Here was my observation. RAR manages to convey, in a just-in-time/one-time way (vs. registering ahead of time in an RO context), a lot of fine-grained authorization details. Some resemble what we do or have done in the past.

For example, it has individual resource “locations” à la our individual resources per RS that get an RO-specific resource ID. (We dropped our location uri parameter after V1.)

Its individual resources are able to have scopes associated differentially, the way we’ve been able to do for a long time.

Its main purpose is the one-time fine-grainedness (which we don’t do, but I’ve seen proposals for from time to time), but some of these other ideas seem sensible since, after all, we do something like them. Our version is more complicated. Is this a case of potential broader adoption of design ideas we could eventually “adopt back”, or of feedback we should provide on why the design needs more thought, or a mix, or...?

Eve Maler (sent from my iPad) | cell +1 425 345 6756

On Nov 7, 2019, at 2:43 AM, Andrew Hindle <andrew@hindleconsulting.com> wrote:


I hadn't looked at RAR until your email just now prompted me to do so.
RAR does seem like a sensible extension to the existing OAuth protocol. I'm not sure, however, that it overlaps much (in terms of intention, at least) with UMA: the core OAuth assumption that the client is acting on behalf of the resource owner, and that the resource owner and the requesting party are the same individual, remains true.
It might, however, be the case that UMA flows could benefit from the additional information in a RAR-type request when deciding (for example) whether to issue an RPT.

--&e


On Wed, 6 Nov 2019 at 19:38, Eve Maler <eve@xmlgrrl.com> wrote:
When we come back, I'd like to take a look at the current state of transactional and XYZ specs and see if we can puzzle out equivalent flows for what we can already accomplish. I'm particularly interested to see how RAR stacks up. Has anyone gotten experience with it yet?


Eve Maler
Cell or Signal +1 425.345.6756 | Skype: xmlgrrl | Twitter: @xmlgrrl

_______________________________________________
WG-UMA mailing list
WG-UMA@kantarainitiative.org
https://kantarainitiative.org/mailman/listinfo/wg-uma


--
Andrew Hindle; CIPM, CIPP/E
Hindle Consulting Limited
+44 7966 136543


Hindle Consulting Limited is a company registered in England and Wales.  Company number: 8888564.
Registered office: Claremont House, 1 Market Square, Bicester, Oxfordshire OX26 6AA, UK.