Hi all,
 
During the implementation of the standard, I came across several points I think needs to be cleared (at least to me, and I hope the reason is not my stupidity). I know the public comment period ends tomorrow, so I rather use this method of communication, so as, if there is something useful in the list, it is not missed.
 
I wrote some of these remarks down during reading of the older versions, and now I tried to look whether it has already been changed, so excuse me, if I miss something, that was already added.
 
https://docs.kantarainitiative.org/uma/wg/oauth-uma-federated-authz-2.0-05.html:
 
  1. 5.1.1: For exp, the behavior for absent value is defined. iat and nbf are missing definition for this state. Although it is quite intuitive (“if absent, the token-level value takes precedence”), might be worth include it to prevent possible misunderstandings.
 
https://docs.kantarainitiative.org/uma/wg/oauth-uma-grant-2.0-05.html:
 
  1. 3.3: “The client has obtained OAuth client credentials from the authorization server, …, and is prepared to authenticate itself to the token endpoint if appropriate.”
    RFC6749 – 3.2.1: “Confidential clients or other clients issued client credentials MUST authenticate with the authorization server as described in Section 2.3 when making requests to the token endpoint.”
    Doesn’t this mean, that in UMA, the client requesting at the token EP MUST always authenticate? The formulation from uma_grant 3.3 may lead to a conclusion there exists a situation in which it is not necessary to authenticate.
  2. 3.3.2: If AS supports RFC7591, it MUST allow clients to register claims_redirect_uri (as mentioned in 2.), but it is not defined, how this parameter looks like (array?, space separated?)
    Shouldn’t it be better to have “claims_redirect_uris”? (RFC7591 defines redirect_uris also in plural).
    In RFC6749, redirection URI (which is similar from the security point of view to the claims redir URI) SHOULD require the use of TLS and MUST be registered for public clients. In addition, an incomplete redirection URI is enabled, and some other features. Wouldn’t it be beneficial to define claims redirection URI with reference to the definition of redirection URI?
  3. 3.3.3: I personally would extend the first sentence to “ … of the claims redirection URI resolved according to the algorithm described in previous section using the …”. Otherwise, any preregistered claims redirection URI might be used (I know you would need to be an evil implementer to do this, but hey, who isn’t a bit?).
  4. 3.3.3: The example response from AS is actually a request.
  5. 3.3.4: This whole section makes the permission concept unclear to me. I suppose, that a request for RPT can contain multiple tuples (resource, scopes), where the scopes for each resource may be different. Section 3.3.4 puts an impression on me, that all these scopes sets are actually identical. Namely: “Let a set called PermissionTicket stand for the scopes associated with the permission ticket” does not distinguish between all the permissions that can be bound to the permission ticket. The example does not help in this either, as it concerns only a single resource.
    I’d suggest to add something like: “This authorization assessment holds for any permission bound to the permission ticket received by the AS.” Subsequently, it needs to be made clear, what happens if CandidateGrantedScopes < RequestedScopes for not all of the requested permissions.
  6. 3.3.5: Described in https://github.com/KantaraInitiative/wg-uma/issues/332
  7. 5.6: Permission ticket is similar in use to authorization code in OAuth (both are single use, may be transferred over plain HTTP), but the latter is influenced by additional security measure – if the same code is observed twice by AS, it should attempt to revoke all access tokens issued based on that code. Shouldn’t this be considered also for the permission ticket and relevant RPTs?
 
I hope, it was not a loss of time for you to read through these lines.
 
Kind regards,
Ondrej
 
Atos IT Solutions and Services, s.r.o. - CEO: Martin Sùra - registered in the Commercial Register of the Municipal Court in Prague, Sec. C, File 8954, Registered office: Doudlebská 1699/5, 140 00 Prague 4, Czech Republic, IÈ: 44851391, DIÈ: CZ44851391, Bank connection: UniCredit Bank Czech Republic a.s., Na Pøíkopì 858/20, 113 80 Praha 1, Acc. Nr. CZK: 1001885001/2700, IBAN CZK - CZ4627000000001001885001; Acc. Nr. EUR: 1001885095/2700, IBAN EUR - CZ3027000000001001885095
Tato zpráva má pouze informativní charakter, který vychází z podkladù, které byly odesílateli pøedány, nebo zaslány. Obsah této zprávy odesílatele nezavazuje, pokud to v ní není výslovnì uvedeno a odesílatel nemá v úmyslu na základì této zprávy uzavøít smlouvu, pøijmout nabídku, potvrdit uzavøení smlouvy ani nezakládá pøedsmluvní odpovìdnost jejího odesílatele, ledaže je odesílatelem ve zprávì uvedeno výslovnì jinak.Tato zpráva je urèena pouze pro osobní a dùvìrné užití osobou (osobami) uvedenou (uvedenými) výše. Nejste-li osobou, které je tato zpráva urèena, upozoròujeme Vás, že jakékoli šíøení, distribuce èi kopírování této zprávy je zakázáno. Jestliže tuto zprávu omylem obdržíte, prosíme, oznamte tuto skuteènost odesílateli a vymažte ji ze svého systému.
The sole purpose of this message is to provide information based on materials that were given or sent to the sender. The content of the message does not place its sender under any obligation, unless expressly stated otherwise, and the sender has no intention to conclude a contract, accept an offer or confirm the conclusion of a contract on the basis of this message nor shall the message give rise to pre-contractual liability of the sender, unless it expressly states otherwise. The message is only intended for private, confidential use by a person (persons) mentioned above. If you are not the intended recipient of this message, you are hereby notified that any dissemination, distribution or copying thereof is prohibited. If you have received the message in error, please, inform the sender of the fact and delete it from your system.