Hmm, yeah, agreed that it wouldn't relate to scopes in the totally OOB case. In one of our in-band exception cases (token says X, RS chooses to do Y instead), set #6 *may* still be useful as long as we're not only talking about, say, "token says yes and RS denies all access" (which is expressible in set terms but not all that interesting...).

Eve (sent from my iPhone, possibly with Siri's "help": +1-425-345-6756)

On Jun 3, 2016, at 5:55 PM, Justin Richer <jricher@mit.edu> wrote:

In my view, the RS's decision is always final and can override anything inbound associated with the token. This decision may or may not have anything to do with "scopes" in the OAuth/UMA sense, so I would hesitate to call it a sixth set of scopes to be calculated against.

Furthermore, the calculus as I've described it needs to be performed by the AS at the time of token issuance, and this last bit of permission-filtering happens long after that takes place.

For the UMA Legal construct, I can see it applying, but I would once again not classify that as a scope set.

 -- Justin


On 6/2/2016 4:14 PM, Eve Maler wrote:
John W asked in Skype whether deterministic sets, as we were just talking about in the call today, would allow for overrides of a policy for purposes of data localization or regulation etc. My response was that it's an AS that represents the results of the RO's policy in a token, and it's an RS that might override those results once the client brings that token over to the RS (the "Adrian clause").

Thus, I wondered if the RS's actual granted access should be considered a sixth set of scopes that we should track, describe, etc. in the spec. It would probably be useful in the UMA Legal work, at a minimum!

I also noted that the RS might need to do overrides in an out-of-band-of-UMA situation. As we've discussed in the past, such a situation might include a court order or a "break glass" situation. This would mean that this set of scopes could be interestingly disjoint from the original five sets.

Thoughts?

(BTW, I've sent out Slack invitations, as we'd promised, to everyone who currently gets Google Calendar invitations to our WG meetings, plus whoever else asked for an invitation. If you'd like to get an invitation in addition, drop me a private note.)

Eve Maler
Cell +1 425.345.6756 | Skype: xmlgrrl | Twitter: @xmlgrrl



_______________________________________________
WG-UMA mailing list
WG-UMA@kantarainitiative.org
http://kantarainitiative.org/mailman/listinfo/wg-uma