The RPT hasn't been entirely a "plain" OAuth access token in UMA1, which is why I raised all the questions I did regarding UMA2. At least, I think that's true, to the extent that introspecting it would give a very customized answer.

Would you agree that's true? My questions in this thread were based on trying to figure out what in our spec should/must/shouldn't change, based on aligning more closely with OAuth current practice, and guessing that whole bunches of stuff could be taken out.

Basically, in the case of bearer tokens, could we get rid of the whole notion of an MTI UMA Bearer token profile, and possibly reference 6750, but would we still have to say something about the format of an introspected object (or locally validated token format) that contains explicit resource sets with scopes, vs. just scope strings? And to Cigdem's point, is it worth mentioning PoP tokens and therefore "porting" all of this to a PoP world?


Eve Maler
Cell +1 425.345.6756 | Skype: xmlgrrl | Twitter: @xmlgrrl
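To make concrete what the "introspected object that contains explicit resource sets with scopes, vs. just scope strings" distinction means for a resource server, here is an added example (not from the UMA spec, the WG draft, or any implementation mentioned in this thread). The field names follow UMA Core 1.0's RPT introspection response (a "permissions" array whose entries carry "resource_set_id", "scopes" and "exp") and RFC 7662's plain introspection response ("active", "scope", "exp"); the sample responses, the resource set identifiers and the `authorized()` helper are all constructed for illustration.

```python
"""Resource-server authorization check over an introspected token.

Constructed example: contrasts a UMA 1.0-style RPT introspection object,
which binds scopes to specific resource sets with their own expiry, against a
plain RFC 7662 introspection object, which carries only a space-delimited
scope string and no resource-set binding.  All sample data is made up.
"""
import time

NOW = 1476800000  # constructed fixed "now" (October 2016) so results are deterministic

# UMA 1.0-style RPT introspection: per-resource-set permissions (constructed)
UMA_RPT_INTROSPECTION = {
    "active": True,
    "exp": NOW + 3600,
    "permissions": [
        {"resource_set_id": "photos-album-1", "scopes": ["view"], "exp": NOW + 600},
        # this permission has already expired even though the token has not
        {"resource_set_id": "photos-album-2", "scopes": ["view", "edit"], "exp": NOW - 60},
    ],
}

# Plain OAuth 2 / RFC 7662 introspection: a scope string only (constructed)
PLAIN_OAUTH_INTROSPECTION = {
    "active": True,
    "exp": NOW + 3600,
    "scope": "view edit",
}

# Revoked or unknown token: the AS just says it is not active (constructed)
INACTIVE_INTROSPECTION = {"active": False}


def _fresh(obj, now):
    """True if obj has no "exp" or "exp" lies in the future."""
    exp = obj.get("exp")
    return exp is None or now < exp


def authorized(introspection, resource_set_id, required_scope, now=None):
    """Return True iff the introspected token grants required_scope on
    resource_set_id.  Anything missing, malformed or expired fails closed."""
    now = time.time() if now is None else now
    if not isinstance(introspection, dict) or introspection.get("active") is not True:
        return False
    if not _fresh(introspection, now):
        return False

    perms = introspection.get("permissions")
    if perms is not None:
        # UMA style: a scope only counts if it is attached to the resource set
        # being accessed, and that individual permission is still fresh.
        for perm in perms:
            if not isinstance(perm, dict):
                continue
            if perm.get("resource_set_id") != resource_set_id:
                continue
            if not _fresh(perm, now):
                continue
            if required_scope in perm.get("scopes", []):
                return True
        return False

    # Plain OAuth style: there is no resource-set binding in the token, so the
    # RS can only check the scope; which resource it applies to is the RS's
    # own decision, which is exactly the information the UMA format adds.
    scope = introspection.get("scope", "")
    if not isinstance(scope, str):
        return False
    return required_scope in scope.split()


if __name__ == "__main__":
    print(authorized(UMA_RPT_INTROSPECTION, "photos-album-1", "view", now=NOW))   # True
    print(authorized(UMA_RPT_INTROSPECTION, "photos-album-2", "view", now=NOW))   # False
    print(authorized(PLAIN_OAUTH_INTROSPECTION, "photos-album-1", "edit", now=NOW))  # True
```

The point of the second branch is that a plain scope string tells the resource server what the client may do but not to which resource set; with the UMA format the check is per resource set and per-permission expiry is honoured separately from the token's own expiry.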


On Tue, Oct 18, 2016 at 2:01 PM, Cigdem Sengul <Cigdem.Sengul@nominet.uk> wrote:

Hello James,

I did only consider tokens indeed, instead of permission tickets. I am also not sure how that would work with the permission ticket.

For RPT and PAT OAuth2 tokens: I think bringing the option up may be useful. It is not a MUST, of course. I understand that the choice is left to the implementation which type of tokens to use, etc.

--Cigdem

From: James Phillpotts <james.phillpotts@forgerock.com>
Date: Tuesday, 18 October 2016 at 13:32
To: Cigdem Sengul <Cigdem.Sengul@nominet.uk>
Cc: "wg-uma@kantarainitiative.org WG" <wg-uma@kantarainitiative.org>
Subject: Re: [WG-UMA] Section 7 - Security considerations - bearer tokens

Hi Cigdem,

Is that for the PCT? The RPT and PAT are OAuth 2 tokens, so would be separately covered by the specs for OAuth 2 PoP, so I wouldn't have thought we need to say much about that. Not sure how PoP would work with the permission ticket.

Cheers,
James

On 18 October 2016 at 09:20, Cigdem Sengul <Cigdem.Sengul@nominet.uk> wrote:

Hello,

Eve suggested that I start the discussion about this in the list.

Regarding the security concerns about the bearer tokens in the draft, I was curious whether it is worth mentioning Proof-of-Possession (PoP) tokens.

In addition, RFC 6750 recommendations may also be referred to in the draft.

Thanks,

--Cigdem


_______________________________________________
WG-UMA mailing list
WG-UMA@kantarainitiative.org
http://kantarainitiative.org/mailman/listinfo/wg-uma