So here is my attempt at a simple example:
scopes registered by myPhotos at AS registration time
ClientReg = (view, download, print)
ClientRegisteredDefaults = (view)
[Note, I don't believe the OAuth2 dynamic client registration allows for registering defaults, but I'm including it because it's part of this thread.]
RSReg = (view, share, download, print)
[resource set id = 1234]
Alice defines policy for the registered scopes for her landscape photos
view = promise not to steal
share = promise not to steal
download = family members only
print = NOT ALLOWED
ROPolicy = (view, share, download)
Bob's myPhotos app attempts to access photos.example.com/photos/alice/landscape and receives back a permission ticket that identifies scopes (view, share). The app presents the permission ticket to the token endpoint along with scopes (print, resale).
RSTicket = (view, share)
ClientReq = (print, resale)
[I'm going to ignore the PrevRPT because I think it has some issues unless defined in a very particular way.]
So, now that all the sets are defined we can apply the set math:
Requested = union(intersection(ClientReq,ClientReg), RSTicket, ClientRegisteredDefaults)
Requested = union(intersection((print,resale),(view,download,print)),(view,share),(view))
Requested = (view,share,print)
Evaluating the policy defined for the registered resource set id:1234, Alice has prohibited the use of the print scope. So the ROPolicy is limited to (view,share,download).
To determine which claims Bob must meet, we have to determine which scopes are in play for resource set id:1234
Scopes = intersection(Requested, ROPolicy)
Scopes = intersection((view,share,print),(view,share,download))
Scopes = (view,share)
Bob meets the necessary claims for scopes (view,share) as defined by Alice's policy for the 'view' and 'share' scopes on her landscape photos. Bob's myPhotos app is granted an RPT that allows for (view,share) for resource set id:1234
RPTResult = RSID_1234(view,share)
Please check the math! :)
To try and simplify the steps, for each /token call with uma grant:
- Determine the set of requested scopes
  - Requested = union(intersection(ClientReq,ClientReg), RSTicket, ClientRegisteredDefaults)
- Determine the set of scopes allowed by the Resource Owner
  - Evaluate the policy for the identified resource set(s) and determine if any of the registered scopes are not allowed
  - ROPolicy = list of scopes allowed by RO
- Determine the set of scopes for which RqP must meet claims in order to receive an RPT
  - Scopes = intersection(Requested,ROPolicy)
- Determine the set of claims necessary for Scopes as they pertain to the specified resource set(s)
  - Claims = union(resource_set_claims(rsid,scopes))
- Request RqP to meet Claims
- Assuming RqP meets Claims, issue RPT
Thanks,
George
P.S. Note that I think in step 3 we really want two sets of scopes. RequiredScopes and AdditionalScopes as it's possible for the RqP to meet the claims of the scopes in the RSTicket but not the possible additional scopes. This would look like...
RequiredScopes = intersection(RSTicket,ROPolicy)
AdditionalScopes = intersection(difference(Requested,RSTicket),ROPolicy)
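To make the set math in George's example checkable, here is a small Python model of the /token steps for resource set 1234. This is an added example, not code from the thread or from any UMA implementation; ALICE_POLICY_1234 (with "promise_not_to_steal" and "family_member" as stand-in claim labels) and the issuance rule in issue_rpt, which applies the P.S.'s RequiredScopes/AdditionalScopes split, are my assumptions.

```python
# Alice's policy for resource set 1234, constructed from the example in the message:
# scope -> claims the requesting party must meet, or NOT_ALLOWED when prohibited.
NOT_ALLOWED = None
ALICE_POLICY_1234 = {"view": {"promise_not_to_steal"}, "share": {"promise_not_to_steal"},
                     "download": {"family_member"}, "print": NOT_ALLOWED}
CLIENT_REG = {"view", "download", "print"}  # ClientReg
CLIENT_DEFAULTS = {"view"}                  # ClientRegisteredDefaults
RS_TICKET = {"view", "share"}               # RSTicket
CLIENT_REQ = {"print", "resale"}            # ClientReq

def ro_policy(policy):
    """ROPolicy: the registered scopes the resource owner has not prohibited."""
    return {s for s, claims in policy.items() if claims is not NOT_ALLOWED}

def requested_scopes(client_req, client_reg, rs_ticket, client_defaults):
    """Requested = union(intersection(ClientReq, ClientReg), RSTicket, ClientRegisteredDefaults).
    Intersecting with ClientReg drops scopes the client never registered (e.g. 'resale')."""
    return (client_req & client_reg) | rs_ticket | client_defaults

def split_scopes(requested, rs_ticket, allowed):
    """RequiredScopes = intersection(RSTicket, ROPolicy);
    AdditionalScopes = intersection(difference(Requested, RSTicket), ROPolicy).
    Intersecting with ROPolicy drops scopes Alice prohibited (e.g. 'print')."""
    return rs_ticket & allowed, (requested - rs_ticket) & allowed

def required_claims(policy, scopes):
    """Claims = union(resource_set_claims(rsid, scopes)) for a single resource set."""
    return set().union(*(policy[s] for s in scopes))

def issue_rpt(policy, required, additional, presented):
    """No RPT unless every claim for RequiredScopes is met; an AdditionalScope is
    added only when its own claims are met too. Returns None when no RPT is issued."""
    if not required_claims(policy, required) <= presented:
        return None
    return required | {s for s in additional if policy[s] <= presented}

def run_example(client_req=CLIENT_REQ, presented=frozenset({"promise_not_to_steal"})):
    """Walk the /token steps for resource set 1234 and return each intermediate set."""
    allowed = ro_policy(ALICE_POLICY_1234)
    requested = requested_scopes(client_req, CLIENT_REG, RS_TICKET, CLIENT_DEFAULTS)
    required, additional = split_scopes(requested, RS_TICKET, allowed)
    return {"ROPolicy": allowed, "Requested": requested, "Scopes": requested & allowed,
            "RequiredScopes": required, "AdditionalScopes": additional,
            "Claims": required_claims(ALICE_POLICY_1234, required | additional),
            "RPT": issue_rpt(ALICE_POLICY_1234, required, additional, presented)}
```

Calling run_example() with the message's inputs reproduces Requested = (view,share,print), Scopes = (view,share) and an RPT for (view,share); passing client_req={"download"} shows the P.S. case, where the RPT still covers (view,share) unless the family_member claim is also presented.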
I have to admit you guys have now gone beyond my ability to follow. :-) If someone could summarize in English pseudo-spec language, and a simple example, I would be very very grateful. I would like any discussion of this tomorrow to be efficient, because there's lots of other stuff to discuss too.