Hi Eve,
Thanks for updating that page.
In our last discussion, the one that originated #355, you mentioned the "Adrian Clause". This is exactly what we are trying to achieve with this extension to the permission endpoint: even if an RPT provides sufficient permissions for a particular case, the resource server can choose to bar access based on its own criteria, where the criteria can be based on information from runtime or some external service. I think this also allows the RS to provide some "claims gathering" flow on its side, prior to issuing a permission ticket. It should also allow the AS to present to the resource owner more details on what he is approving.
As I mentioned before, people are usually interested in security and not privacy, so most of the use cases don't have "user-managed" resources. A vision that I think will change considering all the concerns around privacy we are facing.
The issue #355 is mainly related to finding a UMA-compliant solution that could help people looking for security: cases where you don't necessarily need a permission ticket, but a smart PEP (in front of the RS) that is capable of interacting with the AS to obtain permissions/decisions. For instance, our implementation allows using the UMA grant type without a ticket to pass the names/ids of resources and scopes you want to check for access. I'm not proud of using the UMA grant type for that, maybe a different grant type would be best, but we decided that a single grant type would make things easier for users.
Regards.
Pedro Igor
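The two ideas in the message above, a resource server that may still bar access even when the RPT is sufficient, and a ticket-less request that names the resources and scopes to check, as an added illustration that is not part of this thread and not any product's code. The `Permission`/`RPT` data model, the `local_policy` hook, the placeholder ticket value, and the `permission=resource#scope1,scope2` form field are all assumptions made for the example; only the `urn:ietf:params:oauth:grant-type:uma-ticket` grant type URN is the standard UMA 2.0 value.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional
from urllib.parse import urlencode


# Constructed data model for an RPT: the AS-issued token carrying permissions
# (resource id + granted scopes). In UMA the RPT is usually a JWT or an opaque
# token resolved via introspection; here it is already decoded into Python.
@dataclass
class Permission:
    resource_id: str
    scopes: List[str]


@dataclass
class RPT:
    subject: str
    permissions: List[Permission]


def rpt_grants(rpt: Optional[RPT], resource_id: str, scope: str) -> bool:
    """True if the RPT carries a permission for resource_id that includes scope."""
    if rpt is None:
        return False
    return any(p.resource_id == resource_id and scope in p.scopes
               for p in rpt.permissions)


# Hypothetical signature of the resource server's own criteria: returns None to
# accept, or a human-readable reason to bar access.
LocalPolicy = Callable[[str, str, str, Dict[str, object]], Optional[str]]


class ResourcePEP:
    """Policy enforcement point in front of a resource server (constructed).

    Decision order:
      1. No RPT, or an RPT without the needed permission -> 'ticket': the
         requesting party has to go to the AS with a permission ticket
         (the ticket value below is a placeholder, not an AS-issued one).
      2. RPT sufficient, but the RS's own runtime criteria object -> 'denied'.
      3. Otherwise -> 'allowed'.
    """

    def __init__(self, local_policy: LocalPolicy):
        self.local_policy = local_policy

    def decide(self, rpt: Optional[RPT], resource_id: str, scope: str,
               context: Dict[str, object]) -> Dict[str, str]:
        if not rpt_grants(rpt, resource_id, scope):
            return {"decision": "ticket",
                    "ticket": f"TICKET-PLACEHOLDER-{resource_id}-{scope}"}
        reason = self.local_policy(rpt.subject, resource_id, scope, context)
        if reason is not None:
            # The AS said yes; the RS still says no on its own criteria.
            return {"decision": "denied", "reason": reason}
        return {"decision": "allowed"}


def example_local_policy(subject: str, resource_id: str, scope: str,
                         context: Dict[str, object]) -> Optional[str]:
    """Constructed runtime criteria: 'write' only from a trusted network, and
    nothing at all when a (simulated) external risk service scores the request
    as high risk."""
    if scope == "write" and not context.get("trusted_network", False):
        return "write scope only permitted from a trusted network"
    if int(context.get("risk_score", 0)) >= 80:
        return "external risk service flagged this request"
    return None


def build_ticketless_request(client_id: str, audience: str,
                             wanted: List[Permission]) -> str:
    """Form body for a ticket-less UMA grant request naming resources/scopes.

    The grant_type URN is the standard UMA 2.0 value; the repeated
    'permission' field and its 'resource#scope1,scope2' encoding are an
    assumption for this example, not part of the UMA specification.
    """
    params = [("grant_type", "urn:ietf:params:oauth:grant-type:uma-ticket"),
              ("client_id", client_id),
              ("audience", audience)]
    for p in wanted:
        params.append(("permission", f"{p.resource_id}#{','.join(p.scopes)}"))
    return urlencode(params)


if __name__ == "__main__":
    pep = ResourcePEP(example_local_policy)
    alice = RPT("alice", [Permission("doc-42", ["read", "write"])])
    print(pep.decide(alice, "doc-42", "write", {"trusted_network": False}))
    print(build_ticketless_request("pep-client", "my-rs", alice.permissions))
```

The point of the ordering in `decide` is that the local criteria are evaluated only after the RPT has been found sufficient: a missing or inadequate RPT still produces the normal "go get a ticket" response, while a sufficient RPT can be overridden by information the AS never saw (network location, an external risk score) without the PEP having to mint or reject tickets itself.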