UMA WG,

We are proposing "scope expressions" as a way to enable the RS to express complex scope requirements. The serialization format for scope expressions we've tested is JSONLogic: http://jsonlogic.com

---------------------
RESOURCE REGISTRATION
---------------------

If the scope_expression claim is present, resource_scopes should be blank: scope_expression and resource_scopes are mutually exclusive. For example:

  {
    "resource_scopes": [],
    "description": "Collection of digital photographs",
    "icon_uri": "http://www.example.com/icons/flower.png",
    "name": "Photo Album",
    "type": "http://www.example.com/rsrcs/photoalbum",
    "scope_expression": {
      "rule": {
        "and": [
          { "or": [ {"var": 0}, {"var": 1} ] },
          {"var": 2}
        ]
      },
      "data": [
        "http://photoz.example.com/dev/actions/all",
        "http://photoz.example.com/dev/actions/add",
        "http://photoz.example.com/dev/actions/internalClient"
      ]
    }
  }

-------------------
Ticket registration
-------------------

The RS registers tickets with all scopes mentioned in "data" (we need all of the scopes in order to evaluate the expression). If scopes are missing, it should fail. For example, three scopes are required in the example above; if only two are sent, this would be an error.

  {
    "resource_id": "112210f47de98100",
    "resource_scopes": [
      "http://photoz.example.com/dev/actions/all",
      "http://photoz.example.com/dev/actions/add",
      "http://photoz.example.com/dev/actions/internalClient"
    ]
  }

----------
Evaluation
----------

The UMA AS should iterate over each scope and decide whether it has enough claims for it. If not, it should return the need_info error. The RPT would not return the scope expression, but the granted scopes as normal.

  {
    "active": true,
    "exp": 1256953732,
    "iat": 1256912345,
    "permissions": [
      {
        "resource_id": "112210f47de98100",
        "resource_scopes": [
          "http://photoz.example.com/dev/actions/add",
          "http://photoz.example.com/dev/actions/internalClient"
        ],
        "exp": 1256953732
      }
    ]
  }
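As an added worked example (not part of the proposal above, and not from any UMA implementation), here is a minimal Python model of the three steps: the mutual-exclusion check at registration, the completeness check at ticket registration, and the AS-side evaluation of the JSONLogic rule. It assumes the rule uses only the and/or/var operators seen above, and it reduces the AS's per-scope claims decision to a set of scopes the AS has already decided to grant.

```python
import json

# Constructed sample: the resource registration from the proposal above.
REGISTRATION = json.loads("""{
  "resource_scopes": [],
  "scope_expression": {
    "rule": {"and": [{"or": [{"var": 0}, {"var": 1}]}, {"var": 2}]},
    "data": ["http://photoz.example.com/dev/actions/all",
             "http://photoz.example.com/dev/actions/add",
             "http://photoz.example.com/dev/actions/internalClient"]
  }
}""")


def registration_is_valid(reg):
    """resource_scopes and scope_expression are mutually exclusive."""
    return not (reg.get("resource_scopes") and "scope_expression" in reg)


def missing_ticket_scopes(reg, ticket_scopes):
    """Scopes named in 'data' that the ticket registration failed to send.
    A non-empty result means the ticket registration must be rejected."""
    required = reg["scope_expression"]["data"]
    return [s for s in required if s not in set(ticket_scopes)]


def evaluate(rule, data, granted):
    """Minimal JSONLogic evaluator for and/or/var (assumed subset).
    'var' indexes into data; a scope evaluates to True when the AS has
    already decided the requesting party holds enough claims for it."""
    (op, args), = rule.items()
    if op == "var":
        return data[args] in granted
    vals = [evaluate(a, data, granted) for a in args]
    if op == "and":
        return all(vals)
    if op == "or":
        return any(vals)
    raise ValueError("unsupported operator: " + op)


def rpt_scopes(reg, granted):
    """Scopes to place in the RPT permission, or None when the AS must
    answer need_info because the expression is not satisfied."""
    expr = reg["scope_expression"]
    if not evaluate(expr["rule"], expr["data"], granted):
        return None
    # The RPT carries granted scopes only, never the expression itself.
    return [s for s in expr["data"] if s in granted]
```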