[WG-UMA] SmartAM's currently implemented solution


Jacek Szpot

Mar 7, 2012, 12:35:21 PM
to UMA WG WG
.. in a sketchy sequence diagram:

goo.gl/jXA4O

Our solution to guarantee the request token to be unique per host.
What do you think?
_______________________________________________
WG-UMA mailing list
WG-...@kantarainitiative.org
http://kantarainitiative.org/mailman/listinfo/wg-uma

George Fletcher

Mar 7, 2012, 1:54:04 PM
to UMA WG WG
A couple thoughts before the seq diagram. I think that either the new API proposed in the latest diagram from Jacek is required, or we have to rework 3.1.1 to return a permission ticket even when there is no token.

A possible sequence diagram showing RAT, RPT and HAT.


Here is the text used to generate the diagram for those who want to tweak/correct/replace :)

title UMA Requester Access Flow

participant "Roger" as RU
participant "TripFollwr" as R
participant "Cop Monkey" as AM
participant "MyCalendar" as H
participant "Alice" as AU

# Attempt to access protected resource
note left of R: Roger is authenticated\nto TripFollwr
R->H: Access Alice's calendar\n with no token
H-->R: 401 host_id, am_uri\n[UMA 3.1.1]
note left of R: Look for token keyed by\nRoger,host_id,am_uri
note left of R: Token not found

# Redirect Roger to CopMonkey to establish RAT
R-->RU: Redirect to
RU->AM: CopMonkey
AM-->RU: Authenticate
RU->AM: Present Credentials\nGive consent
AM-->RU: Redirect to
RU->R: TripFollwr with authorization_code
note right of R: Store RAT based on\nRoger,CopMonkey

# Need to get an "empty" RPT for MyCalendar
opt New UMA API
R->AM: Request RPT for host_id
note right of AM: RPT => Request\nPermission\nToken
AM-->R: RPT with no Permissions
end

# Present RPT
R->H: Access Alice's calendar\n with RPT
opt UMA 3.3
note right of H: HAT => Alice,CopMonkey,MyCalendar
H->AM: Token Status\n[RPT,HAT]
AM-->H: Returns no scopes
end
opt UMA 3.4
H->AM: Register Permission Request
AM-->H: Return PermissionTicket
end
H-->R: 403 host_id, am_uri\n[UMA 3.1.3.1]
note left of R: Extract PermissionTicket

# Work with AM to get a valid RPT
R->AM: Request Permission\nPermissionTicket,RAT
note over RU,R,AM,H,AU: Section 3.6 "magic"
AM-->R: Return new RPT\n[UMA 3.5]
note right of R: Save RPT based on\nRoger,TripFollwr,CopMonkey,MyCalendar

Thomas Hardjono

Mar 8, 2012, 12:14:38 PM
to George Fletcher, UMA WG WG

George,

This is really great. Makes more sense now that I see it visually.

In the first gray area, is the RPT an empty RPT (i.e. what would be in there?)

cheers,

/thomas/

George Fletcher

Mar 8, 2012, 12:16:04 PM
to Thomas Hardjono, UMA WG WG
By an "empty" RPT, I was thinking that the AM would associate no claims with the token. This then chains into the "insufficient permissions" flow of UMA.

Thanks,
George
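To make the sequence in George's diagram and his "empty RPT" answer concrete, here is a small Python model of it, added here and not taken from the thread or from any UMA implementation: the AM issues an RPT with no permissions, the host's token status check comes back with no scopes, the host registers a permission request and hands back a ticket, and the requester's permission request turns that empty RPT into one carrying scopes. The opaque token format, the host_id/resource/scope names, and the static policy standing in for the "Section 3.6 magic" are assumptions; the RAT redirect and the requester's own token lookup are left out.

```python
import secrets

class AuthorizationManager:
    def __init__(self, policy):
        self.policy = policy  # assumed policy: set of (resource, scope) pairs Alice permits
        self.rpts, self.tickets = {}, {}  # rpt -> {host_id, scopes}; ticket -> (host_id, resource, scopes)

    def issue_empty_rpt(self, host_id):
        # George's proposed new API: an RPT bound to one host, carrying no permissions
        rpt = secrets.token_urlsafe(16)
        self.rpts[rpt] = {"host_id": host_id, "scopes": set()}
        return rpt

    def token_status(self, rpt, host_id):
        # UMA 3.3: None if the RPT is unknown or was issued for a different host
        entry = self.rpts.get(rpt)
        return set(entry["scopes"]) if entry and entry["host_id"] == host_id else None

    def register_permission(self, host_id, resource, scopes):
        # UMA 3.4: the host records what was attempted and receives a permission ticket
        ticket = secrets.token_urlsafe(16)
        self.tickets[ticket] = (host_id, resource, frozenset(scopes))
        return ticket

    def request_permission(self, ticket, rpt):
        # UMA 3.5/3.6: the ticket is single-use; the "magic" is reduced to a static policy check
        item, entry = self.tickets.pop(ticket, None), self.rpts.get(rpt)
        if item is None or entry is None or item[0] != entry["host_id"]:
            return False
        if not all((item[1], s) in self.policy for s in item[2]):
            return False
        entry["scopes"] |= item[2]
        return True

def host_access(am, host_id, resource, scope, rpt=None):
    # The host's decision, returned as (status, permission_ticket)
    scopes = am.token_status(rpt, host_id) if rpt else None
    if scopes is None:
        return 401, None  # [UMA 3.1.1] no usable token: 401 host_id, am_uri
    if scope in scopes:
        return 200, None
    return 403, am.register_permission(host_id, resource, {scope})  # [UMA 3.1.3.1]

def run_flow(policy, host_id="mycalendar", resource="alice/calendar", scope="read"):  # whole diagram
    am = AuthorizationManager(policy)
    rpt = am.issue_empty_rpt(host_id)  # "empty" RPT: no claims attached yet
    status, ticket = host_access(am, host_id, resource, scope, rpt)
    if status == 403 and am.request_permission(ticket, rpt):
        status, _ = host_access(am, host_id, resource, scope, rpt)
    return status
```

With a policy that allows the scope the flow ends in 200; with an empty policy the requester is left at 403, which is the "insufficient permissions" branch George describes.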