UMAnitarians,
see below for a draft of phase 2 testcases
I won't be in for tonight's telecon.
Feedback very welcome
Best,
Cordny
21 January 2012
User Managed Access Core Protocol
Logical testcases based on User-Managed Access (UMA) 1.0 Core Protocol[i] based on specs per 21-01-12
Phase 2: Getting Authorization
Actors: HOST, requester, AM
Steps:
- The requester attempts access at a particular protected resource at a HOST (3.1)
- HOST checks token's status at AM(3.3)
- no match permissions scope attempted access
- requester request token from approprioate AM
- requester request token ,for adding permission, from AM
- Host gives OK response and representation resource to requester's access attempt
Phase2Step1 Requester-HOST: Attempt Access to protected resource
Preconditions:
Host-AM registration UMA-protected resources to be accessed
Response HOST
Phase2Step1Branch1 Requester presents VALID Access Toke
IF requester's Access Request (DETAILS) contains VALID Access token
AND requester's token status associated with 1 or more valid permissions (scope of access)
THEN HOST Response 200 OK status: requester access to protected resource
AND conclusion Phase 3 UMA
ELSE
Phase2Step1Branch2 Requester presents NO Access Token
IF requester's Access Request (DETAILS) contains NO Access token
THEN HOST Response: HTTP 401 (Unauthorized) Status Code
AND AM's URI (facilitation AM Metadata by requester)
HOST-id mandatory??
ELSE
Phase2Step1Branch3 Requester presents INVALID Access Token
IF requester's Access Request token's status invalid
THEN HOST Response: HTTP 401 (Unauthorized) Status Code
AND AM's URI (facilitation AM Metadata by requester)
HOST-id mandatory??
ELSE
Phase2Step1Branch4 Requester token has insufficient permission
IF requester's token status NOT associated with 1 valid permissions (scope of access)
THEN HOST Response: HTTP 403 (Forbidden) Status Code
Phase2Step2 HOST-AM: Ask for Requester Access Token Status
Precondition:
Host receives requester access token from requester when requester tries to access the host.
IF HOST receives access token from requester
THEN HOST asks AM for that token status:
IF HOST request contains:
Ø POST request to AM's token status endpoint with
*body HTTP request message has JSON document ( requester access token + (IP address requester's address OR originating IP address indic. In requester;s X-forwared-For: header value)
*host access token
THEN response AM:
Ø HTTP RESPONSE
· JSON doc.
· AND
· (200 OK status
AND
JSON array contains all necessary properties: resource_set_id, scopes and exp
AND
All permissions valid for tequester access token
OR
indication token is invalid )
ELSE
IF HOST has cached token status description
AND cached token status description is NOT expired
THEN use cached token status description instead of request AM token's status
Technically a substep of Phase2Step1Branch1-4
Phase2Step3 HOST-AM Register a Permission
Precondition:
Technically a substep of Phase2Step1Branch1-4
Phase2Step4 Request Authorization to Add Permissions
Precondition:
Technically a substep of Phase2Step1Branch1-4
Testcases authorization flows
also needed for conformance testing?