[WG-UMA] [Uma-dev] Feature Test review, some thoughts

Eve Maler eve at xmlgrrl.com
Fri Aug 1 11:14:49 CDT 2014

Hi Mark-- Thanks for identifying these questions. Some thoughts and status back:

On 31 Jul 2014, at 8:03 AM, Mark Dobrinic <mdobrinic at cozmanova.com> wrote:

> Hi group,
> (cross posting in wg-uma/uma-dev to find the right audience)
> Having looked closer at the Feature Tests, and in particular
> Authorization API as well as Access tests
> * authzapi
> FT-rs-no-rpt: should this also explicitly cover "invalid-rpt" as well as
> "no-rpt" ? The behavior is specified to be the same (uma-core#3.1.2).

As discussed on today's WG call: Yes. This is now done.

> * access
> FT-unprotected-resource : maybe loosen to be optional?

Hmm. This just requires the RS not to "pollute" the response on a non-UMA-protected resource with UMA stuff. I could see how this is more like a definition of an UMA/non-UMA dividing line than an UMA-specific interop test. Is that what you're thinking in suggesting that it's optional? E.g., if some product were to fail this test, would we think this makes it less UMA-conforming? Maybe we should strike the test altogether, if the answer is no.

> FT-c-rpt : maybe define the success condition as 'RS accepts Client request'

Makes sense to me.

> FT-rs-respect-authz : consider adding in the description that this
> depends on non-UMA specified API and scope usage, specific to the RS. To
> stress that this test is impossible to specify from the UMA perspective
> alone.

Good idea. Are there any other tests where such a note would be useful? (I wonder if this sort of thing would be helpful to share with the folks who tried to start the OAuth interop testing conversation at IETF.)

> General: about terminology, 'permissions' and 'authz' are used
> interchangeably. Is this correct and desired?
> i.e. "FT-rs-insufficient-authz : RS responds to client bearing a valid
> "bearer" profile RPT that has insufficient permissions ..."

Good point. Maybe we need a generic authz test, and then tests that are explicitly bound to RPT profiles that could be more specific. That way, communities that identify specific profiles can most easily "inherit" the specific tests, while the generic tests still give coverage. Any chance you can take a look to see how this might fly?

> Comments?
> Cheers!
> Mark

Eve Maler                                  http://www.xmlgrrl.com/blog
+1 425 345 6756                         http://www.twitter.com/xmlgrrl
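To make the two RS-side tests discussed above concrete, here is an added example (not code from the UMA WG's feature-test suite or any implementation) that encodes FT-rs-no-rpt, covering both the no-RPT and invalid-RPT cases since uma-core 3.1.2 specifies the same response for both, and FT-unprotected-resource as checks over an RS's HTTP response. The challenge shape (`WWW-Authenticate: UMA realm="...", as_uri="..."`) follows uma-core 3.1.2; the sample responses are constructed, and `rs.example.com` / `as.example.com` are placeholders.

```python
"""Added example: encoding FT-rs-no-rpt / FT-rs-invalid-rpt and
FT-unprotected-resource as checks over an RS response (status, headers)."""
import re
from typing import Dict, Optional, Tuple

# Matches the key="value" parameters of a 'WWW-Authenticate: UMA ...' challenge.
_PARAM_RE = re.compile(r'(\w+)="([^"]*)"')


def _header(headers: Dict[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup (HTTP header names are not case-sensitive)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def parse_uma_challenge(www_authenticate: Optional[str]) -> Optional[Dict[str, str]]:
    """Return the UMA challenge parameters, or None if the header is absent or uses another scheme."""
    if not www_authenticate:
        return None
    scheme, _, params = www_authenticate.strip().partition(" ")
    if scheme.lower() != "uma":
        return None
    return dict(_PARAM_RE.findall(params))


def ft_rs_no_rpt(status: int, headers: Dict[str, str]) -> Tuple[bool, str]:
    """FT-rs-no-rpt and FT-rs-invalid-rpt share this check (uma-core 3.1.2):
    401 plus a UMA challenge that tells the client which AS to go to (as_uri)."""
    if status != 401:
        return False, f"expected 401, got {status}"
    challenge = parse_uma_challenge(_header(headers, "WWW-Authenticate"))
    if challenge is None:
        return False, "missing WWW-Authenticate: UMA challenge"
    if not challenge.get("as_uri"):
        return False, "UMA challenge lacks as_uri"
    return True, "ok"


def ft_unprotected_resource(status: int, headers: Dict[str, str]) -> Tuple[bool, str]:
    """A non-UMA-protected resource must not be 'polluted' with a UMA challenge."""
    if parse_uma_challenge(_header(headers, "WWW-Authenticate")) is not None:
        return False, "UMA challenge returned for a non-UMA-protected resource"
    return True, "ok"


# Constructed sample RS responses (hypothetical hosts rs.example.com / as.example.com).
UMA_CHALLENGE = 'UMA realm="example", as_uri="https://as.example.com"'
NO_RPT_CONFORMING = (401, {"www-authenticate": UMA_CHALLENGE})
NO_RPT_NONCONFORMING = (403, {"Content-Type": "application/json"})  # no challenge, no as_uri
UNPROTECTED_NONCONFORMING = (200, {"WWW-Authenticate": UMA_CHALLENGE})
```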
