Hi all,

I'm still concerned that we're not going far enough with our solution to this issue, and to a lesser degree, issue 350 ("No error defined for policy evaluation failed" and "Which error code to return when candidate granted scopes is less than requested scopes").

My concern is that policy evaluation is a crucial underpinning of UMA, and to not cater for a "Deny" response is a major flaw for being able to communicate the result of those policy evaluations.

For reference, consider XACML's definition of a policy Decision: http://docs.oasis-open.org/xacml/3.0/xacml-3.0-core-spec-os-en.html#_Toc325047158 - we cater for "Permit" (return token), "Indeterminate" (need_info), and "NotApplicable" (request_submitted), but not "Deny".

Even if we (rightly) don't want to dictate how an AS comes to making its policy decision, we need to be able to support all the possible outcomes of a policy evaluation, just like XACML does, and Deny is an important decision to be able to express. Dressing it up as one of the other decisions is not appropriate.

I'd like to see the reinstatement of the "not_authorized" error code that used to exist in earlier drafts of UMA2 to this end (see https://docs.kantarainitiative.org/uma/wg/uma-core-2.0-20.html#authorization-failure).

Cheers

James