I agree with Justin. In a person-centered real world, like in IoT or healthcare, the UMA Client knows what it needs and what&#39;s available from the UMA RS based on out-of-band means OR standards. The person-centered AS, on the other hand may be generic and hardly care.<div><br></div><div>Adrian<br><br>On Thursday, December 10, 2015, Justin Richer &lt;<a href="mailto:jricher@mit.edu">jricher@mit.edu</a>&gt; wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">I&#39;ve actually filed an issue and am working on the ramifications of allowing the client to specify scopes in addition to the ticket. UMA paints a picture where the client doesn&#39;t know anything about the API that it&#39;s trying to access, but in the real world the client often has some idea through out of band discovery or configuration. If the client can tell the AS &quot;these are the scopes I&#39;m after&quot; in addition to the ticket saying &quot;these are the scopes recommended for that request&quot; then the AS can make a more informed decision of which scopes to attach to the RPT.<br>
<br>
 -- Justin<br>
<br>
On 12/10/2015 7:57 AM, Mark Dobrinic wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Hi Mike,<br>
<br>
Don&#39;t forget the as_uri that accompanies the ticket that the RS returns<br>
to the UMA Client, in the protocol-step that you&#39;re trying to optimize.<br>
<br>
Maybe the better question is that if you assume you know which scopes to<br>
request, and the AS to make that request, why use UMA and not just plain<br>
OAuth?<br>
<br>
Mark<br>
<br>
<br>
On 10/12/15 03:23, Mike Schwartz wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Pedro,<br>
<br>
It doesn&#39;t make sense to me that the RS would obtain the RPT...<br>
<br>
Personally, I like the design of the permission ticket, because the UMA<br>
Client does not need to know the scopes. Forcing the UMA Client to know<br>
the scopes creates a tight bundling with the security infrastructure,<br>
and may expose too much information to the UMA Client. I equate this to<br>
hard coding LDAP schema in your application. It puts the infrastructure<br>
team in a bad situation if the schema changes, because you need to re-QA<br>
the app.<br>
<br>
However, some people think that just because Google does something, it<br>
must be right, or it must scale. So my interest in supporting this<br>
feature has more to do with aligning with an existing (bad) pattern.<br>
<br>
- Mike<br>
<br>
<br>
On 2015-12-09 19:37, Pedro Igor Silva wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
----- Original Message -----<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
From: &quot;Mike Schwartz&quot; &lt;<a>mike@gluu.org</a>&gt;<br>
To: <a>wg-uma@kantarainitiative.org</a><br>
Sent: Wednesday, December 9, 2015 6:36:32 PM<br>
Subject: [WG-UMA] Two thoughts for UMA enhancments<br>
<br>
<br>
UMA-tarians,<br>
<br>
Can we discuss two ideas for enhancments:<br>
<br>
1) UMA sans permission ticket<br>
<br>
Let&#39;s say the UMA Client knows the scopes required to call a certain<br>
API. For example, Google documents this: <a href="http://gluu.co/google-scopes" target="_blank">http://gluu.co/google-scopes</a><br>
<br>
In this case, perhaps the client can proactively request an RPT<br>
providing the scopes. And this RPT might be acceptable a certain RS for<br>
certain resource sets.<br>
<br>
We might have already discussed this, but wouldn&#39;t this make UMA more<br>
compatable with existing API access management infrastructures?<br>
<br>
2) UMA without the AAT<br>
<br>
Inspired by Justin. I think the AAT adds value in many cases where the<br>
AS wants to make policies based on client claims (client id, domain<br>
specific catagory, etc). So I&#39;m not saying eliminate the AAT. However,<br>
if the policy for access is based on network address only, or perhaps<br>
some other fraud detection technique that doesn&#39;t involve client<br>
identification, I could see a case where the AAT is not needed. So maybe<br>
the AAT could be optional?<br>
<br>
- Mike<br>
</blockquote>
What about the case below ? I think it was lost because I was not able<br>
to send messages to this list ...<br>
<br>
&quot;I think that when you are in NPE scenario, the permission ticket does<br>
not make much sense. This is pretty much related with my second round<br>
of questions.<br>
<br>
Please correct me if I&#39;m wrong. It seems that the permission ticket is<br>
mostly intended to perform a transactional authorization flow, where a<br>
RqP will ask permissions to access some one resources and the RO will<br>
be able to receive some kind of notification and actually approve this<br>
permission any time in the future. Or even to support multiple ASs<br>
within the same RS, where the user can choose which AS should be used<br>
to obtain permissions for his resources. Here I can see a lot of<br>
value, like for cloud and IoT authz ...<br>
<br>
However, considering NPE use cases, specially when the RO is the RS, a<br>
1:1 relationship between RS and AS and there is no need for a<br>
transactional authorization flow given that RS is protecting its own<br>
resources, it might be unnecessary to use a permission ticket in this<br>
case. But just:<br>
<br>
  1) Client tries to access protected resource on behalf of an user (no<br>
RPT was sent)<br>
  2) RS obtain a RPT for the resource (or with additional resources and<br>
scopes) from AS<br>
  3) RS validates the response from AS, validates the RPT, enforce<br>
authorization and returns the RPT to the client (considering that RPT<br>
has the right permissions)&quot;<br>
<br>
Any thoughts ?<br>
<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<br>
<br>
-------------------------------------<br>
Michael Schwartz<br>
Gluu<br>
Founder / CEO<br>
<a>mike@gluu.org</a><br>
_______________________________________________<br>
WG-UMA mailing list<br>
<a>WG-UMA@kantarainitiative.org</a><br>
<a href="http://kantarainitiative.org/mailman/listinfo/wg-uma" target="_blank">http://kantarainitiative.org/mailman/listinfo/wg-uma</a><br>
<br>
</blockquote></blockquote></blockquote>
_______________________________________________<br>
WG-UMA mailing list<br>
<a>WG-UMA@kantarainitiative.org</a><br>
<a href="http://kantarainitiative.org/mailman/listinfo/wg-uma" target="_blank">http://kantarainitiative.org/mailman/listinfo/wg-uma</a><br>
</blockquote>
<br>
_______________________________________________<br>
WG-UMA mailing list<br>
<a>WG-UMA@kantarainitiative.org</a><br>
<a href="http://kantarainitiative.org/mailman/listinfo/wg-uma" target="_blank">http://kantarainitiative.org/mailman/listinfo/wg-uma</a><br>
</blockquote></div><br><br>-- <br><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><br><div dir="ltr">Adrian Gropper MD<span style="font-size:11pt"></span><br><br><span style="font-family:&quot;Arial&quot;,sans-serif;color:#1f497d">PROTECT YOUR FUTURE - RESTORE Health Privacy!</span><span style="font-family:&quot;Arial&quot;,sans-serif;color:#1f497d"><br>HELP us fight for the right to control personal health data.</span><span style="font-family:&quot;Arial&quot;,sans-serif;color:#1f497d"></span><span style="font-family:&quot;Arial&quot;,sans-serif;color:#1f497d"><br>DONATE:
<a href="http://patientprivacyrights.org/donate-2/" target="_blank"><span style="color:#0563c1">http://patientprivacyrights.org/donate-2/</span></a></span><span style="color:#1f497d"></span>
</div></div></div></div></div></div></div><br>