Here's perhaps another way to come at the topic (which we touched on in our brief hallway convo).

The OAuth group, in designing its scope capability, struggled with how much formality to give to that capability. Ultimately, the group kept it extremely informal, so that there are no semantics at the spec level.

We in the UMA group have given some formality to scopes so far: They can optionally have description documents (or they can be just strings), and they must be attached to specific resource sets.

I listed three options below in the thread. What Justin has done in his implementation, as I understand it, is to leave the "class-to-instance" mapping implicit at the spec level -- effectively leaving it up to API documentation, exactly the way scope and protected-resource semantics are left to API documentation in OAuth now. So he's exercising "option #3", that is, doing nothing in the spec, while letting the set math flow unimpeded.

(Even if we choose to use this option, I still wonder if some nonnormative explanatory language would be valuable to explain the class-to-instance connection, particularly since UMA has a different approach to protected resources -- that is, they're named and RO-specific compared to OAuth.)

(Another thought: Would it be friendlier if we were to use the name "protected resource" vs. "resource set"? I trip up on "resource set" all the time.)

Though Justin indicated he may not be awake at the appointed BOF hour (I admit I will struggle with it myself!), it feels like this thread is on its way to giving us a better and better basis for discussion and decision-making, tomorrow and in subsequent WG calls.


Eve Maler
Cell +1 425.345.6756 | Skype: xmlgrrl | Twitter: @xmlgrrl


On Wed, Jun 8, 2016 at 2:36 PM, Justin Richer <jricher@mit.edu> wrote:
From a hallway conversation with Eve just now:

I believe that the resource set is subordinate to the API that defines the resources, and that the scopes are subordinate to the API. I think it’s a transient property that scopes are defined with the resource set in UMA, since a resource set is really an instantiation of an API. 

UMA doesn’t have a formal class/instance model to reflect this, and I would argue that it doesn’t need one in order to function. Eve (I believe) thinks there could be value in defining that.

Fundamentally, this is why I believe the RS should be allowed to register scopes with the resource set, the RS should be allowed to associate scopes with the ticket, and the client should be allowed to request scopes with the token request. Ergo, we need a way to combine all of these deterministically for a secure, interoperable, and importantly predictable protocol.

 — Justin

On Jun 8, 2016, at 1:00 PM, Eve Maler <eve@xmlgrrl.com> wrote:

Still no WG call tomorrow, but it's been suggested to have a BOF -- so for those of us here at CIS, let's plan to meet at 7:30am over breakfast.

We could take the opportunity to discuss an item that's coming up in a few conversations: While scopes in OAuth are universal to their protected resources, scopes in UMA are bound to a particular RO context.

Thus, in the flow being proposed where clients make scope requests by clients, are the clients:
  • Making a simplifying assumption about scopes being attached to generic "protected resource classes" (?) of some kind, where specific ROs are bound to instances of these classes later to get RSIDs?
  • Aware of RSIDs somehow in order to ask for scopes?
  • Doing something else entirely?
The way APIs are generally designed, the first option seems the most likely/reasonable/privacy-protecting. If that's the case, what other design considerations would there (have to) be for scope sets? E.g., our notes from last week had this list in it:

  1. The universe of scopes the RS has registered for the resource set
  2. The scopes the client has registered for at the AS (if it has done this at all)
  3. What the RO has attached to the policy for the resource set
  4. What the RS requests for at the permission endpoint (in order to get a ticket)
  5. The scopes the client requests at the token endpoint
There would need to be some insertions and questions answered for at least #1, #2, and #5.

Eve Maler
Cell +1 425.345.6756 | Skype: xmlgrrl | Twitter: @xmlgrrl

_______________________________________________
WG-UMA mailing list
WG-UMA@kantarainitiative.org
http://kantarainitiative.org/mailman/listinfo/wg-uma