Yes, that wording is pretty old; we’d have to modernize it if we’re interested in it. Basing it on the wording we have now, it could be something like:
"If the client's request at the protected resource has a valid RPT associated with sufficient authorization data as determined through RPT status checking (see Section 3.6), then assuming the resource server chooses to respond to the client, it SHOULD provide access to the desired resource. Reasons for not providing access include, for example, a need to apply additional application-specific security checks.”
Since a SHOULD should always be accompanied by a rationale for not following the SHOULD, giving this example seems apt. (And since it’s security-related, it sort of harks back to the statement in the intro that “The recipient of each request message SHOULD respond unless it detects a security concern…”.)
Also note that since the RS is in total control of when it starts using the UMA header in responses, it could apply "application-specific security checks” before starting the UMA dance and we’d be none the wiser.
Eve
p.s. I believe that this entire idea falls into the same category of patch-release logic as the rest of the #163/#163/#168 discussion. :-)
Eve,
I would also clarify what a "valid access token" means. Bear in mind that a token can be valid but may not have the necessary permissions for this resource, right?
Cheers,
Maciej
Eve Maler | cell +1 425.345.6756 | Skype: xmlgrrl | Twitter: @xmlgrrl | Calendar: xmlgrrl@gmail.com