Right. This is analogous to any claims client/RP having to handle attributes needed to make access decisions. To date, we have said the following things about it:
- UMA Core Privacy Considerations, Sec 8.2 (rev 09; there is similar wording about the AAT in UMA1): "The primary privacy duty of UMA's design is to the resource owner. However, privacy considerations affect the requesting party as well. This can be seen in the optional issuance of a PCT, which enables an opportunity to optimize an access-seeking flow for a requesting party through persisting a set of collected claims across authorization processes, and can involve a requesting party's authorization for this persistence. Claims are likely to contain personally identifiable and possibly very sensitive information, and much like identity attributes exchanged during single sign-on, the process of claim pushing in particular will tend to be invisible to an end-user requesting party if they have not consciously authorized the possibility. A requesting party who provides claims to an authorization server once redirected there is less susceptible to privacy-destroying behavior."
- Binding Obligations Authorization Server Operator-Requesting Party: Request-Limited-Claims Sec 2.4.3 (our fledgling model text has something similar but our whole UMA Legal set of tools isn't baked yet, so don't take this as gospel): "When the Authorization Server issues an AAT to a Client and as long as the AAT is valid, the Authorization Server Operator gains an obligation to the Requesting Party to request only claims that support the purpose of satisfying an Authorizing Party's policy."
Given that any service interacting in a SAML-ish, OIDC-ish, claims-client-ish way also has the same problem for the same reason, can we learn anything from looking those other places for guidance?