...

Regarding the resource set registration API: implementations backed by NoSQL databases commonly replicate the entity tag (ETag HTTP header) revision information in the body of the response message as well, as a _rev property. The API does not mandate this property, however.

...

Ensuring Resource Server Access to an Authorization Server When the Resource Owner Is Offline

A protection API token (PAT) is an OAuth access token that needs to work in a number of circumstances when the resource owner is offline. When a client attempts access to a protected resource, requiring the resource server to use runtime portions of the protection API, the resource owner is not assumed to be present. At this point, any interactions with the resource owner, for example, access approval workflows, are conducted out of band of the protocol.

Many use cases assume that the resource owner is explicitly "offline", for example, unconscious in a hospital emergency room. Some anticipate that the resource owner may end up "permanently offline" after having asked for the PAT to be issued (such as "digital death" scenarios, which perhaps raise other long-term issues).

The authorization server thus needs to manage access token freshness and refresh token issuance appropriately to ensure that the resource server has access when it needs it.
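The freshness requirement above, as an added example (not code from the guide or any UMA implementation): a constructed in-memory model of an authorization server that issues a PAT with a long-lived refresh token, and a resource server helper that refreshes the PAT before a protection API call without involving the resource owner. Class and function names (AuthorizationServer, ensure_fresh_pat) and the lifetimes are assumptions.

```python
import time

# Assumed lifetimes: the access token is short-lived, the refresh token is
# long-lived so the RS can keep working while the resource owner is offline.
PAT_LIFETIME = 3600              # seconds
REFRESH_LIFETIME = 90 * 86400    # seconds


class AuthorizationServer:
    """Hypothetical AS issuing protection API tokens (PATs) to a resource server."""

    def __init__(self, now=time.time):
        self.now = now
        self._refresh = {}   # refresh_token -> {"owner", "expires_at", "revoked"}
        self._counter = 0

    def _token(self, prefix):
        self._counter += 1
        return f"{prefix}-{self._counter}"

    def issue_pat(self, resource_owner):
        """Called once, while the resource owner is present and approves the RS."""
        refresh = self._token("rt")
        self._refresh[refresh] = {"owner": resource_owner,
                                  "expires_at": self.now() + REFRESH_LIFETIME,
                                  "revoked": False}
        return {"access_token": self._token("pat"), "refresh_token": refresh,
                "expires_at": self.now() + PAT_LIFETIME}

    def refresh_pat(self, refresh_token):
        """Refresh grant: no resource-owner interaction is required here."""
        rec = self._refresh.get(refresh_token)
        if rec is None or rec["revoked"] or rec["expires_at"] <= self.now():
            return None  # invalid_grant: RS needs a new PAT, approved out of band
        return {"access_token": self._token("pat"), "refresh_token": refresh_token,
                "expires_at": self.now() + PAT_LIFETIME}

    def revoke(self, refresh_token):
        if refresh_token in self._refresh:
            self._refresh[refresh_token]["revoked"] = True


def ensure_fresh_pat(auth_server, pat, now=time.time, skew=60):
    """Return a PAT usable for a protection API call, refreshing it when it is
    within `skew` seconds of expiry. Returns None when the RS cannot recover
    on its own (refresh token expired or revoked), so it can flag the resource
    for re-authorization instead of failing silently at access time."""
    if pat["expires_at"] - skew > now():
        return pat
    return auth_server.refresh_pat(pat["refresh_token"])
```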

...

Handling Optional and Extension Properties

...