The RPT hasn't been entirely a "plain" OAuth access token in UMA1, which is
why I raised all the questions I did regarding UMA2. At least, I think
that's true, to the extent that introspecting it would give a very
customized answer.
Would you agree that's true? My questions in this thread were based on
trying to figure out what in our spec should/must/shouldn't change, based
on aligning more closely with OAuth current practice, and guessing that
whole bunches of stuff could be taken out.
Basically, in the case of bearer tokens, could we get rid of the whole
notion of an MTI UMA Bearer token profile, and possibly reference 6750, but
would we still have to say something about the format of an introspected
object (or locally validated token format) that contains explicit resource
sets with scopes, vs. just scope strings? And to Cigdem's point, is it
worth mentioning PoP tokens and therefore "porting" all of this to a PoP
world?
*Eve Maler* | Cell +1 425.345.6756 | Skype: xmlgrrl | Twitter: @xmlgrrl
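As an added illustration of the introspection-shape question raised in the message above (this is example code, not from the thread, the UMA specs, or any Kantara implementation): a small resource-server check that accepts an RFC 7662 introspection response in either shape, an object with explicit resource sets and their scopes, or a plain OAuth scope string, and shows why the two are not interchangeable. The field names `permissions`, `resource_set_id` and `scopes` are assumed here, modelled on the UMA1-style introspection object; the sample responses, resource set ids and the `Authorization` header are constructed. The RFC 6750 bearer-header parsing is included because the message also asks whether referencing 6750 could replace an UMA-specific bearer profile.

```python
import json
import time
from typing import Optional, Tuple

# Constructed RFC 7662-style introspection responses. Field names for the
# UMA-style permissions object are ASSUMED for illustration, not normative.
FAR_FUTURE = 4102444800  # constructed expiry (2100-01-01T00:00:00Z)

UMA_STYLE_RESPONSE = json.dumps({
    "active": True,
    "exp": FAR_FUTURE,
    "permissions": [
        {"resource_set_id": "photos-123",      # constructed resource set id
         "scopes": ["view", "comment"],
         "exp": FAR_FUTURE},
    ],
})

PLAIN_OAUTH_RESPONSE = json.dumps({
    "active": True,
    "exp": FAR_FUTURE,
    "scope": "view comment",   # plain scope string: no resource binding at all
})


def extract_bearer_token(authorization_header: Optional[str]) -> Optional[str]:
    """Parse an RFC 6750 'Authorization: Bearer <token>' header.

    Returns the token, or None when the header is absent, uses another
    scheme, or carries no credential. The scheme name is case-insensitive.
    """
    if not authorization_header:
        return None
    parts = authorization_header.split(None, 1)
    if len(parts) != 2 or parts[0].lower() != "bearer":
        return None
    token = parts[1].strip()
    return token or None


def authorize(introspection_json: str, resource_set_id: str, scope: str,
              now: Optional[int] = None) -> Tuple[bool, str]:
    """Decide whether an introspected token grants `scope` on `resource_set_id`.

    Returns (allowed, reason). With a permissions object the decision is bound
    to the named resource set; with a plain scope string it cannot be, which
    is the difference the thread is asking whether the spec must still describe.
    """
    now = int(time.time()) if now is None else now
    try:
        info = json.loads(introspection_json)
    except ValueError:
        return False, "malformed introspection response"
    if info.get("active") is not True:
        return False, "token inactive"
    exp = info.get("exp")
    if isinstance(exp, int) and exp <= now:
        return False, "token expired"

    permissions = info.get("permissions")
    if isinstance(permissions, list):
        # UMA-style: look for a live permission on exactly this resource set.
        for perm in permissions:
            if perm.get("resource_set_id") != resource_set_id:
                continue
            perm_exp = perm.get("exp")
            if isinstance(perm_exp, int) and perm_exp <= now:
                continue
            if scope in perm.get("scopes", []):
                return True, "granted by explicit permission on resource set"
        return False, "no live permission for this resource set and scope"

    # Plain OAuth: a space-delimited scope string, as in RFC 7662 "scope".
    granted = set(str(info.get("scope", "")).split())
    if scope in granted:
        return True, "granted by plain scope string (not bound to a resource set)"
    return False, "scope not granted"


if __name__ == "__main__":
    header = "Bearer rpt-example-token"   # constructed header value
    print("token:", extract_bearer_token(header))
    for label, body in (("uma", UMA_STYLE_RESPONSE), ("plain", PLAIN_OAUTH_RESPONSE)):
        print(label, "photos-123/view ->", authorize(body, "photos-123", "view"))
        print(label, "photos-999/view ->", authorize(body, "photos-999", "view"))
```

The last two lines of the demo show the point: the UMA-shaped object denies `view` on an unrelated resource set, while the plain scope string allows it on every resource set the resource server holds, so a resource server that receives only a scope string must bind scopes to resources by its own policy rather than by the token.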
On Tue, Oct 18, 2016 at 2:01 PM, Cigdem Sengul wrote:
Hello James,
I did only consider tokens indeed, instead of permission tickets. I am also not sure how that would work with the permission ticket.
For RPT and PAT OAuth2 tokens: I think bringing the option up may be useful. It is not a MUST of course.
I understand that the choice is left to the implementation which type of tokens to use etc.
--Cigdem
*From:* James Phillpotts
*Date:* Tuesday, 18 October 2016 at 13:32
*To:* Cigdem Sengul
*Cc:* "wg-uma@kantarainitiative.org WG"
*Subject:* Re: [WG-UMA] Section 7 - Security considerations - bearer tokens
Hi Cigdem,
Is that for the PCT? The RPT and PAT are OAuth 2 tokens, so would be separately covered by the specs for OAuth 2 PoP, so I wouldn't have thought we need to say much about that. Not sure how PoP would work with the permission ticket.
Cheers, James
On 18 October 2016 at 09:20, Cigdem Sengul wrote:
Hello,
Eve suggested that I start the discussion about this in the list.
Regarding the security concerns about the bearer tokens in the draft, I was curious whether it is worth mentioning Proof-of-Possession (PoP) tokens.
In addition, RFC 6750 recommendations may also be referred to in the draft.
Thanks,
--Cigdem
_______________________________________________ WG-UMA mailing list WG-UMA@kantarainitiative.org http://kantarainitiative.org/mailman/listinfo/wg-uma