Hi Mike-- We do have an open issue for the latter, and I think one of our open issues (maybe even the same one) might have a suggested flow that encompasses the former. I know Justin is keen to explore his proposed flow along AAT-less lines, and you and JamesP were going back and forth on a somewhat related topic recently as well.

If we can get the Business/Legal work on a firm footing by the end of the year, and establish the status of our budget proposals (note that if we get the budget, these will need requirements work and oversight on our part), then we can start to entertain "next-gen" Technical efforts at the right point in 2016. Sounds like "kick off roadmap and charter refresh discussions" should be on the agenda I'm working on right now...

Eve Maler
Cell +1 425.345.6756 | Skype: xmlgrrl | Twitter: @xmlgrrl

On Wed, Dec 9, 2015 at 12:36 PM, Mike Schwartz <mike@gluu.org> wrote:

UMA-tarians,

Can we discuss two ideas for enhancements:

1) UMA sans permission ticket

Let's say the UMA Client knows the scopes required to call a certain API. For example, Google documents this: http://gluu.co/google-scopes

In this case, perhaps the client can proactively request an RPT providing the scopes. And this RPT might be acceptable to a certain RS for certain resource sets.

We might have already discussed this, but wouldn't this make UMA more compatible with existing API access management infrastructures?

2) UMA without the AAT

Inspired by Justin. I think the AAT adds value in many cases where the AS wants to make policies based on client claims (client id, domain specific category, etc). So I'm not saying eliminate the AAT. However, if the policy for access is based on network address only, or perhaps some other fraud detection technique that doesn't involve client identification, I could see a case where the AAT is not needed. So maybe the AAT could be optional?

- Mike



-------------------------------------
Michael Schwartz
Gluu
Founder / CEO
mike@gluu.org
_______________________________________________
WG-UMA mailing list
WG-UMA@kantarainitiative.org
http://kantarainitiative.org/mailman/listinfo/wg-uma