Hi All,

I am in the middle of implementing the UMA 1.0 core specification for WSO2 Identity Server. I would be grateful if someone could clarify the below points.

  1. How do we relate the user consent types with each protected resource when validating in the Authorization API? By user consent type, what I mean is how the user would give his consent for access (policy, SMS, email, etc.). Do we need to sort of maintain a mapping somewhere during implementation?
  2. The spec says the on-the-wire RPT is an opaque string which resolves to an extended JWT. During implementation I am confused whether to maintain a mapping between a unique string and a JWT containing RPT details, or to encrypt the RPT (extended JWT) and send it to the client as the RPT string.
    What would be a good approach?



--
A.Farasath Ahamed
Undergraduate | Department of Computer Science and Engineering, University of Moratuwa
Article Writer | MoraSpirit
Mobile: +94 777 603 866