
UMA-tarians,

Can we discuss two ideas for enhancements:

1) UMA sans permission ticket

Let's say the UMA Client knows the scopes required to call a certain API. For example, Google documents this: http://gluu.co/google-scopes

In this case, perhaps the client can proactively request an RPT providing the scopes. And this RPT might be acceptable to a certain RS for certain resource sets. We might have already discussed this, but wouldn't this make UMA more compatible with existing API access management infrastructures?

2) UMA without the AAT

Inspired by Justin. I think the AAT adds value in many cases where the AS wants to make policies based on client claims (client id, domain specific category, etc). So I'm not saying eliminate the AAT. However, if the policy for access is based on network address only, or perhaps some other fraud detection technique that doesn't involve client identification, I could see a case where the AAT is not needed. So maybe the AAT could be optional?

- Mike

-------------------------------------
Michael Schwartz
Gluu
Founder / CEO
mike@gluu.org