_______________________________________________
WG-UMA mailing list
WG-...@kantarainitiative.org
https://kantarainitiative.org/mailman/listinfo/wg-uma
Hi Eve,Thanks for updating that page.In our last discussion that originated #355, you mentioned the "Adrian Clause". This is exactly what we are trying to achieve with this extension to permission endpoint, even if an RPT provides sufficient permissions for a particular case, the resource server can choose to bar access based on its own criteria. Where the criteria can be based on information from runtime or some external service. I think this also allows the RS to provide some "claims gathering" flow on its side, prior to issuing a permission ticket. It should also allow the AS to present to the resource owner more details on what he is approving.
As I mentioned before, people are usually interested in security and not privacy, so most of the use cases don't have "user-managed" resources. A vision that I think that will change considering all the concerns around privacy we are facing.
Thanks to both of you and sorry for this belated followup.It sounds like there may be a few different use cases to think about here. Hoping to tease them out a bit.First, Pedro, when you talk about security and not privacy, and non-user-managed resources, I wonder: Are these literally enterprise-owned resources vs. "consumer" use cases you're talking about in this specific case, that is, what we've sometimes called "enterprise UMA" (the resource owner is an organization)? The same org could have this use case and also (maybe eventually) human end-user use cases.
Second, I think I understand what you're doing now in the case of the permission endpoint extension. The RS is collecting claims to satisfy its own need for additional/stricter authorization ("Adrian clause"), and it's providing this additional context to the AS so the latter can display this info to the RO (I guess potentially as part of an access approval flow?). Let me know if I got that wrong.
Third, it sounds like the specific suggestion you made in #355 has turned into an additional "off-label" flow that you support, I guess you could say another extension. I haven't looked this up in your documentation yet, but we had discussed how the RS would act as a direct conduit for security requests and resulting tokens that the client would normally request from the AS. (Justin's recommendation at the time, iirc, was to use one of the more classic OAuth grants vs. the UMA grant, but then maybe you don't get UMA's asynchronicity??) It would be interesting to drill into this more -- at least I for one am interested. :)
Fourth, Adrian, you bring up the challenges of client app trust, particularly in the context of a loosely coupled AS and RS (which UMA has done a lot of deep work around, but which is starting to creep into the OAuth WG's thinking a bit now too). If there were outputs from the meeting in DC that describe the requirements around warnings, can we take a look? It's a bit odd to say that it's the RS that doesn't trust the client app, given that the RS doesn't really have a relationship with the client; the AS does. (The AS is what issues and checks client credentials.)
On Fri, Aug 17, 2018 at 1:34 AM, Eve Maler <e...@xmlgrrl.com> wrote:
Fourth, Adrian, you bring up the challenges of client app trust, particularly in the context of a loosely coupled AS and RS (which UMA has done a lot of deep work around, but which is starting to creep into the OAuth WG's thinking a bit now too). If there were outputs from the meeting in DC that describe the requirements around warnings, can we take a look? It's a bit odd to say that it's the RS that doesn't trust the client app, given that the RS doesn't really have a relationship with the client; the AS does. (The AS is what issues and checks client credentials.)Don't know about the requirements, but yeah, we can take a look :)Agree that AS is the main authority. But I think RS can also decide whether or not a client is trustworthy. Even if backed by information from AS. For instance, what if RS only allow access from Client X if authentication level is Y ?
Apologies for jumping into discussion late, but one thing puzzled me below.
“In our last discussion that originated #355, you mentioned the "Adrian Clause". This is exactly what we are trying to achieve with this extension to permission endpoint, even if an RPT provides sufficient permissions for a particular case, the resource server can choose to bar access based on its own criteria. Where the criteria can be based on information from runtime or some external service. I think this also allows the RS to provide some "claims gathering" flow on its side, prior to issuing a permission ticket. It should also allow the AS to present to the resource owner more details on what he is approving.”
Do you rather mean, prior to sending a permission request to AS (and obtaining a permission ticket from it), the RS does some claim gathering? Does the RS do additional access control before registering permission with the client? Are permission requests generated regardless of the state of the claims?
Thanks,
--Cigdem
Cigdem Sengul, PhD
Senior Researcher
DD: +44 (0)1865 332256 E: cigdem...@nominet.uk
Minerva House, Edmund Halley Road, Oxford Science Park, Oxford, OX4 4DQ, United Kingdom
Nominet UK. Registered in England and Wales No. 3203859
This message is intended exclusively for the individual(s) to whom it is addressed and may contain information that is privileged, or confidential. If you are not the addressee, you must not read, use or disclose
the contents of this e-mail. If you receive this e-mail in error, please advise us immediately and delete the e-mail. Nominet UK has taken every reasonable precaution to ensure that any attachment to this e-mail has been swept for viruses. However, Nominet
cannot accept liability for any damage sustained as a result of software viruses and would advise that you carry out your own virus checks before opening any attachment.
Apologies for jumping into discussion late, but one thing puzzled me below.
“In our last discussion that originated #355, you mentioned the "Adrian Clause". This is exactly what we are trying to achieve with this extension to permission endpoint, even if an RPT provides sufficient permissions for a particular case, the resource server can choose to bar access based on its own criteria. Where the criteria can be based on information from runtime or some external service. I think this also allows the RS to provide some "claims gathering" flow on its side, prior to issuing a permission ticket. It should also allow the AS to present to the resource owner more details on what he is approving.”
Do you rather mean, prior to sending a permission request to AS (and obtaining a permission ticket from it), the RS does some claim gathering? Does the RS do additional access control before registering permission with the client? Are permission requests generated regardless of the state of the claims?
Adrian