Child pages
  • UMA telecon 2020-10-15

Versions Compared


  • This line was added.
  • This line was removed.
  • Formatting was changed.


Eve is trying to distinguish "scope" from "purpose". The former has to do with the action the RS has to allow/deny when it gets the token. The latter has to do with what the RqP can do subsequently with the access it eventually got (e.g. use the data for marketing purposes). (See our very old "simple access authorization claims" work for a way to embed this in required claims!)

The required-claims piece seems different from the other pieces in that required claim values need to be drawn from the RqP, while the others need to be drawn from the RO, in order to build a complete policy. Does policy need to be standardized for interoperability, or can it be handled like UMA Grant handles claim tokens and formats now? We think the latter. Alec will put in strawman solutions for both required claims (in claim token/format fashion) and policy overall (in similar fashion) for us to consider.