[WG-UMA] Discussion on Github Issue #99

Casey Gilray casey.gilray at forgerock.com
Fri Aug 15 15:06:21 CDT 2014

As issue #99 stands now there is an open question as to whether it would be
better to automatically send a ticket along with an RPT to the clients
instead of forcing them to request a ticket separately. Currently the
client must request a resource from the RS and be sent an error requesting
that the client get an RPT. The client obtains the RPT and tries the
request again in order to gain a permission ticket. The proposed workaround
is for the RS to obtain the RPT and automatically register the sought
permissions, then return the new RPT along with the permission ticket.

There are valid reasons to have both paths available. Issuing the ticket
automatically may tie up more resources on the server side but this also
frees the client from making several requests. This leaves the server more
vulnerable to denial of service attacks at this endpoint. If you are not a
high value target for DDoS or are otherwise not worried about attacks then
having the server automatically issue the ticket along with the RPT would
be a valid solution.

The second part of issue #99 deals with the binding between an RPT and the
RS. When a client obtains an RPT there is no notion of which RS this RPT
will be used with. It was suggested that the Client pass a host ID, an
identifying token which is known by the AS. These host ID tokens could be
stored dynamically or have static “trusted” host IDs depending on the
security demands of the implementation.

In an attempt to open discussion to close issue #99 I will pose the
following question: Would it be possible to add into the spec the option
for the RS to either obtain and create tickets for requests automatically
or make the client obtain and re-request with a new RPT, OR leave the spec
as is, where the client is forced to obtain their RPT from the AS, then
attempt the request again to get the permission ticket?

Secondly, in regard to binding, could the RPT request include a host_id
parameter that could match to a list of known and trusted RSs, thus
binding each RPT to one specific RS?

Link to issue #99: https://github.com/xmlgrrl/UMA-Specifications/issues/99

Casey Gilray
Intern in the CTO Office
Forgerock Vancouver
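The two flows and the host_id binding discussed in the message above, as an added toy model that is not part of the original post or of the UMA spec: every class, method and token format here is a constructed simplification, with the AS keeping a static trusted host list and binding each RPT to the host_id it was requested for.

```python
"""Toy model of the UMA issue #99 flows: manual vs. automatic ticket issuance,
and RPT-to-RS binding via host_id. Constructed example, not spec code."""
import secrets
from dataclasses import dataclass, field

@dataclass
class AuthorizationServer:
    trusted_hosts: set                             # static "trusted" host IDs
    rpts: dict = field(default_factory=dict)       # rpt -> bound host_id
    tickets: dict = field(default_factory=dict)    # ticket -> (host_id, scopes)

    def issue_rpt(self, host_id):
        # Binding proposal: refuse RPT requests for host IDs the AS does not know
        if host_id not in self.trusted_hosts:
            raise PermissionError(f"unknown host_id {host_id!r}")
        rpt = secrets.token_hex(8)
        self.rpts[rpt] = host_id
        return rpt

    def register_permission(self, host_id, rpt, scopes):
        # An RPT bound to a different RS must not be usable at this one
        if self.rpts.get(rpt) != host_id:
            raise PermissionError("RPT is not bound to this RS")
        ticket = secrets.token_hex(8)
        self.tickets[ticket] = (host_id, tuple(scopes))
        return ticket

class ResourceServer:
    def __init__(self, host_id, az, auto_issue):
        self.host_id, self.az, self.auto_issue = host_id, az, auto_issue

    def access(self, rpt, scopes):
        """Return the error response the client must act on (no RPT -> need_rpt,
        or a permission ticket once an RPT bound to this RS is presented)."""
        if rpt is None:
            if self.auto_issue:
                # Proposed path: RS obtains the RPT and registers permissions
                # itself; note this spends AS work per unauthenticated request
                rpt = self.az.issue_rpt(self.host_id)
                ticket = self.az.register_permission(self.host_id, rpt, scopes)
                return {"error": "need_authorization", "rpt": rpt, "ticket": ticket}
            return {"error": "need_rpt"}   # current path: client must go to the AS
        ticket = self.az.register_permission(self.host_id, rpt, scopes)
        return {"error": "need_authorization", "ticket": ticket}

def round_trips(rs, az):
    """Count client requests to the RS until a permission ticket is in hand."""
    resp, n = rs.access(None, ["read"]), 1
    if resp["error"] == "need_rpt":
        rpt = az.issue_rpt(rs.host_id)          # client passes host_id to the AS
        resp, n = rs.access(rpt, ["read"]), n + 1
    return n, resp["ticket"]
```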