(For those not familiar, "DAC" is Discretionary Access Control and "MAC" is Mandatory Access Control. We're using those terms somewhat loosely, but you get the idea. Here are some discussions:
DAC MAC)
This is some great, careful parsing of the language, and brings us firmly into the BLT challenge -- whether on the federated authorization or the individual consent/delegation side of the world.
You're right that the Delegate-Protection clause, as currently stated, is very "all or nothing", and doesn't match the more careful and new circumscribing in the Respect Permissions clause. (The latter's name, btw, is still old; it comes from when the text was still itself all or nothing. Depending on which way we go, maybe we should rename it.)
In V1.0.1
Core Sec 3.3.3, as already noted, we clarified that the RS always has the right to refuse access, the way an RP does. But we had been assuming that if the UMA flow is being used, then Alice's word goes when it comes to denial of access; you can see it in this wording in the same section:
"The resource server MUST NOT give access in the case of an invalid RPT or an RPT associated with insufficient authorization."
This has been in the text for a long time. The equivalent in V1.0 (
Core Sec 3.1.2) was "The resource server MUST NOT give access where the token's status is not associated with sufficient authorization data for the attempted scope of access." The thinking has been that if the RS is consulting the AS at all, then the process has to count for something. There are plenty of ways for the RS not to consult the AS and do what it wants -- and that's where MAC can come in.
But I can think of at least a couple of sticky wickets here.
- An RS can perform any "local" authorization procedures it wants, before and/or after doing the UMA dance, i.e., getting a token from the client, introspecting it, etc. Are we saying that the moment an RS, say, accepts the client's token -- or introspects it (what's the relevant state change?) -- it's suddenly impossible to grant access if the associated authorization data said no? The state change we pick will strongly affect what optimizations RS's will pick.
- If UMA ultimately gets commonly used for MAC-ish use cases separately from DAC-ish use cases -- iow, it's used in separate circumstances possibly by different IT stakeholders for both ordinary "do what Alice says" stuff and "override her wishes" stuff -- then what the heck is the interaction between not consulting Alice's AS but going off and consulting the enterprise's AS at some point??