[WG-UMA] SmartAM's currently implemented solution
Thomas Hardjono
identity at hardjono.net
Thu Mar 8 12:14:38 EST 2012
George,
This is really great. Makes more sense now that I see it visually.
In the first gray area, is the RPT an empty RPT (i.e. what would be in there?)
cheers,
/thomas/
-----------------
From: wg-uma-bounces at kantarainitiative.org [mailto:wg-uma-bounces at kantarainitiative.org] On Behalf Of George Fletcher
Sent: Wednesday, March 07, 2012 1:54 PM
To: UMA WG WG
Subject: Re: [WG-UMA] SmartAM's currently implemented solution
A couple thoughts before the seq diagram. I think that either the new API proposed in the latest diagram from Jacek is required, or we have to rework 3.1.1 to return a permission ticket even when there is no token.
A possible sequence diagram showing RAT, RPT and HAT.
Here is the text used to generate the diagram for those who want to tweak/correct/replace :)
title UMA Requester Access Flow
participant "Roger" as RU
participant "TripFollwr" as R
participant "Cop Monkey" as AM
participant "MyCalendar" as H
participant "Alice" as AU
# Attempt to access protected resource
note left of R: Roger is authenticated\nto TripFollwr
R->H: Access Alice's calendar\n with no token
H-->R: 401 host_id, am_uri\n[UMA 3.1.1]
note left of R: Look for token keyed by\nRoger,host_id,am_uri
note left of R: Token not found
# Redirect Roger to CopMonkey to establish RAT
R-->RU: Redirect to
RU->AM: CopMonkey
AM-->RU: Authenticate
RU->AM: Present Credentials\nGive consent
AM-->RU: Redirect to
RU->R: TripFollwr with authorization_code
note right of R: Store RAT based on\nRoger,CopMonkey
# Need to get an "empty" RPT for MyCalendar
opt New UMA API
R->AM: Request RPT for host_id
note right of AM: RPT => Request\nPermission\nToken
AM-->R: RPT with no Permissions
end
# Present RPT
R->H: Access Alice's calendar\n with RPT
opt UMA 3.3
note right of H: HAT => Alice,CopMonkey,MyCalendar
H->AM: Token Status\n[RPT,HAT]
AM-->H: Returns no scopes
end
opt UMA 3.4
H->AM: Register Permission Request
AM-->H: Return PermissionTicket
end
H-->R: 403 host_id, am_uri\n[UMA 3.1.3.1]
note left of R: Extract PermissionTicket
# Work with AM to get a valid RPT
R->AM: Request Permission\nPermissionTicket,RAT
note over RU,R,AM,H,AU: Section 3.6 "magic"
AM-->R: Return new RPT\n[UMA 3.5]
note right of R: Save RPT based on\nRoger,TripFollwr,CopMonkey,MyCalendar
On 3/7/12 12:35 PM, Jacek Szpot wrote:
.. in a sketchy sequence diagram:
goo.gl/jXA4O
Our solution to guarantee the request token to be unique per host.
What do you think?
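George's sequence above, played out as an added in-memory simulation (not code from the thread, from SmartAM or from the UMA spec): stand-ins for TripFollwr, CopMonkey and MyCalendar exchange the 401, the empty RPT, the 403 with permission ticket and the new RPT, with constructed token values, a single assumed "read" scope, and a RAT-validity check standing in for the section 3.6 "magic"; the method names on the AM are assumptions, not the UMA API.

```python
import secrets

def _tok(prefix):  # constructed opaque token values, not real UMA token formats
    return f"{prefix}-{secrets.token_hex(4)}"

class AM:  # "CopMonkey": issues RATs and RPTs, registers permission requests
    def __init__(self):
        self.rats, self.rpts, self.tickets = set(), {}, {}
    def issue_rat(self, user):                      # result of redirecting Roger to CopMonkey
        rat = _tok("rat"); self.rats.add(rat); return rat
    def issue_empty_rpt(self, host_id):             # the proposed "new UMA API": RPT with no permissions
        rpt = _tok("rpt"); self.rpts[rpt] = {"host_id": host_id, "scopes": set()}; return rpt
    def token_status(self, rpt, hat):               # UMA 3.3: scopes this RPT currently carries
        return set(self.rpts.get(rpt, {}).get("scopes", ()))
    def register_permission(self, hat, rpt, scopes):  # UMA 3.4: host records the attempted access
        ticket = _tok("ticket"); self.tickets[ticket] = (rpt, frozenset(scopes)); return ticket
    def request_permission(self, ticket, rat):      # UMA 3.5; RAT check stands in for the 3.6 "magic"
        if rat not in self.rats or ticket not in self.tickets:
            raise PermissionError("unknown RAT or permission ticket")
        old_rpt, scopes = self.tickets.pop(ticket)  # a ticket is single use
        new_rpt = self.issue_empty_rpt(self.rpts[old_rpt]["host_id"])
        self.rpts[new_rpt]["scopes"] = set(scopes)
        return new_rpt

class Host:  # "MyCalendar": holds Alice's calendar, asks the AM about every RPT it sees
    def __init__(self, host_id, am):
        self.host_id, self.am, self.hat = host_id, am, _tok("hat")  # HAT value is constructed
    def get_calendar(self, rpt=None):
        hdr = {"host_id": self.host_id, "am_uri": "https://am.example"}
        if rpt is None:
            return 401, hdr                                        # UMA 3.1.1
        if "read" in self.am.token_status(rpt, self.hat):
            return 200, "Alice's calendar"
        hdr["ticket"] = self.am.register_permission(self.hat, rpt, {"read"})
        return 403, hdr                                            # UMA 3.1.3.1

def requester_fetch(am, host, user="Roger", rat=None, rpt_cache=None):
    # TripFollwr's side; rpt_cache is keyed by (user, host_id, am_uri) as in the diagram
    rpt_cache, statuses = {} if rpt_cache is None else rpt_cache, []
    def call(rpt=None):
        status, body = host.get_calendar(rpt); statuses.append(status); return status, body
    status, body = call()                                        # first attempt, no token
    key = (user, body["host_id"], body["am_uri"])
    rpt = rpt_cache.get(key)
    if rpt is None:
        rat = rat or am.issue_rat(user)                          # establish the RAT
        rpt = am.issue_empty_rpt(body["host_id"])
    status, body = call(rpt)
    if status == 403:                                            # extract the ticket, go back to the AM
        rpt_cache[key] = rpt = am.request_permission(body["ticket"], rat)
        status, body = call(rpt)
    return statuses, body, rpt_cache
```

A second call with the same rpt_cache skips the ticket round trip, which is the cache lookup the "Look for token keyed by Roger,host_id,am_uri" note describes.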