On Wed, Jun 7, 2017 at 12:21 PM, Justin Richer <jricher@mit.edu> wrote:

That is not correct. You can have a public client in UMA 2.0, and in fact you inherit all of the various OAuth client types and authentication methods since you’re talking directly to the token endpoint to get the RPT instead of a special thing. But remember, you needed to talk to the AS to get an AAT previously anyway, so you’ve already needed to have those bits in place in your client.

Really, do whatever you’d have done previously to get the AAT (which required an OAuth transaction with the token endpoint) and use it with the token endpoint to get the RPT now. So you always needed a client ID before anyway, that’s not new, and now you can use your secret or key or nothing just like you used to, but in a different part of the process.

Yes, use the AAT with the token endpoint is what I have in mind. If that is fine and still in sync with the spec for me is fine. But, is there anything in spec about public clients ?

Is it recommended that you use a confidential client where possible? Definitely, as the increased security is well worth the minimal effort that’s usually required. There are a lot of cases where it doesn’t make sense though, like a browser or native app that’s not using dynamic registration. In any event, this is all now directly inherited from OAuth instead of being reinvented from OAuth, as it was in 1.0.

That is exactly one of the use cases we need to support.

— Justin

On Jun 7, 2017, at 10:58 AM, Pedro Igor Silva <psilva@redhat.com> wrote:

Hello,

It has been a long time since my last message to this group. Since then we have implemented quite a few things in Keycloak [1] in order to support fine-grained permissions and UMA 1.0.

We are not full compliant yet and some pieces are still missing in our implementation. But we already have the backbone to start implementing now the rest of the spec.

One of my main tasks is now update our implementation to UMA 2.0 and it seems that one of the main changes is related with the removal of AAT in favor of a specific grant type for UMA.

In UMA 1.0 clients were not really forced to authenticate using client credentials when interacting with the RPT endpoint (Authorization API), but just use a AAT as a bearer token. Now, with UMA 2.0, it seems that clients really need to be confidential and use its credentials (e.g.: id/secret or jwt) to authenticate with the token endpoint when using UMA Grant.

Is that correct ?

[1] https://keycloak.gitbooks.io/documentation/authorization_services/index.html

Thanks.
Pedro Igor
_______________________________________________
WG-UMA mailing list
WG-UMA@kantarainitiative.org
http://kantarainitiative.org/mailman/listinfo/wg-uma