[WG-UMA] UMA Resource aggregation approach


Domenico Catalano

Jan 25, 2012, 4:58:55 PM
to UMA WG WG
Hi all,

Attached is a brief presentation about a resource aggregation approach based on an online loan scenario and the OpenID Connect message specification.

I hope it's useful for the discussion of issue #31 (and maybe #25).

Cheers,
Domenico

UMA_basket_v01.pdf

John Bradley

Jan 25, 2012, 7:37:51 PM
to Domenico Catalano, UMA WG WG
Good example.

You however can't have spaces in a scope name.

The OAuth request would look like:
https://server.example.com/authorize?
response_type=code%20id_token
&client_id=s6BhdRkqt3
&redirect_uri=https%3A%2F%2Fclient.example.com%2Fcb
&scope=openid
&state=af0ifjsldkj
&nonce=n-0S6_WzA2Mj
&request=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJyZXNwb25zZV90eXBlIjoiY2
9kZSBpZF90b2tlbiIsImNsaWVudF9pZCI6InM2QmhkUmtxdDMiLCJyZWRpcmVjdF91cmkiOi
JodHRwczpcL1wvY2xpZW50LmV4YW1wbGUuY29tXC9jYiIsInNjb3BlIjoib3BlbmlkIHByb2
ZpbGUiLCJzdGF0ZSI6ImFmMGlmanNsZGtqIiwibm9uY2UiOiJuLTBTNl9XekEyTWoiLCJ1c2
VyaW5mbyI6eyJjbGFpbXMiOnsibmFtZSI6bnVsbCwibmlja25hbWUiOnsib3B0aW9uYWwiOn
RydWV9LCJlbWFpbCI6bnVsbCwidmVyaWZpZWQiOm51bGwsInBpY3R1cmUiOnsib3B0aW9uYW
wiOnRydWV9fX0sImlkX3Rva2VuIjp7Im1heF9hZ2UiOjg2NDAwLCJjbGFpbXMiOnsiYWNyIj
p7InZhbHVlcyI6WyIyIl19fX19.ou2Yc1B9a5iZLqbzBxE95aNS0pSfRClCqM77n85ehGo

The contents of the request parameter would be a JWT serialized JSON object:

{
  "response_type": "code id_token",
  "client_id": "s6BhdRkqt3",
  "scope": "openid",
  "userinfo":
  {
    "claims":
    {
      "name": null,
      "nickname": {"optional": true},
      "email": null,
      "verified": null,
      "address": null,
      "http://schema.com/payment_info": null,
      "http://schema.com/credit_score": {"trust_framework": "some just framework", "signed": true}
    }
  }
}

During client registration you set the signature format for the user info response. The signature on the attribute would be requested as a defined parameter for that attribute.

Any claims outside of the base set must come from a collision resistant namespace, so URI mostly.

You could have asked for the address and the other default info by using scopes. Claims in scopes are optional.

Claims are required unless you set the optional attribute. So name etc. are required claims; if they can't be provided you will get back an error.

I made up some likely parameters for your claims. You may only want them from providers that belong to some trust framework. You may also want the individual claim signed by its issuer.

John B.

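An added example, not code from John's message or from any OpenID Connect implementation, showing the step he describes: the claims request above is serialized as a JWT, signed (HS256 here, with a constructed shared secret assumed to have been provisioned at client registration), and percent-encoded into the request parameter of the authorization URL. The verifier pins the algorithm and rejects a request object whose payload was altered after signing, which is the reason to sign it rather than pass the claims request as bare query parameters.

```python
import base64
import hashlib
import hmac
import json
from urllib.parse import quote

# Constructed shared secret for HS256 (an assumption of this example, not a
# value from the thread); a real client gets its key at registration.
SHARED_SECRET = b"example-shared-secret-do-not-reuse"

# John's request object with the JSON made valid (stray quote and trailing
# commas removed; response_type is the literal string "code id_token").
LOAN_REQUEST_OBJECT = {
    "response_type": "code id_token",
    "client_id": "s6BhdRkqt3",
    "scope": "openid",
    "userinfo": {
        "claims": {
            "name": None,
            "nickname": {"optional": True},
            "email": None,
            "verified": None,
            "address": None,
            "http://schema.com/payment_info": None,
            "http://schema.com/credit_score": {
                "trust_framework": "some just framework",
                "signed": True,
            },
        }
    },
}


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as JWS requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_request_object(payload: dict, key: bytes) -> str:
    """Serialize the request object as a compact HS256 JWT: header.payload.signature."""
    header = {"typ": "JWT", "alg": "HS256"}
    signing_input = (
        b64url(json.dumps(header, separators=(",", ":")).encode("utf-8"))
        + "."
        + b64url(json.dumps(payload, separators=(",", ":")).encode("utf-8"))
    )
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


def verify_request_object(jwt: str, key: bytes) -> dict:
    """Check the signature before trusting anything in the payload."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWT")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # Pin the algorithm: the token itself must not get to choose it.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    return json.loads(b64url_decode(payload_b64))


def signature_valid(jwt: str, key: bytes) -> bool:
    try:
        verify_request_object(jwt, key)
        return True
    except ValueError:
        return False


def replace_payload(jwt: str, new_payload: dict) -> str:
    """Swap the payload but keep the old signature, to show that verification
    rejects a request object modified after signing."""
    header_b64, _, sig_b64 = jwt.split(".")
    return header_b64 + "." + b64url(json.dumps(new_payload).encode("utf-8")) + "." + sig_b64


def build_authorization_url(request_jwt: str) -> str:
    """Percent-encode every parameter fully (space -> %20, '/' -> %2F), giving
    the same query string shape as the one in John's message."""
    params = {
        "response_type": "code id_token",
        "client_id": "s6BhdRkqt3",
        "redirect_uri": "https://client.example.com/cb",
        "scope": "openid",
        "state": "af0ifjsldkj",
        "nonce": "n-0S6_WzA2Mj",
        "request": request_jwt,
    }
    query = "&".join(f"{k}={quote(v, safe='')}" for k, v in params.items())
    return "https://server.example.com/authorize?" + query
```

The header produced here is the same eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9 prefix seen in John's request parameter; only the secret and the claim set differ.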

Rainer Hoerbe

Jan 26, 2012, 1:15:47 AM
to John Bradley, UMA WG WG
Is it correct that the birthday claim which was not listed in the request would have to be specified in the scope?

- Rainer

John Bradley

Jan 26, 2012, 6:29:47 AM
to Rainer Hoerbe, UMA WG WG
Nat did a blog post on scopes that may help.
http://nat.sakimura.org/2012/01/26/scopes-and-claims-in-openid-connect/

If you ask for the profile scope you are asking for birthday as an optional claim in a basket of optional claims.

You can use the request object if you want a subset of that bucket or you want the claim to be required.

John
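An added example, not code from the thread or from any provider, that works through Rainer's question and John's two replies about scopes and the request object: a scope contributes a whole basket of optional claims, the request object narrows that basket or upgrades individual claims to required (anything without "optional": true is required), and the provider returns an error rather than a partial response when a required claim cannot be supplied. The basket contents, the claim names (birthday, verified, as the thread spells them), the error code and the URI check for claims outside the base set are all assumptions of this example.

```python
from typing import Dict, Optional

# Assumed scope baskets, modelled on the draft Connect baskets John and Nat
# describe; real baskets are larger and use different claim names.
SCOPE_BASKETS = {
    "profile": {"name", "nickname", "picture", "birthday", "gender", "locale"},
    "email": {"email", "verified"},
    "address": {"address"},
}
BASE_CLAIMS = set().union(*SCOPE_BASKETS.values())

# Constructed request object: scope asks for the profile basket, the request
# object makes "name" required, keeps "nickname" optional and adds one claim
# from a URI namespace.
REQUEST_OBJECT = {
    "scope": "openid profile",
    "userinfo": {
        "claims": {
            "name": None,
            "nickname": {"optional": True},
            "http://schema.com/credit_score": {"signed": True},
        }
    },
}


def resolve_claims(scope: str, request_object: Optional[dict] = None) -> Dict[str, str]:
    """Map each userinfo claim the client asked for to 'optional' or 'required'.

    Scopes contribute whole baskets of optional claims; the request object
    then overrides per claim, and a claim without "optional": true is required.
    """
    effective: Dict[str, str] = {}
    for s in scope.split():
        for claim in SCOPE_BASKETS.get(s, ()):
            effective[claim] = "optional"
    requested = ((request_object or {}).get("userinfo") or {}).get("claims") or {}
    for name, spec in requested.items():
        if name not in BASE_CLAIMS and "://" not in name:
            # Outside the base set a claim must come from a collision-resistant
            # namespace; requiring a URI is this example's stand-in for that rule.
            raise ValueError(f"claim outside the base set must be a URI: {name}")
        optional = isinstance(spec, dict) and spec.get("optional") is True
        effective[name] = "optional" if optional else "required"
    return effective


def userinfo_response(resolved: Dict[str, str], available: dict) -> dict:
    """Release the claims the provider has, or return an error (code is a
    placeholder) if any required claim is unavailable. Optional claims that
    are unavailable are simply left out."""
    missing = sorted(c for c, mode in resolved.items()
                     if mode == "required" and c not in available)
    if missing:
        return {"error": "invalid_request",
                "error_description": "required claims unavailable: " + ", ".join(missing)}
    return {c: available[c] for c in resolved if c in available}
```

Run against REQUEST_OBJECT, birthday resolves as optional purely because "profile" was in the scope, name resolves as required because the request object listed it without "optional": true, and a provider that has birthday but not name gets an error back instead of a response that silently drops the required claim.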

Domenico Catalano

Jan 26, 2012, 8:25:32 AM
to John Bradley, UMA WG WG
John,
Thanks for the comments.

Domenico

Arnie Miles

Jan 26, 2012, 10:42:24 AM
to wg-...@kantarainitiative.org

This is exactly the use case I would need to satisfy to use UMA for
the CommIT project. In my case, various sources of student attributes
(Testing agencies, various school transcripts, financial aid records,
letters of references), keyed to each other by a unique student
identifier provided by a central identity provider, may each need
permission to release selected records to create a complete college
application.


--
Arnie Miles
Middleware Architect; Office of the Principal Technologist
Adjunct Assistant Professor of Computer Science
Georgetown University
3300 Whitehaven Street NW
Washington, DC 20007
202.687.9379

http://code.google.com/p/thebes/

"One must still have chaos in oneself to be able to give birth to a
dancing star."
Friedrich Nietzsche

adm35.vcf

Eve Maler

Jan 26, 2012, 11:50:36 AM
to Arnie Miles, wg-...@kantarainitiative.org
Excellent. Looking forward to discussing this shortly. In addition to Domenico's example of an authorizing user also serving as a requesting party (through their login to the online loan application web app), we should add a variation that allows autonomous third parties to request exactly the same aggregated set of info.

Eve


Eve Maler http://www.xmlgrrl.com/blog
+1 425 345 6756 http://www.twitter.com/xmlgrrl
