Versions Compared


  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: Added the subsection "Only One Pushed Claim Token Now Allowed at a Time"


The permission ticket generation ecosystem has been rationalized. In UMA2, a permission ticket is always generated, and the value rotated, in cases of a redirect back from the claims interaction endpoint and in cases of need_info and request_submitted errors from token endpoint requests, and never in cases of other errors. An authorization process is still ongoing while the authorization server is still generating permission tickets. (275, 279, 298)

Only One Pushed Claim Token Now Allowed at a Time

In UMA1, the mechanism for claim token pushing was a JSON-encoded request message sent to the RPT endpoint, optionally including with a claim_tokens array each of whose objects had a format parameter and a token parameter. In UMA2 (Grant Sec 3.3.4), , due to increased alignment with OAuth, this structure was flattened and the request message – now sent to the token endpoint as application/x-www-form-urlencoded format – contains each of the inner parameters only once. (If it is desired to send multiple claim tokens in a single request message, a compound claim token format could be defined.)

RPT Upgrading Logic Improved