on its own criteria. Where the criteria can be based on information from runtime or some external service. I think this also allows the RS to provide some "claims gathering" flow on its side, prior to issuing a permission ticket. It should also allow the AS to present to the resource owner more details on what he is approving.”

 

Do you rather mean, prior to sending a permission request to AS (and obtaining a permission ticket from it), the RS does some claim gathering? Does the RS do additional access control before registering permission with the client? Are permission requests generated regardless of the state of the claims?

 

Thanks,

--Cigdem

 

Cigdem Sengul, PhD

Senior Researcher 

/Users/cigdem/Library/Containers/com.microsoft.Outlook/Data/Library/Caches/Signatures/signature_21833989

Website | Twitter | Facebook

 

DD: +44 (0)1865 332256    E: cigdem.sengul@nominet.uk

 

Minerva House, Edmund Halley Road, Oxford Science Park, Oxford, OX4 4DQ, United Kingdom

 

 

Nominet UK. Registered in England and Wales No. 3203859


This message is intended exclusively for the individual(s) to whom it is addressed and may contain information that is privileged, or confidential. If you are not the addressee, you must not read, use or disclose the contents of this e-mail. If you receive this e-mail in error, please advise us immediately and delete the e-mail. Nominet UK has taken every reasonable precaution to ensure that any attachment to this e-mail has been swept for viruses. However, Nominet cannot accept liability for any damage sustained as a result of software viruses and would advise that you carry out your own virus checks before opening any attachment.

 

 

 

 

On Thu, Aug 9, 2018 at 2:45 PM, Eve Maler <eve@xmlgrrl.com> wrote:

Hey again Pedro,

 

Wanted to let you know that the group took a look at the Keycloak news in the call today, and I've updated the Implementations page with the details and links. Congrats!!

 

We had some questions about the purpose of the permission endpoint and if this is something that makes sense to standardized for any interop purpose, or whether it would be internal to the ecosystem in question:

 

====

 

 

It appears that there is an extension to the permission endpoint to all the RS to push claims to that endpoint. "When creating tickets you can also push arbitrary claims and associate these claims with the ticket ... (example shown) ... Where these claims will be available to your policies when evaluating permissions for the resource and scope(s) associated with the permission ticket.". Is is something that would be interesting to standardize for interop? We can ask Pedro in email. He had proposed an extension (see issue 355) that would shortcut using a permission ticket at all, for narrow-ecosystem enterprise purposes.

 

====

 

What do you think?  Thanks,


 

Eve Maler
Cell +1 425.345.6756 | Skype: xmlgrrl | Twitter: @xmlgrrl

 

 

On Tue, Aug 7, 2018 at 11:38 AM, Mike Schwartz <mike@gluu.org> wrote:


Way to go Pedro!!! Great news!!!

The Gluu Gateway could act as the UMA RS, and we have a demo UMA client too. If you have an Internet accessible instance, we'd be interested to test that with you. Perhaps it could lead to a wider interop with WS02 and ForgeRock too (i.e. keep the RS and client constant).

If you want to chat, email me off list.

- Mike

------------------------
Michael Schwartz
Gluu
Founder / CEO
mike@gluu.org
https://www.linkedin.com/in/nynymike/


_______________________________________________
WG-UMA mailing list
WG-UMA@kantarainitiative.org
https://kantarainitiative.org/mailman/listinfo/wg-uma