Is there a
good reason for not making the response header a MUST in
this case? "If the resource server knows where to send you
(which is assumed from the text that we just added so go
read that first), then it MUST tell the client where to
go."
I don't see a good reason for making it be a SHOULD. If it
doesn't respond with the header, then the RS isn't doing
UMA. If it is doing UMA, and it doesn't respond with the
header, what does that even mean?
Yes, that’s the kind of “parallel”
optionality I was thinking of.
James mentioned an interesting observation
on the call. Note that the spec says “It SHOULD
respond with the HTTP 403 (Forbidden) status code,
providing…” It doesn’t actually say MUST. Our intent
with the SHOULD was to reinforce that 403 was
preferred, but not to mandate it because all server
responses are actually optional per the Sec 3 intro.
If it would thus not technically be
stretching, we could perhaps craft something closer to
our eventual intention, like this:
“In its response, the resource server
SHOULD provide the authorization server's URI in an
"as_uri" property in a WWW-Authenticate header with
the authentication scheme “UMA", and the just-received
permission ticket in a “ticket" property. If the
resource server does not provide this header, the
client has no way to know how to continue seeking
access to the protected resource to which it just
attempted access. For an HTTP 403 response, the RS MAY
also respond with the ticket in the body in a
JSON-encoded "ticket" property."
A ticket property wasn’t mandated before
(didn’t exist) and it’s not strictly
mandated now (SHOULD), but it’s recommended, and we
expect everybody to do it routinely if they’re
responding at all. A ticket body wasn’t mandated
before (SHOULD) and it’s not now (MAY), but its use
will fall away because it’s redundant and inconvenient
for non-JSON APIs. If it’s awkward to mention the body
part at all, could we even drop it, since it was never
strictly required? If we went this
route, should we explain what the heck is up — in the
spec and/or in the UIG?
If it would be too ethically close to a
breaking change, but we’re certain of our eventual
intention, we could signal our later intent with a MAY
phrase like yours instead of the “undefined but go
look at the UIG” phrase that’s in there now.
Yours in pretzel logic,
Eve