I am finally taking time to read the spec. First, I would commend the UMAtarians for coming out with this new draft, which looks much better than 1.0.
Having said that, there are a few questions that I have, and your responses will be much appreciated in forming my opinion for the vote.
Q.1 `claims_redirect_uri` seems to be optional sometimes, and the spec does not seem to require it to be unique per AS. A Client ID by itself is not globally unique, and to prevent the mix-up attack, the security recommendation is to have something that scopes the Client ID to the AS. In the case of RFC 6749, that is `redirect_uri`, and it needs to be unique per AS if the client talks to multiple authorization servers. In UMA 2.0, `redirect_uri` is replaced by `claims_redirect_uri`, but since it is optional and does not carry the uniqueness qualification, it seems to leave an attack surface there. Was there any conscious reason for leaving this attack surface open?
Q.2 `state` is RECOMMENDED in RFC 6749, but that has to be taken with a grain of salt. It is only OK for it to be optional if there is some other provision that takes care of CSRF, e.g., `nonce` in OpenID Connect. The `state` parameter was made RECOMMENDED in RFC 6749 to allow such explicit provisions by profiles of RFC 6749. My question is this: what is the specific anti-CSRF provision in UMA 2.0 that lets us leave `state` as RECOMMENDED? If there is none, then it is better to make it a MUST. The security considerations talk a bit about it, but it is all "SHOULD". I feel that being a bit more prescriptive would be a good idea for internet hygiene. Let me know what the reasoning behind this was.
Q.3 It is version two of the protocol. However, I do not see a version identifier in the messages. I am assuming that the messages are different enough from those of ver. 1.0 that there will be no confusion, but I want to check that this is so. (In general, I prefer to have an explicit version identifier, except for the initial version, to avoid message confusion attack variants.)
Best,
Nat Sakimura
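As an added illustration of the binding that Q.1 and Q.2 ask about (my own example, not code from the UMA 2.0 draft or from this mail): a client-side tracker that mints a per-AS `claims_redirect_uri`, a single-use `state` bound to that AS, and checks both when the callback arrives, so a state minted for one AS cannot complete a callback that reaches another AS's endpoint, and a state cannot be replayed. The client base URI and the path layout are assumptions.

```python
import secrets
import time
from urllib.parse import quote


class ClaimsRedirectTracker:
    """Binds each claims-gathering request to exactly one AS (constructed example)."""

    def __init__(self, base_uri, ttl_seconds=300):
        self.base_uri = base_uri      # hypothetical client base, e.g. https://client.example
        self.ttl = ttl_seconds
        self.pending = {}             # state -> (as_issuer, redirect_uri, expires_at)

    def redirect_uri_for(self, as_issuer):
        # Unique per AS: the AS identity is baked into the path, so this URI is
        # registered with that AS only and can be compared on the way back.
        return f"{self.base_uri}/uma/claims/{quote(as_issuer, safe='')}"

    def begin(self, as_issuer):
        # Mint an unguessable, single-use state and remember which AS it is for.
        state = secrets.token_urlsafe(32)
        uri = self.redirect_uri_for(as_issuer)
        self.pending[state] = (as_issuer, uri, time.time() + self.ttl)
        return state, uri

    def finish(self, received_at_uri, state):
        # Returns the AS issuer this callback belongs to, or None if rejected.
        # pop() consumes the state even when the checks below fail (no retries).
        entry = self.pending.pop(state, None)
        if entry is None:
            return None                          # unknown, forged or replayed state (CSRF)
        as_issuer, expected_uri, expires_at = entry
        if time.time() > expires_at:
            return None                          # stale request
        if received_at_uri != expected_uri:
            return None                          # callback hit another AS's endpoint (mix-up)
        return as_issuer
```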
---------
From: WG-UMA [mailto:wg-uma-bounces@kantarainitiative.org] On Behalf Of Eve Maler
Sent: Tuesday, November 28, 2017 7:34 AM
To: wg-uma@kantarainitiative.org WG